As part of the challenge, Kvasir utilises LXC to provide kernel isolation. When the host VM boots, it can take a little time before the containers become available. It is therefore advised to wait 30-60 seconds after the login prompt is presented before attacking the VM. A few other pointers:
Not every LXC is ‘rootable’
No SSH brute-forcing is required
Scanning all ports with aggressive mode
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
Ow, not complex. Apache 2.2.22 does not contain a critical vulnerability, so let's examine the web application.
Dirb found the following paths
---- Scanning URL: http://192.168.56.100/ ----
+ http://192.168.56.100/admin.php (CODE:302|SIZE:365)
+ http://192.168.56.100/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.56.100/index.php (CODE:200|SIZE:464)
+ http://192.168.56.100/server-status (CODE:403|SIZE:295)
I looked at the login form more closely and I think it contains a Blind SQL Injection vulnerability, because when I use credentials such as test:test I get the response "Login Failed", but when I use SQL syntax with OR I get the response "Forbidden". Unfortunately I can't exploit it.
We can see admin.php in the Dirb result, so let's try to open that file.
We are redirected to index.php. Hmm, let's try changing the 302 in the response to 200.
Great! We have got the following result
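Two behaviours seen so far, the admin page that is still rendered inside a 302 response and the login form that answers differently to SQL syntax, usually come from the same two coding mistakes on the server side. The following is an added example written from the defender's side; it is not Kvasir's actual admin.php or index.php (neither is on the page), and the users table, the session variable and the redirect target are assumptions.

```php
<?php
// Added example, not the challenge's own code. Shows the two server-side
// defects the walkthrough's observations point at, and the fix for each.
//  1. a 302 whose body still contains the admin page: header() without exit
//  2. a login form that reacts to SQL syntax: query built from the input string

session_start();

// --- 1. Redirect that still leaks the page (vulnerable pattern) ---
function require_login_leaky(): void {
    if (empty($_SESSION['user'])) {               // assumed session key
        header('Location: /index.php', true, 302);
        // Missing exit: PHP keeps running and the admin HTML below is still
        // sent as the body of the 302. Rewriting 302 -> 200 in a proxy
        // (as done above) makes the browser show it.
    }
}

// --- 1. Fixed: stop the script as soon as the redirect is issued ---
function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: /index.php', true, 302);
        exit; // nothing after this line reaches the client
    }
}

// --- 2. Login check with a prepared statement (assumed users table) ---
function check_login(PDO $db, string $user, string $pass): bool {
    // Placeholders keep user input out of the SQL grammar, so "' OR 1=1 --"
    // is just a (non-existent) username and cannot change the query's logic.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One boolean for "no such user" and "wrong password" alike, so the
    // response does not split into "Login Failed" vs "Forbidden" variants
    // that reveal how the query behaved.
    return $row !== false && password_verify($pass, $row['password_hash']);
}

require_login();
echo '<h1>Admin area</h1>';
```

The difference between the leaky and fixed redirect is a single `exit`; a quick regression check for this class of bug is to request each protected page unauthenticated and confirm the 302 body is empty or a one-line stub, never the protected content.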
Wow! We did it. Are you also thinking about Remote Command Execution? Let's try entering apache2; ls -la
Excellent! We can do that! I have uploaded a PHP backdoor using nc.
Awesome!
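The admin page evidently hands a form value (the service name "apache2") to a shell, which is why appending "; ls -la" runs a second command. As an added example, not the VM's own code, here is that pattern next to two hardened versions; the field name and the assumption that the page checks a service's status are mine.

```php
<?php
// Added example, not the challenge's own admin.php. Assumed: a form field
// holds a service name and the page reports that service's status.

// Vulnerable pattern: the raw value lands in a shell command line, so ";",
// "|", "$()" and friends start a second command.
function service_status_vulnerable(string $service): string {
    return (string) shell_exec("service $service status");
}

// Hardened: allowlist the handful of values the page actually needs.
const ALLOWED_SERVICES = ['apache2', 'ssh', 'mysql']; // assumed list

function service_status(string $service): ?string {
    if (!in_array($service, ALLOWED_SERVICES, true)) {
        return null; // unknown value: refuse it, do not try to "clean" it
    }
    // escapeshellarg() single-quotes the value, so even an allowlisted
    // entry cannot be reinterpreted by the shell.
    $cmd = 'service ' . escapeshellarg($service) . ' status';
    return (string) shell_exec($cmd);
}

// Better still: no shell at all. proc_open() with an array argv (PHP 7.4+)
// executes the binary directly, so shell metacharacters have no meaning.
function service_status_noshell(string $service): ?string {
    if (!in_array($service, ALLOWED_SERVICES, true)) {
        return null;
    }
    $proc = proc_open(['service', $service, 'status'], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}
```

Running the web server as a dedicated low-privilege user (the walkthrough's `ls -la` ran as the Apache account, which is the usual setup) limits what such a bug yields, but it does not remove it; the allowlist plus a shell-free invocation does.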
TBU