Hello, in this article I will show you step by step how to solve Kioptrix Level 2. The goal of this CTF is to become root.
Level: Easy
Steps
- Discovering the target's IP address with the Netdiscover tool
- Detecting open ports with the Nmap tool
- Bypassing the login panel with SQL Injection
- Getting access to the target machine through an OS Command Injection vulnerability
Starting from the Kali machine's own IP address and subnet, the IP address used by the target machine was determined with the following command.
netdiscover -r 192.168.43.0/24
The detection of open ports on the target machine was done as follows.
nmap -A -Pn -n -sV -sC -p- --reason 192.168.43.24
The work continued on port 80. Visiting the HTTP server revealed a login page (shown in the original screenshot). Whenever a page with this or a similar design is seen, the first things to try are logging in with default credentials and an SQL Injection login bypass.
Here, the login was bypassed with SQL Injection using the following values.
username : admin' or '1'='1
password : admin' or '1'='1
After bypassing the login page, index.php was displayed. Looking at this page more closely, it was quickly noticed that it takes an IP address from the user and runs a ping against it in the background.
Because the supplied value is passed to the operating system shell, a command entered in the format below is interpreted by the OS (OS Command Injection / Remote Code Execution); the output of the injected command on the target machine is obtained blindly.
localhost -c 1 | <OS Command>
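The two weaknesses used above (the string-built login query and the ping form that hands user input to a shell) are shown side by side with their fixed versions below. This is an added example, not code from the Kioptrix machine; the table layout and the credential `S3cretPass!` are constructed.

```python
import ipaddress
import re
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory user table standing in for the target's login backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    return db


def login_vulnerable(db, username, password):
    # String-built query: the quote in "admin' or '1'='1" closes the literal and
    # the trailing OR '1'='1' makes the WHERE clause true for every row.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, username, password):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Plain hostname labels only: no spaces, pipes, semicolons or other shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_ping_target(value):
    """Accept an IP literal or a plain hostname; reject anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def ping_argv(value):
    # Build an argv list for subprocess (no shell involved) only after validation,
    # so "localhost -c 1 | id" is rejected instead of reaching the OS.
    if not valid_ping_target(value):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "1", value]


def run_ping(value):
    return subprocess.run(ping_argv(value), capture_output=True, text=True, timeout=10)
```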
After this stage, a script that opens a reverse shell from the target machine using bash's /dev/tcp pseudo-device is written to /tmp/reverse.sh on the target.
Instead of /dev/tcp, a shell could technically be obtained with other methods as well. Here, to keep this step simple, the payload is written to a .sh file and executed.
The reverse shell is obtained by first listening on the chosen port on the Kali machine with the command below, waiting a moment, and then running the script on the target.
nc -nvlp 9999
After this step, the usual privilege escalation checks were performed on the target machine and nothing notable was found. As a last resort a kernel exploit was tried, and root rights were obtained on the machine with “9542.c” from ExploitDB.
Summary
- I think it is a machine that shows how to easily gain access to the target machine by trying SQL Injection Login and then using OS Command Injection.