Thursday, June 7, 2018

Kioptrix - Level 1.3 (#4)


KIOPTRIX - Level 1.3 (#4)

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.3 (#4)


- Kioptrix Level 1.3 (#4) can be downloaded from here:


https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

 


- Once downloaded, extracted and opened with WMware:






2 - ENUMERATION

- First, using netdiscover let's notice that the only IP address in the local network working with WMware is 192.168.1.14, so it should correspond to the vulnerable machine Kioptrix:





- Scanning with Nmap:




- Using nbtscan:





- enum4linux discovers that there are at least 5 users: nobody, robert, root, john, loneferret.




- dirb scans the structure of the website:



- Connecting directly to the web server there is a Member Login:



- Images: 




 - john user's webpage:





3 - EXPLOITATION


- Let's discover if there is a chance of SQL injection:



- According to the server's answer the file /var/www/checklogin.php holds interesting information about the login process, what could be of use later:




- Entering a basic SQL injection:
 






- Surprisingly, the password for user john is revealed: 





- Same thing for the user robert (beware of its base64 encoded appearance, it could be misleading):



- However, there is no successful result for the rest of the users, for instance for user root:




- Now, let's use the credentials for connecting via SSH with users john and robert






- It seems that the available shell is very limited:
 




- All information about lshell and how to bypass it:


https://www.aldeid.com/wiki/Lshell


- Trying to get a better shell with os.system('/bin/bash'):




4 - PRIVILEGE ESCALATION


 - Checking what's inside the /home directory:




- It is interesting to see that there are some references to a MYSQL database:





- Trying to enter the database with root privileges, we have the gift that the administrator of the database forgot to set a password for the user root: 



- Showing databases:



- We discover the same username/password information that already knew: 






- From the enumeration step we know that /var/www/checklogin.php has information about the login process:




- Opening /var/www/checklogin.php there is no password for root, as expected:



 

- So, the conclusion is that the mysql database can be run with root privileges and no password.

- The approach to achieve Privilege Escalation will be to take advantage of the fact that the database is being run as root with no password.

- We can run a User Defined Function (UDF) to execute commands on the underlying operating system:


http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html


lib_mysqludf_sys is an UDF library with functions to interact with the execution environment in which MySQL runs.

Luckily, we already have it installed




- Otherwise it could be downloaded from here:

https://github.com/mysqludf/lib_mysqludf_sys


- One of the UDF funcions is sys_exec, what executes arbitrary commands like for instance usermod -a -G admin john , modifying the user john's account by appending it to the admin group, and giving him root privileges:




- Now, a root shell is achieved: 





5 - CAPTURING THE FLAG

- Going to the /root folder: