Kioptrix 4

Kioptrix 1.3 #4

Enumeration

Started by running nmap scans on the target machine.

nmap -p- -sV -T 4 192.168.100.246

nmap output

Alright so we’ve got:

- 22 OpenSSH 4.7p1
- 80 Apache 2.2.8 with Suhosin-Patch also PHP/5.2.4
- 139 Samba SMBD
- 445 Samba SMBD

The last couple of machines I had done had been web apps, so I started with Samba first. Using the Nmap Scripting Engine, or NSE for short, I ran the smb-enum-shares script to see what kind of shares I could find.

nmap -p 139,445 --script=smb-enum-shares 192.168.100.246

smb-enum-output

Alright, so we see Anonymous has READ and WRITE perms to IPC$. I can also tell that the NetBIOS name is Kioptrix4 and confirmed it’s more than likely an Ubuntu box.

I tried to connect to IPC$ and got connected, but didn’t see anything I could use.

enum4linux -R 3000-3050 192.168.100.246

I ran enum4linux with -R 3000-3050 because this is a Samba server and the Samba RIDs usually start at 3000.

Enum4linuxoutput

From the above command, we can see that there were three usernames found via RID cycling the Samba server.

  • KIOPTRIX4 loneferret
  • KIOPTRIX4 john
  • KIOPTRIX4 robert

So we have three users. I used those with enum4linux to see if I could find any extra information, but could not. I decided I had spent enough time on Samba and went ahead and started looking at port 80.

LigGoat Secure Login

So we’ve got a web login form. Immediately I think authentication bypass via SQL, since a previous Kioptrix box had a bypass.

Owasp SQLi Injection

I started trying various injections to see if I could get some non-standard behavior.

SQLerror

' or 1=1

In both fields, this caused the error above. I know there’s got to be an injection possible, so I keep working on it.

loneferret

The username loneferret from the Samba output and the SQL injection 'or'1'='1 caused me to get a new error message!

Local Shell

So loneferret didn’t have any info. What about the other two users? (Took me entirely too long to figure that out and to hit the actual logout button.)

John and Robert both produce a control panel response.

john

robert

Looks like we have found two sets of credentials, let’s try to SSH into the box to get a foothold.

john2

As you log in you will see the welcome message saying that you are in a restrictive shell called LigGoat shell.

By using the help command we can see what commands we can use. From doing PWK, I know that echo can be used to escape restricted shells.

For reference, there is a handy cheatsheet here for jail shell escapes.

echo os.system('/bin/bash')

Yay! A full tty non-restrictive shell.

The first thing I do when I get a local shell is id and uname -a, so I can see which user I am, as well as hopefully what platform or kernel I am on.

uname

Kernel version 2.6.24-24 is an older kernel, so Dirty COW is an option. Dirty COW affected every version of Linux from 2.6.22 till 3.9, with multiple POCs available to work with. Before I Dirty COW the machine, though, I want to look further at what else I can find.

MySQL is running as root, and after running linuxprivchecker.py and LinEnum.sh, the output shows that the MySQL root user can be logged into locally without a password.

mysql -u root

I dumped the tables and played with the MySQL DB for a bit, but in the end I used Firefart’s Dirty COW POC. I think the other exploit might have been the raptor User-Defined Function exploit. That one taught me a lot when I used it last time. I had never used Dirty COW, and since it’s been out for two years, why not!

Root

Firefart’s POC: I downloaded it and compiled it on my machine, or tried to. I ended up taking a detour to troubleshoot why I couldn’t get it to compile. Turns out gcc multilib was not installed, as this is a fresh VM. Whoopsie. After installing gcc-multilib it compiled fine with the following command.

gcc -m32 -pthread dirty.c -o dirty -lcrypt

The -m32 allows me to cross compile the code from a 64-bit machine to a 32-bit bin.

After that, transfer the bin over, chmod a+x it, run the exploit, then su or ssh in and copy the passwd file back.

Root

Lessons Learned

Learned that the Samba RIDs usually start between 3000-3050; this was a handy trick.

Cross compilation errors are always fun, but easy to solve if you take time and read the errors. Stack Exchange is your friend.

There was more than one way to get root, so says congratz.txt, and this box was fun. I will come revisit it sometime.

White space can cause SQL injection errors. ' or 1=1 and 'or'1'='1 and 'or'1'='1' open and close quotes and other symbols can cause some different errors as well. The more I learn about manual bypass/injection the better I understand it. sqlmap --wizard needs to stay away so I can learn more advanced injection techniques.

While I was perusing OWASP I found Server-Side Template Injections; this looks fun and probably something I need to play around with soon.
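Why those payloads produce different results, and what the fix looks like, as an added example that is not part of the original write-up and not the target's code. It assumes the login page concatenates each field into a single-quoted SQL string (the server-side query is never shown on the page) and uses an in-memory SQLite table with constructed data in place of the box's MySQL database; the table and function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data; the real application's schema is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES ('john', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    # Assumed query shape: input pasted between single quotes.
    sql = ("SELECT username FROM members WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # The input left an unbalanced quote, so the statement no longer parses.
        # This is the "SQL error" page: a sign the input reaches the parser.
        return "sql-error"
    return "logged-in" if row else "denied"


def login_parameterized(db, username, password):
    # Hardened form: the driver binds the values, so quotes in the input
    # are compared as data and never change the statement's structure.
    row = db.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return "logged-in" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    for payload in ("' or 1=1", "'or'1'='1", "wrong-guess"):
        print(repr(payload),
              "| concatenated:", login_vulnerable(db, "john", payload),
              "| parameterized:", login_parameterized(db, "john", payload))
```

With concatenation, ' or 1=1 leaves the application's closing quote dangling and the query fails to parse, while 'or'1'='1 reuses that closing quote and turns the WHERE clause into an always-true condition. The parameterized version returns "denied" for both.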