
Thursday, June 7, 2018

Kioptrix - 2014 (#5)


KIOPTRIX - 2014 (#5)

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix 2014 (#5).

- Kioptrix 2014 (#5) can be downloaded from here:

https://www.vulnhub.com/entry/kioptrix-2014-5,62/





- Once downloaded, extracted and opened with VMware:






2 - ENUMERATION

- First, netdiscover shows that the only IP address on the local network belonging to VMware is 192.168.1.159, so it should correspond to the vulnerable Kioptrix machine:






- Scanning with Nmap, there are only two open ports (80 and 8080), both running the Apache web server.




- It is also interesting that Nmap's OS detection reports FreeBSD 7.0|8.0|9.0.

- Using dirb to check the contents of the website:




- Connecting to the web server on port 8080, the answer is a Forbidden message:



- Connecting to the web server on the other open port, 80, the default "It works!" page is shown:




- Viewing the page source, we detect the presence of pChart 2.1.3:






- pChart is a PHP library for creating anti-aliased charts and images directly on the web server.

http://www.pchart.net/


- Browsing the contents of the pChart2.1.3 folder:







- For instance, opening the /examples folder:






3 - EXPLOITATION

- First, let's check whether there is any known vulnerability affecting pChart 2.1.3:




- It seems that there are a number of vulnerabilities affecting the /examples folder:





- Let's focus our attention on the Directory Traversal vulnerability:





- Crafting the Directory Traversal URL to our needs:




- The attack is successful:




- At this point, let's remember (from Nmap) that we are dealing with a FreeBSD 7.0|8.0|9.0 operating system and an Apache 2.2.21 web server.

- On FreeBSD, the configuration file for this Apache version is located at /usr/local/etc/apache22/httpd.conf:


https://www.freebsd.org/doc/handbook/network-apache.html


- Now, let's craft the URL to see what can be learned from httpd.conf:




- The Directory Traversal attack is again successful:
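The two traversal requests above leave a clear trace in the Apache access log. As an added example, not part of the original post, the following Python script scans constructed log lines for requests to the pChart examples folder whose query parameters carry a traversal sequence, including percent- and double-encoded variants. The hosts, timestamps, sizes and status codes in the sample are made up; Script is the parameter name the pChart examples page reads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache "combined" log lines (not from the original post): hosts, times,
# sizes and status codes are made up; Script is the parameter pChart's examples page reads.
SAMPLE_LOG = """\
192.168.1.10 - - [07/Jun/2018:10:01:02 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=../../../../../../etc/passwd HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
192.168.1.10 - - [07/Jun/2018:10:01:09 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=..%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fapache22%2Fhttpd.conf HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.168.1.11 - - [07/Jun/2018:10:02:30 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.basic.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.168.1.12 - - [07/Jun/2018:10:03:00 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
EXAMPLES_PATH = "/pchart2.1.3/examples/"   # compared case-insensitively

def fully_decode(value, rounds=3):
    """Peel up to `rounds` layers of percent-encoding so %2e%2e and %252e%252e both read as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when the decoded value contains a '..' path segment or is an absolute path."""
    decoded = fully_decode(value).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")

def find_traversal_requests(log_text):
    """One finding per request under the pChart examples path whose query carries a traversal value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not fully_decode(url.path).lower().startswith(EXAMPLES_PATH):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if is_traversal(value):   # parse_qsl already removed one encoding layer
                findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                 "param": name, "value": fully_decode(value),
                                 "user_agent": m.group("ua")})
                break
    return findings
```

Calling find_traversal_requests(SAMPLE_LOG) returns three findings: the /etc/passwd and httpd.conf reads from 192.168.1.10 and the double-encoded attempt from 192.168.1.12, while the benign chart request is ignored. A 404 still counts, since a failed traversal attempt is worth an alert as much as a successful one.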





- Note the last part of the output: to connect successfully to port 8080, the User-Agent header must be Mozilla/4.0.

- Connecting to 192.168.1.159:8080 with curl and specifying "User-Agent: Mozilla/4.0", an entry named phptax appears:




- phptax is an old web application for calculating US income tax returns.

- Now the browser's default User-Agent must be changed to the required Mozilla/4.0. To do that, open about:config and accept the risk warning:





- Searching for useragent and creating a new String preference:




- Entering the new string's name and value:







- Now the connection to 192.168.1.159:8080 is successful and the phptax directory is listed:







- Metasploit has a module for exploiting phptax:








- Setting options:




- Running the exploit, a limited shell is obtained as user www:




4 - PRIVILEGE ESCALATION

- Getting an sh shell:



- Remember that the operating system is FreeBSD 9.0:




- Googling for FreeBSD 9.0 vulnerabilities:




- There is an interesting one for privilege escalation:





- Downloading the exploit and copying it to a working directory:




- Setting up a netcat listener in order to transfer the exploit to the victim machine:




- Doing the same on the victim's side (/tmp is writable), the transfer is finally successful:






- Listing the exploit:



- Compiling:





- Running the exploit, a root shell is achieved:






5 - CAPTURING THE FLAG

- Going to the /root folder:





etc ...







Kioptrix - Level 1.3 (#4)


KIOPTRIX - Level 1.3 (#4)

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.3 (#4).


- Kioptrix Level 1.3 (#4) can be downloaded from here:


https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

 


- Once downloaded, extracted and opened with VMware:






2 - ENUMERATION

- First, netdiscover shows that the only IP address on the local network belonging to VMware is 192.168.1.14, so it should correspond to the vulnerable Kioptrix machine:





- Scanning with Nmap:




- Using nbtscan:





- enum4linux discovers that there are at least 5 users: nobody, robert, root, john and loneferret.




- dirb scans the structure of the website:



- Connecting directly to the web server, there is a Member Login form:



- Images: 




- User john's webpage:





3 - EXPLOITATION


- Let's check whether there is a chance of SQL injection:



- According to the server's response, the file /var/www/checklogin.php holds the login logic, which could be useful later:




- Entering a basic SQL injection:
 






- Surprisingly, the password for user john is revealed:





- Same thing for user robert (beware of its base64-encoded appearance, which could be misleading):



- However, there is no successful result for the rest of the users, for instance root:
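As an added example that is not part of the original post, the following Python code models the login behind checklogin.php with an in-memory SQLite table (constructed users and passwords) and contrasts the injectable string-built query with a parameterized one: the first accepts the classic tautology and errors out on a lone quote, the kind of server response that revealed the injection point above, while the second treats the same input as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for the members table behind checklogin.php.
# The usernames are the ones enumerated on the box; the passwords are made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("john", "constructed-pw-1"), ("robert", "constructed-pw-2")])
    return db

def login_concat(db, username, password):
    """Injectable pattern: form fields pasted straight into the SQL string."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, username, password):
    """Hardened form: bound parameters stay data, so a quote cannot change the query."""
    row = db.execute("SELECT username FROM members WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None

def quote_breaks_query(login, db):
    """True when a lone quote in the username makes the backend raise a SQL syntax error,
    which is the server behaviour that gives away an injection point."""
    try:
        login(db, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("concat, tautology :", login_concat(db, "john", "' OR '1'='1"))   # john
    print("param,  tautology :", login_param(db, "john", "' OR '1'='1"))    # None
    print("concat breaks on ':", quote_breaks_query(login_concat, db))      # True
    print("param  breaks on ':", quote_breaks_query(login_param, db))       # False
```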




- Now, let's use the credentials to connect via SSH as users john and robert:






- It seems that the available shell is very limited:
 




- Information about lshell and how to bypass it:


https://www.aldeid.com/wiki/Lshell


- Trying to get a better shell with os.system('/bin/bash'):




4 - PRIVILEGE ESCALATION


- Checking what's inside the /home directory:




- It is interesting to see that there are some references to a MySQL database:





- Trying to enter the database as root, we get the gift that the database administrator forgot to set a password for the root user:



- Showing databases:



- We discover the same username/password information that we already knew:






- From the enumeration step we know that /var/www/checklogin.php has information about the login process:




- Opening /var/www/checklogin.php, there is no password for root, as expected:



 

- So, the conclusion is that the MySQL database runs with root privileges and no password.

- The approach to achieve Privilege Escalation will be to take advantage of the fact that the database is being run as root with no password.

- We can use a User Defined Function (UDF) to execute commands on the underlying operating system:


http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html


lib_mysqludf_sys is a UDF library with functions to interact with the execution environment in which MySQL runs.

Luckily, it is already installed:




- Otherwise it could be downloaded from here:

https://github.com/mysqludf/lib_mysqludf_sys


- One of the UDF functions is sys_exec, which executes arbitrary commands, for instance usermod -a -G admin john, which modifies user john's account by appending it to the admin group and thereby gives him root privileges:




- Now, a root shell is achieved:





5 - CAPTURING THE FLAG

- Going to the /root folder: