Today I’ll be demonstrating how to compromise the fourth box in the Kioptrix series. This was the first box that stretched me as a fledgling penetration tester: escaping a restricted shell and escalating privileges without using a magical kernel exploit (because I was too lazy to install the missing libraries in Kali so I could cross-compile from 64-bit to 32-bit Linux... 😁)
As with the third box in this series, there are lots of ways to exploit this one. I’m just going to demonstrate the approach I used. I might add an appendix at the end with some of the other routes to compromise, if people want that!
Limited attack surface again! Just SSH, HTTP and Samba running on the box.
I spent some time trying to compromise the Samba install with enum4linux and smbmap, but aside from some basic information disclosure I didn’t find anything too spicy.
Upon visiting the web app on port 80, a login page appears –
After prodding a bit, it seems that the app is vulnerable to SQL injection. For a change I used sqlmap to compromise the login for us and save some legwork.
I used the most excellent Burp Suite to intercept a login request, saved it to a file and passed that to sqlmap with the -r option, then let it go to work.
The following commands –
sqlmap -r login.req --dbms=mysql --risk=3 --tables
sqlmap -r login.req --dbms=mysql --risk=3 -D members -T members --dump
– yielded the following l00t:
Which provides us with the login to the website.
It’s worth noting that because the MySQL instance on the box runs as ‘root’, sqlmap’s --os-shell and --os-pwn options can be used to gain a limited shell on the box as the www-data user. Pretty cool 🙂
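The login form above falls to sqlmap because user input is spliced into the query text. The following is an added example, not code from the Kioptrix box or this write-up: a login check written the broken way beside the parameterised version, run against an in-memory SQLite table with one constructed user (table and column names are assumptions).

```python
"""Added example (not from the Kioptrix 4 write-up): a string-built login query
beside its parameterised replacement, exercised on a constructed SQLite table."""
import sqlite3

# Constructed input: a quote that closes the string literal plus an always-true
# clause, the textbook way to turn a concatenated WHERE clause into a tautology.
INJECTED_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Throwaway 'members' table with one constructed user (names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input becomes part of the SQL text itself: the injection bug."""
    sql = (
        "SELECT username FROM members WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders ship the values separately from the statement, so quotes in
    the input are data and can never change the query's structure."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both checks with real and injected credentials; returns the outcomes."""
    conn = make_db()
    return {
        "vuln_real_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, INJECTED_INPUT, INJECTED_INPUT),
        "fixed_real_creds": login_fixed(conn, "alice", "s3cret"),
        "fixed_injected": login_fixed(conn, INJECTED_INPUT, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The parameterised query is the fix for the injection; the separate lesson from this box is that the account the app connects with should be a dedicated, low-privilege database user rather than root, so that an injection cannot be turned into file writes or OS commands.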
So, freshly armed with some credentials, we can log into the app. Nothing exciting is available here aside from an LFI vulnerability on the “username” parameter, which allows us to read some files on the box (but with www-data permissions, so none of the spicy stuff is available, sadly).
After obtaining the passwd file with a parameter of ?username=../../../../etetcc/passwd (the app strips the string ‘etc’ from the parameter, so embedding it as etetcc means the characters left behind once the filter has removed the inner match spell ‘etc’ again) I noticed that “john” and “robert” are valid users on the box, which means that we might be able to use those passwords to...
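The etetcc trick works because the app's filter removes a substring once and then trusts what is left. As an added example that is not the box's code, here is that deny-list filter beside the check that actually holds: canonicalise the path and require the result to stay inside the directory the app is allowed to serve. The base directory, file names and the traversal string are constructed for the demo.

```python
"""Added example (not from the Kioptrix 4 write-up): substring stripping versus
path canonicalisation as a defence against directory traversal."""
import os
import tempfile


def naive_filter(param: str) -> str:
    """Deny-list style: delete every non-overlapping 'etc' once.  'etetcc' loses
    its inner 'etc' and the surviving characters re-form 'etc'."""
    return param.replace("etc", "")


def resolve_under(base: str, param: str):
    """Allow-list style: resolve the request to an absolute path and accept it
    only if it lies inside `base`.  Returns the path, or None when rejected.
    An absolute `param` makes os.path.join discard `base`, and realpath
    collapses '..' and symlinks, so the prefix test is what decides."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, param))
    # The trailing separator stops '/srv/www2' from passing as inside '/srv/www'.
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Build a constructed users directory and try a legitimate and a traversal request."""
    traversal = "../../../../etetcc/passwd"  # the write-up's request, reused as sample input
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "www", "users")
        os.makedirs(base)
        with open(os.path.join(base, "alice"), "w", encoding="utf-8") as fh:
            fh.write("constructed profile for alice\n")
        return {
            "after_naive_filter": naive_filter(traversal),
            "traversal_allowed": resolve_under(base, traversal) is not None,
            "filtered_then_checked": resolve_under(base, naive_filter(traversal)) is not None,
            "legit_allowed": resolve_under(base, "alice") is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `resolve_under` is that it never reasons about what the string contains; it reasons about where the string resolves to, so there is no encoding or nesting trick left to find.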
Attempting to SSH into the box as john (or robert, your choice) with the password MyNameIsJohn is successful, but drops us into a limited shell (courtesy of the lshell Python script). A bit of Googling led me to try echo os.system("/bin/bash") to escape the shell, which worked a treat –
If you look closely in the transparent background of the terminal you can see my attempt to read the lshell source code using the LFI vulnerability in the website.
All that’s left now is to perform some……….
As mentioned in the introduction, there is a good sock_sendpage kernel exploit for this old kernel (2.6.24-server), but because I was too lazy to cross-compile the exploit from Kali I went hunting for another attack vector, which presented itself in the form of MySQL running as root (with the web app providing the credentials for the database: root with a blank password).
Really, really fun box to compromise and the first one in the series to properly challenge me.
The key takeaway from this is not to run MySQL as root with weak credentials, because it gives attackers a free way to escalate their privileges. A secondary takeaway from this box is that limited shells should operate a command whitelist, not a command blacklist (and there’s almost always a way to escape the shell).
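To make the whitelist-versus-blacklist point concrete, here is an added example that is neither lshell's code nor anything from the write-up: a deny-list check that judges only the first word of a line, beside an allow-list runner that tokenises the line, refuses shell metacharacters outright, accepts only a fixed set of command names and executes without a shell. The allow and deny sets are constructed for the demo.

```python
"""Added example (not lshell, not from the Kioptrix 4 write-up): a deny-list
gate beside an allow-list restricted command runner."""
import shlex
import shutil
import subprocess

DENY_LIST = {"bash", "sh", "python", "perl"}   # constructed deny list
ALLOW_LIST = {"ls", "id", "pwd", "echo"}       # constructed allow list
META = set(";|&$`<>(){}")                       # characters a shell would interpret


def denylist_check(line: str) -> bool:
    """Deny-list style: permit the line unless its first word is a known-bad name.
    Everything after the first word is never examined."""
    words = line.split()
    return bool(words) and words[0] not in DENY_LIST


def allowlist_vet(line: str):
    """Allow-list style: return argv for a plain invocation of a permitted
    command, or None.  Metacharacters are refused before tokenising so the line
    can never be handed to anything that would re-interpret it."""
    if any(ch in META for ch in line):
        return None
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOW_LIST:
        return None
    return argv


def run_restricted(line: str):
    """Execute a vetted line with execve semantics (no shell); None if refused."""
    argv = allowlist_vet(line)
    if argv is None:
        return None
    exe = shutil.which(argv[0])
    if exe is None:
        return None
    # shell=False: argv is passed as a list, the string is never parsed again.
    proc = subprocess.run([exe] + argv[1:], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    for sample in ['ls -la /tmp', 'echo hello', 'cat /etc/passwd', 'echo os.system("/bin/bash")']:
        print(f"{sample!r}: denylist={denylist_check(sample)} allowlist={allowlist_vet(sample)}")
```

The line from the write-up, echo os.system("/bin/bash"), sails through `denylist_check` because its first word is echo; `allowlist_vet` refuses it on the parentheses alone, and even a permitted echo is only ever run as a plain argv with no shell in the loop.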
Looking forward to trying number 5 in the series (the final box)!