The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded on: vulnhub

The challenge

The challenge or goal of the machine lists the following:

Get root!
**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**

https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three. Since what we downloaded is a virtual hard drive, a .vmdk file we have to do the following in Vmware workstation since it is not possible to just import it.
1. Create a new virtual machine
2. Select custom (advanced), otherwise we won’t be able to select a custom virtual hard drive.
3. Make a new Linux virtual machine and go through the steps till “select a disk”
4. Select use an existing virtual disk and select the downloaded disk.
5. Go through the process and make the virtual machine.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.134.

So to start of the machine we scan the machine for open ports with nmap. We will do two scans; nmap -sV -sC 192.168.0.134 -oA nmap and nmap -sV -sC 192.168.0.134 -p- -oA fullnmap. The parameter breakdown:
The -sV is for service and version enumeration,
The -sC is for basic script usage.
We use -p- to do a full port scan.
We use -oA to save all output to a couple different files.

So we got port 22 ssh, 80 http, 139 and 445 for samba netbios.

This is probably one of these machines where we have to exploit samba, but the enum4linux script is still broken. Which enumerates Samba. Lets see if we can use it this machine or that we have to use Metasploit. But to start of again. Lets run our Nikto and Dirb on the http service and have a manual look at the web page. We use nikto -host http://192.168.0.134 -output nikto.txt and dirb http://192.168.0.134 -o dirb. Nothing special about these commands, we again save the output to a text file.

The website shows us a login page:

Exploitation

Lets try some basic SQL injection and basic login credentials such as ' or 1=1 #, ' or 1=1 -- and admin:admin. We instantly get some errors.

and some sql error when we try ' , looks vulnerable to SQL injection. I checked the nikto and dirb results and there is a /john/ directory.

So I tried a SQL injection with the username john and password ' or 1=1# and we are logged:

The credentials are john:MyNameIsJohn. Lets try to SSH with ssh john@192.168.0.134 and supply the password. We are logged in as john:

Privilege escalation

So we got a limited shell as john, which it says is the ligGoat shell. Seems like a made up shell. With the ? command we can see the command which we are allowed to use. Which are cd clear echo exit help ll lpath ls. We are not allowed to go out of the home directory. Does not seem like we can do to much since I got kicked out twice already.

I tried the following shell escapes but I had no luck. Seems like a dead end for now.

Information gathering SMB

Back to finding more information about the SMB ports. Since enum4linux is still not running fully I have to rely on metasploit. We can start metasploit with msfconsole and with search smb we can find all the modules related to samba. Lets use auxiliary/scanner/smb/smb_version to check the SMB version. We have to set the RHOST variable which we see empty if we do show options. We can set RHOST with set RHOST 192.168.0.134. If we do run the module will run.

Seems like it is running Samba 3.0.28a. So looking up any relevant exploits with searchsploit lead me to nothing. After this machine I will try to find a resolution for enum4linux or find some other script/tools to use to enumerate samba. There should be some nmap script available.

Privilege escalation

So after fucking around with SMB and not finding anything I thought to myself and go back to the limited shell. I managed to break out with echo os.system('/bin/bash'). A command normally used to spawn a tty shell. But I guess you can use it to break out of a limited shell if there is python installed and you can use echo.

The contents of /etc/passwd tells us there are a couple more users: loneferret and robert. Robert has a kshell and loneferret has a normal /bin/bash shell. In the home directory of loneferret is an interesting sql history file, but not readable by us. After looking around in the /var/www directory I found database credentials. The username is root and there is no password -_-

To connect to the database we can use mysql -u root. We can use the following commands to check into the database:

show databases;
use members;
select*from members;

This gives us an encoded password for robert. Since it ends with == it seems to be base64 decoded. Which we can decode easily. But it doesn’t seem like a its base64.

Jokes on me, the password of rober is just ADGAdsafdfwt4gadfga==. With su robert and the password we are now the Robert user. We are in the limited shell again so lets use your echo command to escape. echo os.system ('/bin/bash') But this isn’t allowed for robert? Dammn. Tried it again and it is because there is a space between system and (. Okay then… Mistakes can happen. echo os.system('/bin/bash') works! I went back to John and had the same error when I pasted it. Stupid space.

We are the robert user now, but there isn’t anything special he can do so we become root. To do the enumeration we can use https://github.com/rebootuser/LinEnum. So lets clone this to our /opt folder. Then copy the LinEnum.sh file to our /var/www/html directory. Start up apache2 and we can wget the .sh file on our target machine. But it does not connect 🙁

nc is not available either, git neither lets do some manual enumeration. When looking through the processes I found that mysql was running as root. We can already access the database as root. There should be a way to misuse this process and spawn a root shell? Lets google and came up to this article.

This didn’t work since I could not run gcc. After going crazy and looking up a walk-through I found out that I could use select sys_exec('usermod -a -G admin robert'); to add robert to the sudo group. Then we can do su root to change to the root user.

Flag

Leave a Reply

Your email address will not be published. Required fields are marked *