VulnHub – Kioptrix: Level 1.3 Walkthrough

Introduction

This was an easy Linux box. It involved exploiting a MySQL injection vulnerability to bypass authentication and obtain SSH credentials for remote access to the box, then abusing MySQL user-defined functions to execute commands as root and escalate privileges.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -oA to save the output in all formats available

The scan revealed that ports 22, 80, 139 and 445 are open, so the next best step is to start enumerating HTTP and SMB. A scan of all ports using the -p- Nmap flag did not reveal any additional ports:

Enumerating HTTP

When accessing the web server through a browser, a login page is displayed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

This identified /john.php and /robert.php, although navigating to them redirects back to the home page. These could be an indication of user names to try to authenticate as.

Exploiting SQL Injection to Bypass Authentication

When attempting to authenticate with the following payload as the password, an error is displayed, which indicates that SQL injection is probably the way to go:

adada' or 1=1 as pass

By commenting out the rest of the query with the following payload, the authentication can be bypassed:

asada' or 1=1-- -

Logging in as John and Robert reveals a clear-text password and a base64-encoded password:

This means the query used to perform the authentication will most likely look like the following:

SELECT * FROM table WHERE username = 'john' or 1=1-- -'

Since 1=1 is always true, the query allows login to the web application, and commenting out the rest of the query prevents it from generating an error.
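To make the bypass concrete, the following added example (not code from the original walkthrough or from the box) builds a constructed in-memory SQLite table and compares a login check built by string concatenation with a parameterised one; the table name, columns and passwords are assumptions, since the box's real schema is not shown.

```python
import sqlite3


def make_db():
    """Constructed sample login table standing in for the box's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("john", "constructed-pw-1"), ("robert", "constructed-pw-2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation, as the error on the
    login page suggests the box does. Returns the list of matched users,
    or None when the database raises an error (a broken quote)."""
    query = (
        f"SELECT username FROM members WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        return [row[0] for row in conn.execute(query).fetchall()]
    except sqlite3.Error:
        return None


def login_safe(conn, username, password):
    """Same check with bound parameters: quotes, OR clauses and comment
    markers inside the values are compared as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Unterminated quote from the first payload: the DB raises an error.
    print(login_vulnerable(db, "john", "adada' or 1=1"))
    # Commented-out tail: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(db, "john", "asada' or 1=1-- -"))
    # Parameterised query: the same payload matches nothing.
    print(login_safe(db, "john", "asada' or 1=1-- -"))
```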

It turns out the credentials for the John user belong to a user on the machine and they can be used to authenticate via SSH:

Privilege Escalation

When using the ps command to list processes running as root, it appears that MySQL is one of them:

Since MySQL is running as root, user-defined functions could be used to execute code as root. A user-defined function is a way to extend MySQL with a new function that works like a native MySQL function such as CONCAT(). This requires the lib_mysqludf_sys.so library, which already existed on the machine.

From the checklogin.php file used for the authentication, it looks like the MySQL password is blank:

Authenticating into MySQL as the root user using a blank password:

The following steps create a new user-defined function and use it to execute the id command as root:

  • Selecting the mysql database.
  • Creating a new “john” table.
  • Inserting the contents of the lib_mysqludf_sys.so file into the john table.
  • Creating a new sys_exec function that allows execution of arbitrary commands; it appears this already existed on the system.

As shown above, by using a SELECT statement with the sys_exec function and providing the command to run as an argument, the id command was executed as root.

Copying the /etc/passwd file to the current working directory and editing the user and group IDs of the John user to "0", i.e. the root user:

Logging back into MySQL and using the sys_exec function to replace the /etc/passwd file with the new one:

Logging out and back in as John now provides a root shell, as John is now a root user. Viewing the flag:

Conclusion

This was a really fun box. The MySQL injection vector was pretty straightforward, although the user-defined function exploitation was very interesting and not something that comes up very often during capture the flag challenges, even though it is probably not that uncommon in the real world.