The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on the list and it can be downloaded on: vulnhub

The challenge

The challenge or goal of the machine lists the following:

Get root!
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com.

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Privilege escalation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command nmap -sn 192.168.0.0/24 for this. The target machine is 192.168.0.133.

To start of lets do a normal nmap scan with service and basic script enumeration and another one that scans all the ports. nmap -sV -sC -vv 192.168.0.133 -oA nmap and nmap -sV -sC -p- 192.168.0.133 -oA fullnmap.

The information page of Kioptrix said we had to edit our host file and add kioptrix3.com with the IP address. Lets do this so we can go to the domain. The host file is located at /etc/hosts. We should add 192.168.0.133 kioptrix3.com.

While nmap is running and we know there is a webserver running we can run Nikto to get some possible vulnerabilities and Dirb to bruteforce existing directories. We use nikto -host http://192.168.0.133 -output nikto.txt and dirb http://192.168.0.133 -o dirb for this. Although we might need to change the http://192.168.0.133 to kioptrix3.com since we added this to our host file. We will see!

Lets have a look at the all port nmap scan. It shows us 2 ports, 22 and 80. Not much to go off except the webserver. Which we are already scanning!

To start of lets have a manual look at the webpage. The copyright is from 2011, a bit old so there might be some vulnerabilities in the CMS. There is a link going to http://kioptrix3.com/gallery and the login page is powered by LotusCMS.

Lets try some manual SQL injection into the login form before we have a look at our nikto and dirb results. Which do not work. We tried ' or 1=1 # and ' or 1=1 --. The next thing to try is some basic login credentials as admin admin, admin admin123 etc. But we had no luck either.

Time to have a look at our Nikto and Dirb results:

We can see a /phpmyadmin directory. Which is always interesting. Maybe we can login with some basic credentials. We could log in with admin and an empty password. Oooh this is bad. After looking around it seems like it has no privileges and there is only the information_schema database it can view. So nothing to interested. Also it seems like we can login with any username as long as the password is blank. Don’t think the vulnerability is in here.

So I went back to the website and checked the /gallery/ webpages. I saw some photos and a dropdown menu with sorting options. After selected something I checked the URL and thought… I think this is vulnerable to SQL injection. So I changed the ID=1 to ID=’ and got an error.

We got an SQL error, this should be vulnerable!

Exploitation

So lets do a manual SQL injection, I’m not the best in it but I can get the job done normally. I always uses this website to help me through the steps. I should try harder to remember the steps, but to be honest, I always forget them after the first couple. So to start of I did the following steps: id=1 order by 1 and it gave us another SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by parentid,sort,name' at line 1Could not select category. Seems like it is doing some other things behind our SQL injection that is generating the error. You cant order twice. To combat this we can put -- or # at the end of our injection so it comments out the rest of the Query. -- Worked in this case.

Now we have to increase the order by 1 part till we get an error. We got an error at order by 7--. Meaning that there are 6 columns in the database. The next step is to use Union select to select all the 6 columns like id=1 union select 1,2,3,4,5,6--. If we use -1 union select 1,database(),3,4,5,6-- we get the database name where the title of the photo normally is. The database name is gallery.

The next step is to get the table names with the injection: id=-1 union select 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database() limit 0,1--. If we increase the limit 0,1 to 1,1 we get the next name of the table. We do this to get the names of every table:

Table 1: dev_accounts
Table 2: Gallarific_comments
Table 3: Gallarific_galleries
Table 4: Gallarific_fotos
Table 5: Gallarific_settings
Table 6: Gallarific_stats
Table 7: Gallarific_users

So table 1 and table 7 are both interesting. We need those names for our next injection. With the injection id=-1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name='dev_accounts'-- we get the columns of the dev_accounts table. Which are id,username,password. Lets get the contents of these with id=-1 union select 1,group_concat(username),3,4,5,6 from dev_accounts and id=-1 union select 1,group_concat(password),3,4,5,6 from dev_accounts.

The two logins are: dreg:0d3eccfb887aabd50f243b3f155c0f85 and loneferret:5badcaf789d3d1d09794d8f021f40f0e which seems to be hashed still.

With the hash-identiefier tool we can see that these hashes are MD5 hashes. We can try to crack these online.

The passwords are: dreg:Mast3r and loneferret:starwars. Two easy passwords.

Lets see if we can use these to login on the SSH port 22. This worked as the Dreg user and as loneferret ass well.

In the home directory of loneferret is a file named checksec.sh that comes from this website. searchsploit has no vulnerabilities for this .sh script. It is owned by root. There is another file called CompanyPolicy.README which seems interesting: It gives us the following message:

I got a feeling we have to do something with it. It looks like text editing software, and its already annoying me since I have no idea on how to use it.

Privilege escalation

So we can run the ht editor as root, meaning we can open and edit any file as root but we have to edit it in an hex editor like so:

Just like our previous priv escalation we can try to write a new line to /etc/passwd and set the root password. To do this we have to start ht with sudo -u root ht and then press F3 and open /etc/passwd. We have to open another terminal to make a hash of a password we want to set for this new line in /etc/passwd. We can use openssl passwd test to print a hash value for test.

We then use this hash in a new line in the /etc/passwd file. (Note this line has to have a different name but the same ID as the user you want to set a new pass. For example roott:2xo7E2d80TiR.:0:0:root:/root:/bin/bash.

Flag

Now we can use su roott, fill in our password test and we are root!

Leave a Reply

Your email address will not be published. Required fields are marked *