Kioptrix Level 3 — VulnHub

Abdul Wassay (aka HotPlugin)
6 min read · Jan 16, 2022


Kioptrix 1.2 — VulnHub

Introduction:

Hello everyone. In the previous writeup, I did Kioptrix Level 2. Today, I pwned the third box in the Kioptrix series. This was an easy box. There were two ways to gain an initial foothold: one by exploiting a SQL injection, the other through an RCE in the installed LotusCMS version. For privilege escalation, we had sudo access to the ht editor, through which we can write to the shadow or sudoers files. I'll show both methods, so let's start.

Method 1:

Scanning the machine shows only two open ports (SSH and HTTP). Although the Apache version was outdated, I couldn't find a public exploit for it.

Navigating to the web server, we find that it's some sort of blogging / content management system.

Then, navigating to the login page reveals that it's LotusCMS, and the footer of the homepage shows that it was last updated in 2011, so it may be vulnerable.

Googling LotusCMS vulnerabilities and exploits, we find that it's vulnerable to RCE.

https://www.exploit-db.com/exploits/18565

It was a Metasploit module, so I found a GitHub repo that had modified the exploit in a cool way.

Using the exploit from GitHub, I successfully got a reverse shell on the machine as the www-data user.

Then, I started some enumeration and found that there were two other users on the machine.

Then, I looked in the website directory in order to find credentials in config files, and found the MySQL DB credentials in the gconfig.php file.

Using the credentials, I logged into the DB and retrieved the hashed credentials of both users.

Then, using a hash identifier, I found that they were MD5 hashes. So, using hashcat, I successfully cracked the hashes and got plaintext credentials.

Using the found credentials, I successfully logged into the machine through SSH and started some enumeration.

Privilege Escalation:

Since the dreg user did not have sudo access, I switched to the loneferret user and found that he had sudo access to the ht editor.

So, I ran the ht editor with sudo, which revealed the version of the editor.

Googling the ht editor, I found that it was vulnerable to a buffer overflow that can give us a shell.

https://www.exploit-database.net/?id=17836

But I had something else in mind. Since we have sudo privilege on an editor, we can modify sensitive files like passwd, shadow, sudoers, etc.

So, pressing the F3 key, I opened the /etc/shadow file in edit mode; this file contains the password hashes of all users on the system.

Instead of cracking the root hash, I identified the hash type of the root hash, generated a new hash of the same type from a password of my own choosing on my attack box, and replaced the root hash with it.

After that, I saved the file by pressing F6 and exited the editor with F10. Then, I simply switched to root using the new password.
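The change just made, a root hash swapped in /etc/shadow through a sudo-able editor, is exactly what a defender would want to detect. The following is an added example of my own, not code from the original writeup: it parses shadow-format lines, compares them against a trusted baseline snapshot, and flags accounts whose hash changed, accounts that appeared or disappeared, and accounts still using a weak crypt scheme such as md5crypt. The user names mirror the box; the hash strings, salts and dates are constructed placeholders, not real hashes.

```python
import re

# crypt(5) prefix -> algorithm name.
CRYPT_ALGOS = {"$1$": "md5crypt", "$2y$": "bcrypt", "$5$": "sha256crypt",
               "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_ALGOS = {"descrypt", "md5crypt"}

# Constructed shadow snapshots for the box's users; the hash strings are
# placeholders, not real hashes.
BASELINE_SHADOW = """\
root:$6$saltsalt$BASELINEROOTHASHPLACEHOLDER:19000:0:99999:7:::
loneferret:$1$saltsalt$LONEFERRETMD5PLACEHOLDER:19000:0:99999:7:::
dreg:$6$saltsalt$DREGHASHPLACEHOLDER:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
"""
# Same file after the root hash has been replaced with an attacker-chosen one.
CURRENT_SHADOW = BASELINE_SHADOW.replace(
    "$6$saltsalt$BASELINEROOTHASHPLACEHOLDER",
    "$6$newsalt$REPLACEDROOTHASHPLACEHOLDER")


def hash_algo(field):
    """Classify the second shadow field: no password, locked, a known crypt
    scheme, legacy DES, or unknown."""
    if field == "":
        return "nopassword"          # empty field: login without a password
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in CRYPT_ALGOS.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"            # 13-character DES crypt has no prefix
    return "unknown"


def parse_shadow(text):
    """Return {username: hash_field} from shadow-format text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue                 # shadow(5) defines nine colon-separated fields
        entries[fields[0]] = fields[1]
    return entries


def audit_shadow(baseline_text, current_text):
    """Compare the current shadow file against a trusted baseline and return
    (user, finding) pairs worth alerting on."""
    base, cur = parse_shadow(baseline_text), parse_shadow(current_text)
    findings = []
    for user, field in cur.items():
        if user not in base:
            findings.append((user, "new account"))
        elif base[user] != field:
            findings.append((user, "password hash changed"))
        algo = hash_algo(field)
        if algo == "nopassword":
            findings.append((user, "empty password field"))
        elif algo in WEAK_ALGOS:
            findings.append((user, f"weak hash algorithm: {algo}"))
    for user in base:
        if user not in cur:
            findings.append((user, "account removed"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(BASELINE_SHADOW, CURRENT_SHADOW):
        print(f"{user}: {finding}")
```

Run against the two constructed snapshots, the audit reports the root hash change and loneferret's md5crypt hash. For this to be worth anything, the baseline has to live somewhere the box cannot rewrite (a remote store, a read-only integrity database), because an attacker who already has root can update any on-box baseline. The same logic applies to the sudo rule that made this possible: a sudoers entry granting any editor, ht included, is equivalent to granting a root shell and should be audited as such.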

That’s it.

Method 2:

Navigating to the blog page on the site, we see that they have mentioned the launch of a gallery, and the gallery path is also mentioned.

So, I edited the /etc/hosts file on my machine and added the domain (kioptrix3.com) and the IP address. Then, I navigated to the gallery. Wandering around the site, I clicked on the Libgoat press room,

which brought me to the gallery view page, which had options to sort the pics. So, I thought of playing with it.

Incrementing or decrementing the number led me nowhere, until I entered a single quote (') to test for SQLi. This worked and showed a SQL syntax error.

So, I fired up Burp Suite, captured this request and saved it into a file. Then, I passed this file to sqlmap to test for SQLi, which successfully detected that the id parameter was injectable and also reported that the DBMS was MySQL.

sqlmap -r <requestFile>
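Why does a lone single quote produce a SQL syntax error, and what does the fixed page look like? The block below is an added example of my own, not code from the original writeup or from the gallery application. It models the `gallery.php?id=...&sort=...` query two ways: the vulnerable form pastes both parameters into the SQL string, and the hardened form validates and binds the numeric id and checks the sort column against an allowlist (an `ORDER BY` column cannot be bound as a parameter). The in-memory SQLite table and its rows are constructed; the real box runs MySQL, but the quoting behaviour being shown is the same.

```python
import sqlite3

# Constructed stand-in for the gallery table. Assumption: the real target runs
# MySQL; sqlite3 is used here only so the example runs offline.
SAMPLE_ROWS = [(1, "press01.jpg"), (2, "press02.jpg"), (3, "press03.jpg")]

# Columns the application is willing to sort by (hypothetical allowlist).
ALLOWED_SORT = {"filename", "id"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, id_param, sort_param="filename"):
    """The pattern behind gallery.php?id=...&sort=...: both parameters are
    concatenated into the SQL text, so a stray quote rewrites the query."""
    sql = ("SELECT filename FROM gallery WHERE id = " + id_param
           + " ORDER BY " + sort_param)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, id_param, sort_param="filename"):
    """Hardened form: the id is validated and bound as a parameter; the sort
    column, which cannot be bound, is checked against an allowlist."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    if sort_param not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    sql = f"SELECT filename FROM gallery WHERE id = ? ORDER BY {sort_param}"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]


def respond(lookup, conn, id_param, sort_param="filename"):
    """Mimics what the writeup observed: the vulnerable page echoes the
    database error, while the hardened one rejects bad input before SQL."""
    try:
        return ("ok", lookup(conn, id_param, sort_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))       # database syntax error leaks out
    except ValueError as exc:
        return ("rejected", str(exc))    # input validation fired first


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'"):
        print("vulnerable", repr(probe), respond(vulnerable_lookup, db, probe))
        print("hardened  ", repr(probe), respond(safe_lookup, db, probe))
```

The "error" outcome is the signal the single-quote test relies on: the unterminated string literal reaches the database parser. In the hardened version the quote never reaches SQL at all, and the error text is not returned to the client, so neither manual probing nor sqlmap gets a syntax error to work from.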

Then, I listed the available databases in the DBMS to look for anything interesting.

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MYSQL --dbs

The gallery database might be of interest to us, so I listed the tables in this database.

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MYSQL -D gallery --tables

The dev_accounts table might contain some useful credentials, so I dumped the table and got the usernames and hashed passwords.

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MYSQL -D gallery -T dev_accounts --dump

These hashed credentials can be cracked using hashcat or john. Then, using these credentials, we can log in through SSH and follow the same privilege escalation method explained above.

Thanks :D
