Kioptrix Level 3 vulnerable machine from VulnHub.
Kioptrix Level 3 VulnHub link below:
Kioptrix Level 3 download page
A port scan reveals that only SSH and HTTP are open.
The SSH version does not appear to have any known vulnerabilities. However, SSH could still have weak credentials.
Dirb and Nikto are run in the background to check for any interesting pages or vulnerabilities. Dirb reveals an accessible phpMyAdmin page. It accepts a login with the username root and an arbitrary string as the password. However, this did not really reveal anything, and the default login has no privileges.
The login page reveals that it is powered by Lotus.
Using searchsploit, a vulnerability is found:
This vulnerability gives remote command execution through Metasploit, which can be used to get a Meterpreter shell on the target. Finding this exploit was too easy. However, there are several other vulnerabilities on this machine.
1.2.2 HTTP - LFI
The URL appears to include files, so it could be vulnerable to LFI.
Supplying ../../../../../etc/passwd after system reveals nothing. However, with some research, the OWASP 'Testing for LFI' page reveals that when PHP is in use, a null byte terminator appended to the file name bypasses the restriction. When using the following:
This shows the passwd contents, which can be used for brute forcing SSH: the users loneferret and dreg can be targeted with a dictionary attack over SSH.
More info from OWASP here: OWASP LFI testing
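To make the defender's side of this concrete, here is an added example (not code from the original write-up or from the target machine) that contrasts the flawed include pattern with a hardened resolver. The web root, the allowlisted page names and the `.php` suffix are assumptions for illustration; the point is that the null-byte trick and the `../` walk only work because the request parameter reaches the include path unchecked.

```python
import os

# Hypothetical web root and allowlist for this example (not the VM's real layout).
BASE_DIR = "/srv/www/gallery"
ALLOWED_PAGES = {"index", "gallery", "about"}


def vulnerable_resolve(page: str) -> str:
    """Mirrors the flawed pattern: the request parameter is concatenated straight
    into the include path. '../../../../../etc/passwd' walks out of BASE_DIR, and
    in older PHP versions a trailing null byte cut off the appended '.php'."""
    return BASE_DIR + "/" + page + ".php"


def safe_resolve(page: str) -> str:
    """Hardened version: reject null bytes, accept only allowlisted names, and
    require the normalised result to stay under BASE_DIR. Raises ValueError."""
    if "\x00" in page:
        raise ValueError("null byte in page name")
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    candidate = os.path.normpath(os.path.join(BASE_DIR, page + ".php"))
    # Belt and braces: even an allowlisted name must not escape the web root
    # (on a live filesystem use os.path.realpath here to also resolve symlinks).
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes web root")
    return candidate


def classify(page: str) -> str:
    """Return 'ok' or the reason the request was rejected, suitable for logging."""
    try:
        safe_resolve(page)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for probe in ["gallery", "../../../../../etc/passwd", "../../../../../etc/passwd\x00"]:
        print(repr(probe), "->", os.path.normpath(vulnerable_resolve(probe)), "|", classify(probe))
```

Running it shows the vulnerable resolver collapsing the traversal payload to `/etc/passwd.php` (and the null-byte variant would have dropped that suffix on old PHP), while the hardened resolver reports a reason for every rejected request, which is what you want to feed into your web-server or WAF alerting.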
1.2.3 HTTP - sqlmap (Easy SQL Injection)
When browsing the website, the gallery page has a button to filter by an ID. This appears to retrieve data from the SQL database. Appending ' to the ID produces an SQL error, which is good news: the website is vulnerable to SQL injection. sqlmap is then used to enumerate the databases:
sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= --dbs
available databases :
Three databases were revealed above. The gallery database probably holds the gallery's images and users, so it is searched next.
sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= -D gallery --tables
A dev_accounts table is worth investigating, since it presumably contains developer accounts.
sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= -D gallery -T dev_accounts --dump
The dev_accounts dump contains 2 usernames and 2 hashes, which sqlmap cracked easily.
1.2.4 HTTP - SQLI (without sqlmap)
Checking the number of columns with ORDER BY, then confirming with a six-column UNION SELECT:
id=2 union select 1,2,3,4,5,6
Finding the databases and tables using UNION SELECT against information_schema. This shows the database gallery.
id=2 UNION SELECT 1, table_schema, table_name,4,5,6 FROM information_schema.tables--
Searching inside the database gallery:
id=1 UNION SELECT 1, table_name,3,4,5,6 FROM information_schema.tables WHERE table_schema = 'gallery'#
The gallery database contains the dev_accounts table, which can then be searched for its columns.
id=1 UNION SELECT 1, column_name,3,4,5,6 FROM information_schema.columns WHERE table_name = 'dev_accounts'#
The columns reveal the 2 user accounts and their corresponding hashes, which can then be cracked with John the Ripper.
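The root cause behind both the sqlmap run and the manual UNION queries is the same: the id parameter is pasted into the SQL string. The following added example (not from the write-up and not the machine's gallery code) rebuilds a six-column gallery table in an in-memory SQLite database and runs the page's two probes, the stray quote and `2 union select 1,2,3,4,5,6`, through a concatenated query and a parameterised one. Table and column names are constructed for the example; SQLite is used only because it ships with Python.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the gallery database (not the VM's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gallery (id INTEGER, title TEXT, filename TEXT, "
        "owner TEXT, added TEXT, views INTEGER)"
    )
    conn.execute(
        "INSERT INTO gallery VALUES (2, 'Sunset', 'sunset.jpg', 'dreg', '2011-01-01', 7)"
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """String concatenation, as the gallery page does: request text becomes SQL."""
    sql = ("SELECT id, title, filename, owner, added, views FROM gallery "
           "WHERE id = " + raw_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL. The type
    check on top matches the column type and rejects junk before it hits the DB."""
    if not raw_id.isdigit():
        return []
    sql = ("SELECT id, title, filename, owner, added, views FROM gallery "
           "WHERE id = ?")
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo(raw_id: str) -> dict:
    """Run both versions on the same input and report what each returned."""
    conn = build_db()
    result = {}
    try:
        result["vulnerable"] = vulnerable_lookup(conn, raw_id)
    except sqlite3.OperationalError as exc:
        # This is the error the page saw after appending a quote to the id.
        result["vulnerable"] = "SQL error: " + str(exc)
    result["safe"] = safe_lookup(conn, raw_id)
    return result


if __name__ == "__main__":
    for probe in ["2", "2'", "2 union select 1,2,3,4,5,6"]:
        print(repr(probe), "->", demo(probe))
```

With the quote probe the concatenated query blows up with a parse error, the exact signal the write-up used to confirm injection, and with the union probe it returns an extra row of attacker-chosen constants. The parameterised version returns the single legitimate row for `2` and nothing for either probe, and the SQL error never reaches the client, so there is nothing for sqlmap to fingerprint.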
2.1 Exploitation - SSH
The usernames fetched from the LFI attack can be run against a dictionary.
The dictionary attack with Hydra above was successful and revealed the password starwars. Logging in to SSH with this username and password succeeds. When browsing files I found a configuration file in the gallery directory which contains the MySQL login: the user is root and the password is fuckeyou. This gives us full root access to the database.
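A dictionary attack like the one above leaves a very recognisable trail in the server's auth log: a burst of "Failed password" lines from one source across several usernames, followed by an "Accepted" line from the same source. The added example below (not part of the write-up) parses a handful of constructed OpenSSH log lines in that format and flags exactly that sequence. Host name, PIDs, addresses and timestamps are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log format (not captured from the VM).
SAMPLE_LOG = """\
Mar  4 10:01:02 kioptrix3 sshd[2301]: Failed password for loneferret from 192.168.0.50 port 40112 ssh2
Mar  4 10:01:03 kioptrix3 sshd[2301]: Failed password for loneferret from 192.168.0.50 port 40113 ssh2
Mar  4 10:01:03 kioptrix3 sshd[2303]: Failed password for dreg from 192.168.0.50 port 40114 ssh2
Mar  4 10:01:04 kioptrix3 sshd[2305]: Failed password for invalid user admin from 192.168.0.50 port 40115 ssh2
Mar  4 10:01:05 kioptrix3 sshd[2307]: Failed password for loneferret from 192.168.0.50 port 40116 ssh2
Mar  4 10:01:06 kioptrix3 sshd[2309]: Accepted password for loneferret from 192.168.0.50 port 40117 ssh2
Mar  4 10:05:00 kioptrix3 sshd[2311]: Accepted publickey for dreg from 192.168.0.9 port 51000 ssh2
"""

# "invalid user" appears when the name does not exist on the box at all.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def analyse(log_text: str, threshold: int = 3) -> dict:
    """Count failed logins per source address and flag any successful login
    from a source that had already failed at least `threshold` times."""
    failures = Counter()
    users_tried = {}
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried.setdefault(src, set()).add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:
                flagged.append({
                    "source": src,
                    "user": user,
                    "failures_before": failures[src],
                    "users_tried": sorted(users_tried[src]),
                })
    return {"failures": dict(failures), "suspicious_logins": dict_list(flagged)}


def dict_list(items: list) -> list:
    """Identity helper kept separate so the result shape is easy to assert on."""
    return list(items)


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("failures per source:", report["failures"])
    for hit in report["suspicious_logins"]:
        print("suspicious login:", hit)
```

On the sample data the report shows five failures from 192.168.0.50 spread over three usernames and then a password login from the same address, which is the pattern a rule in fail2ban or a SIEM should alert on. The second "Accepted" line, a key-based login with no prior failures, is left alone. The longer-term fix for this machine is the usual one: disable password authentication in sshd_config and rotate the weak credentials.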