Another day, another challenge.
In today’s blog post we’re going to solve level 3 of the Kioptrix series.
For the level 2 walk through, click HERE.
Starting the VM, we’re presented with the following login screen.
Going back to the login screen the disclaimer states that we need to modify the /etc/hosts to include our IP address that our kioptrix3 vm is running.
Let’s see which services are running on the virtual machine
Hmm… we have two services open – ssh and http. Let’s go to the web application and do a manual crawl of the site.
Navigating to kioptrix3.com we see the following:
Clicking the Login button we’re presented with a login screen. At the bottom we notice the page is using LotusCMS. Let’s keep this in mind, just in case we it to exploit the application.
Let’s run nikto to see if we can find more vulnerabilities in the web application.
We see that the application found a phpmyadmin folder. Let’s go to the folder and see what we can find.
Going to the php page, we realize we don’t have login credentials, so at this point we can’t log into the phpmyadmin page. We know the application is using LotusCMS let’s see if there’s a LotusCMS module that we can use in Metasploit.
After opening and searching Metasploit for LotusCMS we see there’s a perfect remote code execution we can use.
After selecting the exploit let’s review the options to see what we need to add to the module to make the exploit work. We need a remote host (RHOST), remote port (RPORT) and the URI. Let’s add the information below.
After entering the information, and typing run, we notice that we’re presented with a meterpreter shell! Let’s go to the home directory and see how many users are on the box.
We have three users, dreg, loneferret, and www (web). Let’s see what’s in the dreg folder.
Searching the dreg folder we don’t see much. We see a bash_logout, bashrc, and profile scripts. Let’s move on to loneferret.
Hmm… Loneferret has a lot of information. We see there’s a file titled, “.sudo_as_admin_successful”, a company police readme, and a checksec script. Let’s review the company policy readme.
Well… it seem if we want to edit, create, or view files we need to use the command sudo ht. Let’s keep this in our toolbox because I am sure we will use it later. Remember we found a phpmyadmin page, let’s see if we can find a config file with login credentials.
Doing a search on the kioptrix3 folder, we see there are three config files. Let’s review the last file, gconfig.php.
Opening the gconfig.php file we notice there are login credentials for the phpmyadmin page! Let’s keep this in our toolbox because we might have to use it later.
At this point, we have php login credentials, but that’s not enough to gain root privileges. Let’s see if we can review the web application again for more clues.
We notice there’s a gallery section of the application. Maybe we can be lucky and the application is susceptible to sql injection.
Adding an apostrophe to the end of the number there’s no change in the application. We notice at the bottom of the page there’s a sorting option. Let’s see if changing the sorting option will invoke a SQL injection.
Changing the sorting option to Photo Id, and adding the apostrophe to the end of the number, we get the following…
Success! The application is susceptible to SQL injection. Let’s fire up sqlmap and see what goodies we can find.
Executing a preliminary SQLMap run we see that SQLMap verified our manual testing results that the application is susceptible to SQL injection. SQLMap also found the technologies the application is using. Let’s do a more extensive probe. Firing SQLMap again we use the dump all to see what data we can find.
We found the dev accounts database, and notice that we have two users dreg, and loneferret, along with their passwords. Remember these are the same users we found when we used Metasploit with the LotusCMS remote code execution.
Now that we have login credentials, and we know that loneferret has more promising information than dreg, let’s connect to loneferret’s account through ssh.
Connecting to loneferret’s account, we try to access the root folder, but receive a permission denied (we’re not root… yet). We also try to execute the sudo ht command that was listed in the company readme file, and we get the error, “error opening terminal: xterm-256color”.
Doing a quick google search we find that we need to use the following command “export TERM=xterm”. Doing this and running the sudo ht command again we’re presented with the following screenshot. Let’s see if we can view and modify the /etc/sudoers file and see if we can escalate our privileges from loneferret to root.
Opening the /etc/sudoers file we notice that the loneferret has a user privilege escalation where a password is not required. Right now it’s for the commands: su, and sh. Let’s add our ht command to the list. After adding the command, saving, and exiting we’re presented back to the command prompt.
Executing the command sudo /bin/sh, and running a whoami we see that we’ve been escalated to root! Running the ls command we see that we’re presented with the same information we had in our meterpreter shell. Changing our directory to /root we notice there’s a Congrats.txt file.
Opening the Congrats.txt file we have found the flag and completed the challenge!