boot2root, hacking, OSCP, web application security

OSCP Series: Kioptrix Level 3

Another day, another challenge.

In today’s blog post we’re going to solve level 3 of the Kioptrix series.

For the level 2 walk through, click HERE.

Let’s begin.

Starting the VM, we’re presented with the following login screen.

Kioptrix_Level3_Login

Going back to the login screen the disclaimer states that we need to modify the /etc/hosts to include our IP address that our kioptrix3 vm is running.

Kioptrix_Level3_cat_etc_hosts

Let’s see which services are running on the virtual machineKioptrix_Level3_nmap

Hmm… we have two services open – ssh and http. Let’s go to the web application and do a manual crawl of the site.

Navigating to kioptrix3.com we see the following:

Kioptrix_Level3_webpage1

Clicking the Login button we’re presented with a login screen. At the bottom we notice the page is using LotusCMS. Let’s keep this in mind, just in case we it to exploit the application.Kioptrix_Level3_webpage2_login

Let’s run nikto to see if we can find more vulnerabilities in the web application.

Kioptrix_Level3_nikto

Kioptrix_Level3_nikto2

We see that the application found a phpmyadmin folder. Let’s go to the folder and see what we can find.

Kioptrix_Level3_webpage2_phpMyAdmin

Going to the php page, we realize we don’t have login credentials, so at this point we can’t log into the phpmyadmin page. We know the application is using LotusCMS let’s see if there’s a LotusCMS module that we can use in Metasploit.

Kioptrix_Level3_msfconsole

Kioptrix_Level3_msfconsole2

After opening and searching Metasploit for LotusCMS we see there’s a perfect remote code execution we can use.

Kioptrix_Level3_msfconsole_lotus_exploit

After selecting the exploit let’s review the options to see what we need to add to the module to make the exploit work. We need a remote host (RHOST), remote port (RPORT) and the URI. Let’s add the information below.

Kioptrix_Level3_msfconsole_lotus_meterpreter

After entering the information, and typing run, we notice that we’re presented with a meterpreter shell! Let’s go to the home directory and see how many users are on the box.

Kioptrix_Level3_msfconsole_lotus_meterpreter_2

We have three users, dreg, loneferret, and www (web).  Let’s see what’s in the dreg folder.

Kioptrix_Level3_msfconsole_lotus_meterpreter_dreg

Searching the dreg folder we don’t see much. We see a bash_logout, bashrc, and profile scripts. Let’s move on to loneferret.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret

Hmm… Loneferret has a lot of information. We see there’s a file titled, “.sudo_as_admin_successful”, a company police readme, and a checksec script. Let’s review the company policy readme.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret_company_readme

Well… it seem if we want to edit, create, or view files we need to use the command sudo ht. Let’s keep this in our toolbox because I am sure we will use it later. Remember we found a phpmyadmin page, let’s see if we can find a config file with login credentials.

kioptrix_config_file

Doing a search on the kioptrix3 folder, we see there are three config files. Let’s review the last file, gconfig.php.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret_gconfig

Opening the gconfig.php file we notice there are login credentials for the phpmyadmin page! Let’s keep this in our toolbox because we might have to use it later.

At this point, we have php login credentials, but that’s not enough to gain root privileges. Let’s see if we can review the web application again for more clues.

We notice there’s a gallery section of the application. Maybe we can be lucky and the application is susceptible to sql injection.

Kioptrix_Level3_gallery

Adding an apostrophe to the end of the number there’s no change in the application. We notice at the bottom of the page  there’s a sorting option. Let’s see if changing the sorting option will invoke a SQL injection.Kioptrix_Level3_gallery_photo_id_before_sql_injection_2

Changing the sorting option to Photo Id, and adding the apostrophe to the end of the number, we get the following…Kioptrix_Level3_gallery_photo_id_sql_injection_2

Success! The application is susceptible to SQL injection. Let’s fire up sqlmap and see what goodies we can find.

Kioptrix_Level3_sqlmap

Kioptrix_Level3_sqlmap2

Executing a preliminary SQLMap run we see that SQLMap verified our manual testing results that the application is susceptible to SQL injection. SQLMap also found the technologies the application is using. Let’s do a more extensive probe. Firing SQLMap again we use the dump all to see what data we can find.

Kioptrix_Level3_sqlmap3

Kioptrix_Level3_sqlmap4

We found the dev accounts database, and notice that we have two users dreg, and loneferret, along with their passwords. Remember these are the same users we found when we used Metasploit with the LotusCMS remote code execution.

Now that we have login credentials, and we know that loneferret has more promising information than dreg, let’s connect to loneferret’s account through ssh.

Kioptrix_Level3_ssh

Connecting to loneferret’s account, we try to access the root folder, but receive a permission denied (we’re not root… yet). We also try to execute the sudo ht command that was listed in the company readme file, and we get the error, “error opening terminal: xterm-256color”.

Kioptrix_Level3_cat_etc_hosts_xterm

Doing a quick google search we find that we need to use the following command “export TERM=xterm”. Doing this and running the sudo ht command again we’re presented with the following screenshot. Let’s see if we can view and modify the /etc/sudoers file and see if we can escalate our privileges from loneferret to root.

Kioptrix_Level3_ht1

Kioptrix_Level3_ht_adding_sh

Opening the /etc/sudoers file we notice that the loneferret has a user privilege escalation where a password is not required. Right now it’s for the commands: su, and sh. Let’s add our ht command to the list. After adding the command, saving, and exiting we’re presented back to the command prompt.

Kioptrix_Level3_root

Executing the command sudo /bin/sh, and running a whoami we see that we’ve been escalated to root! Running the ls command we see that we’re presented with the same information we had in our meterpreter shell. Changing our directory to /root we notice there’s a Congrats.txt file.Kioptrix_Level3_root2Kioptrix_Level3_root3

Opening the Congrats.txt file we have found the flag and completed the challenge!

boot2root, hacking, OSCP, web application security

OSCP Series: Kioptrix Level 2

Another day, another challenge.

In today’s post we’re going to solve Kioptrix Level 2.

Let’s get started.

After booting the machine, we see the following:

Kioptrix_Level2

This screen is very similar to level 1 click HERE if you missed that.

Let’s begin.

First, let’s enumerate using nmap, with the command nmap -sV <IP_ADDRESS>. In my case it will be nmap -sV 192.168.0.14

Below is the screenshot I have:

Kioptrix_nmap_Level2

We have a number of ports open. Let’s look at port 80 (http) and see what we can find.

Going to http://<IP_ADDRESS>&nbsp;(substitute IP_ADDRESS with your IP address)

We see the following screen:

Kioptrix_webpage_Level2

A login screen… let’s see if we can do an authentication bypass by doing a SQL injection.

Kioptrix_webpage_login_Level2

Entering the username of admin and password of ‘ OR ‘1’=’1′–

Success! We were able to complete an authentication bypass. Now we’re presented with a web console to ping a machine. So let’s ping.Kioptrix_webpage_console_Level2

Entering our IP address and pressing the submit button we see that the web page pings our machine.

Kioptrix_webpage_ping_Level2

Kioptrix_webpage_ping_results_Level2

Let’s see if we can complete one or more commands in succession. This vulnerability is called command injection, as the attacker can enter arbitrary commands to read and write to the server.

Kioptrix_webpage_command_injection_Level2

Kioptrix_webpage_command_injection_results_Level2

We see this application is vulnerable to command injection as we were able to ping our machine and list the contents on the server.

Let’s see if we can use the command injection vulnerability to get a remote shell.

Going to Google and typing in “remote shell commands” the following screenshot is from the first result.

Kioptrix_remote_shell_command_Level2

As you can see this web page lists different ways to gain a remote shell a server. Let’s use the first command, and see this will be successful for us.

First we need to get our IP address.

Entering the command in a terminal ifconfig we will get our IP address, which is what we need for our remote shell.

The below screenshot is mine:

Kioptrix_webpage_ipconfig_Level2

The next two steps need to be completed at the same time.

Going back to the web console, we’re going to enter the above remote shell command, changing our IP address, to the IP address from our ifconfig command. As well as change our port to the port listed in our netcat command (note the port can be anything, I just picked 4444 as it’s easier for me. It could be 1234, 2222, etc.)

Kioptrix_remote_shell_command_webpage_Level2

Now we need to start a listener, the below screenshot is used with netcat

Kioptrix_remote_shell_Level2

After pressing the submit button from the web console, we have the following screenshot – our remote shell worked! we see that we’re connected (192.168.0.14 is the Kioptrix machine and 192.168.0.12 is my machine). You’ll notice that when we list the directory it matches the above screenshot from the command injection inside the web console.

Continuing on let’s see the server version we’re running. See screenshot below.Kioptrix_webpage_uname_Level2

Opening a new terminal, let’s go to searchsploit and see how many exploits we can find for this version.Kioptrix_webpage_searchsploit_1_Level2Kioptrix_webpage_searchsploit_2_Level2Kioptrix_webpage_searchsploit_3_Level2Kioptrix_webpage_searchsploit_4_Level2Kioptrix_webpage_searchsploit_5_Level2Kioptrix_webpage_searchsploit_6_Level2

There are A LOT of exploits, as I was pretty lax on the search results. Let’s use exploit 9545.c as it lists the version number and it also use CentOS (which we saw during the enumeration phase) exploit.

Let’s copy the exploit to the current directory – see screenshot below.

Kioptrix_copy_exploit_Level2

Since we’re working with a web server, we need to move our exploit to the Apache folder and start Apache. See screenshots below.

Kioptrix_apache_exploit_in_folder_Level2Kioptrix_apache_start_Level2

Now let’s try to download our exploit. The first time doesn’t work as one we didn’t specify the file, and we get a permission denied – screenshot below.

Kioptrix_download_file_failure_Level2

Let’s try to change the directory to the /tmp folder and see if we can download our exploit.Kioptrix_download_file_success_Level2

We were successful! Our exploit was downloaded.

Let’s compile our exploit, and give it the name of exploit. See screenshot below.Kioptrix_compiling_exploit_Level2

Running the exploit and entering the whoami command we’re now root. W00t! Kioptrix_whoami_root_Level2

Let’s see if we’re truly root – let’s read the /etc/shadow by entering the following command cat /etc/shadowKioptrix_etc_shadow_Level2Kioptrix_etc_shadow_2_Level2

We’re able to view the /etc/shadow file, which means we’re truly root.