Wednesday, 15 February 2017

Kioptrix Level 3 (Don't forget the low hanging fruit)

Back again!!

I'm continuing with the Kioptrix series as I am really enjoying it.  The trouble is......... I seem to be over thinking stuff and forgetting this isn't meant to be "difficult". Anyway enough pre-amble and more how to!!!


Only ssh and web are open here.

Web Checks

Browsing to the IP gave me the website below:

There wasn't a robots.txt file giving any hidden directories away, so I carried on perusing the content to see if there was anymore info:

I noticed the URL for the blog was interesting:

I wondered if I could manipulate it to give me information.  First of all I tried some local file inclusion LFI:

This took some tinkering as just adding a null byte () didn't work.  I had to insert a character after the null byte in order for it to yield a result.

This made me think of a way to automate this task.  After looking around on the web I found this code from a BLOG.  I noticed it only scanned for conventional LFI so I amended it to my needs.  The code can be found HERE.  When I ran the code it gave me the results quickly:

That was a useful learning point for me, as my coding isn't the greatest.  So what did the LFI give me?

2 users that are of interest:

list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

I couldn't pull the shadow file to grab their login creds, but I could have a go at brute forcing my way in via ssh.

Unfortunately Hydra was playing up and kept giving me errors but it wasn't an issue as I could use Patator.

I now had some creds I could use to SSH across.

I use loneferret's account first (it was first in the list)

Let's have a look at what's inside the folder I am in

Looks like the home directory to me!

Reading the CompanyPolicy.README showed the "sudo ht" command.  I ran it to see what this was, unfortunately I had an issue with my terminal type so I amended it:

Looks like I have an editor with root privs COOL!!!  I wonder if I can edit the /etc/sudoers file

That a big yes!!

So, save and exit:

I am root!! It looks like the HT editor is susceptible to Buffer Overflow

However when I tried to run the exploit on the server I got an error with the Perl version. I will revisit this again.  Now onto the other methods of rooting this box?


The blog indicates there is a gallery:

Now I wonder what awaits me here?

After looking around I came to this page:

The URL here looks interesting:

I wonder if I can inject?


Looks like there are 6 columns to peruse:

And column 2 is vulnerable to injection!

Looks like I have a MYSQL DB running on a Ubuntu server.

The current DB in use here is gallery.

And there are these tables sitting on the server too.

Enumerating the table "dev_accounts" gave:

Grabbing the details from this gave:

MD5 hashed passwords for the 2 users we already had :)

I could have used SQLmap to make it easier but sometimes you need to check manually as automation doesn't always make things better!!

SQLi for Admin

By enumerating the gallarific_users table we get:

Which allows me to login to the myphpadmin page and grab the creds of loneferret and dreg.

There are other ways to root this box like using code injection to get a netcat shell, so go wild!!!

No comments:

Post a Comment