VulnHub: Kioptrix Level 3

Kioptrix Level 3 is noticeably more challenging than Levels 1 and 2, and it exercises a completely different skill set from the earlier levels.

There are mainly two methods to gain initial access to the machine. So, let's begin and check out both of them.

Enumeration

Before starting, add an entry for kioptrix3.com in the /etc/hosts file.

As usual, the first thing to do is to run an nmap scan and check in the browser whether a web page is hosted there. The nmap results were as follows:

From the nmap scan, we can see that two ports are open: 22 and 80. We can now also check the website hosted on port 80.

We can explore the other two tabs as well.

On the “Blog” tab, we can see a post for welcoming a new lead programmer named “loneferret”. This appears to be a username. So, we can note it.

On the third tab we can see a login page. We can try some basic SQLi payloads, but none of them appear to work here.

As part of web enumeration, we can run a directory brute-force against the target to check whether any hidden directories are present on the server.

It can be seen that multiple directories have been detected, so we can explore each of them to look for anything that might help us gain access to the machine.

From the detected directories, /gallery looks promising: it shows some images, and when we look at its source code we find that it runs an application named "Gallarific PHP Photo Script".

After some googling, we find that “Gallarific” is susceptible to SQLi. Using searchsploit we can also find a python script that might help exploit this SQLi.

We can check out the last one, i.e. php/webapps/15891.txt.

But it appears that either this does not work or we are passing the wrong arguments. Even so, we can try to exploit the vulnerability manually, as described in the exploit.

Also, to double-check, we can enter a single quote ('), which should raise an error.

And we do get an error. So we can use this to explore the contents of the database.

Gaining Access — Method 1

To obtain information about the database we can follow this process:

  1. Determine the number of columns

This suggests that 6 columns are being returned. So we need to craft our UNION payloads such that they also return 6 columns.

  2. Determine which columns contain text

  • Sending all NULLs to verify there are 6 columns

Note the error returned here: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') order by dateuploaded desc limit 1' at line 1

  • Sending 'a' for each column to test which ones can return text

Only when the NULL in column 1 was replaced by a text value did the error change from the one returned for all NULLs. This suggests that column 1 is not a text column, while the other five columns accept text values, since they returned the same error as in the all-NULL case.

  3. Obtaining the names of all the tables

Here, because text is returned in the 2nd column, we have placed table_name in the position of the 2nd column.

The table information_schema.tables has an entry for every table in the database, so we use it to list all the tables.

  4. From the list of tables obtained in the previous step, we can try to find a table that might contain sensitive information.

One such table appears to be dev_accounts.

  5. The next step is to determine the columns in the dev_accounts table.

Here, we retrieve column_name from the table information_schema.columns where table_name='dev_accounts'. The table information_schema.columns holds the details of every column in the database.

Here, we can see that the table dev_accounts has 3 columns.

  6. The next step is to extract the data from the table dev_accounts.

We did obtain data from the database, but we can't see any entry for the “password” column. So we can concatenate the contents of the "username" and "password" columns and print them in a single column as:

And there we get the usernames along with their password hashes.
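The flaw that makes steps 1 to 6 possible is a query built by string concatenation, which is why a lone quote produced a database error and why UNION payloads could pull rows from an unrelated table. The following Python script is an added example, not code from the write-up or from Gallarific: it models the gallery lookup against a constructed in-memory SQLite database (table and column names are assumptions loosely modelled on the write-up, and the credential row is a placeholder), shows the vulnerable query beside a parameterised version, and checks that the quote probe and a UNION payload behave differently against the two.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database modelled on the write-up's layout:
    a gallery table queried by id, and a dev_accounts table holding
    credentials the application never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER, title TEXT, path TEXT)")
    conn.execute("CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO gallery VALUES (1, 'Sunset', 'photos/sunset.jpg')")
    # Placeholder value, not a real hash.
    conn.execute("INSERT INTO dev_accounts VALUES (1, 'demo_user', 'PLACEHOLDER_HASH')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, photo_id):
    # The id parameter is pasted straight into the query text, so whatever
    # the client sends becomes SQL. This mirrors the class of flaw exploited
    # in the write-up (hypothetical code, not Gallarific's).
    sql = "SELECT id, title, path FROM gallery WHERE id=" + photo_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, photo_id):
    # Hardened: validate the type first, then bind the value as a parameter.
    # The driver passes the value separately from the SQL text, so it can
    # never alter the structure of the query.
    try:
        pid = int(photo_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, title, path FROM gallery WHERE id=?", (pid,)
    ).fetchall()


def error_for(conn, photo_id):
    # The write-up confirms injection with a single quote: the vulnerable
    # path raises a database error. Returns the error text, or None.
    try:
        lookup_vulnerable(conn, photo_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = build_demo_db()
    probe = "'"
    union = "0 UNION SELECT id, username, password FROM dev_accounts"
    print("quote probe, vulnerable:", error_for(db, probe))
    print("union, vulnerable:", lookup_vulnerable(db, union))
    print("union, safe:", lookup_safe(db, union))
```

Two defensive points follow from the run: parameter binding (not escaping or blacklisting keywords) is what closes the hole, and the raw MySQL error the write-up relied on at step 2 should never reach the client; log it server-side and return a generic message instead.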

The next thing to do is simply crack these password hashes using CrackStation and try them on the login page or over SSH.

After cracking the hashes, we get “starwars” as user loneferret’s password and “Mast3r” as user dreg’s password.

We can try these usernames and passwords on the login page, but none of the credentials work there. So we can try to log in via SSH as well.

When we try to log in as user dreg, we succeed, but the problem is that dreg can’t run any commands with sudo.

Gaining Access — Method 2

On the blog page we saw a suspected username, “loneferret”. So we can try an SSH brute-force attack to check whether we can recover his password.

And here we get the login credentials for the user “loneferret”.

Privilege Escalation

Since dreg does not have sudo access, we can log in as "loneferret" via SSH, or use the su loneferret command while logged in as "dreg", and check whether he can run commands with sudo.

It can be seen that “loneferret” can run the command /usr/local/bin/ht as sudo but not the command /bin/su. So we need to check what /usr/local/bin/ht does in order to find a way to escalate privileges.

But when we try to run the binary it gives an error. Changing the $TERM value resolves this.

Now we can run the command sudo /usr/local/bin/ht again, which opens an editor.

We can try to open the /etc/sudoers file here and check whether we can modify it. If it can be modified, we can remove the ! in front of the /bin/su command, which would let us run that command without any password.

To open a file, use the key combination Alt + F.

Now, all that needs to be done is to remove the ! before /bin/su and save the file using Alt + F and then selecting Save.

As we have modified the /etc/sudoers file, we can now run the command sudo /bin/su directly and get a root shell.

And with this we have root access to the machine!
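The root cause of this escalation is the sudoers rule itself: granting an interactive editor such as ht through sudo hands the user every root-writable file, and the ! exclusion on /bin/su does not compensate, since the sudoers(5) manual itself warns that subtracting commands with ! is easy to circumvent. The following Python script is an added audit example, not something from the write-up: it parses user-specification lines from a constructed sudoers sample (the loneferret line is reconstructed from the write-up's description, the other entries are invented) and flags negated commands, interactive editors or pagers, and unrestricted ALL grants, which is the check a defender would run on a host before a rule like this goes live.

```python
import re

# Constructed sudoers sample for the demonstration. The loneferret line is
# reconstructed from the write-up's description (ht allowed, su excluded);
# the other entries are invented.
SAMPLE_SUDOERS = """\
# constructed sample, not the real file from the machine
Defaults        env_reset
loneferret ALL=NOPASSWD: !/bin/su, /usr/local/bin/ht
opsadmin   ALL=(ALL) ALL
backup     ALL=NOPASSWD: /usr/bin/rsync
"""

# Programs that let the caller open, edit or read arbitrary files once
# started as root, which is exactly how /etc/sudoers was rewritten above.
INTERACTIVE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "man"}


def parse_sudoers_line(line):
    """Return (user, [commands]) for a user-specification line, or None.

    Handles the common shape  USER HOST=(RUNAS) TAG: cmd1, cmd2  and skips
    comments, blank lines, Defaults and alias definitions. Aliases and
    include directives are out of scope for this example.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                    "Host_Alias", "Runas_Alias", "@include")):
        return None
    m = re.match(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", line)
    if not m:
        return None
    user, cmnd_spec = m.group(1), m.group(2)
    # Drop tag prefixes such as NOPASSWD: or SETENV: (uppercase word + colon).
    cmnd_spec = re.sub(r"\b[A-Z_]+:\s*", "", cmnd_spec)
    commands = [c.strip() for c in cmnd_spec.split(",") if c.strip()]
    return user, commands


def audit_sudoers(text):
    """Return a list of (user, command, reason) findings."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_sudoers_line(raw)
        if parsed is None:
            continue
        user, commands = parsed
        for cmd in commands:
            if cmd.startswith("!"):
                findings.append((user, cmd,
                                 "negated command: '!' exclusions are bypassable "
                                 "and give no real protection"))
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted: equivalent to full root"))
                continue
            basename = cmd.split()[0].rsplit("/", 1)[-1]
            if basename in INTERACTIVE_EDITORS:
                findings.append((user, cmd,
                                 "interactive editor/pager: can open and save "
                                 "root-owned files such as /etc/sudoers"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:12} {cmd:24} {reason}")
```

The fix is not a longer exclusion list but a narrower grant: allow only the specific non-interactive command the user actually needs, and keep editors, pagers and shells out of sudo rules entirely.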

Some Key Points to Take Away

  1. Keep track of all the credentials you obtain and try them everywhere you can log in.
  2. Always look for the different vulnerabilities associated with the services/applications running on the target.

Mindmap

References

  1. Kioptrix Level 1: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
  2. CVE-2011-0519: https://www.exploit-db.com/exploits/15891
  3. CrackStation: https://crackstation.net/

Do check out my other work and write-ups at https://github.com/0xNirvana
