This is the third box in the Kioptrix series. This one gets a little trickier and brings in a few new tools that have not been seen in the last two boxes. We’re going to see URL command injection, hash cracking, and a more “realistic” privilege escalation technique.
Run an initial scan of the box with: nmap -sC -sV -oA nmap 192.168.1.X
- sC: Default Scripts
- sV: Service Version Detection
- oA: output all formats (HTML, XML, GNMAP)
[sourcecode language=”bash” wraplines=”false” collapse=”false”]
PORT STATE SERVICE VERSION
22/ tcp OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/ Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:F3:FA:B4 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are only two ports open which leaves us with two options, try standard username and password pairs / brute-force SSH or, start digging into the web server. I like the latter.
Web Server Enumeration & Dissection:
The further you get into penetration testing the more you start to learn that there should always be something scanning, searching, or brute forcing. Essentially, your time is valuable, look for everything under the sun and then some. My methods differ subject to what I see right when I go to the web server. However, there are also a few commonalities I do right away. Let’s go over a few of those.
- Nikto – A command line based web vulnerability scanner.
- Dirb or Dirbuster – Tools that automate the searching and categorizing of web pages by using a list of common page values (i.e., admin.php, index.html, etc.). These are very powerful tools that are very dynamic and can be tailer to your searching needs. For example, if you know that a page runs primarily on PHP, you can append that to .php list of values.
- BurpSuite – If you are not using Burpsuite, you’re wrong! I’m not going to go into extreme detail of Burpsuite functionality in this post. Eventually, I will make a large writeup on necessary tools and functions Burpsuite employes and how you can use it to do just about everything you need! For right now, you should have a Burpsuite Proxy set-up and be listening when you are doing your manual probe of the webpage. You’re looking for uncommon parameters, oddities in HTTP post/get responses/requests.
Before I start my manual searching and probing, I usually have two or all three of the tools up and running for efficiency. My initial probing consists of me looking at the source code. Let me say that again, LOOK AT THE SOURCE CODE! By simply looking at the source code we can often decipher common webpage frameworks (i.e., WordPress, Squarespace, etc.), we can look for bad OPSEC in comment fields that may enumerate usernames, passwords, and other valuable information. We’re also looking for page links that may prove useful during our page enumeration, which dirb/dirbuster is also working on.
Just by looking at the source code, I see a few things that peak my interest:
- Login Page (Presumably an Admin Login Page)
[sourcecode language=”html” wraplines=”false” collapse=”false”]</pre>
<a class=’lastM’ href=’index.php?system=Admin’>Login</a>
- LotusCMS: Looks to be a content management framework. Initial google search shows TONS of exploits!
- The host is also running PHPMyAdmin: if we can get in, we might have database objects that can point us to a login. (This information was gained from running Dirb)
- URL PHP Parameters: This may allow command injection but, we need to fuzz it first.
- In their blog post, they mention a new Lead programmer by the name of loneferret.
- And we now have a way into the system:
Exploit: Gallarific SQLi Exploit
- While enumerating all the pages, I found a gallatific page: http://192.168.1.207/gallery/ and after doing some research found there is a SQLi exploit:
- I’ll add gallery.php?id= and run it through Sqlmap:
- Sqlmap even does the Hash cracking for us! So, now we have two username-password pairs. Let’s go ahead and log in.
- Let’s check for obvious methods first.
- Okay, we can run two commands as root, one being ht which is HEX editor. So, let’s edit the easier file that will allow us to get root. Hell, even sudo -l gave us a big hint. We can just remove the ! in !/usr/bin/su but, I say let’s just give us complete access from the gitgo.
- Changed it to ALL=(ALL) ALL and now when we re-run sudo -l:
This was a fairly simple box but, it allowed us to use a few new tools and methods.
- We could have exploited LotusCMS with a Metasploit module or manually but, that was too obvious.
- PHPMyAdmin was another vector we could have exploited. Brute Forcing this would have proven successful with the right password list and Username (root). This would have given us direct access to the MySQL database and we could have accessed the password hashes just like we did with the Gallarific exploit.