Friday, 24 June 2016

Kioptrix Level 3

I would like to introduce you to one of my favourite series - Kioptrix challenges. Non typical I begin form level 3 (Kioptrix 1.2).

Scanning phase
Nmap with options: -p- (all ports), -sV (versions of services) and -A (aggressive).

The OpenSSH 4.7p1 does not have dedicated exploit and critical vulnerabilities.
So, let's examine web application. We can see in the nmap result that web application uses vulnerable PHP version (5.2.4). Unfortunately in exploit-db exist only exploit for windows platform.
We can see that we are able to go to the login panel directly. BUt in spite of that let's run dirbuster.
OK, we can see gallery directory, for me it is interesting. 
Login panel looks as below
We see that CMS which hosts the web application is LotusCMS. Maybe we could find some exploit for the CMS? I found several exploits and one from Metasploit. I tested each except from Metasploit and without success. I don;t want to use Metasploit, so let's continue our pentesting.
As I said previous gallery directory looks interesting
Displaying the source code we can find that there is admin panel for gallery which is located on gadmin.
Very good! The Gallarific also has assigned several exploits. For me this most interesting was SQL injection exploit. Let's verify it.
Nice! Probably there is indeed SQLi. Let's use sqlmap
Amazing! Let's examine gallery database
Excellent! We have valid credentials to gallery (admin:n0t7t1k4).
Using the sqlmap tool I have also retrieved /etc/passwd file
I have got also credentials from mysql database (root:fuckeyou). We know that phpmyadmin is tied with our target. Maybe this would give us other way for exploitation (I have verified it and unfortunately this method doesn't work). At this moment let's back to the gallery.
I have used our credentials 
Good, we have to find place to upload PHP backdoor. Hmmm I have some problem with it. Maybe we should back to the SQL injection and find something helpful.
Bingo! We know that both dreg and loneferret are system users!
I have logged in as loneferret, because for dreg everything is restricted.
OK! We know that we are not able to execute su but /usr/local/bin/ht yes.
Using ht I have open /etc/shadow
 and /etc/sudoers
 We are allowed to edit this file, so let's exploit it!
Game over!