Kioptrix: Level 1.2 (#3)

Heya,

yes, yes – I know. This is probably the 9543245945361st version of the Kioptrix #3 walkthrough, but I’ll post it anyway since it’s the first vulnhub CTF I did that required a bit more effort. So, here we go.

After launching the VM (in VMware Fusion), we first have to discover the IP address of the system. I chose netdiscover for that.

netdiscover -r 172.16.198.0/24

We quickly identify the VM (172.16.198.142) from the list of returned ARP packets.


Next, the obvious nmap scan. The result: only ports 80 (web server) and 22 (SSH) are open.


So let’s take a look at the webserver content. Apparently, there’s a site running a CMS called “LotusCMS”.


One of the links points to a login page but unfortunately this page doesn’t seem to be vulnerable to SQLi attacks.


Moving on, we find a link to a gallery. Make sure to add the “kioptrix3.com” entry to your hosts file in order to see its full glory! 🙂


One of the sub pages carries PHP code with an explicit id parameter. By passing a non-numeric value (a) as id we get an SQL error, which indicates that this parameter can most likely be used for an SQL injection attack (SQLi).


Let’s fire up sqlmap and do some analysis. By using this command

sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 --dbs

… we’re able to retrieve a list of the available MySQL databases.
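From the defender’s side, both the manual probe (a bare a as id) and the sqlmap run leave clear traces in the web server’s access log. The following is an added example, not code from the original post: a small Python scanner that flags gallery.php requests whose id parameter is not a plain integer and requests carrying sqlmap’s User-Agent; the log lines are constructed, and the Apache combined log format, client IP and user-agent string are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed): client, identd, user, timestamp,
# request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Quote and comment characters plus SQL keywords that never belong in a numeric id
SQL_META = re.compile(r"['\"#;]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b", re.IGNORECASE)

def inspect_request(line):
    """Return (ip, target, findings) for one log line; findings is empty if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return ("?", "?", ["unparseable line"])
    findings = []
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap user agent")
    url = urlsplit(m["target"])
    if url.path.endswith("/gallery.php"):
        # parse_qs percent-decodes, so "1%20AND%201%3D1" is inspected as "1 AND 1=1"
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if value.isdigit():
                continue
            findings.append(f"non-numeric id: {value!r}")
            if SQL_META.search(value):
                findings.append("SQL metacharacters or keywords in id")
    return (m["ip"], m["target"], findings)

def scan(lines):
    """Return (ip, target, findings) for every line that raised at least one finding."""
    return [hit for hit in map(inspect_request, lines) if hit[2]]

# Constructed sample log lines (not taken from the VM): one benign request,
# one manual probe with id=a, and two requests from an sqlmap run
SAMPLE_LOG = [
    '172.16.198.1 - - [10/Mar/2017:10:00:01 +0100] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5120 "http://kioptrix3.com/" "Mozilla/5.0"',
    '172.16.198.1 - - [10/Mar/2017:10:00:09 +0100] "GET /gallery/gallery.php?id=a HTTP/1.1" 200 1834 "http://kioptrix3.com/" "Mozilla/5.0"',
    '172.16.198.1 - - [10/Mar/2017:10:01:15 +0100] "GET /gallery/gallery.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.1 (http://sqlmap.org)"',
    '172.16.198.1 - - [10/Mar/2017:10:01:15 +0100] "GET /gallery/gallery.php?id=1\' HTTP/1.1" 200 1834 "-" "sqlmap/1.1 (http://sqlmap.org)"',
]

if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(findings))
```

A 500 status or a visible MySQL error string in the response body is the other signal worth alerting on; the code above only looks at the request side.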


Digging deeper, we decide to dump the complete ‘gallery’ database to our harddisk (uhm, or SSD).

sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 --dump gallery

In one of the tables (dev_accounts) we find usernames and password hashes. Wouldn’t it be great if these could be used to SSH into the machine?


Let’s give it a try. First, crack the hashes with hacker’s best friend: hashcat.


Wow, that was easy. So we now have two valid logins:

loneferret:starwars
dreg:Mast3r

Since I like ferrets, let’s use that one first and see if it gets us a shell.


Bingo! We’re in. Let’s dig around a bit. A README file points us towards possible sudo privileges.


And yes, sudo -l indeed reveals some possibilities.


That “ht” looks interesting. HT is an editor. After fixing my invalid TERM variable (hint: try setting it to xterm-xfree86 in case of problems inside the editor), I was able to modify the /etc/sudoers file to allow us sudo access to /bin/su.


Getting root is now easy.


Finally, we capture the “flag” located in the /root directory.


That’s it! That was a quick one 😉


Categories: CTF
