Today I’ll be demonstrating how to compromise the third box in the Kioptrix series. I really enjoyed this box; it has a nice twist which requires some knowledge of how sudo works on Linux and how simple misconfigurations can create holes in systems.
It’s worth noting that there are lots of ways to exploit this box. I’m just going to demonstrate the approach which I used.
Super small attack surface here. Just SSH and Apache.
Opening a web browser to the victim IP takes us to the site’s front page. After a little poking around on the gallery page we identify an SQL injection vulnerability in the ID parameter of the gallery.
As we can see from the URL, tampering with the ID parameter has broken the page completely. We could now manually insert UNION statements into the URL to get the data we’re interested in, or we could just use…
sqlmap is an incredible tool for automatically exploiting SQL injection vectors. As we can see below, the first command enumerates the available tables and the second dumps the contents of the gallery database.
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" --tables --dbms=mysql
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid" -D gallery --dump --dbms=mysql
On a whim we attempt to SSH to the box using the username loneferret and the password starwars, which were retrieved and cracked by sqlmap.
As usual we run “sudo -l” to see what loneferret can execute with root privileges, and it appears that the only thing he may run is “ht”, which is a text editor.
After scratching our heads for a while we realise that, because ht runs as root, we can use it to edit the “sudoers” file and allow loneferret to run any command as root.
Now that loneferret can run any command as root, we can simply “sudo su -” to become root and the box is fully compromised.
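The root cause here is a sudoers rule that hands a user an interactive editor as root. The following audit script is an added example (my own code, not part of the original walkthrough or the Kioptrix box) that parses sudoers-style rules and flags grants of editors or shells, or of ALL to non-root users; the sample sudoers content is constructed for illustration, not copied from the box.

```python
import re

# Constructed sample sudoers content (hypothetical) showing a loneferret-style
# rule: a text editor runnable as root, which can rewrite /etc/sudoers itself.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# Binaries that let the invoker write arbitrary files or spawn a shell once
# run as root. 'ht' is the editor from the walkthrough; the rest are common
# editors/pagers/shells with the same property.
EDITORS_AND_SHELLS = {"ht", "vi", "vim", "nano", "emacs", "less", "more",
                      "sh", "bash", "su"}


def audit_sudoers(text):
    """Return a list of (user, command, reason) for risky sudoers grants."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        # Shape: user  host=(runas) [TAG:]... cmd, cmd ...
        m = re.match(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", line)
        if not m:
            continue
        user, cmd_spec = m.group(1), m.group(2)
        for cmd in cmd_spec.split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            negated = cmd.startswith("!")
            parts = cmd.lstrip("!").split()
            if negated or not parts:
                continue  # a '!' entry denies rather than grants
            binary = parts[0]
            if binary == "ALL":
                if user != "root":
                    findings.append((user, binary, "unrestricted root command execution"))
            elif binary.rsplit("/", 1)[-1] in EDITORS_AND_SHELLS:
                findings.append((user, binary,
                                 "editor/shell can rewrite /etc/sudoers or spawn a root shell"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

The fix on the defensive side is to grant only the specific non-interactive command a user needs (as the rsync rule does), or to use sudoedit on a named file rather than an arbitrary editor.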
Great challenge, thoroughly enjoyed it!