This is my third Vulnhub write-up, for the Kioptrix Level 3 challenge, continuing the OSCP-like machines series. We usually start by enumerating services, but before that we have to find the IP address of the target machine.
netdiscover will scan for all devices connected to your network, or you can use arp-scan; your choice.
arp-scan --interface=eth0 --localnet
Now that we have the target's IP address, let's take a look at which services are running on that server.
nmap -oA nmap -sC -sV 192.168.1.10
These are the services running on the target machine.
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Port 80 is running Apache httpd 2.2.8 (Ubuntu).
Let's take a look at http://192.168.1.10.
The site is running the lotuscms.org CMS (LotusCMS).
Exploit using Metasploit
Exploit using NetCat
Now that we have a limited shell, we'll go for root. First, find all the users and their home directories.
We have two users, loneferret and dreg; let's check what their directories are hiding.
Let's check loneferret first: /home/loneferret/.
“sudo ht” was interesting, but nothing really happened.
So let's take a look at the other user's directory. There is nothing inside dreg's directory.
There's another directory, www; let's look for something there.
There are some files inside the /home/www directory. Since the site has a login page, there should be a database config somewhere, so let's look for config settings.
find . -name '*.php' | grep config
We found these two files; let's see which of them leads us further.
gconfig.php contains credentials for MySQL.
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
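As a defensive counterpart to this step, here is an added example (written for this edit, not code from the original write-up or from the Gallarific/LotusCMS project): a small Python scanner that walks a web root for *.php files, like the find command above, and reports settings whose names look like secrets, with the values masked so the report itself never leaks them. The sample gconfig.php it builds is constructed from the settings quoted above with the password replaced by a placeholder; the function names and the secret-name patterns are my own choices.

```python
"""Scan a web root for PHP config files that hard-code credentials.

Added example (not from the original write-up): a defensive check that
mirrors the manual `find . -name '*.php' | grep config` step, but instead
of just listing files it reports which settings look like secrets so they
can be moved out of the web root (or into a vault) and rotated.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Setting names that usually hold a secret; matched case-insensitively.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|api_?key|private_?key)", re.I)

# Two assignment shapes common in PHP configs:
#   $GLOBALS["gallarific_mysql_password"] = "...";
#   $db_pass = '...';
ASSIGN_RE = re.compile(
    r"""\$(?:GLOBALS\s*\[\s*['"](?P<gkey>[^'"]+)['"]\s*\]|(?P<vkey>\w+))"""
    r"""\s*=\s*['"](?P<value>[^'"]*)['"]\s*;"""
)


def find_secret_assignments(php_source: str) -> List[Tuple[str, str]]:
    """Return (setting_name, masked_value) for every secret-looking assignment."""
    hits = []
    for m in ASSIGN_RE.finditer(php_source):
        key = m.group("gkey") or m.group("vkey")
        if SECRET_KEY_RE.search(key):
            value = m.group("value")
            # Keep only the first character so the report never contains the secret.
            masked = value[:1] + "*" * (len(value) - 1) if value else "<empty>"
            hits.append((key, masked))
    return hits


def scan_web_root(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk `root` for *.php files and report secret assignments per relative path."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_secret_assignments(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample: the gconfig.php settings quoted in the write-up, with a placeholder password.
SAMPLE_GCONFIG = '''<?php
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "PLACEHOLDER_PASSWORD";
'''


def demo_scan() -> Dict[str, List[Tuple[str, str]]]:
    """Write the constructed sample into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "gallery"))
        with open(os.path.join(tmp, "gallery", "gconfig.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GCONFIG)
        return scan_web_root(tmp)


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for key, masked in hits:
            print(f"{path}: {key} = {masked}")
```

The scanner only flags the password setting here; the username and server are not secrets, but a world-readable config under /home/www is still the real problem, so the fix is to move the file outside the document root, restrict its permissions, and rotate the exposed password.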
We didn't see any open MySQL port, so I tried browsing to http://192.168.1.10/phpmyadmin, found phpMyAdmin installed, and tried to log in with these credentials.
It worked, and we found a database “Gallery” which contains admin credentials.
Those didn't work, so I had to check the other tables and found some other users in the dev_accounts table.
dreg       0d3eccfb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e
The hashes are MD5, which we can identify using hash-identifier, a tool pre-installed in Kali Linux, and crack with offline or online crackers.
dreg: Mast3r
loneferret: starwars
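To show the identification step in code, and why unsalted MD5 made these hashes crackable in the first place, here is an added example (not from the original write-up): it classifies digests by length and prefix the way hash-identifier does, runs that over the two dev_accounts hashes quoted above, and contrasts the CMS's unsalted MD5 storage with salted, iterated PBKDF2. The plaintext password used in the demo and all function names are constructed for this example.

```python
"""Identify hash formats in a leaked credential table and show why
unsalted MD5 is a weak way to store passwords.

Added example (not from the original write-up). The two digests in
DEV_ACCOUNTS are the dev_accounts values quoted in the write-up; the
demo password is constructed.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Tuple

# Length/alphabet heuristics similar to what hash-identifier applies to bare hex digests.
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HEX_LENGTHS = {
    32: "MD5 (or another 128-bit digest)",
    40: "SHA-1",
    64: "SHA-256",
    128: "SHA-512",
}


def identify_hash(digest: str) -> str:
    """Guess the digest family: crypt-style '$' prefixes first, then length of bare hex."""
    digest = digest.strip()
    if digest.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if digest.startswith("$6$"):
        return "sha512crypt"
    if digest.startswith("$5$"):
        return "sha256crypt"
    if digest.startswith("$1$"):
        return "md5crypt"
    if _HEX.match(digest) and len(digest) in _HEX_LENGTHS:
        return _HEX_LENGTHS[len(digest)]
    return "unknown"


# Copy of the leaked table (user -> stored hash) as quoted in the write-up.
DEV_ACCOUNTS: Dict[str, str] = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}


def audit_table(table: Dict[str, str]) -> Dict[str, str]:
    """Map each account to its detected hash family so weak storage stands out."""
    return {user: identify_hash(h) for user, h in table.items()}


def unsalted_md5(password: str) -> str:
    """How the CMS stored passwords: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, iterated storage: returns (salt, digest); every call picks a fresh salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for user, family in audit_table(DEV_ACCOUNTS).items():
        print(f"{user}: {family}")
    # Two accounts with the same (constructed) password: unsalted MD5 gives identical rows,
    # so one cracked row reveals every account that shares it; PBKDF2 with a fresh salt does not.
    print(unsalted_md5("Password1") == unsalted_md5("Password1"))
    s1, d1 = pbkdf2_store("Password1")
    s2, d2 = pbkdf2_store("Password1")
    print(d1 != d2, pbkdf2_verify("Password1", s1, d1))
```

The length heuristic is only a guess (NTLM and MD4 are also 32 hex characters), which is why hash-identifier reports candidates rather than a certainty; the storage contrast is the part that matters for a fix: a per-user salt plus an iterated or memory-hard function is what stops cheap offline cracking of a dumped table.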
Notice that these are system (SSH) users and port 22 is open, so we can try to log in.
This was a success. There is nothing inside the /home/dreg directory, so we'll check the other user to see if we can find something.
I expected to get something out of checksec.sh, but that didn't work for me, so I ran sudo -l and found two commands that can be run with sudo without a password.
From here, we follow the instructions to open the /etc/sudoers file with ht and modify it so we can run other programs with sudo:
* Press F3 to open file
Add the following line in the privilege specification (reference as above)
* Press F2 to save
Now run the following to gain root access.
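Because the root path here is a password-less sudo entry for an interactive editor, here is an added example from the defender's side (not from the original write-up): a Python audit that parses sudoers user specifications and flags NOPASSWD commands that give effectively unrestricted root, such as editors, pagers and shells, since any of them can rewrite /etc/sudoers exactly as this walkthrough does. The sample sudoers content is constructed; the /usr/local/bin/ht path and the list of risky programs are assumptions, not values taken from the page.

```python
"""Audit sudoers rules for password-less entries that amount to full root.

Added example (not from the original write-up). The sample rules are
constructed; the ht path is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List

# Programs that open or write arbitrary files or spawn a shell, so NOPASSWD root
# access to them is equivalent to unrestricted root. ht (the editor used in the
# write-up) belongs in this group; the list is illustrative, not exhaustive.
EDITORS_AND_SHELLS = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more",
    "sh", "bash", "zsh", "python", "perl",
}


@dataclass
class SudoRule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: List[str]


# user  host=(runas) TAG: cmd1, cmd2   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user-specification lines; comments, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(
            user=m.group("user"),
            host=m.group("host"),
            runas=m.group("runas") or "root",   # sudo defaults to root when no runas is given
            nopasswd="NOPASSWD:" in m.group("tags"),
            commands=cmds,
        ))
    return rules


def risky_rules(rules: List[SudoRule]) -> List[str]:
    """One finding per NOPASSWD command that yields effectively unrestricted root."""
    findings = []
    for r in rules:
        if not r.nopasswd:
            continue
        for cmd in r.commands:
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary
            if cmd == "ALL" or prog in EDITORS_AND_SHELLS:
                findings.append(
                    f"{r.user}: NOPASSWD {cmd} as {r.runas} "
                    f"(unrestricted root: can edit any file, including /etc/sudoers)"
                )
    return findings


# Constructed sample modelled on the sudo -l finding in the write-up; the ht path is assumed.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
loneferret ALL=NOPASSWD: /usr/local/bin/ht
dreg ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for finding in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

Run against a real host, the check is the same reasoning sudo -l invites from the attacker's side, applied before they do: any NOPASSWD rule for a program that can open arbitrary files should be removed or replaced with a narrowly scoped wrapper, and /etc/sudoers itself should only ever be changed through visudo, which validates the syntax and is not an interactive editor an attacker can drive.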