Vulnhub virtual machine. On the path to OSCP, this box offered web-application testing with Metasploit, phpMyAdmin credential enumeration, hash cracking with Hashcat, and an interesting priv-esc that involved modifying the sudoers file.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned user risk/responsibilities.
Enumeration
Target: 192.168.56.105
Nmap Scanning
Navigating to the HTTP server on port 80
Searchsploit for the web application
Nothing of note turned up.
Checking out the source of the web application
It looks to be PHP-based, with pages loaded through index.php?page=index.
We have a username, loneferret, who was mentioned in a post in the blog section. Move on to try to brute-force SSH with that username.
Hydra Bruteforcing SSH
Important: use *-t 4*
so as not to overload the SSH server and risk some passwords not being tested.
Brute forcing inside a VM is... well, terrible.
Login page
searchsploit LotusCMS
Interesting find.
Viewing how the Metasploit module works
It manipulates the page parameter of the default page, which will be worth investigating.
Remote Code Execution
Run Metasploit and search for lotuscms
This will load up postgres and the required files to launch.
We have achieved an easy shell.
getuid returns the current user; sysinfo returns system information.
Capture /etc/passwd
The username loneferret
exists, as confirmation.
Search for any type of config file
Investigating config files
phpMyAdmin user/password discovered!
Log in to phpMyAdmin: navigate to kioptrix3.com/phpmyadmin
Access granted.
Navigating through the MySQL server to the Gallery database, I discovered dev_accounts.
Hashes captured
Determining type of hash
MD5 looks like a possible match.
Cracking hashes with Hashcat: add the hashes to hash.txt
Launch Hashcat
Hashes successfully cracked.
Connect to SSH
Perform a quick sudo -l to determine what we can su-DO (joke complimentary).
Priv-Esc
Execute sudo ht
Playing around until I discovered that *ALT+f*
is the command to move around in the application.
Modifying the sudoers file
Add /bin/sh
to loneferret and save the file.
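The sudo rule behind this priv-esc is a hardening failure: granting a user an interactive editor such as ht under sudo is a root grant in disguise, because the editor can open and rewrite /etc/sudoers itself. As an added defender-side check (my code, not part of the original writeup), the script below parses sudoers-format text and flags such rules; the SAMPLE_SUDOERS text is constructed for the example, and the RISKY_BINARIES list is an assumption to extend per host.

```python
import re

# Binaries that let the caller write any file or spawn a shell once run as root,
# so a sudo rule for them is effectively a rule for root (constructed list; extend
# it with whatever editors and pagers are installed on the host).
RISKY_BINARIES = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "dash"}

_RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
_TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)+")
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (user, command, reason) for each rule in sudoers-format text that
    hands a non-root user an unrestricted ALL or one of RISKY_BINARIES.
    Comments, Defaults, aliases and '!' negations (which grant nothing) are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        nopasswd = False
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            tags = _TAG_RE.match(cmd)
            if tags:  # a tag stays in force for the later commands on the same line
                nopasswd = "NOPASSWD:" in tags.group(0) or (nopasswd and "PASSWD:" not in tags.group(0))
                cmd = cmd[tags.end():].strip()
            if not cmd or cmd.startswith("!"):
                continue
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((m.group("user"), cmd, "unrestricted ALL"))
                continue
            if path.rsplit("/", 1)[-1] in RISKY_BINARIES:
                reason = "edits any file or spawns a shell as root"
                findings.append((m.group("user"), cmd, reason + (" without a password" if nopasswd else "")))
    return findings

# Constructed sample in sudoers syntax, not the real file from the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup     ALL=(root) /usr/bin/rsync
"""
```

Run audit_sudoers over the output of `sudo cat /etc/sudoers` (and the files under /etc/sudoers.d) as part of a baseline check; the negated !/usr/bin/su entry in the sample shows why a blacklist of one binary does not help when an editor is still allowed.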
Root
Bring me the root!
-exec