Vulnhub virtual machine. On the path to OSCP, this box offered web-application testing with Metasploit, phpMyAdmin credential enumeration, hash cracking with Hashcat, and an interesting privilege escalation that involved modifying the sudoers file.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Navigating to the HTTP server on port 80
searchsploit for the web application
Nothing of note turned up.
Checking out the source of the web application
Looks to be based on PHP, with index.php?page=index.
We have a username:
loneferret, who was mentioned in a blog section post. Move to try to brute-force SSH with that username.
Hydra brute-forcing SSH
Important: use
*-t 4* so as not to overload the SSH server and risk some passwords not being tested.
Brute forcing inside a VM is… well, terrible.
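From the blue-team side, the Hydra run above leaves a very recognisable trace in sshd's auth log: a burst of "Failed password" lines from one source, often several in the same second because of the parallel threads, followed by an "Accepted" line if a guess lands. The script below is an added example (not from the original post) that parses constructed auth.log lines, flags any source over a failure threshold, lists the usernames it tried, and raises a separate alert when that source then logs in successfully. The hostname, addresses and timestamps in the sample are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd entries in auth.log format (not taken from the original post).
# 192.168.56.101 hammers one account, then logs in; 192.168.56.50 is a single typo.
SAMPLE_AUTH_LOG = """\
Apr 12 10:01:02 kioptrix3 sshd[2101]: Failed password for loneferret from 192.168.56.101 port 40210 ssh2
Apr 12 10:01:02 kioptrix3 sshd[2102]: Failed password for loneferret from 192.168.56.101 port 40211 ssh2
Apr 12 10:01:03 kioptrix3 sshd[2103]: Failed password for loneferret from 192.168.56.101 port 40212 ssh2
Apr 12 10:01:03 kioptrix3 sshd[2104]: Failed password for invalid user admin from 192.168.56.101 port 40213 ssh2
Apr 12 10:01:04 kioptrix3 sshd[2105]: Failed password for loneferret from 192.168.56.101 port 40214 ssh2
Apr 12 10:01:05 kioptrix3 sshd[2106]: Accepted password for loneferret from 192.168.56.101 port 40215 ssh2
Apr 12 10:05:00 kioptrix3 sshd[2150]: Failed password for loneferret from 192.168.56.50 port 51000 ssh2
Apr 12 10:09:00 kioptrix3 sshd[2160]: Accepted publickey for loneferret from 192.168.56.50 port 51001 ssh2
"""

# "invalid user" appears when the account does not exist; both forms count as a failure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")


def analyse_auth_log(text, threshold=4):
    """Return sources with >= threshold failures, the usernames they tried,
    and any successful login from a source that had already crossed it."""
    failures = Counter()
    usernames = defaultdict(set)
    success_after_bruteforce = {}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            usernames[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            # A success right after a burst of failures means a credential was guessed.
            if failures[src] >= threshold:
                success_after_bruteforce.setdefault(src, []).append(user)
    suspects = {src: n for src, n in failures.items() if n >= threshold}
    return {
        "suspects": suspects,
        "usernames_tried": {src: sorted(usernames[src]) for src in suspects},
        "success_after_bruteforce": success_after_bruteforce,
    }


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for src, n in report["suspects"].items():
        print(f"{src}: {n} failures, usernames tried {report['usernames_tried'][src]}")
    for src, users in report["success_after_bruteforce"].items():
        print(f"ALERT: {src} logged in as {users} after crossing the failure threshold")
```

In practice the threshold would be applied per time window (fail2ban does exactly this) and the "accepted after failures" case is the one worth paging on, since it means the account is now compromised rather than merely under attack.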
Viewing how the Metasploit vulnerability works
The exploit manipulates the page parameter of the default page, which will be worth investigating.
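The application-side lesson from a page parameter that can be manipulated into code execution is that the request value should never be spliced into an include or eval at all; it should only ever select from a fixed set of templates. The code below is an added example, not LotusCMS code: a hypothetical allowlist resolver, plus a sweep over constructed access-log lines that reuses the same allowlist to surface requests whose page value the application would never have served. The template paths, addresses and log lines are assumptions made up for the demo.

```python
import logging
import re
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("pageloader")

# Hypothetical allowlist: the only page names the application will serve,
# each mapped to a fixed template file. The request value is used purely as a
# dictionary key, never concatenated into a path or handed to include()/eval(),
# so traversal sequences, null bytes and code fragments simply fail the lookup.
PAGE_TEMPLATES = {
    "index": "templates/index.php",
    "blog": "templates/blog.php",
    "gallery": "templates/gallery.php",
}
MAX_LEN = 32


def resolve_page(requested, default="index"):
    """Return the template for ``requested`` or raise ValueError."""
    if requested is None or requested == "":
        requested = default
    if not isinstance(requested, str) or len(requested) > MAX_LEN:
        log.warning("rejected page parameter: bad type or length")
        raise ValueError("invalid page")
    template = PAGE_TEMPLATES.get(requested)
    if template is None:
        # %r keeps control characters visible in the log line.
        log.warning("rejected page parameter: %r", requested)
        raise ValueError("unknown page")
    return template


def is_valid_page(requested):
    try:
        resolve_page(requested)
        return True
    except ValueError:
        return False


# Constructed access-log lines in common log format (not from the original post).
SAMPLE_ACCESS_LOG = """\
192.168.56.1 - - [12/Apr/2019:10:20:01 +0000] "GET /index.php?page=index HTTP/1.1" 200 4213
192.168.56.1 - - [12/Apr/2019:10:20:05 +0000] "GET /index.php?page=blog HTTP/1.1" 200 5120
192.168.56.101 - - [12/Apr/2019:10:31:44 +0000] "GET /index.php?page=index%3Bid HTTP/1.1" 200 4213
192.168.56.101 - - [12/Apr/2019:10:31:50 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2309
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_suspicious_page_requests(text):
    """Return (source, decoded page value) for every request whose page
    parameter is outside the allowlist; parse_qs does the percent-decoding."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("page", []):
            if not is_valid_page(value):
                hits.append((src, value))
    return hits


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for src, value in find_suspicious_page_requests(SAMPLE_ACCESS_LOG):
        print(f"{src} requested page={value!r}")
```

The same allowlist serves both purposes: the resolver refuses anything outside it, and the log sweep turns every refusal into something a SOC can count per source.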
Remote Code Execution
Run Metasploit and search for lotuscms
This will load up PostgreSQL and the required files to launch.
We have achieved an easy shell.
getuid gets the user; sysinfo gets system information.
loneferret exists, as confirmation.
Search for any type of config files
Investigating config files
phpMyAdmin user/password discovered!
Log in to phpMyAdmin: navigate to kioptrix3.com/phpmyadmin
Navigating through the MySQL server to the Gallery database, the following was discovered
Determining the type of hash
MD5 looks like a possible match.
Cracking hashes with Hashcat: add the hashes to hash.txt
Hashes successfully cracked.
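Two things are worth taking away from the hash-cracking step: how the hash type was guessed in the first place, and why unsalted MD5 fell so quickly. The code below is an added example, not from the original post. It classifies a hash the same rough way hashid-style tools do (by crypt prefix or by hex length, which cannot tell MD5 from NTLM or MD4), then contrasts an MD5 store, where the same password always produces the same digest so one table or one Hashcat run covers every user, with a salted PBKDF2-HMAC-SHA256 store from the standard library, where the same password yields a different stored value every time and verification is deliberately slow. The iteration count is my choice, in line with current OWASP guidance for that construction.

```python
import hashlib
import hmac
import os
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def guess_hash_type(h):
    """Rough classification by prefix or length. The result is a candidate
    mode to try, not a certainty: 32 hex chars fits MD5, NTLM and MD4 alike."""
    h = h.strip()
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if HEX_RE.match(h):
        return {32: "md5-like (MD5/NTLM/MD4)", 40: "sha1-like",
                64: "sha256-like", 128: "sha512-like"}.get(len(h), "unknown raw hash")
    return "unknown"


def md5_store(password):
    """The weak scheme found on the box: unsalted, fast, identical for equal inputs."""
    return hashlib.md5(password.encode()).hexdigest()


# What a defender would want instead: a random per-user salt and a slow
# derivation. 600k iterations of PBKDF2-HMAC-SHA256 is the OWASP figure at
# the time of writing (assumption: adjust to current guidance).
ITERATIONS = 600_000


def pbkdf2_store(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = md5_store("password")
    print(f"{weak} -> {guess_hash_type(weak)}")
    print("same password, same MD5:", md5_store("password") == weak)
    a, b = pbkdf2_store("password"), pbkdf2_store("password")
    print("same password, different PBKDF2 records:", a != b)
    print("verify ok:", pbkdf2_verify("password", a), "wrong:", pbkdf2_verify("Password", a))
```

The salt is what defeats precomputed tables and forces one cracking run per user; the iteration count is what turns each of those runs from microseconds into a meaningful cost. Hashcat supports PBKDF2 too, so the slow KDF raises the price of a guess rather than removing the attack, which is exactly the point.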
Connect to SSH
Perform a quick sudo -l to determine what we can su-DO (complimentary joke).
Execute sudo ht
Playing around until discovered:
*ALT+F* is the key combination to move around in the application.
Modifying the sudoers file
Add /bin/sh to loneferret's entry && save the file
Bring me the root!
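The privilege escalation works because sudo granted an interactive editor: anything that can write an arbitrary file as root can rewrite /etc/sudoers, and a negated entry like !/usr/bin/su is a blocklist that does nothing about that. The audit script below is an added example (not from the original post or the box itself) that parses a constructed sudoers fragment and flags the grants a hardening review should catch: passwordless ALL, negated entries, and commands with a documented shell or file-write escape. The sample file contents and the escape list are assumptions; the list is illustrative rather than exhaustive.

```python
import re

# Constructed sample sudoers content for the demo (not the box's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup      ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# Programs with a documented way to spawn a shell or write an arbitrary file
# from inside them; granting any of these via sudo is effectively granting root.
# Illustrative set, not an exhaustive one.
SHELL_OR_EDITOR = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "sh", "bash"}

# user  hosts=(runas) cmdspec   -- runas is optional
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def audit_sudoers(text):
    """Return a list of (lineno, user, command, issue) for risky grants."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        user, _hosts, _runas, cmdspec = m.groups()
        if user == "root":
            continue
        nopasswd = "NOPASSWD:" in cmdspec
        for cmd in (c.strip() for c in TAG_RE.sub("", cmdspec).split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                if nopasswd:
                    findings.append((lineno, user, cmd,
                                     "passwordless root: NOPASSWD combined with ALL"))
                continue
            if cmd.startswith("!"):
                findings.append((lineno, user, cmd,
                                 "negated entry is a blocklist and gives no real protection"))
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in SHELL_OR_EDITOR:
                findings.append((lineno, user, cmd,
                                 f"{name} can edit files or spawn a shell as root "
                                 "(e.g. rewrite /etc/sudoers)"))
    return findings


if __name__ == "__main__":
    for lineno, user, cmd, issue in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user} -> {cmd}: {issue}")
```

The fix on the defending side is to grant the narrowest possible command (and, for editors specifically, to use sudoedit, which copies the file out and back rather than running an editor as root), and to keep /etc/sudoers and /etc/sudoers.d under integrity monitoring so an unexpected change like the one in this walkthrough is noticed.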