Make sure to point the hosts file on your Kali box at the machine's IP.
Add an entry mapping the Kioptrix IP to kioptrix3.com.
And just to be sure, ping kioptrix3.com to confirm the name resolves to the right address.
Scanned the target with nmap:
nmap -p- -sV ipaddress
Found ports 80 and 22 open, so we have a web server and SSH available. Unless SSH is a really old version or looks funky, I'll most likely skip it. Port 80 brings us to a web page; clicking around the links you can find a login page that says it is powered by LotusCMS. So we need to Google LotusCMS and research known vulnerabilities for it. Reading the blog posts, we find information about a gallery app that was recently implemented. Nikto let us know that there was a phpMyAdmin directory as well. Let's see what we know so far.
What we have learned so far:
- Apache server on port 80
- LotusCMS (version not yet known)
- There is a post talking about some handy enumeration info
- The post leads us to look at a gallery app that was freshly implemented
- Clicking around the gallery app you can see /gallery/gallery.php?id=1, so it is talking to a database
- phpMyAdmin directory found via Nikto
From the list of what I have learned so far, I know to Google LotusCMS vulnerabilities. I immediately find an exploit that looks promising.
While looking into this I ran sqlmap against http://ipaddress/gallery/gallery.php?id=1 to see if it found any injection points, and it ended up dumping the entire database, including two users and their passwords.
Well, even though I found two users and passwords with sqlmap, I was curious to see whether the LotusCMS exploit worked. I loaded up Metasploit and tested it. It didn't work, but why? It should have. Looking closer, the URI needs to point at the web root (/), as that is where the CMS framework is hosted. Rerunning the exploit gave me a local meterpreter session. I poked around and found several interesting things, but I also wanted to see if I could SSH in as the other users I found.
Awesome, the password works and we have local access both through www and through a local user. Time for more enumeration! Let's find a way to get root.
Started looking through the user loneferret's home folder. I found a text file telling all users to use sudo ht... or else? What is ht?
Googling it, it looked like a hex editor with known vulnerabilities.
sudo ht /etc/sudoers
Cool, I can edit stuff as root.
There is a !/usr/bin/su entry in the sudoers file, but it still doesn't work after I edit it.
Using the command below, we can see that su actually lives in /bin/su, so we edit the sudoers file accordingly and then try again.
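Added here as a defender's check, not part of the original walkthrough: a small Python audit that parses sudoers user-spec lines and flags the two weaknesses this box turns on, an editor (ht) runnable as root and a `!` deny entry whose path does not match where the binary really lives. The sudoers fragment and the path lookup table are constructed; on a real host the lookup falls back to `shutil.which`.

```python
import os
import shutil

# An editor or pager run as root can open and rewrite any file, so a sudo
# rule for one of them is as good as granting ALL (the `sudo ht` case above).
FILE_EDITORS = {"ht", "vi", "vim", "nano", "less", "more"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_rules(sudoers_text):
    """Yield (user, negated, command_path) for every command in a user-spec line."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        user = left.split()[0]
        if right.lstrip().startswith("("):       # drop the "(runas)" list
            right = right.split(")", 1)[1]
        for cmd in right.split(","):
            tokens = cmd.split()
            while tokens and tokens[0].endswith(":"):  # drop tags like NOPASSWD:
                tokens.pop(0)
            if tokens:
                yield user, tokens[0].startswith("!"), tokens[0].lstrip("!")

def audit(sudoers_text, resolve=shutil.which):
    """Return findings; `resolve` maps a command name to its real path on disk."""
    findings = []
    for user, negated, path in parse_rules(sudoers_text):
        name = os.path.basename(path)
        if not negated and name in FILE_EDITORS:
            findings.append(f"{user}: {path} runs as root and can rewrite any file")
        elif negated:
            actual = resolve(name)
            # A '!' entry matches only that exact path; if the binary lives elsewhere
            # (here /bin/su rather than /usr/bin/su) the deny entry is a no-op.
            if actual and actual != path:
                findings.append(f"{user}: !{path} does not cover {actual}")
    return findings

# Constructed sudoers fragment modelled on the situation above; not the VM's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
# loneferret may run ht but is "denied" su
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""
# Constructed stand-in for `which`, so the example behaves the same on every host.
FAKE_PATHS = {"su": "/bin/su", "ht": "/usr/local/bin/ht"}.get

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SUDOERS, resolve=FAKE_PATHS)))
```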
Always read home directories.
Process of elimination is your friend.