KIOPTRIX: LEVEL 1.2 (#3) walkthrough
This challenge is geared towards the beginner. It is however different from the past Kioptrix machines. Author has added a few more steps, and a new skill set is required.
Finding the Vuln Machines:
Use sudo netdiscover to find the vulnerable machine on your network.
Enumeration
“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” — Sun Tzu 🧙🏻♂️
sudo nmap -p- -T4 -A 192.168.103.169
Analyse the results:
- We have 2 services: 22 ssh | 80 http
- Apache 2.2.8 (ubuntu) — PHP/5.2.4
More Enumeration
The SSH service is not vulnerable; the only possibility there is user enumeration over SSH. Hence, we can concentrate on port 80 to find the POI (Point Of Intrusion).
“Victory comes from finding opportunities in problems.” — Sun Tzu
I always follow 3 steps when I find a port running a web server.
- Go through the source code of the welcome page + robots.txt
- Run Nikto
- Run Gobuster + Dirb
Let’s go one by one…🤓
Before starting the enumeration, we have to edit the hosts file as given below.
<vuln machine IP> kioptrix3.com
1. Go through the source code of the welcome page + robots.txt
2. Run Nikto
3. Run Gobuster + Dirb
Searching for POI
1. Searchsploit
Always remember: Do not reinvent the Wheel 🤓.
From the Enumeration section, we have gathered information of the target.
- Apache 2.2.8 + php 5.2.4
- Ubuntu 5.6
- lotuscms
- phpmyadmin 2.11.3
After searching in searchsploit, I found a possible exploit -> LotusCMS
2. Searching for LFI or SQLi
No luck for me on this! 😩
Exploitation
I have found that there is a metasploit module already available for LotusCMS.
Found the github exploit as well — https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
I used the GitHub exploit since I want things to be hard for me 🤓.
(netstat -punta || ss -ntpu) -> To list the listening services. I found MySQL running here.
find . -type f -iname '*.php' -exec grep -l "mysql.connect" {} \; 2>/dev/null
Find the PHP files that call the mysql_connect function, since they are likely to contain the MySQL credentials.
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
Here are the credentials.
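As an added example (not part of the original walkthrough), the Python script below does the same hunt for hard-coded MySQL credentials in PHP files from a defender's side: it walks a web root, parses $GLOBALS["..."] and $var = "..." assignments, flags credential-looking keys with the password masked, and notes whether the file calls mysql_connect. The web root, file name and values it creates are constructed sample data.

```python
import os
import re
import tempfile

# Matches  $GLOBALS["name"] = "value";  and  $name = 'value';
ASSIGN_RE = re.compile(
    r"""\$(?:GLOBALS\s*\[\s*["']([A-Za-z0-9_]+)["']\s*\]|([A-Za-z_][A-Za-z0-9_]*))"""
    r"""\s*=\s*["']([^"']*)["']\s*;""")
CONNECT_RE = re.compile(r"mysqli?_connect\s*\(")
# Heuristic key fragments that usually denote connection settings.
SENSITIVE = ("password", "passwd", "pass", "username", "user", "server", "host", "database")

def mask(value):
    """Keep the first character only, so the report itself does not leak the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

def scan_php_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in ASSIGN_RE.finditer(text):
        name, value = (m.group(1) or m.group(2)).lower(), m.group(3)
        if value and any(tok in name for tok in SENSITIVE):
            shown = mask(value) if "pass" in name else value
            findings.append({"name": name, "value": shown})
    return findings, bool(CONNECT_RE.search(text))

def scan_webroot(root):
    """Return one entry per PHP file that holds credential-like assignments."""
    report = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(".php"):
                p = os.path.join(dirpath, f)
                findings, connects = scan_php_file(p)
                if findings:
                    report.append({"file": p, "mysql_connect": connects, "findings": findings})
    return report

# Constructed sample config, modelled on the assignment style found in the walkthrough.
SAMPLE_CONFIG = """<?php
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "s3cr3t-example";
$link = mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"]);
"""

def demo():
    """Build a throwaway web root (constructed, hypothetical paths) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "gallery"))
        with open(os.path.join(root, "gallery", "config.php"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello';")
        return scan_webroot(root)
```

Run demo() to see the report; only the config file is listed, with the password shown as "s*************".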
Now, connect to mysql.❤️
mysql -u root -pfuckeyou gallery
loneferret:starwars
Try the creds with SSH 🤔
Since I had sudo access to the ht editor, I changed the sudoers file as below and got root.