KIOPTRIX: LEVEL 1.2 (#3) walkthrough

This challenge is geared towards the beginner. It is however different from the past Kioptrix machines. Author has added a few more steps, and a new skill set is required.

Finding the Vuln Machines:

Use `sudo netdiscover` to find the vulnerable machine on your network.


Enumeration

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” — Sun Tzu 🧙🏻‍♂️

sudo nmap -p- -T4 -A 192.168.103.169

Analyse the results:

  • We have 2 services — 22 (ssh) | 80 (http)
  • Apache 2.2.8 (Ubuntu) — PHP/5.2.4

More Enumeration

The SSH service is not vulnerable; the only possibility there is user enumeration. Hence, we can concentrate on port 80 to find the POI (Point Of Intrusion).

“Victory comes from finding opportunities in problems.” — Sun Tzu

I always follow 3 steps when I find a port running a web server.

  1. Go through the source code of the welcome page + robots.txt
  2. Run Nikto
  3. Run Gobuster + Dirb

Let’s go one by one…🤓

Before starting the enumeration, we have to add the target to the hosts file (/etc/hosts) as given below:

<vuln machine IP> kioptrix3.com

1. Go through the source code of the welcome page + robots.txt

This is the welcome page, and there is no robots.txt.
Powered by LotusCMS🤔

2. Run Nikto

Found the presence of phpmyadmin 2.11.3

3. Run Gobuster + Dirb

Gobuster: presence of phpmyadmin
Dirb: same result as Gobuster

Searching for POI

  1. Searchsploit

Always remember: Do not reinvent the Wheel 🤓.

From the Enumeration section, we have gathered information of the target.

  • Apache 2.2.8 + php 5.2.4
  • Ubuntu 5.6
  • lotuscms
  • phpmyadmin 2.11.3

After searching in searchsploit, I found a possible exploit -> LotusCMS

2. Searching for LFI or SQLi

No luck for me on this!😩


Exploitation

I have found that there is a metasploit module already available for LotusCMS.

Found the github exploit as well — https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh

I used the github exploit since I want things to be hard for me 🤓.

Got the shell.

(netstat -punta || ss -ntpu) -> to find the running services. I found mysql running here.

find . -type f -iname '*.php' -exec grep -l "mysql.connect" {} \; 2>/dev/null

Find the files that call the mysql_connect function, since those files may contain the credentials for mysql.

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

Here are the credentials.
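The find/grep step above is exactly what a defender should run on their own webroot before an attacker does: hardcoded database root credentials in a PHP config are a finding in their own right. The following is an added example (not from the walkthrough or the Kioptrix machine) that automates that check in Python: it walks a webroot, picks out `$GLOBALS["..."] = "..."` settings in every PHP file, pairs the username with the password, and flags any file that hardcodes a non-empty password, with a separate marker when the account is root. The sample webroot it builds is constructed: the paths, account names and password values are made up and are not the machine's real files.

```python
import os
import re
import tempfile

# What the walkthrough's find/grep pipeline looks for, expressed as regexes:
#  - a mysql_connect() call (the file opens a database connection)
#  - a $GLOBALS["..."] = "..." assignment (the style of the config found above)
MYSQL_CONNECT_RE = re.compile(r"\bmysql_connect\s*\(")
GLOBALS_RE = re.compile(
    r'\$GLOBALS\[\s*["\'](?P<key>[^"\']+)["\']\s*\]\s*=\s*["\'](?P<val>[^"\']*)["\']'
)
SECRET_HINTS = ("pass", "pwd")  # substrings of a key that mark it as a password


def scan_php_file(path):
    """Return (uses_mysql_connect, [(key, value), ...]) for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    uses_mysql = bool(MYSQL_CONNECT_RE.search(text))
    settings = [(m.group("key"), m.group("val")) for m in GLOBALS_RE.finditer(text)]
    return uses_mysql, settings


def scan_webroot(root):
    """Walk a webroot and report every PHP file that hardcodes a non-empty
    database password. Each finding records the file (relative to root), the
    username paired with it, whether the file calls mysql_connect(), and
    whether the account is root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            uses_mysql, settings = scan_php_file(path)
            username = password = None
            for key, val in settings:
                k = key.lower()
                if any(h in k for h in SECRET_HINTS):
                    password = val
                elif "user" in k:
                    username = val
            if password:  # empty or absent password: nothing to report
                findings.append({
                    "file": os.path.relpath(path, root),
                    "username": username,
                    "password": password,
                    "uses_mysql_connect": uses_mysql,
                    "is_root": username == "root",
                })
    return findings


def build_sample_webroot():
    """Create a constructed webroot in a temp directory. Nothing here is from
    the target machine: paths, accounts and passwords are made up."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        # root credentials in the $GLOBALS style shown in the walkthrough
        "app/db_config.php": (
            '<?php\n'
            '$GLOBALS["app_mysql_server"] = "localhost";\n'
            '$GLOBALS["app_mysql_database"] = "gallery";\n'
            '$GLOBALS["app_mysql_username"] = "root";\n'
            '$GLOBALS["app_mysql_password"] = "sample-secret";\n'
            'mysql_connect($GLOBALS["app_mysql_server"], '
            '$GLOBALS["app_mysql_username"], $GLOBALS["app_mysql_password"]);\n'
        ),
        # a least-privilege account: still hardcoded, but not root
        "reports/conn.php": (
            "<?php\n"
            "$GLOBALS['db_user'] = 'report_ro';\n"
            "$GLOBALS['db_pass'] = 'another-sample';\n"
            "mysql_connect('localhost', $GLOBALS['db_user'], $GLOBALS['db_pass']);\n"
        ),
        # no secrets at all
        "index.php": '<?php\n$GLOBALS["theme"] = "dark";\necho "welcome";\n',
        # not PHP, so never scanned even though it mentions a password
        "notes.txt": "db password is in the config\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        flag = "ROOT" if f["is_root"] else "user"
        print(f"[{flag}] {f['file']}: {f['username']} / {f['password']}")
```

Run it against a real document root instead of the sample by calling `scan_webroot("/var/www")`. The two findings it reports on the sample differ in severity: the `report_ro` account is a least-privilege connection, while the root account means a file-read bug anywhere in the site hands over the whole database server, which is the position the walkthrough exploits.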

Now, connect to mysql.❤️

mysql -u root -pfuckeyou gallery
Crack the password hashes found in the database.

loneferret:starwars

Try the creds with SSH 🤔

Password Reuse😵
`sudo -l` to find any sudo access

Since I had sudo access to the ht editor, I changed the sudoers file as below and got root.

Had some tough time editing..😩
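The root step works because a sudo rule for an interactive editor such as ht is, in practice, a sudo rule for ALL: an editor running as root can open /etc/sudoers. The following is an added example (not from the walkthrough) of the check an administrator would run on their own sudoers file to catch such rules. It parses user specifications (including NOPASSWD tags, negated commands and backslash continuations) and flags any non-negated command that is ALL or whose basename is in a list of binaries that can read or write arbitrary files or spawn a shell. The binary list and the sample sudoers text are assumptions: the user names and rules in it are constructed and are not the machine's real configuration.

```python
import re

# Binaries that can read/write arbitrary files or spawn a shell as the run-as
# user; a sudo rule for any of them is effectively a rule for ALL. Constructed
# list for this example (ht, the walkthrough's editor, is the case in point).
FULL_CONTROL_BINARIES = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more",
    "bash", "sh", "dash", "zsh", "python", "perl", "find",
}

# user  host=(runas) [TAG:] cmd, [TAG:] cmd ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_sudoers(text):
    """Yield one dict per user specification line. Comments, blanks, Defaults
    and alias definitions are skipped; backslash continuations are joined."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag stays in force for the commands that follow it
        commands = []
        for item in m.group("cmds").split(","):
            item = item.strip()
            while True:
                tag = TAG_RE.match(item)
                if not tag:
                    break
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
            negated = item.startswith("!")
            tokens = item.lstrip("!").split()
            commands.append({
                "path": tokens[0] if tokens else "",
                "negated": negated,
                "nopasswd": nopasswd,
            })
        yield {
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "commands": commands,
        }


def audit_sudoers(text):
    """Return a finding for every non-negated rule that amounts to full
    control of the run-as account."""
    findings = []
    for spec in parse_sudoers(text):
        for cmd in spec["commands"]:
            if cmd["negated"]:
                continue
            basename = cmd["path"].rsplit("/", 1)[-1]
            if cmd["path"] == "ALL":
                reason = "ALL grants every command"
            elif basename in FULL_CONTROL_BINARIES:
                reason = f"{basename} can edit arbitrary files or spawn a shell"
            else:
                continue
            findings.append({
                "user": spec["who"],
                "runas": spec["runas"],
                "command": cmd["path"],
                "nopasswd": cmd["nopasswd"],
                "reason": reason,
            })
    return findings


# Constructed sample; not the target machine's sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL) ALL
%admin   ALL=(ALL) ALL
webadmin ALL=(ALL) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht   # editor as root
backup   ALL=(root) /usr/bin/rsync, \\
    /bin/ls
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']} -> {f['command']} as {f['runas']} ({pw}): {f['reason']}")
```

On the sample, the root and %admin rules are reported because they grant ALL, the webadmin rule is reported because ht is an editor (and it is NOPASSWD, so no credential is even needed to use it), and the backup rule is clean: rsync and ls as given cannot rewrite sudoers. The fix for a rule like webadmin's is to grant only the specific non-interactive command the user needs, or to give edit access to a single file through `sudoedit`.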
