So, I’m here with my third write-up, this time for the Vulnhub Kioptrix Level 3 challenge, continuing the series of OSCP-like machines. We usually start by doing some enumeration on services, but before that we have to find out the IP address of our machine.

Information Gathering

netdiscover will scan for all devices connected to your network, or you can use arp-scan; your choice.

Arp-scan

Now that we have our target IP address, let’s take a look at which services are running on that server.

Nmap

These are the services running on the target machine.

Port 80 Running Apache httpd 2.2.8 (Ubuntu)

Let’s take a look, http://192.168.1.10

If we take a look, it’s running the lotuscms.org CMS.

SearchSploit

Exploit using Metasploit

Exploit using NetCat

Root

So, now that we have a limited shell, we’ll go for root. Find all the users and directories.

Now we have two users, loneferret and dreg; let’s check inside their directories to see what they’re hiding.

Let’s first check loneferret’s directory, /home/loneferret/.

“sudo ht” was interesting but nothing really happened.

So, let’s take a look at another user directory. Nothing inside dreg directory.

There’s another directory, www; let’s look for something there.

There are some files inside the /home/www directory. We can look for config settings: since we have a login page, there should be a database config somewhere.

We have found these two files; let’s see which of them leads us further.

gconfig.php contains some creds for MySQL.

We didn’t have any ports open for MySQL, so I tested browsing to http://192.168.1.10/phpmyadmin and found phpMyAdmin installed. Let’s try to log in now.

It worked, and we found a database “Gallery” which contains admin creds.

That didn’t work, so I had to check other tables and found some other users in the dev_accounts table.

The hashes were MD5, which we can identify using hash-identifier, a tool pre-installed in Kali Linux. We can crack them using offline and online crackers.

If you notice, these users are SSH users and port 22 is already open, so we can try to log in.

This was a success, and since there is nothing inside the /home/dreg directory, we’re going to check the other user to see if we can find something.

I expected to get something out of checksec.sh, but it didn’t work for me, so I tested sudo -l and found there are two commands which can be run as sudo without a password.

Let’s try:

From here, we follow the instructions to open the /etc/sudoers file and modify it so we can run other programs as sudo.
* Press F3 to open file

Add the following line in the privilege specification (reference as above)
> /bin/bash
* Press F2 to save

Now run the following to gain root access.
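The escalation above works because a sudoers rule lets a user run an editor (ht) as root without a password. Seen from the defender's side, here is an added example, not part of the original write-up, that audits sudoers text for such rules; the sample rules, file paths and the `RISKY` list are constructed assumptions, not values taken from the target machine.

```python
import os
import re

# Programs that can edit arbitrary files or spawn a shell; running one as root
# through sudo amounts to full root. Illustrative list (assumption), not exhaustive.
RISKY = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more", "sh", "bash"}
TAG_RE = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV)):\s*")

def audit_sudoers(text):
    """Return (user, command, reason) for each risky passwordless rule."""
    findings = []
    text = text.replace("\\\n", " ")              # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and #include
        if not line or "=" not in line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        lhs, rhs = line.split("=", 1)
        # Runas specs such as (root) are dropped: every target user is
        # treated as sensitive, which errs on the side of reporting.
        rhs = re.sub(r"\([^)]*\)", "", rhs)
        nopasswd = False                          # tags persist along the list
        for item in rhs.split(","):
            item = item.strip()
            while (m := TAG_RE.match(item)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                item = item[m.end():]
            if not item or item.startswith("!") or not nopasswd:
                continue                          # negated or password-protected
            prog = item.split()[0]
            if prog == "ALL":
                findings.append((first, item, "any command, no password"))
            elif os.path.basename(prog) in RISKY:
                findings.append((first, item, "editor/shell as root, no password"))
    return findings

# Constructed sudoers content for the example.
SAMPLE = """\
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup     ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/vim
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} ({reason})")
```

Only the passwordless editor rule is reported; the negated `su` entry and the password-protected `vim` entry are not.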