Vulnhub – Kioptrix Level 1.2 (#3) Walkthrough

So, I’m here with my third write-up, for the Vulnhub Kioptrix Level 3 challenge, continuing the series on OSCP-like machines. We usually start by doing some enumeration on services, but before that we have to find out the IP address of our machine.

Information Gathering

netdiscover will scan for all devices connected to your network, or you can use arp-scan; the choice is yours.

Arp-scan

arp-scan --interface=eth0 --localnet

Now that we have our target's IP address, let’s take a look at which services are running on that server.

Nmap

nmap -oA nmap -sC -sV 192.168.1.10

These are the services running on the target machine.

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Port 80 is running Apache httpd 2.2.8 (Ubuntu).

Let’s take a look, http://192.168.1.10

If we take a look, it’s running the lotuscms.org CMS.

SearchSploit

Exploit using Metasploit

Exploit using NetCat

Root

So, now that we have a limited shell, we’ll go for root. Find all the users and directories.

cat /etc/passwd

Now we have two users, loneferret and dreg. Let’s check inside their directories to see what they’re hiding.

Let’s first check loneferret's directory, /home/loneferret/.

“sudo ht” was interesting, but nothing really happened.

So, let’s take a look at the other user's directory. There's nothing inside dreg's directory.

There’s another directory, www; let’s see if we can find something there.

There are some files inside the /home/www directory. Since we have a login page, there should be a database config somewhere, so we can look for config settings.

find . -name '*.php' | grep config

We have found these two files; let’s see which of them leads us further.

./gallery/gconfig.php
./data/config/index.php

gconfig.php contains some creds for MySQL.

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

We didn’t have any ports open for MySQL, so I tried browsing to http://192.168.1.10/phpmyadmin and found phpMyAdmin installed. Let’s try to log in now.

It worked, and we found a database “Gallery” which contains admin creds.

That didn’t work, so I had to check other tables and found some other users in the dev_accounts table.

dreg 0d3eccfb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e

The hashes are MD5; we can identify them using hash-identifier, a tool pre-installed in Kali Linux, and we can crack them using offline and online crackers.

dreg: Mast3r
loneferret: starwars

If you notice, these users are SSH users and port 22 is already open, so we can try to log in.

This was a success. There's nothing inside the /home/dreg directory, so we’re going to check the other user and see if we can find something.

I expected to get something out of checksec.sh, but it didn’t work for me, so I ran sudo -l and found that there are two commands which can be run with sudo without a password.

Let’s try:

sudo /usr/local/bin/ht

From here, we follow the instructions to open the /etc/sudoers file and modify it so we can run other programs with sudo.
* Press F3 to open file

Add the following line in the privilege specification (reference as above)
> /bin/bash
* Press F2 to save

Now run the following to gain root access.
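
The sudo finding used in this section, seen from the audit side. This is an added example, not part of the original write-up: it scans sudoers text for rules that grant an editor or pager as root, which is the kind of entry that let ht rewrite /etc/sudoers here. The RISKY list, the simplified parsing and the sample file are assumptions; only the /usr/local/bin/ht entry comes from the page.

```python
import re

# Assumption: programs that let the invoking user edit arbitrary files when run
# as root. "ht" is the editor from this walkthrough; the others are illustrative.
RISKY = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "more"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample input; only the /usr/local/bin/ht entry mirrors the page.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: /usr/bin/stat, \\
    /usr/local/bin/ht
backup  ALL=(root) /usr/bin/vim /etc/hosts
%admin  ALL=(ALL) ALL
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines.
    Simplification: every '#' starts a comment (no #include or #uid support)."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(SKIP):
            yield line

def audit(text):
    """Return (who, command, nopasswd) for each rule granting a RISKY program."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"(\S+)\s+[^=]+=\s*(.+)$", line)
        if not m:
            continue
        who, rest = m.groups()
        nopasswd = False  # tags apply to the rest of the command list
        for spec in rest.split(","):
            spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec.strip())  # drop (runas)
            for tag in re.findall(r"\b(NOPASSWD|PASSWD):", spec):
                nopasswd = tag == "NOPASSWD"
            spec = re.sub(r"\b[A-Z_]+:\s*", "", spec).strip()
            if not spec or spec.startswith("!"):  # "!" entries are denials
                continue
            cmd = spec.split()[0]
            if cmd.rsplit("/", 1)[-1] in RISKY:
                findings.append((who, cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for who, cmd, nopasswd in audit(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} ({'NOPASSWD' if nopasswd else 'password required'})")
```

Where a user genuinely needs to edit one root-owned file, a sudoedit rule scoped to that path avoids granting the editor itself.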
