Kioptrix level 1.2 (Kioptrix level 3) walkthrough - My Path To OSCP
This is my 3rd blog post about my preparation for OSCP, which I'm practicing from TJnull's Vulnhub VM list. You can check out the full VM list here.
Let's Begin:
First, import the VM into your favourite virtualization software and get the IP address of the VM. You can get the VM from here. If you have any problem getting the IP address, assign a new network adapter to the Kioptrix VM and then remove the first network adapter. If you need the command to find the IP address of the VM, check my first blog post here.
Now that we have our IP and the VM is up and running, let's start with reconnaissance.
Reconnaissance
Let's start with an nmap scan. We will do it @ippsec style.
sudo nmap -sC -sV -oA nmap/kioptrix3 192.168.28.131
- -sC : For the default scripts
- -sV : For version detection
- -oA : For output in all formats to the path nmap/kioptrix3
We got only two ports open:
- port 22, i.e. SSH
- port 80, i.e. the web service
Now, before checking out the web page, let's do a quick gobuster directory scan.
Enumeration:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.28.131 -x php,txt,html -t 10
- dir : For directory and file brute-forcing mode
- -w : For the wordlist path
- -u : For the target URL
- -x : For the file extensions to append
- -t : For the thread count
We got a bunch of directory endpoints, and a phpMyAdmin login is also exposed. Now let's visit the web page.
We can see three sections: home, blog and login. There is nothing here, so let's check the other sections.
Here we found a link to the gallery section of the site, which points at a hostname rather than the IP. Then add this hostname with the VM's IP to our hosts file.
sudo vi /etc/hosts
Now let's check the login page.
From the login page we found that it is using LotusCMS. Let's check for any exploits for this software.
We found a Metasploit exploit for this. Let's run the exploit.
But it didn't work for me. Now let's search Google for any available exploits. I got an exploit written by Hood3dRob1n. You can get the exploit here: https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh . Now let's start a netcat listener and run the exploit.
It requires the remote host IP as the first parameter.
Next it asks for the attacker IP, a port to listen on, and the method to use for the connect-back.
Now we have a shell; let's upgrade the shell with python. Let's check what we have in there.
We found the phpMyAdmin credentials in the gconfig.php file in the gallery directory. Let's log in and check it.
We got some SSH credentials with usernames in the dev_accounts table in the database; we got two users, dreg and loneferret. Let's crack the hashes to get the plaintext passwords. As a first step I always prefer crackstation to crack them.
And we got the passwords. Let's log in. From the dreg user we got nothing in that account. Now, logging in as the loneferret user, we found a readme file about root usage.
The sudo user can use the ht program; ht is a hex editor. Let's open up the hex editor. At first it shows an error; exporting the TERM variable fixes the issue.
Now let's open the sudoers file and edit the sudo entry to a program of our choice. In the ht editor press F3 to open a file. The path to the sudoers file is /etc/sudoers.
I have added /bin/bash to the sudoers file, but you can use any program of your choice.
And we got a root shell.
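The root path above hinges on one sudo rule: a non-root user is allowed to run a hex editor as root, and any editor that can write arbitrary files can rewrite /etc/sudoers. The following added example (not from the original post) audits a sudoers file for that pattern from the defender's side; the sudoers excerpt and the list of file-writing editors are constructed assumptions for the example, not the box's real file.

```python
import re
# Programs that let the caller write arbitrary files as root (assumed list, not exhaustive).
FILE_WRITING_EDITORS = {"ht", "vi", "vim", "nano", "less", "more", "emacs"}

# Constructed sample in the shape the walkthrough describes; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg       ALL=(ALL) /usr/bin/apt-get update
"""

# user host=(runas) [TAG:] cmd, cmd ...   (alias, Defaults and #include lines are skipped)
_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) for every command in every user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        if not (m := _SPEC.match(line)):
            continue
        runas = m.group("runas") or "root"   # no (runas) part means the command runs as root
        nopasswd = False
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # A NOPASSWD:/PASSWD: tag applies to its command and to every later one on the line.
            while ":" in cmd and cmd.split(":", 1)[0].isupper():
                tag, cmd = (s.strip() for s in cmd.split(":", 1))
                nopasswd = tag == "NOPASSWD" or (nopasswd and tag != "PASSWD")
            if not cmd or cmd.startswith("!"):   # empty or negated entries grant nothing
                continue
            yield m.group("user"), runas, nopasswd, cmd

def audit_sudoers(text):
    """Return findings for non-root users who get a file-writing editor (or everything) as root."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if user == "root":
            continue
        prog = cmd.split()[0]   # the program is the first token; any arguments follow it
        if prog.rsplit("/", 1)[-1] in FILE_WRITING_EDITORS and runas.split(":")[0] in ("root", "ALL"):
            tag = " (NOPASSWD)" if nopasswd else ""
            findings.append(f"{user}: {prog} as {runas} can rewrite /etc/sudoers{tag}")
        elif cmd == "ALL":
            findings.append(f"{user}: unrestricted sudo as {runas}")
    return findings
```

Run audit_sudoers over the contents of /etc/sudoers (and each file under /etc/sudoers.d) to list the entries worth replacing with a narrowly scoped command.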
There is another way of getting the SSH credentials: dumping the SQL database using sqlmap. The gallery section of the web page is vulnerable to SQL injection, which makes it possible to dump the database with sqlmap. I haven't covered that part here, but you can try it. After getting the SSH credentials everything else remains the same.
Key Learnings From this BOX:
- Always check for multiple approaches to solving the challenge.
- Sometimes a Metasploit exploit will not work; in that case check for publicly available exploits.