[Vulnhub] Kioptrix 3 (1.2) Write-up

Amir Gholizadeh
5 min read · Mar 8, 2022


This article is a walkthrough of Kioptrix 3.

[image: Kioptrix 3]

Information gathering

In this phase I tried to find the IP address using nmap:

[image: find live hosts]

And the result was:

[image: kioptrix 3 IP]

So the IP address is 192.168.1.11.

Scanning

I then scanned the system for open ports:

[image: scanning for ports]

And the result:

Nmap scan report for 192.168.1.11
Host is up (0.00039s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So SSH is running, and also a web server.

Enumerating HTTP

Time to enumerate the HTTP web server.

RCE!

By visiting the web server I got to know that this is a Lotus CMS. I then searched for its exploits and found this article, which explains a remote code execution vulnerability in Lotus CMS version 3. The bug is in the page parameter of the URL, which is run through eval, which is quite dangerous.

I used Burp Suite to play with it and finally used a syntax from the article and got myself a pretty shell:

[image: exploiting]
[image: reverse shell]

LFI

This web server also has an LFI (Local File Inclusion) vulnerability too! It's a bit tricky, as I kept trying LFI on the page parameter and got nothing, because LFI doesn't work on this parameter but actually on the system parameter.

[image: testing LFI]

But nothing happened! Searching through LFI information on the OWASP website I came across this:

[image: OWASP]

which basically means I should add %00jpg at the end:

[image: success!]

SQLi

Time for SQL injection, and yes, the website has this one too! After searching through the website for an exploitable SQLi I came across this webpage:

[image: URL]

which has some interesting parameters. After adding ' to the end of the id value I got a SQL error, which indicates that this is indeed vulnerable to SQLi:

[image: vulnerable]

And so I used sqlmap to check again:

[image: running sqlmap]

Injectable indeed:

[image: vulnerable parameter]

Now, using sqlmap or even manually, we can do all sorts of stuff, which I won't do here as I'm going to go for the RCE vulnerability.
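From the defender's side, all three issues above (the page parameter that reaches eval, the null-byte LFI on the system parameter, and the quote probe on the gallery id) leave recognisable traces in the web server's access log. The following is an added example, not code from the original post or from LotusCMS: it runs simple detection rules over constructed Apache-style log lines; the parameter names come from the write-up, the regexes and sample lines are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (not taken from the post).
SAMPLE_LOG = """\
192.168.1.5 - - [08/Mar/2022:10:00:01 +0000] "GET /index.php?page=index HTTP/1.1" 200 5120
192.168.1.5 - - [08/Mar/2022:10:00:02 +0000] "GET /index.php?system=../../../../etc/passwd%00jpg HTTP/1.1" 200 1845
192.168.1.5 - - [08/Mar/2022:10:00:03 +0000] "GET /gallery/gallery.php?id=1' HTTP/1.1" 200 2301
192.168.1.5 - - [08/Mar/2022:10:00:04 +0000] "GET /index.php?page=index%27 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# LotusCMS routes on ?page= and loads templates via ?system=; a legitimate
# value for either is a bare identifier, nothing more.
IDENT_ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]+$")


def classify(line: str) -> list[str]:
    """Return the attack indicators found in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qs percent-decodes values, so %00 becomes a real NUL byte here.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    findings: list[str] = []
    for name, values in params.items():
        for value in values:
            # Null byte or traversal in any parameter: the %00jpg LFI trick.
            if "\x00" in value or "../" in value or "..\\" in value:
                findings.append(f"lfi:{name}")
            # Non-numeric id on gallery.php: the trailing-quote SQLi probe.
            if name == "id" and not value.isdigit():
                findings.append(f"sqli:{name}")
            # page/system must be identifiers; anything else heads for eval().
            if name in ("page", "system") and not IDENT_ALLOWLIST.match(value):
                findings.append(f"injection:{name}")
    return findings


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, findings) for every line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((REQUEST_RE.search(line).group("target"), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_LOG):
        print(target, "->", ", ".join(findings))
```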

Privilege Escalation

And now for privilege escalation!

After searching through the website directories I could find MySQL credentials:

[image: mysql credential]

I used them to log in to MySQL:

[image: login to mysql]

I queried the databases and selected gallery:

[image: databases]

and queried its tables:

[image: tables]

I then searched in gallarific_users:

[image: users]

I tried the credentials against the users, but they did not work, so I let it go and queried dev_accounts:

[image: dev_accounts]

I copied and pasted loneferret's hash into CrackStation:

[image: cracking hash]

The result was starwars! I used the password to log in as loneferret:

[image: login to loneferret]

I used sudo -l to see what I can do:

[image: sudo -l]

ht seems interesting! But running it I got an error, which I fixed as follows:

[image: fixing error]

Then running it again:

[image: nano]

Seems like it's nano! I used Alt to navigate to File and select Open:

[image: open]

Then I wanted to change my access in /etc/sudoers, and so:

I changed my access:

Now I can do everything as root! I checked sudo -l again:

Nice... and now for root:

And now I'm root, the one user to rule them all!

Hope you enjoyed it, and happy hacking.
