🖥️Walkthrough / Kioptrix Level 1.2🖥️

in #security, 7 years ago (edited)

So, going back to popping these vulnerable VMs, on to Kioptrix Level 3.

Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011

Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358
Vulnhub: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

🔥HOST DISCOVERY🔥

ARP

arp-scan -l

ping

ping 192.168.0.20

The box is up and responding

🔥PORT SCANNING🔥

TCP

nmap -sS -A -sC -sV -O -p0- 192.168.0.20 -oA nmap_tcp_full_ver_sV

UDP

nmap -sU -n 192.168.0.20 -oA nmap_udp_def

hmmm nothing for UDP then

🔥SERVICE ENUMERATION 🔥

22 - ssh

ssh 192.168.0.20

80 - http

http://192.168.0.20

Has a login page

http://192.168.0.20/index.php?system=Admin

From this we identify the platform as LotusCMS.

nikto -h 192.168.0.20

A few more bits found with nikto

http://192.168.0.20/phpmyadmin/

phpmyadmin - 2.11.3.0

🔥EXPLOITATION🔥

Looking through metasploit we find a likely exploit

exploit/multi/http/lcms_php_exec

Execution of the exploit gives us a shell with www-data permissions

🔥PRIV ESCALATION🔥

Looking around the file system

I found the user loneferret, so I decided to try brute-forcing SSH using hydra. More on this later.

Gconfig.php has MySQL creds stored in clear text, which will be useful.

Checking back on my brute-forcing a little later, we have a hit.

hydra -e nsr -l loneferret -P /usr/share/wordlists/rockyou.txt -t 4 192.168.0.20 ssh

Now SSH'd in as loneferret:starwars

sudo ht
gives us an error, but with a bit of Google-fu we find a quick fix:
https://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color

Once we get it working we are faced with this screen.

After fighting with the GUI and figuring out how to use it, I open /etc/sudoers using alt+f.

I added , /bin/sh to the end so we can bump to root.

Try again

got root 😎😎😎
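
The step above works because a sudo rule for an editor lets the user rewrite /etc/sudoers, so it is equivalent to a rule for everything. As an added example (not part of the original walkthrough), this Python audit parses sudoers text and lists such root-equivalent grants; the sample rules, the paths in them and the RISKY set are constructed assumptions.

```python
import os
import re

# Programs that can write arbitrary files or start a shell, so sudo rights on
# them equal root. "ht" is from the walkthrough; the rest is an assumption.
RISKY = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "more", "man",
         "sh", "bash", "find", "awk", "perl", "python", "tar", "tee", "cp"}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers content, not copied from the VM.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias EDITORS = /usr/bin/vim, /bin/nano
%admin ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, \\
    /usr/local/bin/ht
backup ALL=(root) /usr/bin/rsync, EDITORS
"""

def audit(sudoers_text):
    """Return sorted (who, command, nopasswd) tuples for root-equivalent grants."""
    text = re.sub(r"\\\n", " ", sudoers_text)          # join continued lines
    rules, aliases = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#",) + SKIP) or "=" not in line:
            continue                                    # comments, Defaults, blanks
        left, _, right = line.partition("=")
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = [c.strip() for c in right.split(",")]
        else:
            rules.append((left.split()[0], right))
    findings = set()
    for who, spec in rules:
        spec = re.sub(r"\([^)]*\)", "", spec)           # drop (runas); assume root
        nopasswd = False                                # tags carry over to later items
        for item in (i.strip() for i in spec.split(",")):
            while (tag := re.match(r"([A-Z_]+):\s*", item)):   # NOPASSWD:, PASSWD:, ...
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                item = item[tag.end():]
            for cmd in aliases.get(item, [item]):       # expand Cmnd_Alias names
                if not cmd or cmd.startswith("!"):      # a negated entry grants nothing
                    continue
                name = cmd.split()[0]
                if name == "ALL" or os.path.basename(name) in RISKY:
                    findings.add((who, name, nopasswd))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a real host, feed it the contents of /etc/sudoers and any included files; entries flagged with NOPASSWD are the ones a stolen or guessed account can use without knowing the password again.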

Please follow me @shifty0g


Great write up! Voted and followed!
If you have not seen it yet, check out vulnhub.com for more vulnerable-by-design challenges.

Thank you for the upvote :)
