Tuesday, June 5, 2018

Kioptrix - Level 1.2 (#3)


KIOPTRIX- Level 1.2 (#3) 

- Layout for this exercise:



1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.2 (#3)

- Kioptrix Level 1.2 (#3) can be downloaded from here:

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/




- Once downloaded, extracted and opened with WMware:





2 - ENUMERATION

- First, using netdiscover let's notice that the only IP address in the local network working with WMware is 192.168.1.12, so it should correspond to the vulnerable machine Kioptrix:








- When downloading the vulnerable machine there is a text file README.txt:




- Following these directions let's modify /etc/hosts:






- Now, we can directly connect to the URL kioptrix3.com:




- Clicking the Login tab, it seems that the web application is using LotusCMS:





- Scanning for versions and the operating system with Nmap:




- dirb bruteforces directories and files on the web server: 















- We learn that there is a phpMyAdmin portal:





3 - EXPLOITATION

3.1 - Searching for a exploit

- Googling vulnerabilities for LotusCMS:




- There is a script that can be used to exploit remotely the web application:












- Copying the script to the attacker's machine:










- Setting a listening netcat session on port 5555:




- Launching the exploit, and providing parameters like the attacker's IP (192.168.1.17) and the port 5555:






- Eventually a reverse shell is achieved, though limited with non-root privileges:





3.2 - Metasploit

- Using Metasploit we achieve the same result:










4 - PRIVILEGE ESCALATION

- Let's start our privilege escalation process. 

- Going to the web root directory there is a gallery folder:




- Opening gallery we find a gconfig.php file:




- The file gconfig.php contains interesting credentials:




- Let's try these credentials to access the phpMyAdmin portal:





- The login is successful:




- Querying dev_accounts:







- We find two user accounts with their encrypted/hashed passwords:




- Using CrackStation to decrypt the hashes we get both plaintext passwords:






- Hydra can also decrypt the hashes:











- Going to the user loneferret home directory there is a .sudo_as_admin_successful:




- Also, reading the README text file we learn that the user loneferret could be related to the sudoers users:




- SSH-ing to the Kioptrix3 machine with the loneferret account:






- Option -l for sudo gives information about what commands can be used by the user: 




- In this case we learn that the user loneferret has access to the HT Editor, a program able to edit executable files:








- Locating the HT Editor:





- When using ht there is a problem with the terminal, that can be easily solved:







- Now, the HT Editor window pops up and modifications can be performed to the files:







- F3 opens /etc/sudoers:




- Adding the privilege to run /bin/sh and saving the change:




- Now, loneferret is able to run sudo /bin/sh and a root shell is achieved:




5 - CAPTURING THE FLAG


- Finally, going to the /root folder: