Kioptrix: Level 3 Walkthrough

Rafael Medeiros
Mar 28, 2021


This is the third post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.

URL: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Release date: 18 Apr 2011

Author: Kioptrix

Provided description: As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being the realm of the beginner I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one’s own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

This is the machine for today; I will walk you through the steps I took to root it.

# Scanning and Enumeration

NMAP

As always, a basic nmap scan reveals a web server:

nmap -T4 -sV <ipaddress>

  • -T4 - Timing and performance template. You can choose from 1 to 5; the higher the value, the faster the scan, but also the noisier and the easier to detect;
  • -sV - Probe open ports for service and version information;

Gobuster

Because there is a web server, it is also worth looking for subdirectories. I like to use gobuster, but feel free to use your own tool:

We have a couple of different directories there, but the one we are looking for is phpmyadmin. phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web.

# Exploiting

First of all, let’s find out what we can get from the phpmyadmin page:

Trying the default credentials (admin with no password) to see what we can manage in terms of databases:

I’m in! Unfortunately this won’t help us yet: the account has no privileges, so we can’t access any useful information. We have to find a valid user before we can start querying.

Let’s move forward and see what we can get from the web page.

If we navigate to the web page, we’ll see the following:

Going to the Login screen, we find what CMS they are using:

This is a good indicator of what we can exploit here. I tried to brute-force this login page with Burp Suite, but it didn’t work.

A quick internet search for LotusCMS exploits turns up the following:

This module exploits a vulnerability found in Lotus CMS 3.0’s Router()
function. This is done by embedding PHP code in the ‘page’ parameter,
which will be passed to an eval call, therefore allowing remote code execution.

You can also find a metasploit version here:

After downloading the file to your attacker machine, all you need to do is chmod the file to assign the ‘execute’ permission and run it against the target:

./lotusRCE.sh <ipaddress> /

where ‘/’ is the path to the CMS. If we run this against our target:

The path was found and now we are able to open a shell on the target. The script will ask you for the IP, the port, and the method the machine should use to connect back. Choose your configuration and don’t forget to start the listener on your machine. Here I used port 1337:

nc -lvp 1337

Here we go, connected to the target:

We now have to find a way to log in as a valid user. Let’s see what LinEnum.sh turns up:

Looking through these .bak files, we find a specific one called gconfig.php:

The root password of the MySQL server is hardcoded in this file. Do you remember that we still had a phpMyAdmin page open?
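The leftover .bak copy is exactly the kind of thing a defender should find before an attacker does. The following Python script, an added example that is not part of this walkthrough, walks a web root, flags files containing credential-looking PHP assignments, and marks which of them are backup copies that a web server would serve as plain text instead of executing. The directory layout, file contents, suffix list and variable-name pattern are all constructed assumptions.

```python
"""Audit a web root for leftover backup copies of configuration files that
carry hard-coded database credentials. Added example for this walkthrough, not
the walkthrough's own tooling; file names, contents and the variable-name
pattern below are constructed for illustration."""
import re
import tempfile
from pathlib import Path

# Suffixes that typically mark an editor or admin backup copy (assumption:
# extend the tuple to match your deployment's conventions).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")

# PHP-style assignment of a credential-looking variable, e.g. $dbpass = "x";
CRED_PATTERN = re.compile(
    r"""\$(?P<name>\w*(?:pass|pwd|password|secret)\w*)\s*=\s*['"](?P<value>[^'"]*)['"]""",
    re.IGNORECASE,
)


def is_backup_file(path: Path) -> bool:
    """True when the file name ends with a backup-style suffix."""
    return path.name.endswith(BACKUP_SUFFIXES)


def find_hardcoded_credentials(text: str) -> list:
    """Return (variable, value) pairs for credential-like assignments."""
    return [(m.group("name"), m.group("value")) for m in CRED_PATTERN.finditer(text)]


def audit_webroot(root: Path) -> list:
    """Walk the web root and report every file that stores a credential,
    marking whether it is a backup copy the web server would serve as text."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        creds = find_hardcoded_credentials(path.read_text(errors="replace"))
        if creds:
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "backup_copy": is_backup_file(path),
                "variables": [name for name, _ in creds],
            })
    return findings


def build_sample_webroot() -> Path:
    """Construct a small web root: a live PHP config, a forgotten .bak copy
    of it, and an ordinary page with no secrets (all contents constructed)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "gallery").mkdir()
    config = (
        "<?php\n"
        '$dbhost = "localhost";\n'
        '$dbuser = "root";\n'
        '$dbpass = "EXAMPLE_ONLY_PASSWORD";  // constructed value\n'
    )
    (root / "gallery" / "gconfig.php").write_text(config)
    (root / "gallery" / "gconfig.php.bak").write_text(config)
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        kind = "BACKUP COPY (served as text)" if finding["backup_copy"] else "live config"
        print(f"{finding['file']}: {kind}, variables {finding['variables']}")
```

The live config is reported too, because a secret in any file under the web root deserves a look; the backup copy is the urgent finding, since PHP never runs it and the server hands the source straight to whoever asks.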

# Way 1 to find users’ credentials

Well, if we try these credentials:

We are logged in as root, and we now have permission to create databases, among other things; maybe we can list the existing databases too?

If you select the gallery database, you will see the dev_accounts table, which looks like the right place to find the users’ accounts. Run the following query to list its rows:

SELECT * FROM `dev_accounts`

This is going to show the following results:

# Way 2 to find the users’ credentials

You can also get the same results using mysql from the command line:

Spawn a proper TTY shell with python:

python -c 'import pty; pty.spawn("/bin/bash")'

Log in to mysql as root:

mysql -u root -p

Now that you are logged in, run the following commands:

List the databases:

show databases;

Select the database you want to use:

use gallery;

Show the tables within it:

show tables;

Select all the rows within that table:

select * from dev_accounts;

The passwords are hashed, but they look like MD5, which is easy to crack; I used an online website called crackstation.net to do it:

Dreg’s password:

loneferret’s password:
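From the defender’s side, what made this step trivial is that dev_accounts stores bare MD5 digests: no salt and no work factor, so one precomputed table answers for every account in every database. The Python below, an added example rather than code from the walkthrough, shows that property next to a salted, iterated PBKDF2 store built from the standard library. The usernames follow the walkthrough, but the passwords and the wordlist are constructed.

```python
"""Contrast the unsalted MD5 storage found in the dev_accounts table with a
salted, iterated password hash. Added example for this walkthrough, not code
from the walkthrough; the sample accounts, passwords and wordlist are
constructed."""
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (assumption: tune to your hardware;
# higher is slower for attackers and for you alike).
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """How the table in the walkthrough stores passwords: a bare MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_table(wordlist) -> dict:
    """Precompute digest -> password for a wordlist. Because the digest is
    unsalted, one table serves every account in every database."""
    return {md5_unsalted(w): w for w in wordlist}


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated hash: a fresh random salt per account, so equal
    passwords produce different records and a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check leaks nothing through timing."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Two constructed accounts that happen to share a weak password."""
    accounts = {"dreg": "winter2011", "loneferret": "winter2011"}
    wordlist = ["password", "winter2011", "letmein"]  # constructed
    table = lookup_table(wordlist)
    md5_recovered = {user: table.get(md5_unsalted(pw)) for user, pw in accounts.items()}
    salted = {user: hash_password(pw) for user, pw in accounts.items()}
    return {
        "md5_identical": md5_unsalted(accounts["dreg"]) == md5_unsalted(accounts["loneferret"]),
        "md5_recovered": md5_recovered,
        "salted_identical": salted["dreg"] == salted["loneferret"],
        "salted_verify": verify_password("winter2011", salted["dreg"]),
        "salted_reject": verify_password("Winter2011", salted["dreg"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two MD5 records are identical and both fall to the same table lookup; the two PBKDF2 records differ even though the passwords are the same, and each one has to be attacked separately at the full iteration cost.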

# Escalating Privileges

With the users’ credentials in hand, we can log in using ssh:

ssh loneferret@<ipaddress>

I used the second user because the first one was not allowed to log in via ssh.

If we run sudo -l to see what we can run as sudo, we find the following:

We can run the ht program as root. HT is a file editor/viewer/analyzer for executables. To run it as root:

sudo ht

If you get an error like:

Error opening terminal: xterm-256color.

Simply run the following:

export TERM=xterm

The goal here is to edit /etc/sudoers and add permissions to our user to run /bin/bash as root.

Press F3 to open a file and enter /etc/sudoers:

Add a comma (,) and /bin/bash at the end of the following line:

This allows the loneferret user to run /bin/bash as root without providing a password:

sudo /bin/bash

And with that, we rooted the machine.
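Two sudoers properties did the work here: a NOPASSWD grant, and an editor that runs as root and can open /etc/sudoers itself. The Python checker below, an added example that is not part of this walkthrough, parses sudoers-style rules and reports both conditions so they can be caught in a configuration review. The sample sudoers content and the editor list are constructed assumptions, since the VM’s real sudoers file is not shown above.

```python
"""Audit sudoers rules for the two properties this walkthrough relied on:
a NOPASSWD grant, and a command that can open and rewrite arbitrary files
as root (here the ht editor, used to edit /etc/sudoers itself).
Added example, not part of the walkthrough; the sample sudoers text and the
editor list are constructed assumptions."""
import os
import re

# Constructed sudoers content modelled on the situation in the walkthrough
# (the real file on the VM is not shown there).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
loneferret  ALL=(root) NOPASSWD: /usr/local/bin/ht
backup      ALL=(root) /usr/bin/rsync
"""

# Interactive editors/viewers that let the operator choose any file to open
# and save; run as root they hand over /etc/sudoers, /etc/shadow and the like
# (assumption: extend to the tools installed on your hosts).
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "view"}

# user host=(runas) TAG: cmd1, cmd2  (tags such as NOPASSWD: are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line: str):
    """Return (user, runas, tags, [commands]) or None for non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip(":") for t in m.group("tags").split()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return m.group("user"), m.group("runas") or "root", tags, cmds


def audit_sudoers(text: str) -> list:
    """Report every rule for a user other than root that has a risky property."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, cmds = parsed
        if user == "root":
            continue
        for cmd in cmds:
            if cmd.startswith("!"):
                continue  # a denial, not a grant
            path = cmd.split()[0]
            name = os.path.basename(path)
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD: no password prompt")
            if name in FILE_EDITORS:
                reasons.append(f"{name} is an editor: as {runas} it can rewrite /etc/sudoers")
            if path == "ALL" and "NOPASSWD" in tags:
                reasons.append(f"any command as {runas}")
            if reasons:
                findings.append({"user": user, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['command']}: " + "; ".join(f["reasons"]))
```

On the constructed sample only the loneferret rule is reported, for both reasons at once; the rsync rule passes because it prompts for a password and rsync is not in the editor list. A real review would also feed in every file under /etc/sudoers.d, which this example leaves to the caller.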

# Conclusion

This was not as easy a machine as the description on Vulnhub suggests, at least for me: I had some difficulties, especially with the HT software, which I had never used before, but I learned a lot from it and I hope you did too.

If you have any questions, please leave me a comment below, I will be happy to help you out.
