Kioptrix 1.2(#3) walkthrough

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Hello Everyone, this walkthrough is of 3rd series of Kioptrix VM. You can download it from here. After installing it, you need to edit your host file and point the IP to kioptrix3.com. In linux, you can edit using cat /etc/hosts.
Screenshot 2018-12-13 at 1.15.33 PM.png
As usual, I started with:

#netdiscover -r 10.0.2.0/24

Ok so I got my target IP, next started scanning with the help of nmap and ran Nikto after that for extra information.
Screenshot 2018-12-13 at 12.14.09 PM.png
Screenshot 2018-12-13 at 12.37.20 PM.png
Ok, so port 80 is running as I had already edited my host file I can redirect myself via writing IP address or kioptrix3.com in the web browser.
Screenshot 2018-12-13 at 3.58.39 PM.png
Screenshot-2018-12-13-at-12.16.12-PM.png
After little googling, I found out that LotusCMS is vulnerable and I launched my Metasploit.
Screenshot 2018-12-13 at 12.29.12 PM.png

msf>set RHOST 10.0.2.10
msf>set URI /
msf>run

I got my meterpreter session.

Config files are always intriguing for pentester. I opened gconfig.php file and BAMM got user credentials.
Screenshot 2018-12-13 at 12.35.26 PM.png
Now I will use this credential on phpmyadmin page(i got this by scanning through nikto).
 

 
Here I got 2 users with their md5 encrypted password. I decrypted cipher with the help of online available decrypter(you can also use hydra or any other tool).

dreg:Mast3r
loneferret:starwars

With the help of loneferret, I logged in via SSH.
Screenshot 2018-12-13 at 12.49.49 PM.png
 

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
loneferret@Kioptrix3:~$  

Ok so this output is saying me to “sudo ht”  but before that let me play for a while, here loneferret can run these as root without password but I need more. Let’s give shell access to loneferret and the easiest way to give this privilege was by editing  /etc/sudoers file.
Screenshot 2018-12-13 at 1.09.55 PM
Screenshot 2018-12-13 at 1.10.34 PM.png
After hitting sudo ht, I accessed /etc/sudoers and added /bin/sh. I save it and exit the file. And at last, I was ROOT.
Screenshot 2018-12-13 at 1.11.57 PM.png
Visit: Azure Skynet
Visit: Cosmic Skills
Happy Hacking:)

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top