Kioptrix 1.2(#3) walkthrough


Hello everyone, this walkthrough covers the third VM in the Kioptrix series. You can download it from here. After installing it, you need to edit your hosts file and point the IP to kioptrix3.com. In Linux, you can edit using cat /etc/hosts.
As usual, I started with:

#netdiscover -r 10.0.2.0/24

OK, so I got my target IP. Next, I started scanning with the help of nmap and ran Nikto after that for extra information.
OK, so port 80 is running. As I had already edited my hosts file, I can reach the site by entering either the IP address or kioptrix3.com in the web browser.
After a little googling, I found out that LotusCMS is vulnerable, and I launched Metasploit.

msf>set RHOST 10.0.2.10
msf>set URI /
msf>run

I got my meterpreter session.

Config files are always intriguing for a pentester. I opened the gconfig.php file and BAMM, got user credentials.
Now I will use these credentials on the phpMyAdmin page (I found it by scanning with Nikto).
Here I got 2 users with their MD5-encrypted passwords. I decrypted the ciphers with the help of an online decrypter (you can also use hydra or any other tool).

dreg:Mast3r
loneferret:starwars

With the help of loneferret, I logged in via SSH.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
loneferret@Kioptrix3:~$  

OK, so this output is telling me to run “sudo ht”, but before that let me play for a while. Here loneferret can run these as root without a password, but I need more. Let’s give shell access to loneferret; the easiest way to give this privilege was by editing the /etc/sudoers file.
After running sudo ht, I opened /etc/sudoers and added /bin/sh. I saved it and exited the file. And at last, I was ROOT.
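The root cause of this last step is a sudoers rule that lets an unprivileged user run a file editor as root, so any file on the system, /etc/sudoers included, becomes writable. The following is an added example, not part of the original walkthrough: a small audit that flags such grants. The function name audit_sudoers, the RISKY list, the sample rules and the path to ht are all assumptions made for illustration.

```python
import os
import re

# Programs that can write arbitrary files or start a shell when run as root.
# "ht" is the editor from this walkthrough; the rest is an illustrative list.
RISKY = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "more",
         "sh", "bash", "dash", "tee", "cp", "find", "awk"}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z]+):\s*")          # NOPASSWD:, PASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\([^)]*\)\s*")       # (root), (ALL:ALL), ...

# Constructed sample, not copied from the VM; the path to ht is an assumption.
SAMPLE = """\
# /etc/sudoers (constructed)
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
operator ALL=(root) /sbin/reboot
"""

def audit_sudoers(text):
    """Return (line_no, who, command, nopasswd) for each risky grant.

    Limits: aliases are not expanded and a Runas list containing a comma
    is not handled.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if (not m or m["who"] == "root" or m["who"].startswith("Defaults")
                or m["who"].endswith("_Alias")):
            continue
        nopasswd = False                     # tags carry over to later commands
        for spec in m["rest"].split(","):
            spec = RUNAS.sub("", spec.strip())
            while (t := TAG.match(spec)):
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                spec = spec[t.end():]
            # "!cmd" entries only deny; they never limit what an editor can do.
            if not spec or spec.startswith("!"):
                continue
            cmd = spec.split()[0]
            if cmd == "ALL" or os.path.basename(cmd) in RISKY:
                findings.append((lineno, m["who"], cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

On a real host, feed it the contents of /etc/sudoers and every file under /etc/sudoers.d, and treat any hit with nopasswd set as equivalent to a passwordless root grant.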
Happy Hacking:)
