Tuesday, May 27, 2014

[WALKTHROUGH] KIOPTRIX Level 3

Sups h4x0rsss.... :)

Sorry that I intentionally skipped posting my walkthrough of Kioptrix Level 2. In fact, I have already pwned the box, but the snapshots taken during the process are stored on another machine... :((

Things have been complicated lately, as I lost my precious internet connection for several days, which gave me a bad time updating my blog. However, worry not, the internet is coming back soon enough... :))

And I will be sure to post my Kioptrix Level 2 walkthrough as soon as possible...


Without further delay, here is Level 3 of the Kioptrix series, which I think is a pretty easy challenge to complete. I am sure there are other ways to penetrate the box; I just happened to go through the easy one...


OK! Let's start by finding the IP address of the target box, since it gets its address via DHCP...

Here it is: the IP address of our target box is 192.168.17.142. (It is easy to pick out the target IP, since it is the only unfamiliar host wandering around the lab subnet... :p)

The next step is reconnaissance... and, as usual, Nmap does the heavy lifting...

The results tell us that only 2 services are exposed on the box: SSH and HTTP... Keep in mind that a default Nmap scan only covers the 1000 most common TCP ports, so it is worth confirming with a full-range scan (-p-) before concluding that nothing else is listening.

Let's push it to a more aggressive scan (version detection, OS fingerprinting and the default scripts) and see if we can harvest some more information about the target box...

Not much more surfaced...

No reason to be disappointed; reconnaissance is not over yet... :p

Let's take a look at their website...


Aha... we found a login page on the website... tried some easy combinations: "admin:admin", "admin:password", "admin:letmein"...

Of course, they would not leave such careless mistakes lying around... Next, tried SQL injection on the login form, assuming the input is not sanitized and the backend is MySQL...

Again rejected by the box... :(

Looking carefully, we notice the footer says "Proudly powered by LotusCMS"! Some Google-fu tells me that LotusCMS version 3.0 has a publicly known vulnerability with a ready-made exploit...

So we bring up msfconsole and search for a lotuscms module... :))

Simple and straightforward: there is only one matching module, so that is our attack against the target box...

Set the options the module requires (the target host and our own listener address for the payload)... and we're ready to GO!

After some MAGIK by Metasploit, we have a shell on the target box... :))

Tried some local privilege escalation exploits, but none of them worked... :(

After banging our heads against the wall, we are still stuck as "www-data", which is not our ultimate goal... :(

So, after poking around the files on the box, we collected some usernames from /etc/passwd for password guessing... (You leave me no choice!) Only accounts with a real login shell are worth the effort; anything set to nologin or false cannot log in over SSH no matter what password we guess.


Launching Hydra against the SSH service on the target box... (keep the thread count low, around -t 4; sshd drops connections beyond its MaxStartups limit, and a dropped attempt looks like a wrong password)

After some time, a password surfaces for the username "loneferret"...
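The user collection step above, as an added example that is not part of the original walkthrough: a small script that picks the SSH-spray candidates out of /etc/passwd text. The /etc/passwd excerpt is constructed for the example (only "loneferret" comes from the post; the other names and UIDs are made up), and the Hydra invocation is left as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the walkthrough): pick SSH-spray candidates out of
# /etc/passwd. Accounts with a nologin/false shell or a system UID cannot log
# in interactively, so guessing their passwords over SSH only wastes attempts.

# Constructed /etc/passwd excerpt; only "loneferret" is from the post,
# every other entry is made up for the example.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
backup:x:1002:1002:backup svc:/var/backups:/bin/false'

# ssh_candidates PASSWD_TEXT
# Prints one username per line: root, or a regular user (UID >= 1000),
# skipping the "nobody" UID (65534) and any account whose shell ends in
# nologin or false.
ssh_candidates() {
    printf '%s\n' "$1" | awk -F: '
        ($3 == 0 || ($3 >= 1000 && $3 != 65534)) && $7 !~ /(nologin|false)$/ {
            print $1
        }'
}

# On the target this would be:  ssh_candidates "$(cat /etc/passwd)" > users.txt
# and then, from the attacking box (network command kept as a comment so the
# example runs offline):
#   hydra -L users.txt -P wordlist.txt -t 4 ssh://192.168.17.142
ssh_candidates "$PASSWD_SAMPLE"
```

The UID filter matters as much as the shell filter: "nobody" has a real shell in the sample but is never a login account, and service users such as www-data usually have /bin/sh for cron jobs, not for SSH.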


Next, SSH into the target box using the credentials found earlier...

However, the user "loneferret" does not have sudo rights to run a shell... :(


However, checking with sudo -l, we notice that "loneferret" is allowed to run the ht editor as root...

After launching the ht editor with sudo (if ht refuses to start with a terminal error, export TERM=xterm first)...


Since ht is now running as root, it can open and write /etc/sudoers, so we use it to edit the sudoers list...

Pressing "F3" brings up the "Open" dialog... navigate to /etc/sudoers directly by typing the path in the filename field at the top...

Then add /bin/bash to the commands that "loneferret" may run with sudo... and press "F2" to save... Unlike visudo, ht does not syntax-check the file, so keep the edit minimal: a broken sudoers means no sudo at all, including the ht rule we just relied on.


Quit the ht editor and check the available sudo commands for user "loneferret" again...


And shoot in the MAGIK words "sudo /bin/bash", and we are given a root shell on the target box... :))
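The sudo checks in the privilege escalation above (the sudo -l before the edit and again after it), as an added example that is not part of the original walkthrough: a script that parses a user's allowed commands out of sudoers text and flags the ones that give root file writes or a shell. The sudoers excerpts are constructed; the post only shows that loneferret may run ht through sudo, so the exact rule on the box, and the edited line with /bin/bash appended, are assumptions. On the box itself, sudo -l remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the walkthrough): parse the commands a user may run
# through sudo out of sudoers text, and flag the ones usable to write files
# or spawn a shell as root. Offline stand-in for "sudo -l".

# Constructed sudoers excerpt (assumed rule; the post only shows ht is allowed).
SUDOERS_BEFORE='Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht'

# The same file after the edit made in ht: /bin/bash appended to the list.
SUDOERS_AFTER='Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash'

# sudo_commands USER SUDOERS_TEXT
# Prints each command USER is allowed to run, one per line. Runas specs such
# as (ALL) and tags such as NOPASSWD: are stripped; negated entries (!cmd)
# are dropped. Group (%group) and alias rules are not expanded.
sudo_commands() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == u {
            spec = $0
            sub(/^[^=]*=/, "", spec)        # drop "user host="
            gsub(/\([^)]*\)/, "", spec)     # drop "(ALL)" / "(ALL:ALL)"
            gsub(/[A-Z]+:/, "", spec)       # drop NOPASSWD: / SETENV: tags
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c != "" && substr(c, 1, 1) != "!") print c
            }
        }'
}

# risky_sudo_commands USER SUDOERS_TEXT
# Keeps only binaries whose basename is an editor, pager or shell: each of
# these can rewrite /etc/sudoers or drop straight to a root shell.
risky_sudo_commands() {
    sudo_commands "$1" "$2" | awk '
        { n = split($0, p, "/"); base = p[n] }
        base ~ /^(ht|vi|vim|nano|less|more|sh|bash|dash)$/ { print }'
}

echo "before the edit:"; risky_sudo_commands loneferret "$SUDOERS_BEFORE"
echo "after the edit:";  risky_sudo_commands loneferret "$SUDOERS_AFTER"
```

The "!/usr/bin/su" entry in the sample shows why a deny rule does not help here: su is blocked, but an editor running as root rewrites the very file that holds the rule. For a defender the fix is the other way round, an allow list with no editors, pagers or shells on it.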

