CTF: Kioptrix 3

This is another OSCP-like VulnHub box that was very fun to do. I didn’t have any issues rooting this one and was able to do it rather quickly.

You will get practice with:

  • nmap
  • metasploit
  • mysql client
  • file privilege escalation

Enumeration

I start off with an arp-scan to find the local machine… and it turns out that the box is 192.168.0.46. Let’s get this party started!

(arp-scan)

nmap

A basic nmap scan returns a website and an SSH port. After the initial nmap scan I kick off a more thorough scan. It doesn’t tell me anything I didn’t already learn from the initial scan.

Website

The website looks like a simple CMS. On the login page, I can see that this is LotusCMS. I immediately search online and see there is a Metasploit module for a LotusCMS vulnerability.

(website hosted on port 80)
(LotusCMS)

Exploit with Metasploit

I start up Metasploit and use the search functionality to find a module.

(exploit/multi/http/lcms_php_exec)
(exploit)
(and we have access)

Pseudo Terminal

I personally prefer a shell over Meterpreter. It’s just more natural. I also like having the ability to clear the screen, so I always set the terminal variable.

(setting terminal variable)

I immediately check the home directory to see who’s there. Then I check /etc/passwd and take notes.

(checking home directory)

ALRIGHT! There’s a pretty big clue. “.sudo_as_admin_successful” means that loneferret can run something as root. That looks like the way up!

Internal Enumeration

I looked around and didn’t see much of anything that I could exploit. I didn’t see any misconfigured file permissions that I had access to… but I did see that MySQL was running and was bound locally.

I ran checksec.sh just to see what it did.

(checksec.sh)

MySQL is Running

I found MySQL running locally and the MySQL client was able to connect to it. Looks like I need to find some credentials to access the database.

I tried logging in as root to see if a password had not been set… but I wasn’t that lucky.

Exploring the LotusCMS Website

It’s fair to assume that if there is a Content Management System (CMS) running, then there should be credentials to access some sort of database. MySQL is the most common database used with PHP applications. After digging around I found a gallery folder that contained a file, “gconfig.php”. This file was referenced in the index.php file and looked like a global configuration file.

(gconfig.php)

OK! I now have root credentials for the MySQL server.

Time to move through the database and see what I can find.

(credentials found in the database)

Cracking Passwords

I took those two MD5 hashes and dropped them in CrackStation to get the passwords.

Turns out their passwords are:

  • dreg – Mas3r
  • loneferret – starwars

Privilege Escalation

It’s very common for people to re-use the same passwords for logins elsewhere. While these appear to be passwords for the gallery page, one could also be a Linux user’s password. Turns out, loneferret’s password works for shell access.

I’m now in as the user loneferret, and I know this user has sudo access to an application.

(Checking sudo access)

So, I can run “ht”, which is a terminal-based editor, as root.

After messing around I was able to get a screen I could work on, and I decided to use the same trick I used on HA: Albania and inject a user into the /etc/passwd file.
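From the defender’s side, a user injected into /etc/passwd this way leaves an obvious trace: a second UID 0 account, usually carrying its own password hash inline instead of the `x` that points to /etc/shadow. The following audit script is an added example, not part of the original write-up, and runs over a constructed sample passwd file in which the last line is a hypothetical injected entry with a placeholder hash.

```python
# Audit an /etc/passwd file for the kind of entry an attacker adds after
# gaining write access through a sudo-able editor.  Added example; the
# sample content below is constructed, not taken from the box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/rbash
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
backdoor:$1$saltsalt$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (line_no, username, reason) findings for a passwd file."""
    findings = []
    seen_names = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if name in seen_names:
            findings.append((n, name, "duplicate username"))
        seen_names.add(name)
        if not uid.isdigit():
            findings.append((n, name, "non-numeric UID"))
            continue
        # Any UID 0 account that is not literally "root" is a second superuser.
        if int(uid) == 0 and name != "root":
            findings.append((n, name, "UID 0 account other than root"))
        # "x" means the hash lives in /etc/shadow; "*" or "!" mean locked.
        if pw == "":
            findings.append((n, name, "empty password field (no password required)"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((n, name, "password hash stored in /etc/passwd, not /etc/shadow"))
    return findings


if __name__ == "__main__":
    for line_no, who, why in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {who}: {why}")
```

On a live host, feed it `open("/etc/passwd").read()` instead of the sample; a clean system should return an empty list.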

Root

Well, this just got easy… I really enjoyed this one.

Thanks, Steven!