Kioptrix VM3

Started the host with a netdiscover scan

Found some open ports

SSH

HTTP

Found some login pages

I browsed to the web port to find a web app:

I clicked through the pages, then got to the login page

Let’s take a step back and see if there are any associated vulnerabilities with the LotusCMS application
I found some associated exploits; there’s even a Metasploit module. I’m going to stay away from that (practice for OSCP) and try the first GitHub submission

I downloaded the file, chmod +x, then ran it with the arguments it asked for:

So far so good… let’s give it my IP to connect back to

I opened a netcat listener, then input the rest of the data

And we received a shell!

Now that we have a limited shell, let’s look around the file system for any other info we can use.
I looked under some of the other users’ home directories, and found an interesting file under the loneferret user, CompanyPolicy.README

Apparently our users have sudo capabilities with the ht text editor. I couldn’t issue “sudo ht” because I didn’t have a password for the www-data user… Maybe we can find another user to leverage this with…
I continued browsing through a number of files, but back in the default webserver dir, I noticed a mysql.db file in the gallery folder

I went through catting these files hoping to find additional mysql info… It took me a little while, but I stumbled upon the gconfig.php file to reveal some mysql credz

I then logged into the DB and did some enumeration

I went to the gallery db and found some username/password hashes

I cracked these passwords using crackstation

Let’s see if we can log in with these users, and leverage the sudo ht command (via ssh)
Wasn’t successful with the dreg user

With the loneferret user, I entered the commands again, but was prompted with an error

I found a user with a similar issue at: https://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color
His recommendation was to issue the export TERM=xterm, so I did, and was able to open the ht text editor

I then thought… what file could I edit to give my user root privs? /etc/sudoers. So I issued “sudo ht /etc/sudoers” and was prompted with the sudoers file.
I had to change my view from hex to text (F6), and reopen the file (F3), but was presented with:

I then edited the file to say:

I pressed the “ESC + F” keys to open the File menu, then scrolled down and hit enter under “Save.” You can also select “quit” as it will prompt you to save
I then issued sudo su with loneferret’s password and got root! I then cat’d the Congrats.txt file in /root
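
A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it scans sudoers text for rules that let a user run an editor or pager as root, since such a program can rewrite /etc/sudoers itself. The sample rules, the webadmin and backup users, the binary paths and the RISKY list are constructed assumptions, not taken from the VM.

```python
import os
import re

# Programs that can write arbitrary files or spawn a shell when run as root.
# Illustrative list (an assumption of this example), not exhaustive.
RISKY = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more", "man"}

# Constructed sample rules; not the sudoers file from the VM.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
webadmin    ALL=(root) /usr/bin/vim /etc/motd
backup      ALL=(root) /usr/bin/rsync
%admin      ALL=(ALL) ALL
"""

# user-or-group, host list, '=', then the command spec
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")


def audit_sudoers(text):
    """Return (who, program, nopasswd) for every rule granting a risky program."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        # Skip blanks, comments, Defaults and *_Alias definitions.
        if (not line or line.startswith(("#", "Defaults"))
                or "_Alias" in line.split()[0]):
            continue
        match = RULE.match(line)
        if not match:
            continue
        who, spec = match.groups()
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"\([^)]*\)", "", spec)   # drop Runas lists like (root)
        spec = re.sub(r"\b[A-Z_]+:", "", spec)  # drop tags like NOPASSWD:
        for cmd in (c.strip() for c in spec.split(",")):
            if not cmd or cmd.startswith("!"):  # negated entries grant nothing
                continue
            program = cmd.split()[0]
            if os.path.basename(program) in RISKY:
                findings.append((who, program, nopasswd))
    return findings


if __name__ == "__main__":
    for who, program, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        note = "no password required" if nopasswd else "password required"
        print(f"{who}: may run {program} as root ({note})")
```

Where a user genuinely needs to edit one root-owned file, sudoedit (sudo -e) lets them do so without the editor process itself running as root.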