Yes, yes, I know. This is probably the 9543245945361st version of the Kioptrix #3 walkthrough, but I’ll post it anyway since it’s the first VulnHub CTF I did that required a bit more effort. So, here we go.
After launching the VM (in VMware Fusion), we first have to discover the IP address of the system. I chose netdiscover for that.
netdiscover -r 172.16.198.0/24
We quickly identify the VM (172.16.198.142) from the list of returned ARP packets.
Next, the obvious nmap scan. The result: only ports 80 (web server) and 22 (SSH) are open.
So let’s take a look at the webserver content. Apparently, there’s a site running a CMS called “LotusCMS”.
One of the links points to a login page but unfortunately this page doesn’t seem to be vulnerable to SQLi attacks.
Moving on, we find a link to a gallery. Make sure to add the “kioptrix3.com” entry to your hosts file in order to see its full glory! 🙂
One of the sub pages is a PHP script that takes an explicit id parameter. Passing a single quote (') as the id produces an SQL error, which strongly suggests that this parameter can be used for an SQL injection (SQLi) attack.
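The error described above is the signature of a query built by string concatenation. The following Python/sqlite3 snippet is an added example (not LotusCMS or gallery.php code, and the table schema is constructed) that puts the concatenating lookup next to a validated, parameterised one so the difference in behaviour on the page's single-quote probe can be seen directly:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a gallery table (not the CTF VM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?, ?)",
                     [(1, "ferrets"), (2, "sunsets")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by concatenation: the input becomes part of the SQL grammar,
    so a stray quote breaks the parse and leaks a database error to the caller."""
    sql = "SELECT title FROM gallery WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Validates the type first, then binds the value as a parameter, so the input can
    never be interpreted as SQL regardless of what characters it contains."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT title FROM gallery WHERE id = ?",
                        (int(user_id),)).fetchall()


def probe(user_id):
    """Run both variants on the same input and report ('ok', rows) or ('error', kind)."""
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            results[name] = ("ok", fn(conn, user_id))
        except (sqlite3.Error, ValueError) as exc:
            results[name] = ("error", type(exc).__name__)
    return results


if __name__ == "__main__":
    for value in ("1", "'"):
        print(repr(value), probe(value))
```

With a well-formed id both lookups return the same row; with the single-quote probe the concatenating version surfaces a database parser error (what the walkthrough observed), while the hardened version rejects the input with a plain validation error before any SQL is built. Returning a generic error to the client, rather than the database's message, is the other half of the fix.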
Let’s fire up sqlmap and do some analysis. By using this command
sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 --dbs
… we’re able to retrieve a list of the available MySQL databases.
Digging deeper, we dump the complete ‘gallery’ database to our hard disk (uhm, or SSD).
sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 --dump gallery
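From the defender's side, both the manual quote probe and the sqlmap run above leave characteristic traces in the web server's access log. The following Python script is an added example (not part of the original post) that parses constructed Apache combined-format lines and flags quote characters inside query parameters and requests whose User-Agent identifies sqlmap; the log lines, IP addresses and the sqlmap version string are all constructed for illustration:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic in Apache combined log format (not real VM traffic).
SAMPLE_LOG = """\
172.16.198.1 - - [01/Jan/2024:10:00:01 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
172.16.198.1 - - [01/Jan/2024:10:00:05 +0000] "GET /gallery/gallery.php?id=1%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
172.16.198.1 - - [01/Jan/2024:10:00:09 +0000] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"
172.16.198.50 - - [01/Jan/2024:10:01:00 +0000] "GET /gallery/gallery.php?id=2 HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields; the query string is URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl decodes percent-encoding, so id=1%27 yields the value "1'"
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def findings_for(entry):
    """Return a list of indicator labels for a single parsed request."""
    findings = []
    if "sqlmap" in entry["ua"].lower():
        findings.append("scanner-ua")
    for key, value in entry["params"]:
        if "'" in value or '"' in value:
            findings.append(f"quote-in-param:{key}")
    return findings


def scan(log_text):
    """Scan a whole log and return (ip, path, findings) for each suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        found = findings_for(entry)
        if found:
            alerts.append((entry["ip"], entry["path"], found))
    return alerts


if __name__ == "__main__":
    for ip, path, found in scan(SAMPLE_LOG):
        print(f"{ip} {path} {', '.join(found)}")
```

Two of the four constructed lines are flagged: the percent-encoded quote in the id parameter and the scanner User-Agent. A quote in a numeric parameter is a high-signal indicator on its own; the User-Agent check is cheap but trivially evaded, so it should be treated as a bonus rather than the primary rule.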
In one of the tables (dev_accounts) we find usernames and password hashes. Wouldn’t it be great if these could be used to SSH into the machine?
Let’s give it a try. First we crack the hashes with hacker’s best friend: hashcat.
Wow, that was easy. So we now have two valid logins:
Since I like ferrets, let’s use that one first and see if it gets us a shell.
Bingo! We’re in. Let’s dig around a bit. A README file gives us a pointer towards possible sudo privileges.
And yes, sudo -l indeed reveals some.
That “ht” looks interesting. HT is an editor. After fixing my invalid TERM variable (hint: try setting it to xterm-xfree86 if you run into problems inside the editor), I was able to modify the /etc/sudoers file to allow us sudo access to /bin/su.
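The root cause here is a sudoers rule that grants an editor, which is equivalent to granting write access to every file on the system, sudoers included. The following Python script is an added example (not part of the original post) that parses a constructed sudoers fragment and reports rules granting unrestricted commands or editors and shells to non-root users; the usernames, paths and the list of risky binaries are assumptions for illustration, not the VM's real configuration:

```python
import os
import re

# Constructed sudoers fragment; usernames and paths are illustrative only.
SAMPLE_SUDOERS = """\
Defaults env_reset
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# constructed: an editor granted as root, the class of rule abused in the walkthrough
webdev  ALL=(root) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(root) /usr/bin/rsync --archive /var/www /backup
"""

# Binaries that let the caller edit arbitrary files or spawn a shell (assumed list).
RISKY_BINARIES = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "su"}

RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')
TAG_RE = re.compile(r'^(?:[A-Z]+:\s*)+')   # strips NOPASSWD:, SETENV:, ...


def split_commands(cmds):
    """Turn 'NOPASSWD: !/usr/bin/su, /usr/local/bin/ht' into (negated, cmd, basename)."""
    out = []
    for part in cmds.split(","):
        part = TAG_RE.sub("", part.strip())
        negated = part.startswith("!")
        part = part.lstrip("!").strip()
        binary = part.split()[0] if part else ""
        out.append((negated, part, os.path.basename(binary)))
    return out


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({"user": m["user"], "host": m["host"], "runas": m["runas"],
                      "commands": split_commands(m["cmds"])})
    return rules


def audit(text):
    """Return (user, command, reason) for every grant a least-privilege review should question."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue
        for negated, cmd, base in rule["commands"]:
            if negated:
                continue            # '!' entries deny rather than grant
            if base == "ALL":
                findings.append((rule["user"], cmd, "unrestricted"))
            elif base in RISKY_BINARIES:
                findings.append((rule["user"], cmd, "editor-or-shell"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user:10} {reason:16} {cmd}")
```

The negated !/usr/bin/su entry is correctly not reported, but it also buys nothing: the editor granted on the same line can rewrite the rule that contains it, which is exactly what the walkthrough did. Denying specific binaries in sudoers is not a substitute for granting only the narrow command actually needed.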
Getting root is now easy.
Finally, we capture the “flag” located in the /root directory.
That’s it! That was a quick one 😉