Name: Kioptrix: Level 1.2
Date released: 18 April 2011
Author: Kioptrix
Enumeration
Attacker: 10.11.1.7
Target: 10.11.1.10
Initial scan results below
Well, there aren’t a lot of options, so I decided to start with HTTP.
I quickly found the login page for phpMyAdmin and was able to log in with admin as the user and no password.
Once I was in, I discovered the admin account didn’t have privileges to create a new database.
If you know of a way to go from phpMyAdmin to shell without creating a new db, please post below.
Found some useful information in phpMyAdmin.
After checking out phpMyAdmin, I found an instance of LotusCMS and shortly thereafter discovered an exploit for it.
Exploitation
Exploit: https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh
I upgraded to a pty shell with python -c 'import pty;pty.spawn("/bin/bash")'
After a little poking around I found the gallery config file with a username and password in it, which allowed me to log in to MySQL.
I was able to locate a couple of dev_accounts named dreg and loneferret with their hashed (MD5) passwords.
From there I ran John against the hashes and came out with the passwords.
I decided to start with loneferret.
Privilege Escalation
loneferret has some interesting sudo permissions.
After learning what HT Editor is, I was able to open the sudoers file with HT and add /bin/bash.
Game over!
Remediation
To fix these vulnerabilities, LotusCMS should be upgraded to the newest version and sudo permissions should be removed from loneferret.
I would also recommend locking down the permissions on the gallery config file and/or encrypting the password if possible.
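As an added example (not part of the original write-up), here is a small audit script a defender could run to catch the two misconfigurations above before an attacker does: a sudoers rule that hands a non-root user an editor or shell (HT Editor in this case, since an editor run via sudo can rewrite /etc/sudoers), and a config file readable by group or others. The sudoers sample, the loneferret rule and the /usr/local/bin/ht path are constructed for the example.

```python
import re

# Binaries that, when runnable via sudo, let the caller write arbitrary files
# (editors/pagers) or spawn a shell. "ht" is HT Editor from the write-up; the
# others are assumed additions to make the audit broader than this one box.
RISKY_COMMANDS = {"ht", "vi", "vim", "nano", "less", "more", "bash", "sh", "ALL"}

# Matches:  user  host = (runas) [TAG:] cmd, cmd ...   (runas part optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|SETENV|NOEXEC):\s*)+")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (user, command) pairs where a non-root user gets a risky binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())        # strip NOPASSWD: etc.
            if cmd.startswith("!"):                  # negated rule, not a grant
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in RISKY_COMMANDS:
                findings.append((m.group("user"), cmd))
    return findings

def config_is_exposed(mode):
    """True if a file mode (e.g. from os.stat().st_mode) lets group or others read it."""
    return bool(mode & 0o044)

# Constructed sample sudoers, modelled on the write-up (paths are assumptions).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
dreg ALL=(ALL) /usr/bin/apt-get
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

if __name__ == "__main__":
    for user, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"risky sudo grant: {user} -> {cmd}")
```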
The End
Another good vulnerable machine from Kioptrix! This one was rather easy. I hope the next one is a little harder. On to the next…