Name: Kioptrix: Level 1.2
Date released: 18 April 2011
Author: Kioptrix
Download

Enumeration

Attacker: 10.11.1.7

Target: 10.11.1.10

Initial scan results below

Well there aren’t a lot of options so I decided to start with http.

I quickly found the login page for phpMyadmin and was able to login with admin as the user and no password.

Once I was in, I discovered the admin account didn’t have privileges to create a new database.

If you know of a way to go from phpMyAdmin to shell without creating a new db, please post below.

Found some useful information in phpMyAdmin.

After checking out phpMyAdmin, I found an instance of LotusCMS and shortly thereafter discovered an exploit for it.

Exploitation

I upgraded to a pty shell with python -c ‘import pty;pty.spawn(“/bin/bash”)’

After a little poking around I found the gallery config file with a username and password in it which allowed me to login to mysql.

I was able to locate a couple dev_accounts named dreg and loneferret with their hashed (md5) passwords.

From there I ran John against the hashes and came out with the passwords.

I decided to start with loneferret.

loneferret has some interesting sudo permissions.

After learning what HT Editor is, I was able to open the sudoers file with HT and add /bin/bash.

Game over!

To fix these vulnerabilities, LotusCMS should be upgraded to the newest version and sudo permissions should be removed from loneferret.

I would also recommend locking down the permissions on the gallery config file and/or encrypting the password if possible.

Another good vulnerable machine from Kioptrix! This one was rather easy. I hope the next one is a little harder. On to the next…