Kioptrix level 3 Walkthrough OSCP friendly.
Let's start the VM; the welcome screen has some useful initial info.
We need to update the /etc/hosts file with the IP of the VM and kioptrix3.com.
The operating system is Ubuntu 8.04.3.
Nmap shows us multiple open ports and services.
Let's quickly check SSH and the web server for low-hanging fruit.
Upon enumeration of SSH, no exploits were found for OpenSSH 4.7p1.
Checking the web server, no exploits were found for Apache 2.2.8.
Browsing through kioptrix3.com, we found some useful information: the gallery app and a username.
Let's check both of these further.
Since we have the username now, let's run a brute-force attack on SSH in the background.
We are using Medusa for brute-forcing SSH, since it is reliable for SSH brute-forcing.
medusa -h 192.168.78.141 -u loneferret -P /usr/share/wordlists/fasttrack.txt -M ssh
In the web application, the login page URL seems suspicious; it looks like it is using the page name as an argument.
Upon checking it for LFI, I managed to exploit the LFI.
The /etc/passwd file also confirmed the username loneferret.
Let's check again on our brute-force progress.
Excellent, Medusa found the password for user loneferret.
Let's log in via SSH.
I used multiple scripts to check for a priv esc hint but couldn't find anything useful. So I went to the user's home folder, and here we had 2 files, one of them the company's profile.
Upon using sudo ht, I faced an error about no xterm-256 color, or something like that. Google told me how to fix it.
export TERM=xterm
And now we can run sudo ht.
Essentially, ht is an application run as root, so whatever you do in the ht app is done as root.
Let's give ourselves permission to log in as root, obviously 😊
But there is a !/usr/bin/su entry already added. Let's check sudo su.
So we had to add /bin/su to the sudoers file in order to use it. Do that and BINGO!!!
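As an added example (not part of the original walkthrough), here is a small Python auditor for the sudoers misconfiguration that made this privilege escalation possible: a rule that lets a user run a file-writing editor such as ht as root, combined with a '!' exclusion that sudoers(5) itself documents as easy to circumvent. The sudoers content and the list of risky commands below are constructed for the demonstration.

```python
import re

# Constructed sample sudoers content, modelled on the pattern in this walkthrough:
# a user allowed to run a hex editor via sudo, plus a '!' exclusion for su.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
www-data   ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Commands that, once run as root, can write arbitrary files (or spawn a shell).
# Root-level write access includes /etc/sudoers itself, which is the flaw here.
FILE_WRITING_COMMANDS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}

# user  host=(runas) [TAG:] cmd[, cmd...]   (aliases and Defaults are skipped)
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return (line_no, user, command, reason) tuples for risky sudo rules."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m or m.group("who") == "root":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            path = cmd.lstrip("!").split()[0] if cmd.lstrip("!") else ""
            name = path.rsplit("/", 1)[-1]
            if cmd.startswith("!"):
                findings.append((line_no, m.group("who"), path,
                                 "'!' exclusion is not a real restriction: sudoers(5) warns "
                                 "the binary can simply be copied to another name or path"))
            elif path == "ALL" or name in FILE_WRITING_COMMANDS:
                findings.append((line_no, m.group("who"), path,
                                 "runs as root and can write arbitrary files, "
                                 "including /etc/sudoers"))
    return findings


if __name__ == "__main__":
    for line_no, user, path, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {user} -> {path}: {reason}")
```

Run it against a real /etc/sudoers (or the files under /etc/sudoers.d) to spot rules of the kind exploited here; the fix is to replace editor rules with a narrowly scoped command and to drop '!' exclusions in favour of an explicit allow-list.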
ROOT DANCE!!
574r570rm