Hello Everyone, this walkthrough covers the 3rd VM in the Kioptrix series. You can download it from here. After installing it, you need to edit your hosts file and point the VM's IP to kioptrix3.com. In Linux the file is /etc/hosts (you can view it with cat /etc/hosts and edit it as root with any text editor).
As usual, I started with:
#netdiscover -r 10.0.2.0/24
Ok, so I got my target IP; next I started scanning with nmap and ran Nikto afterwards for extra information.
Ok, so port 80 is open. Since I had already edited my hosts file, I could reach the site by typing either the IP address or kioptrix3.com in the web browser.
After a little googling, I found out that LotusCMS is vulnerable, and I launched Metasploit.
msf > set RHOST 10.0.2.10
msf > set URI /
I got my meterpreter session.
Config files are always intriguing for a pentester. I opened the gconfig.php file and BAMM, got user credentials.
Now I will use these credentials on the phpMyAdmin page (I found it by scanning with Nikto).
Here I got 2 users with their MD5-hashed passwords. I recovered the plaintexts with the help of an online lookup service (you can also use hydra or any other tool).
With the help of loneferret, I logged in via SSH.
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
Ok, so this output is telling me to run “sudo ht”, but before that let me play for a while. Here loneferret can run these as root without a password, but I need more. Let’s give loneferret shell access; the easiest way to grant this privilege was by editing the /etc/sudoers file.
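The privilege escalation above works because a NOPASSWD sudo rule hands an interactive editor to a low-privileged user, and an editor running as root can rewrite /etc/sudoers itself. As an added example (not code from the walkthrough), here is a small sudoers auditor that parses the file format, tracks tags the way sudoers does (a NOPASSWD: tag sticks to every command that follows it in the rule), and rates grants of editors or shells as high risk. The sudoers excerpt is constructed to mirror the situation on the box; the path /usr/local/bin/ht is an assumption, not taken from the page.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed /etc/sudoers excerpt modelled on the walkthrough: an ordinary
# user may run an editor as root without a password. Paths are assumed.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
%admin ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
"""

# Programs that read and write arbitrary files or spawn a shell; granted as
# root without a password they are equivalent to an unrestricted root shell.
EDITOR_LIKE = {"ht", "vi", "vim", "nano", "emacs", "sh", "bash"}

# user  host=(runas) [TAG:] command, [TAG:] command ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


@dataclass
class CommandSpec:
    who: str
    runas: str
    command: str
    negated: bool
    tags: set = field(default_factory=set)


def parse_sudoers(text):
    """Return one CommandSpec per command in every user rule, skipping
    comments and Defaults lines. Tags persist across the commas of a rule."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        tags = set()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):
                tags.add(t.group(1))
                cmd = cmd[t.end():]
            negated = cmd.startswith("!")
            specs.append(CommandSpec(m.group("who"), runas, cmd.lstrip("!"), negated, set(tags)))
    return specs


def audit(text):
    """Return (severity, user, command) for every NOPASSWD grant: high when
    the command is ALL or an editor/shell, medium otherwise."""
    findings = []
    for spec in parse_sudoers(text):
        if spec.negated or "NOPASSWD" not in spec.tags:
            continue
        base = os.path.basename(spec.command.split()[0])
        severity = "high" if spec.command == "ALL" or base in EDITOR_LIKE else "medium"
        findings.append((severity, spec.who, spec.command))
    return findings


if __name__ == "__main__":
    for severity, who, command in audit(SAMPLE_SUDOERS):
        print(f"{severity:6} {who:12} {command}")
```

Note that `visudo -c` only checks the file's syntax; it has no opinion on whether a rule is dangerous, which is the gap this check fills. A "Please use sudo ht" policy like the one in CompanyPolicy.README would surface here as a high finding for every user it applies to.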
I was using VirtualBox and faced some problems while installing Kioptrix on it. I followed these steps to get it running.
1. Create the new virtual machine without choosing any disk.
2. Under the Settings tab, select Storage; under the IDE controller, add an existing disk (select your Kioptrix VMDK file).
3. Settings > Ports > USB > untick “Enable USB Controller”
Settings > Network > Advanced > from the drop-down, select adapter type “PCnet-PCI II (Am79c970A)”
Settings > Audio > untick “Enable Audio”
Let’s Start the Dirty game.
After successfully installing Kioptrix, I was greeted by this page. So first I had to find the IP address of this machine.
After running “netdiscover” I got the IP of Kioptrix, which was 10.0.2.21. The next step was scanning my target.
I used “nmap -sV 10.0.2.21” to scan.
After scanning I found port 80 open; browsing to that server I found nothing except this test page.
After this, I tried Samba, as SMB always intrigues me.
I tried “enum4linux 10.0.2.21” but I didn’t get any version details. (awkward)
This time I tried Metasploit and got the SMB version: 2.2.1a.
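The scanning steps above boil down to one defender-side question: which exposed services are running versions far past their support life? As an added example (not code from the walkthrough), here is a parser for nmap -sV service lines that compares detected versions against a minimum-version policy and also flags open ports where no version banner was captured. The nmap output is constructed for the example; the Samba 2.2.1a line reflects the version found on the box, while the 4.18.2 line and the 4.17 policy threshold are placeholders chosen for illustration, not a vendor advisory.

```python
import re

# Constructed nmap -sV style output. Only the Samba 2.2.1a version comes from
# the walkthrough; the other lines are made up to exercise the parser.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
80/tcp  open  http
139/tcp open  netbios-ssn Samba smbd 2.2.1a (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.18.2
"""

LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Placeholder policy: anything below the listed release is flagged for review.
MIN_VERSIONS = {"Samba smbd": (4, 17)}


def version_tuple(s):
    """'2.2.1a' -> (2, 2, 1); trailing letters are ignored for comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def parse_nmap(text):
    """Return (port, service, version) for every open port in the output."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "open":
            services.append(
                (int(m.group("port")), m.group("service"), (m.group("version") or "").strip())
            )
    return services


def flag_outdated(text):
    """Return (port, service, version, reason) for services below policy or
    lacking a version banner (those need a manual fingerprint)."""
    findings = []
    for port, service, version in parse_nmap(text):
        if not version:
            findings.append((port, service, "unknown", "no version banner; fingerprint manually"))
            continue
        for product, minimum in MIN_VERSIONS.items():
            if version.startswith(product):
                # Drop the parenthesised extras (workgroup etc.) before parsing.
                bare = version.split("(")[0].strip()
                if version_tuple(bare[len(product):]) < minimum:
                    wanted = ".".join(map(str, minimum))
                    findings.append((port, service, bare, f"below {wanted}"))
    return findings


if __name__ == "__main__":
    for finding in flag_outdated(SAMPLE_NMAP):
        print(finding)
```

The same routine works on saved scans of your own hosts (nmap -sV -oN scan.txt), and extending MIN_VERSIONS is how you would encode the patch baseline your environment actually commits to.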