Kioptrix 1.2 (Level 3) Walkthrough

Introduction

Today we're doing another pentest walkthrough in the Kioptrix series.  Kioptrix 1.2 (Level 3) was created by the Kioptrix team, and is hosted at https://www.vulnhub.com/entry/kioptrix-level-12-3,24/ .

For this pentest walkthrough we will be using two virtual machines, a Kali Linux machine as the attacking system, and the Kioptrix 1.2 machine as the target machine.

Locating the Target

After booting up both virtual machines, we run netdiscover from our attacking system to find out where the target system is on the network.

It looks like our target is at 10.0.2.16.

Additional Configuration

The documentation for Kioptrix 1.2 instructs us to edit our attacking system's hosts file after we identify the address of the target system.

On Linux, we'll use gedit to edit the file, which is located at /etc/hosts/ on our Kali machine.

We simply insert the IP address and kioptrix3.com.  Now where we browse "kioptrix3.com" in our web browser, we'll go directly to the page served by the Kioptrix machine.

Scanning and Enumeration

We'll start our scans with a quick nmap scan of both TCP and UDP ports to see what ports are open.

Looks like just a couple of open ports on this target.  Let's plug these two ports into nmap again for a more in-depth scan.

Not getting a lot from the scans so far.  We also run a Nikto scan, but it doesn't give us usable info.  Finally, we take a look at the Kioptrix webpage in our browser.  Specifically, it's hosting a blog which points to a potential user on the system.

We know that SSH is available on the system, and we have a username, so we can brute-force loneferret's SSH login with Hydra like so:

Armed with these credentials, we can log into the system using SSH.

Privilege Escalation

After a bit of investigation, we find that we are not able to download, create, or modify any files on the system, because Kioptrix is a read-only system.  However, looking through loneferret's home directory, we see two files, including CompanyPolicy.README, which reads:

HT (among other things) can be used as a text editor, and loneferret can run HT with sudo access, meaning that we can potentially use sudo ht to open any file on the system.  For instance, we could edit the etc/sudoers file to give our user loneferret root access on the system.

However, we encounter a problem.  Even though loneferret is supposed to have sudo access when using the HT command, we encountered a Segmentation Fault when we tried to save anything in the program, so we had to get creative to gain access to the flag on the system.

Specifically, we browsed the filesystem while in the Open File dialogue inside HT, so we were able to navigate to the /root/ directory and see the flag there, which we opened to get the "win".

This was a bit of a cheeky win, but alternatively, we could have used HT to open the /etc/shadow file, extracted the hash, cracked it offline, and logged in as root, but that would have taken a lot more time.

Finish



























Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more