Vulnhub KIOPTRIX-VM3 Walkthrough

Scan the host with nmap: nmap -T4 -A -p- 192.168.1.10 -vv

Let's use dirb and nikto to gather more information:

Dirb and nikto came back with some directory listings. Two of them were interesting: both provide a login with username and password:

It's running the LotusCMS service; searching for the service using searchsploit came back with a result:

Next we start Metasploit and search for LotusCMS

We got a session. Run shell and then python -c 'import pty; pty.spawn("/bin/bash")'

Navigating through the folders, we can see a gallery folder containing a file called gconfig.php. Open the file and there is some information we can use: username: root and password: fuckyou ... lol

As I said before, there were two login pages. The other one is using phpMyAdmin, and we are going to use these credentials to log in

The gallery page has a PHP exploit, so I ran it through sqlmap: sqlmap -u http://192.168.1.10/gallery.php?id=1 --dbs --dump

We got two usernames and their hashes. They are MD5 hashes and easy to decode online

loneferret : starwars

drge : Mast3r
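Why the MD5 hashes above fall to an online lookup, and what a hardened store looks like: this is an added example, not part of the original walkthrough. The function names, the sample accounts and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

BARE_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")  # shape of an unsalted MD5 hex digest
ITERATIONS = 600_000                          # assumed PBKDF2-HMAC-SHA256 work factor


def md5_hex(password):
    """Legacy scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, slow replacement stored as 'pbkdf2$<iterations>$<salt>$<key>'."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password, stored):
    """Constant-time check against either storage format."""
    if BARE_MD5.match(stored):
        return hmac.compare_digest(md5_hex(password), stored.lower())
    _, iters, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key.hex(), key_hex)


def audit(table):
    """Return the accounts whose stored hash is still a bare MD5 digest."""
    return sorted(user for user, h in table.items() if BARE_MD5.match(h))


def login_and_upgrade(table, user, password):
    """On a successful login, rewrite a legacy MD5 entry as a PBKDF2 record."""
    stored = table.get(user)
    if stored is None or not verify(password, stored):
        return False
    if BARE_MD5.match(stored):
        table[user] = pbkdf2_record(password)
    return True


# Constructed sample table: two hypothetical accounts sharing one password.
accounts = {"alice": md5_hex("starwars"), "bob": md5_hex("starwars")}
```

With unsalted MD5 both rows hold the same digest, which is what makes a precomputed lookup work; after migration each row carries its own salt and the two records differ.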

Running chechsec.sh gave an error, xterm-256color ... Googling it came up with a solution: export TERM=xterm

Head to /etc/sudoers and add

Trying sudo /bin/sh ... and we got ROOT
