Kioptrix 3 – 3 Ways to Win

This one is great. More web stuff. More of me failing at SQL injection. It’s worth failing to learn, though. I keep making progress via exploits and tools, but I need to get stronger on these more basic concepts.

The entire challenge hinges on getting one of two user account passwords. Looking at the webpages and seeing the LotusCMS software, my first instinct was to look for a vulnerability for that. And I found a couple, but this one worked: https://github.com/Hood3dRob1n/LotusCMS-Exploit. So that works and gets a shell with the www-data account, which isn’t much. There are a couple of exploits listed for the Linux kernel that should have escalated privs, but they didn’t work. So I tried doing grep -rn "password", which worked on one of the SANS Holiday Hack challenges. Sure enough, hard-coded MySQL password.

There are three ways, that I know of, to get the user creds. First is the method I used, which is to use the LotusCMS exploit, find the hardcoded MySQL password, and then go to kioptrix3.com/phpmyadmin/index.php and log in there. From there, you can get the user credentials for loneferret and dreg. You can also use SQL injection on the parameters from the gallery on the main site and get the creds that way, or use sqlmap to get the creds.

Once in, you can sudo to use the ht text editor as root, which allows you to edit the sudoers file. Clever. I liked seeing multiple paths to victory here, even if I only saw them all after the fact. Now on to Kioptrix 4, which is quite a bit harder for me.
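
The sudo grant described above is the kind of rule a defender can catch with a quick audit. The following Python sketch is an added example, not part of the original write-up and not taken from the VM: it parses sudoers rules and flags any that hand a file-writing or shell-capable program (such as an editor) to a non-root user. The RISKY list and the users and paths in the sample are constructed assumptions.

```python
import re

# Programs that can write arbitrary files or spawn a shell once running as root.
# Illustrative list (an assumption of this example), not exhaustive.
RISKY = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more", "man"}

# Constructed sample; users and paths are invented, not taken from the VM.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
bob     ALL=(root) /usr/sbin/service apache2 restart
carol   ALL=(root) /usr/bin/less /var/log/syslog
%admin  ALL=(ALL) NOPASSWD: /usr/bin/vim /etc/hosts
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (user, command, nopasswd) for each rule granting a risky program."""
    findings = []
    text = text.replace("\\\n", " ")              # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # simplification: drops #include too
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m or m["who"] == "root":
            continue
        cmds = re.sub(r"^\([^)]*\)\s*", "", m["cmds"])   # drop the (runas) spec
        nopasswd = False
        for cmd in (c.strip() for c in cmds.split(",")):
            while (t := TAG.match(cmd)):          # tags persist for later commands
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):    # negated entries grant nothing
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in RISKY:
                findings.append((m["who"], cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for who, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} ({'no password' if nopasswd else 'password required'})")
```

Restricting the arguments (as in the vim and less lines) does not make such a rule safe, since the program can open or write other files once it is running as root.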