CTF Solutions: Kioptrix Level 3

Hello,
I would like to introduce you to one of my favourite series - Kioptrix challenges. Non typical I begin form level 3 (Kioptrix 1.2).

Scanning phase
Nmap with options: -p- (all ports), -sV (versions of services) and -A (aggressive).

The OpenSSH 4.7p1 does not have dedicated exploit and critical vulnerabilities.
So, let's examine web application. We can see in the nmap result that web application uses vulnerable PHP version (5.2.4). Unfortunately in exploit-db exist only exploit for windows platform.

We can see that we are able to go to the login panel directly. BUt in spite of that let's run dirbuster.

OK, we can see gallery directory, for me it is interesting.

We see that CMS which hosts the web application is LotusCMS. Maybe we could find some exploit for the CMS? I found several exploits and one from Metasploit. I tested each except from Metasploit and without success. I don;t want to use Metasploit, so let's continue our pentesting.

As I said previous gallery directory looks interesting

Displaying the source code we can find that there is admin panel for gallery which is located on gadmin.

Very good! The Gallarific also has assigned several exploits. For me this most interesting was SQL injection exploit. Let's verify it.

Nice! Probably there is indeed SQLi. Let's use sqlmap

Amazing! Let's examine gallery database

Excellent! We have valid credentials to gallery (admin:n0t7t1k4).

Using the sqlmap tool I have also retrieved /etc/passwd file

I have got also credentials from mysql database (root:fuckeyou). We know that phpmyadmin is tied with our target. Maybe this would give us other way for exploitation (I have verified it and unfortunately this method doesn't work). At this moment let's back to the gallery.

I have used our credentials

Good, we have to find place to upload PHP backdoor. Hmmm I have some problem with it. Maybe we should back to the SQL injection and find something helpful.