Kioptrix 3 Walkthrough

2 minute read

There are a ton of different ways to achieve the same result on this machine which is what I liked most about this one. It wouldn’t be a bad idea to do this one just to see where you naturally feel most comfortable and maybe practice some tactics you aren’t as strong in.

Host Enumeration

I started by performing an nmap scan to see what open ports and services were present

nmap -T4 -A -v <IP>

After runing the scan, it appears that only ports 22 and 80 are open for this machine.

Service Enumeration

By running Dirb and Nikto, there are a few interesting directories like “phpmyadmin” and “gallery”. Navigating to the home page I was presented with a few options such as links to the gallery and a login page.

Home page

Side-Note: Inspecting the login section, it indicates that it’s using LotusCMS which has some remote code execution vulnerabilities (in Metasploit too!) which can be found here. If you are looking for an easy route this would be a good one to go down but I won’t be covering it here as it’s self-explanatory.

I investigated the gallery directory and found an “id” parameter and by changing id=1 to id=1’, I was presented with an error message, suggesting it could be susceptible to a SQL injection attack.

SQL Error

Breach

I enumerated the database and ultimately was able to retrieve ID’s and password hashes with ?id=-1 union select 1,2,group_concat(username,0,password),4,5,6 From dev_accounts--.

Manual SQL Attack

You can also get this by using SQLMap by using this command sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts –dump

SQLMap Attack

To crack these passwords, you can use several methods, utilizing your favorite cracker (JTR, Hashcat, etc) or you can simply crack them within SQLMap (fasttrack.txt will work), or an online cracker (crackstation, hashkiller).

Hashes Cracked

I SSH’d with “loneferret” and the password “starwars” successfully.

SSH Login

Privilege Escalation

Inspecting the home directory, there’s a “CompanyPolicy.README” which mentions software installed that is meant for editing files called “ht”.

Company Policy File

I executed sudo ht and opened the /etc/sudoers file for modification.

Opening Sudoers File

Side-Note: When attempting to run sudo ht, I was presented with an error involving “xterm-256color”. I remedied this issue by executing export TERM=xterm but there are other ways if you’re so inclined.

I added , /bin/sh to the loneferret line and saved.

Editing Sudoers File

I executed “sudo /bin/sh” and was presented with root.

Root

You can find the flag in /root/Congrats.txt as shown below.

Success Flag

Review

There were a lot of ways to enumerate additional information on this machine such as LotusCMS, SQL Injection, and PHPMyAdmin. I thought it was great practice and would recommend it to a beginner or someone looking to brush up on old skills.

You May Also Enjoy

USB Drop Assessment Guide

17 minute read

I recently did a talk at RVASec (great con btw) regarding USB drop assessments. I hesitated on submitting the talk as I was concerned that the interest level...

Introduction to Shodan

6 minute read

Shodan gets a bad rap. Many of you have probably heard the connotation that Shodan is “the world’s most dangerous search engine” or “dark Google” and it’s so...