Tuesday, June 5, 2018

Kioptrix - Level 1.2 (#3)

KIOPTRIX- Level 1.2 (#3) 

- Layout for this exercise:


The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.2 (#3)

- Kioptrix Level 1.2 (#3) can be downloaded from here:


- Once downloaded, extracted and opened with WMware:


- First, using netdiscover let's notice that the only IP address in the local network working with WMware is, so it should correspond to the vulnerable machine Kioptrix:

- When downloading the vulnerable machine there is a text file README.txt:

- Following these directions let's modify /etc/hosts:

- Now, we can directly connect to the URL kioptrix3.com:

- Clicking the Login tab, it seems that the web application is using LotusCMS:

- Scanning for versions and the operating system with Nmap:

- dirb bruteforces directories and files on the web server: 

- We learn that there is a phpMyAdmin portal:


3.1 - Searching for a exploit

- Googling vulnerabilities for LotusCMS:

- There is a script that can be used to exploit remotely the web application:

- Copying the script to the attacker's machine:

- Setting a listening netcat session on port 5555:

- Launching the exploit, and providing parameters like the attacker's IP ( and the port 5555:

- Eventually a reverse shell is achieved, though limited with non-root privileges:

3.2 - Metasploit

- Using Metasploit we achieve the same result:


- Let's start our privilege escalation process. 

- Going to the web root directory there is a gallery folder:

- Opening gallery we find a gconfig.php file:

- The file gconfig.php contains interesting credentials:

- Let's try these credentials to access the phpMyAdmin portal:

- The login is successful:

- Querying dev_accounts:

- We find two user accounts with their encrypted/hashed passwords:

- Using CrackStation to decrypt the hashes we get both plaintext passwords:

- Hydra can also decrypt the hashes:

- Going to the user loneferret home directory there is a .sudo_as_admin_successful:

- Also, reading the README text file we learn that the user loneferret could be related to the sudoers users:

- SSH-ing to the Kioptrix3 machine with the loneferret account:

- Option -l for sudo gives information about what commands can be used by the user: 

- In this case we learn that the user loneferret has access to the HT Editor, a program able to edit executable files:

- Locating the HT Editor:

- When using ht there is a problem with the terminal, that can be easily solved:

- Now, the HT Editor window pops up and modifications can be performed to the files:

- F3 opens /etc/sudoers:

- Adding the privilege to run /bin/sh and saving the change:

- Now, loneferret is able to run sudo /bin/sh and a root shell is achieved:


- Finally, going to the /root folder: