VulnHub — Kioptrix level 3
All Right! Hello friends and welcome to my walkthrough about VulnHub machines “KiopTrix” which is designed to be for beginners, I’m actually still beginner also:) so let’s get started…
Before we start, Some important links
KiopTrix download link
How to install Kioptrix on VirtualMachine
Our Mindset or Methodology through this level
0. Recon or Information Gathering (Nmap info, IP address, Mac address, open ports, public vulnerabilities, system version, services information, etc)
- Enumeration (HTTPS, HTTP, SMB, SQL, etc)
- Exploitation (LFI, SQLi, Information disclosure, Privilege escalation, OS Execution, RCE, etc)
#0 Recon / Information Gathering
In this step we will be interested at collecting information like IP address of the machine or it’s MAC address and the open ports in addition to some public information like it’s CMS if it have or the type of its Database and some of information about the server (type, version and OS) and so on. So let’s get started with getting our IP address by ifconfig
You’ll notice that my IP address is
10.0.2.15 and from this information we will get the hosted machines in this IP range or subnet.
This subnet mask enable us to host machines from
10.0.2.256. To know more search about network subnet
To discover the hosted machines in the same network, I’ve used my own tool
NetScanner with my IP range
10.0.2.1/24 and you can use
netdiscover built in tool or what ever you use
From the result we have the IP address of the machine is
Don’t forget to note this information in any notes app like cheery tree for example
The next step is to discover the open ports on this machine because it may be the gate which will enables us to hack the machine, so check the open ports by using Nmap
nmap -sS -sV -T4 -O 10.0.2.24
For more information about the parameters in
nmap command, check
We have discovered 2 open ports from the first 1000 port which checked,
nmap check the first 1000 port by default, you can check all ports by adding -p- parameter in the command, so the first port is ssh and the version is →
OpenSSH 4.7p1 and the second port is
Until now we have 2 open ports with it’s versions and more information about the backend language → PHP/5.2.4–2 and the server type → Apache 2.2.8 and the kernel version which running on the server Linux kernel 2.6.x (nmap doesn’t determined it’s version exactly)
That’s enough information from nmap, now let’s check more information form Nikto automation scanner
We now have information which we know before from nmap and some kind of this information like directory found or there’s may be information disclosure or version is out of date and so on.
Nikto results we checked some kind of vulnerability like directory found or information disclosure or the info about the server and services. now note this information and let’s go to the next step.
#1 Enumeration (HTTP)
Open the website which hosted in the machine
10.0.2.24 and you’ll find something like blog, I think it’s similar to blog. Got Goat ? Security ! LOL !
From here you should enumerate through the all website and check of this information (content, hidden parameters, cookies, source code, CMS, hidden directories ) and some kind of this staff of information, just mapping the application to know more about its activity and how it works.
After mapping it you’ll notice that when you move between pages there’s something changes in the URL contain the name of the page you’re in, so the normal guessing that it’s get the content from the server or DB by sending the name of the page so let’s try to perform LFI ???
../../../../../../../../../../etc/passwd but there’s nothing happened so let’s try to add null byte with any extension like
%00pdf at the end of the payload and see what will happen
Great! it’s worked :) It’s vulnerable to LFI. Note that at the end of the file there’s user called Dreg Gevans, note this information
To know more about null byte and it’s work see source
Continue mapping the application, you will find something like LotusCMS in the login page
CMS is Content Management System , know more about it https://whatcms.org/
Now I'll search about any exploitation related to this kind of CMS on google or by
Nice! There’s RCE exploitation related to it on
Metasploit and search about it
we’ve used it by typing use 0 because its number is 0 or you can type use (exploitation name).
By typing show options you note that you required to insert 2 values, RHOSTS which is 10.0.2.24 (Website IP) and the URL which will be / (Main page)
set RHOSTS 10.0.2.24
set URL /
and type exploit or run to start exploitation
Bingooo ! we’ve shell now :)
Type help to see the available commands which you can use. I’m want to get more information about the machine which nmap or nikto can’t get it by typing getuid and sysinfo
but unfortunately if you type
whoami you’ll find you normal user not root so let’s search about any information in this machine like
.mysql_history or any kind of this staff of information which we can use it to get root access.
I’ve type shell to open shell on the server to deal with it and start searching, at the first you don’t have access to open root directory because you are not root :(
So I’ve continued searching and find some kind of backup files in
/var/backups but unfortunately can’t open it.
Continue Continue, never give up
I’ve changed directory to default directory
/home/www/kioptrix3.com and see gallery directory and remember that there’s something like this word in the website “Gallery”
So I tried to open this link but because the machine is very old this link it doesn’t work yet, what ever we will continue searching …
Get into gallery directory and this name is unique gconfig.php so i want to open it, may have important information
Great Great ! Credentials information about the server, database, username and password. Note this important information
Continue searching …
if you note that there’s also directory named data and contain config file also so I've opened it and get more information about the site version 3.0.5
That’s enough ! Let’s return to the website and try to exploit this information into there
Open the website and if you remember that
Nikto has tell us. before that
/phpmyadmin directory is enables and this directory is related to the Database and by default it must be hidden and no one can get into it but we can so this is vulnerability
Now you have already credentials related to the Gallery and if you tried to login with this info, it will access you the Gallery database. So try to do this
user: root & password: fuckeyou … Sorry but it’s the password 😅
Great ! Now you have access on Gallery database.
But how can you get access at the all database? Hmm! logout and let’s try something crazy
Try to login by SQLi by typing
What will happen ????
Bingooo ! We now have full access on the database and there’s another vulnerability which is the admin token transfer between the server and browser in the URL and it’s dangerous because the Wayback machines will record it.
Have Fun and take a look at all this information as you want ❤
There’s something important you should know
Because of this machine is old the gallery’s link isn’t work and because of this you can’t get root access on the machine because from the gallery’s link you should get another SQLi and get the user and password of the admin from there and connect by the server by using ssh. And this is not enabled at this time because of the Gallery’s link but you can explore the database and get this kind of information.