VulnHub — Kioptrix level 3

All Right! Hello friends and welcome to my walkthrough about VulnHub machines “KiopTrix” which is designed to be for beginners, I’m actually still beginner also:) so let’s get started…

KiopTrix download link

KiopTrix level 1 walkthrough

KiopTrix level 2 walkthrough

How to install Kioptrix on VirtualMachine

0. Recon or Information Gathering (Nmap info, IP address, Mac address, open ports, public vulnerabilities, system version, services information, etc)

  1. Enumeration (HTTPS, HTTP, SMB, SQL, etc)
  2. Exploitation (LFI, SQLi, Information disclosure, Privilege escalation, OS Execution, RCE, etc)

In this step we will be interested at collecting information like IP address of the machine or it’s MAC address and the open ports in addition to some public information like it’s CMS if it have or the type of its Database and some of information about the server (type, version and OS) and so on. So let’s get started with getting our IP address by ifconfig

You’ll notice that my IP address is 10.0.2.15 and from this information we will get the hosted machines in this IP range or subnet.

This subnet mask enable us to host machines from 10.0.2.1 to 10.0.2.256. To know more search about network subnet

To discover the hosted machines in the same network, I’ve used my own tool NetScanner with my IP range 10.0.2.1/24 and you can use netdiscover built in tool or what ever you use

From the result we have the IP address of the machine is 10.0.2.24.

Don’t forget to note this information in any notes app like cheery tree for example

The next step is to discover the open ports on this machine because it may be the gate which will enables us to hack the machine, so check the open ports by using Nmap nmap -sS -sV -T4 -O 10.0.2.24

For more information about the parameters in nmap command, check nmap -h

We have discovered 2 open ports from the first 1000 port which checked, nmap check the first 1000 port by default, you can check all ports by adding -p- parameter in the command, so the first port is ssh and the version is → OpenSSH 4.7p1 and the second port is http. Nice!

Until now we have 2 open ports with it’s versions and more information about the backend language → PHP/5.2.4–2 and the server type → Apache 2.2.8 and the kernel version which running on the server Linux kernel 2.6.x (nmap doesn’t determined it’s version exactly)

That’s enough information from nmap, now let’s check more information form Nikto automation scanner

We now have information which we know before from nmap and some kind of this information like directory found or there’s may be information disclosure or version is out of date and so on.

From Nikto results we checked some kind of vulnerability like directory found or information disclosure or the info about the server and services. now note this information and let’s go to the next step.

Open the website which hosted in the machine 10.0.2.24 and you’ll find something like blog, I think it’s similar to blog. Got Goat ? Security ! LOL !

From here you should enumerate through the all website and check of this information (content, hidden parameters, cookies, source code, CMS, hidden directories ) and some kind of this staff of information, just mapping the application to know more about its activity and how it works.

After mapping it you’ll notice that when you move between pages there’s something changes in the URL contain the name of the page you’re in, so the normal guessing that it’s get the content from the server or DB by sending the name of the page so let’s try to perform LFI ???

I’ve insert ../../../../../../../../../../etc/passwd but there’s nothing happened so let’s try to add null byte with any extension like %00pdf at the end of the payload and see what will happen

Great! it’s worked :) It’s vulnerable to LFI. Note that at the end of the file there’s user called Dreg Gevans, note this information

To know more about null byte and it’s work see source

Continue mapping the application, you will find something like LotusCMS in the login page

CMS is Content Management System , know more about it https://whatcms.org/

Now I'll search about any exploitation related to this kind of CMS on google or by searchsploit tool

Nice! There’s RCE exploitation related to it on Metasploit.

Go to Metasploit and search about it

searching about LotusCMS exploitation

we’ve used it by typing use 0 because its number is 0 or you can type use (exploitation name).

By typing show options you note that you required to insert 2 values, RHOSTS which is 10.0.2.24 (Website IP) and the URL which will be / (Main page)

set RHOSTS 10.0.2.24

set URL /

and type exploit or run to start exploitation

Bingooo ! we’ve shell now :)

Type help to see the available commands which you can use. I’m want to get more information about the machine which nmap or nikto can’t get it by typing getuid and sysinfo

but unfortunately if you type whoami you’ll find you normal user not root so let’s search about any information in this machine like .bash_history, .mysql_history or any kind of this staff of information which we can use it to get root access.

I’ve type shell to open shell on the server to deal with it and start searching, at the first you don’t have access to open root directory because you are not root :(

So I’ve continued searching and find some kind of backup files in /var/backups but unfortunately can’t open it.

Continue Continue, never give up

I’ve changed directory to default directory /home/www/kioptrix3.com and see gallery directory and remember that there’s something like this word in the website “Gallery”

So I tried to open this link but because the machine is very old this link it doesn’t work yet, what ever we will continue searching …

Get into gallery directory and this name is unique gconfig.php so i want to open it, may have important information

Great Great ! Credentials information about the server, database, username and password. Note this important information

Continue searching …

if you note that there’s also directory named data and contain config file also so I've opened it and get more information about the site version 3.0.5

That’s enough ! Let’s return to the website and try to exploit this information into there

Open the website and if you remember that Nikto has tell us. before that /phpmyadmin directory is enables and this directory is related to the Database and by default it must be hidden and no one can get into it but we can so this is vulnerability

Now you have already credentials related to the Gallery and if you tried to login with this info, it will access you the Gallery database. So try to do this

user: root & password: fuckeyou … Sorry but it’s the password 😅

Great ! Now you have access on Gallery database.

But how can you get access at the all database? Hmm! logout and let’s try something crazy

Try to login by SQLi by typing admin’or+1=1#

What will happen ????

Bingooo ! We now have full access on the database and there’s another vulnerability which is the admin token transfer between the server and browser in the URL and it’s dangerous because the Wayback machines will record it.

Have Fun and take a look at all this information as you want ❤

Because of this machine is old the gallery’s link isn’t work and because of this you can’t get root access on the machine because from the gallery’s link you should get another SQLi and get the user and password of the admin from there and connect by the server by using ssh. And this is not enabled at this time because of the Gallery’s link but you can explore the database and get this kind of information.

Good Bye ❤

Offensive Security Enthusiast