Kioptrix 3 – 3 Ways to Win

This one is great. More web stuff. More of me failing at SQL injection. It’s worth failing to learn, though. I keep making progress via exploits and tools, but I need to get stronger on these more basic concepts.

The entire challenge hinges on getting one of two user account passwords. Looking at the webpages and seeing the LotusCMS software, my first instinct was to look for a vulnerability for that. And I found a couple, but this one worked:  So that works and gets a shell with the www-data account, which isn’t much. There are a couple of exploits listed for the Linux kernel that should have escalated privs, but they didn’t work. So I tried doing grep -rn “password”, which worked on one of the SANS Holiday Hack challenges. Sure enough, hard-coded mysql password.

There are three ways, that I know of, to get the user creds. First is the method I used, which is to used the LotusCMS exploit then find the hardcoded MySQL password and then go to and logging in there. From there, you can get the user credentials for loneferret and dreg. You can also use SQL injection on the parameters from the gallery on the main site and get the cred that way, or use sqlmap to get the creds.

Once in, you can sudo to use the ht text editor as root, which allows you to edit the sudoers file. Clever. I liked seeing multiple paths to victory here, even if I only saw them all after the fact. Now on to Kioptrix 4, which is quite a bit harder for me.

Kioptrix 2 – Lessons Learned

Rather than do a traditional walkthrough on most of these, I think I’ll just do a “lessons learned” type thing. That’s more useful for me, and honestly, the world doesn’t need another Kioptrix walkthrough.

So with the first one I feel like I was pretty much successful. I took a generic pentesting methodology and applied using the specific tools I had and it worked out well. With this one, things were a bit more tricky.

Mistake one: I didn’t use anything to enumerate out web pages on the site. So I spun my wheels on the services detected through nmap for much longer than I should have rather than just looking at the index.php page. One look and it becomes pretty clear that the entry point of this VM does not lie in analysis of tool feedback and research of vulnerabilities associated with software. A little SQL injection and you’re in, and given a prompt that runs the ping command. I was able to set up a reverse shell and now we’re in the box as the apache user. This is where the research comes in and reveals a privilege escalation vulnerability for the linux kernel.

Mistake two: I missed the hardcoded credentials in the index.php source code. If the objective is just to own the box, well that’s not of too much consequence. But the objective here is really just to get as much info as possible and missing that bit of data is instructive for the future.

So far, my objective has been to stay away from Metasploit and see what I can do manually and it has been working out. These haven’t been challenging but there are inefficiencies and things I miss so I need to shore that up. I’m making a playbook for these machines and making some adjustments based on my results. Next up: Kioptrix 3.

Kioptrix 1 – First up

Diving in, my hope is to run through some of these Vulnhub instances and practice enumeration, exploitation (of course), and documentation. The goal is to begin the OSCP course in about a month, coinciding with graduation time. In the meantime I also want to develop some proto-scripts for scripting enumeration, so the focus on enumeration for me. And we’re starting with Kioptrix 1.

First off, netdiscover, match the MAC to the MAC in the ESXi settings, acquire IP

And then nmap. Keeping it simple, just an -sV.

Got some services and right off the bat we have some candidates. But let’s flesh it out and do some nikto:

I followed this up with a bunch of nmap scans that I won’t bother postiing pictures of. Basically, enumeration scripts, including http-enum and a few smb-enum-* scripts. None really gave much information.

Nikto showed us a few directories and two accessible webpages, one the default Apache webpage and one a php page named test.php that doesn’t appear to do much. Looking at rpcbind, I checked out a suggestion found online to look for rpcinfo and check for mounts. No joy, but a worthwhile effort:

After that we look at our candidates from the scans. First we have the Apache version. We also have OpenSSH, which we won’t really talk about since there does not seem to be a publicly available exploit for this version. Next we have port 139, which means netbios, which means Samba most likely. We’ll use enum4linux to pull some more info there:

It’s a lot of text, but if you dig in there you’ll find that we are dealing with Samba 2.2.1a. And exploit-db has a lot to say about our Samba version. I pulled the exploit from that link and compiled (gcc -o samba_sploit 10.c) and it ran without a hitch.

Apache is a little more intense. The code on exploit-db doesn’t compile as is. Luckily an industrious young hacker has provided steps for updating the code, however you’ll find that it still won’t compile, complaining a lot about SSL2. Turns out you will need to install libssl1.0-dev (look in the comments) as well, and it then compiled nicely.

Running OpenFuck -h you get a long list of potential targets. Look for our Apache versions on the list (ignore the OS versions) and try them one by one. Process of elimination yields us this:

Nicely. Lessons learned: don’t give up if the exploit isn’t working, took a while to find the answer on the Apache vuln here. Also wish I had done a better job documenting. My intent is to get to the point that I am doing it in the OSCP format so I’ll be ready. Next up: Kioptrix 2.


Updating the Home Lab

When I set my lab up my primary concern was keeping costs fairly low. My needs were not, and probably still are not, for a powerful system. Just a capable one, even if only barely so. The setup I had fit the bill. A 90 dollar expense through eBay, another 25 or so for RAM got me a machine with dual Xeons, 32 GB RAM, it go the job done.

Then I turned it on. And then this happened with the power:

So in the interest of global warming and the future of humanity, I came up with another solution. I ended up on the SuperMicro e200-8d, which has a single Xeon with six cores, and 64 GB of RAM. All that with only a 60 watt power supply. This was significantly more expensive, though. Approximately 800 for the server alone and another 400 for RAM. I have enough room to expand to 128 GB but couldn’t justify the expense quite yet, given my usage.

The SuperMicro server has an IPMI interface. The Dell server I had before did as well, but mine never worked and I was never motivated enough to troubleshoot it. The remote management is a really nice feature.   I didn’t think ahead to benchmark the old server so i can compare, but there’s no nee really. The SuperMicro is an incredible upgrade.
The only drawbacks, so far, is the cost and the RAM. According the the Internet, which is never wrong, this model has compatibility issues with RAM. Luckily, SuperMicro provides a list of RAM models verified to work. Unfortunately, these are all quite expensive. This took the total price up close to 1300 dollars. If I needed the full 128 GB, it would have been 1800. That’s a lot of pressure to make the purchase worthwhile, which is good in a way. Still, one of my primary concerns was keeping the lab as cheap as possible and this has hosed that goal completely. 

Projects so far: all-purpose Ubuntu server which serves as a OpenVPN server and whatever other junk I want to throw on it (twitter bots, etc), pentesting lab, Metasploitable 3.

Projects in the works: build my own AD forest, hook up some automation, enhanced pentesting lab, solve world hunger.

Here’s the new server sitting on top of the old one: