We at Kioptrix are not responsible for any damages directly, or indirectly,
caused by using this system. We suggest you do not connect this installation
to the Internet.
It is, after all, a vulnerable setup.
Please keep this in mind when playing the game.
This machine is set up to use DHCP.
Before playing the game, please modify your attacker's hosts file.
This challenge contains a Web Application.
If you have any questions, please direct them to:
Hope you enjoy this challenge.
My first go at this VM was fraught with frustration. It wasn't until I looked at the readme.txt that I noticed this note about the hosts file. Adding this line does help. To help with things I've started using KeepNote for recording my progress with each vulnerable VM.
After booting up Kioptrix 3 and Kali I start with the usual:
root@kali:~# nmap 192.168.0.198
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-04 21:35 EST
Nmap scan report for 192.168.0.198
Host is up (0.000066s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:C7:D9:56 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
root@kali:~# nmap -T4 -A -v 192.168.0.198
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Kioptrix 3 has Apache running on it. Let's take a look:
We have a Blog page, a Login page, and if you visit this page there is a gallery system. For this VM I've also decided to try out a tool that is new to me, Nikto.
root@kali:~# nikto -host http://192.168.0.198/gallery
- Nikto v2.1.6
+ Target IP: 192.168.0.198
+ Target Hostname: 192.168.0.198
+ Target Port: 80
+ Start Time: 2017-02-04 19:01:13 (GMT-5)
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /gallery/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /gallery/db.sql, inode: 630988, size: 3573, mtime: Sat Oct 10 15:43:52 2009
+ OSVDB-3092: /gallery/db.sql: Database SQL?
+ /gallery/login.php: Admin login page/section found.
+ 7534 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2017-02-04 19:01:28 (GMT-5) (15 seconds)
+ 1 host(s) tested
These two highlighted parts caught my attention. Let's see what they show in the browser:
So I just got the DB structure. I'm going to save this for later. Further down on this page I also get this gem:
CREATE TABLE IF NOT EXISTS `gallarific_users` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(100) NOT NULL default '',
`password` varchar(100) NOT NULL default '',
`usertype` enum('superuser','normaluser') NOT NULL default 'superuser',
`firstname` varchar(100) NOT NULL default '',
`lastname` varchar(100) NOT NULL default '',
`email` varchar(255) NOT NULL default '',
`datejoined` int(11) NOT NULL default '0',
`website` varchar(255) NOT NULL default '',
`issuperuser` tinyint(4) NOT NULL default '0',
`photo` varchar(100) NOT NULL default '',
`joincode` varchar(20) NOT NULL default '',
PRIMARY KEY (`userid`)
);
After clicking on the Press Room I notice a drop-down menu for sorting options. After clicking it, I notice 'id' in the URL.
Throwing in a single quote (http://kioptrix3.com/gallery/gallery.php?id=') into the url returns this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by parentid,sort,name' at line 1
Could not select category
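That error is the signature of a query that splices the id parameter straight into the SQL text. As an added example (not Gallarific's code; the table name gallarific_categories and its columns are assumptions chosen to match the "order by parentid,sort,name" tail of the error), here is that concatenation pattern beside a hardened version that validates the id as an integer and binds it as a parameter, run against an in-memory SQLite database so you can watch both behave on the same input:

```python
import sqlite3

# Constructed schema that reproduces the query shape implied by the error
# message ("... order by parentid,sort,name"); the real Gallarific schema
# is not on the page, so table and column names here are assumptions.
SCHEMA = """
CREATE TABLE gallarific_categories (
  id INTEGER PRIMARY KEY, parentid INTEGER, sort INTEGER, name TEXT);
INSERT INTO gallarific_categories VALUES (1, 0, 1, 'Press Room');
INSERT INTO gallarific_categories VALUES (2, 1, 2, 'Photos');
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def select_category_vulnerable(conn, raw_id):
    # Mirrors the defect: the request parameter is spliced into the SQL text,
    # so a stray quote in raw_id breaks the statement (the error seen above).
    sql = ("SELECT id, name FROM gallarific_categories WHERE id = " + raw_id
           + " order by parentid,sort,name")
    return conn.execute(sql).fetchall()

def select_category_hardened(conn, raw_id):
    # Two independent controls: reject anything that is not a plain integer,
    # then bind the value so the driver never treats it as SQL text.
    if not raw_id.isdigit():
        raise ValueError("category id must be a positive integer")
    sql = ("SELECT id, name FROM gallarific_categories WHERE id = ? "
           "order by parentid,sort,name")
    return conn.execute(sql, (int(raw_id),)).fetchall()

def probe(raw_id):
    """Run both variants on the same input and report what each one does."""
    conn = fresh_db()
    result = {}
    for label, fn in (("vulnerable", select_category_vulnerable),
                      ("hardened", select_category_hardened)):
        try:
            result[label] = fn(conn, raw_id)
        except (sqlite3.Error, ValueError) as exc:
            result[label] = type(exc).__name__
    return result
```

With a plain integer both variants return the same row; with a single quote the vulnerable query raises the database's syntax error while the hardened one rejects the input before it reaches the database.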
After a lot of playing around I get an SQL injection to work:
Changing the SQL Injection to:
Since I've learned the table and column names from earlier I can get the username and password from the DB:
This could be used for logging into the site, but I don't think this is a dev account. To prove this I tried logging in with this username. No luck. Time to look for another table:
Changing my earlier injection to:
From the blog site loneferret is the new admin for the site. This is the username I want.
I used crackstation.net to crack these hashes:
Two files stand out: checksec.sh and CompanyPolicy.README.
checksec.sh description shows:
# Name : checksec.sh
# Version : 1.4
# Author : Tobias Klein
# Date : January 2011
# Download: http://www.trapkit.de/tools/checksec.html
# Changes : http://www.trapkit.de/tools/checksec_changes.txt
# Modern Linux distributions offer some mitigation techniques to make it
# harder to exploit software vulnerabilities reliably. Mitigations such
# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
# Randomization (ASLR) and Position Independent Executables (PIE) have
# made reliably exploiting any vulnerabilities that do exist far more
# challenging. The checksec.sh script is designed to test what *standard*
# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
# As of version 1.3 the script also lists the status of various Linux kernel
# protection mechanisms.
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in your immediate termination.
To get root I need to sudo su, but this isn't allowed at the moment. I need to edit the sudoers file, and ht will do the trick.
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
After a quick Google search of the error I found the answer on this stackoverflow.com page:
I've edited the file so loneferret can do all the things that root can.
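The weakness here is the sudoers rule itself: an editor run as root can write any file, including /etc/sudoers, so denying su on the same line buys nothing. As an added example, not part of the original post, here is a small Python audit that parses sudoers-style user specifications and flags any non-root user allowed to run an editor with root rights; the sample rules are constructed (not the VM's real file) and the editor list is an assumption you would tune to your own systems:

```python
import os
import re

# Programs that can open and write arbitrary files when run as root.
# Assumed list for illustration; extend it for the editors used locally.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "pico"}

# Constructed sample rules in sudoers syntax (not the VM's actual file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(root) /usr/bin/rsync
ops     ALL=(ALL) sudoedit /etc/motd
"""

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_rules(text):
    """Yield (user, runas_user, [commands]) for each user specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = []
        for cmd in m.group("cmds").split(","):
            # Strip tag prefixes such as NOPASSWD: or SETENV:
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())
            cmds.append(cmd)
        # Runas defaults to root when absent; "(user:group)" keeps the user part
        yield m.group("user"), (m.group("runas") or "root").split(":")[0], cmds

def find_editor_grants(text):
    """Return (user, command) pairs where a non-root user may run an editor as root."""
    findings = []
    for user, runas, cmds in parse_rules(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        for cmd in cmds:
            if cmd.startswith("!"):
                continue  # a negated command grants nothing, so it is not a finding
            prog = os.path.basename(cmd.split()[0])
            if prog in EDITORS:
                findings.append((user, cmd))
    return findings
```

The sudoedit rule is deliberately not flagged: it is the supported way to let a user edit one named file as root without handing them a general-purpose editor.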
loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret:
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intended for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
Gallarific 2.1 - Free Version released October 10, 2009
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
The HT Editor can be found here:
And the vulnerable version on Exploit-DB here:
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.