Kioptrix: Level 1.2 (#3)


Yes, yes – I know. This is probably the 9543245945361st version of the Kioptrix #3 walkthrough, but I’ll post it anyway since it’s the first vulnhub CTF I did that required a bit more effort. So, here we go.

After launching the VM (in VMware Fusion), we first have to discover the IP address of the system. I chose netdiscover for that.

netdiscover -r

We quickly identify the VM ( from the list of returned ARP packets.


Next, the obvious nmap scan. The result: only ports 80 (web server) and 22 (SSH) are open.


So let’s take a look at the webserver content. Apparently, there’s a site running a CMS called “LotusCMS”.


One of the links points to a login page but unfortunately this page doesn’t seem to be vulnerable to SQLi attacks.


Moving on, we find a link to a gallery. Make sure to add the “” entry to your hosts file in order to see its full glory! 🙂


One of the sub pages carries PHP code with an explicit id parameter. By passing a as id we get an SQL error – this shows that this parameter can most likely be used for an SQL Injection attack (SQLi).


Let’s fire up sqlmap and do some analysis. By using this command

sqlmap -u --dbs

… we’re able to retrieve a list of available MySQL databases.


Digging deeper, we decide to dump the complete ‘gallery’ database to our hard disk (uhm, or SSD).

sqlmap -u --dump gallery

In one of the tables (dev_accounts) we find usernames and password hashes. Wouldn’t it be great if these could be used to SSH into the machine?


Let’s give it a try. First crack the hashes with hacker’s best friend: HASHCAT


Wow, that was easy. So we now have two valid logins:


Since I like ferrets, let’s use that one first and see if it gets us a shell.


Bingo! We’re in. Let’s dig around a bit. A README file gives us a pointer towards sudo possibilities.


And yes, sudo -l indeed reveals some possibilities.


That “ht” looks interesting. HT is an editor. After fixing my invalid TERM variable (hint: try setting it to xterm-xfree86 in case of problems inside the editor), I was able to modify the /etc/sudoers file to allow us sudo access to /bin/su.
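The sudo grant for an editor is what turns a low-privileged shell into root here, so this is the entry a defender wants to catch. A small audit sketch (added example, not part of the original walkthrough) that flags such grants; the sample sudoers content, user names and paths are constructed, and the editor list is an assumption:

```python
import os
import re

# Interactive editors: run as root, each can open and save any file,
# /etc/sudoers included. Assumed starter list, extend for your estate.
EDITORS = {"ht", "vi", "vim", "nano", "pico", "emacs", "ed"}
EDITOR_RISK = "editor can rewrite any file as root"

# Constructed sample sudoers content; users and paths are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
webdev  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(root) NOPASSWD: /usr/bin/du, \\
        /usr/bin/nano
ops     ALL=(ALL) /usr/sbin/service apache2 restart
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=]+=\s*(?P<spec>.+)$")

def logical_lines(text):
    """Join backslash continuations; drop blanks and comments (#include is not followed)."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def risky_grants(text):
    """Return (user, command, reason) for grants that are root-equivalent."""
    findings = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if line.startswith("Defaults") or not m:
            continue
        for cmd in m["spec"].split(","):
            # Drop a leading Runas spec "(root)" and tags such as "NOPASSWD:".
            cmd = re.sub(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*", "", cmd).strip()
            if not cmd or cmd.startswith("!"):
                continue  # negated entries grant nothing
            if cmd == "ALL":
                findings.append((m["who"], cmd, "any command"))
            elif os.path.basename(cmd.split()[0]) in EDITORS:
                findings.append((m["who"], cmd, EDITOR_RISK))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in risky_grants(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```

Note how the constructed "webdev" entry explicitly denies su yet still hands out an editor, which makes the deny rule meaningless.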


Getting root is now easy.


Finally, we capture the “flag” located in the /root directory.


That’s it! That was a quick one 😉


Categories: CTF
