VulnHub: Kioptrix Level 3

Kioptrix Level 3 is noticeably harder than Levels 1 and 2, and it exercises a different skill set from the earlier levels: web application enumeration and SQL injection rather than just service exploitation.

There are two main ways to gain initial access to this machine, so let's begin and walk through both of them.


Before starting, add an entry for in the file.

As usual, the first step is to run a scan and then check in the browser whether a web page is hosted there. The results from are:

The scan shows two open ports, 22 (SSH) and 80 (HTTP). Next, we check the website hosted on port 80.

We can explore the other two tabs as well.

On the “Blog” tab there is a post welcoming a new lead programmer named “loneferret”. This looks like a username, so we note it for later.

The third tab is a login page. A few basic SQLi payloads can be tried here, but none of them appear to work.

As part of web enumeration, we can brute-force directory names on the target to check whether any hidden directories are present on the server. (This is directory enumeration, not to be confused with a directory-traversal vulnerability.)

Several directories are detected, so we explore each of them for anything that might help us gain access to the machine.

Of the detected directories, the directory is the most interesting: it displays some images, and its page source reveals that it is running an application named "Gallarific PHP Photo Script".

A quick search shows that “Gallarific” has a known SQL injection vulnerability. Using we can also find a Python script that might help exploit it.

We can check out the last one i.e. .

It appears that either the script does not work or we are passing the wrong arguments. Either way, we can exploit the vulnerability manually by following the description in the exploit.

To confirm the injection point, we can enter , which should raise a database error.

We do get an error, so the parameter is injectable and we can use it to explore the contents of the database.

Gaining Access — Method 1

To extract information from the database, we follow this process:

  1. Determine the number of columns

This shows that the original query returns 6 columns, so every UNION payload we craft must also return exactly 6 columns.

2. Determine which columns can return text

  • Sending all to verify there are 6 columns

Note the error returned here:

  • Sending for each column in turn to test which ones can return text

Only when the value for column 1 was replaced with text did the error differ from the one returned when all values were passed. This suggests that column 1 cannot return text while every other column can, since replacing any of those with text produced the same error as passing all .

3. Obtaining the names of all the tables

Here, because the 2nd column returns text, we have placed in the 2nd column's position.

The table has an entry for every table in the database, so we query it to list all the tables.

4. From the list of tables obtained in the previous step, look for one that might contain sensitive information.

One such table appears to be .

5. Next, determine the columns in the table.

Here, we are retrieving the from the table where the . This table holds the details of every column in the database.

We can see that the table has 3 columns.

6. Finally, extract the data from the table .

We do get data back from the database, but no entry for the “password” column is shown. So we can the contents of the "username" and "password" columns and return them together in a single column:

And there we get the username along with their password hashes.

The next step is simply to crack these password hashes (CrackStation handles common unsalted hashes) and try the recovered passwords on the login page and over SSH.

After cracking the hashes, we get “starwars” as user loneferret’s password and “Mast3r” as user dreg’s password.

We try these credentials on the login page, but none of them work there. So we try them over SSH instead.

Logging in as user dreg over SSH succeeds, but dreg cannot run any commands with .

Gaining Access — Method 2

From the blog page we already have a likely username, “loneferret”, so we can run an SSH brute-force attack against that account to see whether we can guess his password.

And here we get the login credentials for the user “loneferret”.

Privilege Escalation

Since dreg cannot run commands with privilege, we log in as "loneferret" via SSH (or switch to that user with while logged in as "dreg") and check whether he can run any commands with privilege.

We see that “loneferret” can run the command as but cannot run the command . So we need to find out exactly what the allowed command does, to see whether it can be turned into a privilege escalation step.

When we try to run the binary, however, it gives an error. Changing the value resolves this.

Now we can run the command again, which opens an editor.

From here we can try to open the file and check whether we can modify it: since the editor itself is running with elevated privilege, any file it opens can be written with that privilege. If the file can be modified, we can remove the in front of the command , which would let us run that command without any password.

To open a file, we can use the key .

Now all that remains is to remove the before , save the file using , and then select .

With the file modified, we can now run the command directly and get a shell.

And with that we have access to the machine as !
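The escalation works because a sudo rule lets an interactive editor run with root privilege: whatever file the editor opens, it writes as root, which is why the sudo rules themselves could be changed from inside it. As an added example (not from the write-up), here is a small Python audit of sudoers user-specification lines that flags editors permitted under sudo and `!` deny entries, which sudoers(5) itself documents as an ineffective way of subtracting commands. The sample sudoers text, the users, the paths and the editor list are constructed for illustration and do not describe the machine's real file.

```python
import re

# Constructed sudoers excerpt for this example. The users, paths and rules are
# made up and are not the contents of the machine's real file.
SAMPLE_SUDOERS = """\
# User privilege specification (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
bob     ALL=(ALL) /usr/bin/apt-get
alice   ALL=NOPASSWD: !/bin/sh, /usr/bin/vim
"""

# Small illustrative set; a real audit would use a fuller list of programs
# that can write arbitrary files or spawn a shell.
EDITORS = {"vi", "vim", "view", "nano", "pico", "emacs", "ed"}

SKIP_KEYWORDS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user  host = (runas) [TAG:] cmd, cmd ...   (single-line form only)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (user, runas, tags, command, negated) tuples for each command in
    the user specification lines. Comments, Defaults and alias definitions are
    skipped; backslash continuations and alias expansion are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"  # sudoers default when (runas) is absent
        tags = []
        for item in m.group("cmds").split(","):
            item = item.strip()
            # Tags like NOPASSWD: prefix a command and stay in effect for the
            # commands that follow on the same line.
            while ":" in item and item.split(":", 1)[0].strip().isupper():
                tag, item = item.split(":", 1)
                tags.append(tag.strip())
                item = item.strip()
            negated = item.startswith("!")
            command = item.lstrip("!").strip()
            rules.append((m.group("user"), runas, tuple(tags), command, negated))
    return rules


def audit_sudoers(rules):
    """Flag the two patterns the escalation relies on: editors allowed to run
    as another user (an editor running as root can rewrite any file, the sudo
    rules included) and '!' deny entries, which do not restrict anything else
    the user is permitted to run."""
    findings = []
    for user, runas, tags, cmd, negated in rules:
        if negated:
            findings.append((user, cmd,
                             "deny rule is bypassable and restricts nothing else the user may run"))
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog in EDITORS:
            how = "without a password" if "NOPASSWD" in tags else "with the user's own password"
            findings.append((user, cmd,
                             "editor runs as %s %s: equivalent to full %s access" % (runas, how, runas)))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print("%-8s %-18s %s" % (user, cmd, reason))
```

Run it directly to print the findings for the sample. On a real host, point parse_sudoers at /etc/sudoers and the files under /etc/sudoers.d (which need root to read); the parser handles only the common single-line rule form, so aliases and continued lines must be expanded first.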

Some Key Points to Take Away

  1. Keep track of every credential you obtain and try it at every place where you can log in.
  2. Always look for known vulnerabilities in the specific services and applications running on the target.


References

  1. Kioptrix Level 1:,24/
  2. CVE-2011-0519:
  3. CrackStation:

Do check out my other work and write-ups at

Just another CyberSec Guy