Machine Info:

  • Difficulty: Easy
  • Goal: Gain root access

Before starting, add an entry for kioptrix3.com in the /etc/hosts file.

As usual, the first thing to do is run an nmap scan and check in the browser whether a web page is hosted there. The nmap results look like this:

On port 80 we got the web page.

Here I got the login page on this web page, and it is powered by a CMS, Lotus, which is also vulnerable to RCE.

After exploring this web page I found a path: http://kioptrix3.com/gallery

Here I found that this is vulnerable to SQL injection.

You can try it on the id parameter of the photo.

So, after learning that the site is vulnerable to SQLi, I moved on to SQL injection.

command used — sqlmap --url "http://kioptrix3.com/gallery/gallery.php?id=1" -T dev_accounts --dump

And I got the SSH login credentials.

Let's log in with SSH.

After logging in, I found two files:

1. checksec.sh and

2. CompanyPolicy.README

I got some useful info after running cat CompanyPolicy.README

It says to use the command sudo ht, which is in /usr/local/bin/ht

When we try to run this we get an error. To solve this error I took help from Google and used this command, as you can see in the pic:

command — export TERM=xterm

After that, when I ran sudo ht, I got a blue screen that looks like a Windows BIOS (not that it's actually a Windows BIOS, I think).

With Alt+F I opened the File tab and opened the file.

After opening it, search for /etc/sudoers

Here, edit the loneferret entry: !/usr/bin/su → /bin/su. With this, I'll be able to get a root shell with the sudo su command.

After saving it, just press Ctrl+C to get back to the terminal and type sudo su

and BOOM 🎊🍾
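
The escalation above works because the sudoers rule for loneferret lets an editor (ht) run as root, so the !/usr/bin/su deny entry protects nothing. As an added example (not part of the original walkthrough), here is a small Python check a defender could run over sudoers text to catch such rules; the sample rules are constructed from the description above, and the ROOT_EQUIVALENT list is an illustrative assumption.

```python
import os
import re

# Programs that can write arbitrary files or start a shell, so running them
# via sudo equals full root. Illustrative list (an assumption): extend it locally.
ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "find", "awk"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")   # user host = command list
RUNAS = re.compile(r"\([^)]*\)")                  # (root), (ALL : ALL), ...
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")           # NOPASSWD:, NOEXEC:, ...

# Constructed sample, modelled on the rule the walkthrough describes.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
webadmin ALL=(root) /usr/sbin/service apache2 restart
"""

def audit_sudoers(text):
    """Return sorted (user, issue, command) tuples for risky user rules."""
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", line):
            continue  # aliases are not expanded in this sketch
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        user, spec = m.group(1), RUNAS.sub("", m.group(2))
        allowed, denied = [], []
        for item in spec.split(","):
            item = TAGS.sub("", item.strip())
            if item:
                target = denied if item.startswith("!") else allowed
                target.append(item.lstrip("! ").split()[0])
        risky = [c for c in allowed
                 if c == "ALL" or os.path.basename(c) in ROOT_EQUIVALENT]
        for cmd in risky:
            findings.add((user, "root-equivalent", cmd))
        # A "!cmd" deny entry is moot once any root-equivalent command is allowed.
        for cmd in (denied if risky else []):
            findings.add((user, "ineffective-deny", cmd))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```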

Follow for more walkthroughs

Connect with me on LinkedIn: www.linkedin.com/in/vivekgoswmii

HAPPY HACKING