
Hello everyone, this is the final VM from the Kioptrix series and, to be frank, I enjoyed it the most (though it was frustrating).


As usual, getting the IP was the first thing. Netdiscover does the trick. After getting the IP I scanned it with nmap.

netdiscover -r

Here port 80 is open, so I scanned it with Nikto.

nikto -h

I used some default credentials to log in and I found out that the login page was vulnerable to SQL injection. (Try a single quote: ' )

Again, on port 445 I can see Samba running (Samba is the best low-hanging fruit). I searched for the NSE scripts available.

locate -r '\.nse$' | xargs grep categories | grep smb

And I was able to find 5 users: john, loneferret, nobody, robert, root. I went back to the login page and with the help of john: 'or''=' I was able to log in.

After getting john's password, I opted for SSH.

I got a shell, but it was a limited shell as I was unable to execute normal commands, so I tweaked around and found this.

I knew that the website was running on MySQL, so I visited the /var/www directory and there I found a config file with the credentials.

Here I got the username as root and the password is blank. I used these to log in to MySQL.

Getting root from MySQL was very tricky; it took a plethora of time, then I came across this blog. I followed the steps.

And at last, I WAS ROOT!!

Visit: Azure Skynet

Visit: Cosmic Skills

Happy Hacking:)


Hello everyone, this walkthrough is of the 3rd VM in the Kioptrix series. You can download it from here. After installing it, you need to edit your hosts file and point the IP to kioptrix3.com. In Linux, the file is /etc/hosts (cat /etc/hosts shows its contents).

As usual, I started with:

#netdiscover -r

OK, so I got my target IP; next I started scanning with the help of nmap and ran Nikto after that for extra information.

OK, so port 80 is running; as I had already edited my hosts file, I can reach it by entering either the IP address or kioptrix3.com in the web browser.

After a little googling, I found out that LotusCMS is vulnerable and I launched Metasploit.

msf>set RHOST
msf>set URI /

I got my meterpreter session.

Config files are always intriguing for a pentester. I opened the gconfig.php file and BAMM, got user credentials.

Now I will use these credentials on the phpMyAdmin page (I got this by scanning with Nikto).

Here I got 2 users with their MD5-hashed passwords. I cracked the hashes with the help of an online decrypter (you can also use hydra or any other tool).


With the help of loneferret's credentials, I logged in via SSH.

loneferret@Kioptrix3:~$ cat CompanyPolicy.README   
Hello new employee,  
It is company policy here to use our newly installed software for editing, creating and viewing files.  
Please use the command 'sudo ht'.  
Failure to do so will result in you immediate termination.  

OK, so this output is telling me to run “sudo ht”, but before that let me play for a while. Here loneferret can run these as root without a password, but I need more. Let's give shell access to loneferret; the easiest way to grant this privilege was by editing the /etc/sudoers file.
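A small audit of the pattern this post relies on (a NOPASSWD rule that hands an interactive editor such as ht to a user, which lets that user rewrite /etc/sudoers), as an added example rather than code from the post or the VM. The sudoers text and the editor list are constructed assumptions for the demo.

```python
"""Audit sudoers text for NOPASSWD rules that hand out an interactive editor.

Added example, not from the post or the Kioptrix VM. The sudoers content and
the editor list below are constructed assumptions for the demo.
"""
import re

# An editor or pager started as root can rewrite any file, /etc/sudoers
# included, which is exactly how the post turns "sudo ht" into a root shell.
EDITORS = {"ht", "vi", "vim", "nano", "less"}

# Constructed sample resembling the loneferret rule (not the VM's real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht   # dangerous
dev     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?P<spec>.+)$")

def find_nopasswd_editor_rules(text):
    """Return [(user, command)] for NOPASSWD commands that are editors or ALL.

    '!'-prefixed entries are exclusions and are skipped; other entries are
    matched by basename against EDITORS.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        for cmd in m.group("spec").split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            if not cmd or cmd.startswith("!"):
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in EDITORS:
                findings.append((m.group("who"), cmd))
    return findings

if __name__ == "__main__":
    for user, cmd in find_nopasswd_editor_rules(SAMPLE_SUDOERS):
        print("%s may run %s as root without a password" % (user, cmd))
```

Run it against a copy of a real sudoers file to spot the same class of rule before someone else does.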


Hello everyone, the previous post was a walkthrough of level 1 of the Kioptrix series. In this blog, I am going to post a walkthrough of Kioptrix 1.1, which is 2nd in the series.

So without wasting our time, let’s get started.

Just like the last machine, I was greeted by this login page. The first task was to find the IP address of my target. Like always I used “netdiscover” and got the target IP as

After getting the IP address, the next task was to scan the target. I scanned it with the help of “nmap”.

OK, so port 80 was open. I browsed to the port and was greeted by a login page.

I tried blind SQL injection and it worked like a charm.
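The login bypass used here and on Kioptrix 4 above (username john, password ' or ''=') comes down to one string-built query; this added example, not code from the posts or the VMs, shows that query next to its parameterised fix against a constructed in-memory SQLite user table.

```python
"""Login bypass with ' or ''=' and the parameterised fix.

Added example, not from the original posts or the Kioptrix VMs. The users
table and its passwords are constructed placeholders for the demo.
"""
import sqlite3

def make_db():
    """Constructed sample user table; clear-text passwords kept for brevity."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("john", "placeholder-1"), ("robert", "placeholder-2")])
    return db

def login_vulnerable(db, username, password):
    """Flawed pattern: user input spliced straight into the SQL text.

    With password "' or ''='" the WHERE clause becomes
    username='john' AND password='' or ''='' , which is true for every row.
    """
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Parameterised query: the quote in the password is data, not SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None

BYPASS = "' or ''='"   # the payload quoted in the Kioptrix 4 walkthrough

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login returns:", login_vulnerable(db, "john", BYPASS))
    print("parameterised login returns:", login_safe(db, "john", BYPASS))
```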

After logging in, I was presented with an interface to ping an IP address, which was vulnerable to a code execution vulnerability.
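The ping interface described above is the classic command-injection shape: the submitted address is pasted into a shell command line. This added example, not code from the post or the VM, models that handler beside a hardened one that validates the input as an IP address and never invokes a shell; the form's field handling is an assumption.

```python
"""Ping form: shell string vs validated argument list.

Added example, not from the original post or the Kioptrix VM.
"""
import ipaddress
import subprocess

def build_ping_vulnerable(target):
    """Flawed pattern: the submitted value becomes part of a shell command.

    Returned as a string so the demo can show what sh -c would receive
    without executing it.
    """
    return "ping -c 1 " + target

def build_ping_safe(target):
    """Hardened pattern: accept only a syntactically valid IPv4/IPv6 address
    and return an argv list for shell=False, so no shell metacharacter is
    ever interpreted. Raises ValueError on anything else."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % target)
    return ["ping", "-c", "1", str(addr)]

def run_ping_safe(target):
    """Run the hardened command; returns the exit status, or None if the
    ping binary is not installed."""
    argv = build_ping_safe(target)
    try:
        return subprocess.run(argv, capture_output=True, timeout=5).returncode
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    # Constructed sample input of the kind an injection test would submit.
    submitted = "127.0.0.1; echo injected"
    print("shell would receive:", build_ping_vulnerable(submitted))
    try:
        build_ping_safe(submitted)
    except ValueError as err:
        print("rejected:", err)
    print("accepted argv:", build_ping_safe("127.0.0.1"))
```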

I got a reverse shell with the help of this.

I started my enumeration and found that the target is vulnerable to this, and an exploit was also available in Kali.

I compiled the exploit and executed it.

Tadaaaa, I am ROOT..!!

Happy Hunting:)

Visit: Azure Skynet

Visit: CosmicSkills

Manish Bhardwaj Blog by Manish Bhardwaj - 8M ago

Kioptrix is one of the best series for those who are trying to make their way into penetration testing. It is even recommended for a lot of certifications, including OSCP.

This walkthrough is of Kioptrix 1.1.

I was using VBox and I faced some problems during installation of Kioptrix on VBox. I followed these steps to get it running:
1. Create the new virtual machine without choosing any disk.
2. Under the Settings tab, select Storage; under the IDE controller add an existing disk (select your Kioptrix VMDK file).
3. Settings > Ports > USB > untick “Enable USB Controller”.
4. Settings > Network > Advanced > from the drop-down select adapter type “PCnet-PCI II (Am79C970A)”.
5. Settings > Audio > untick “Enable Audio”.

Let's start the dirty game.

After successfully installing Kioptrix, I was greeted by this page. So first I had to find the IP address of this machine.

After running the “netdiscover” command I got the IP of Kioptrix, which was
Now the next step was scanning my target.

I used “nmap -sV” to scan.

After scanning I found that port 80 is open; after browsing to that server I found nada except for this test page.

After this, I tried Samba, as SMB always intrigues me.

I tried “enum4linux” but I didn't get any version details. (Awkward.)

This time I tried “Metasploit” and got the SMB version: 2.2.1a

After googling I downloaded a working exploit: https://www.exploit-db.com/exploits/10

I compiled and ran this exploit and got access.

Now the next part was to get root access. But it was way easier than I thought; I just checked by typing “whoami” and damn, I was ROOT.

Visit: https://www.azureskynet.com/
