Kioptrix 1.3 (#4)

This guy: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

We’ll start with a standard nmap scan: nmap -sV 192.168.41.132 (or whatever the target IP is).

Next, we run enum4linux and get 5 users and some OS information:

And then we’ll run dirb for good measure: dirb http://192.168.41.132

And it looks like there are a couple of directories in there, including /images and /john.

Exploit Hunting

Next, let’s go to the login page. Since we got a few usernames during our initial exploration, we’ll try logging in with robert and then putting a in for the password, in an attempt to see if the website is vulnerable to SQL injection.

And it looks like it’s vulnerable. Time to try and exploit.

SQL Injection Exploit

We’ll try with our username of robert and a password of 1' or '1'='1 and let’s see what happens.

That was almost a little too easy. Let’s save that information and see if we can get some of the other users we enumerated, like John.
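Why that password gets in, and what closes the hole, as an added example that is not the target's actual login code: it uses Python's sqlite3 with a constructed members table, and the table name, columns and stored passwords are assumptions. AND binds tighter than OR, so the injected `or '1'='1'` makes the WHERE clause true for every row, while the parameterized query treats the same string as an ordinary wrong password.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the members table (schema and rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    # Plaintext passwords keep the demo short; a real table stores password hashes.
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("robert", "constructed-pw-1"), ("john", "constructed-pw-2")])
    return db

def login_vulnerable(db, username, password):
    # Form input is pasted into the SQL text, so a quote in it changes the query.
    query = ("SELECT username FROM members "
             "WHERE username='%s' AND password='%s'" % (username, password))
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders send the input as data; it is never parsed as SQL.
    query = "SELECT username FROM members WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None

def outcome(login, username, password):
    """Return 'granted', 'denied' or 'sql-error' for one login attempt."""
    db = make_db()
    try:
        return "granted" if login(db, username, password) else "denied"
    except sqlite3.Error:
        return "sql-error"  # a database error reaching the user is a warning sign
    finally:
        db.close()

if __name__ == "__main__":
    attempts = [("robert", "'"),                 # lone quote breaks the query text
                ("robert", "1' or '1'='1"),      # the password used in the walkthrough
                ("robert", "constructed-pw-1")]  # the legitimate (constructed) password
    for user, pw in attempts:
        print(repr(pw), outcome(login_vulnerable, user, pw),
              outcome(login_parameterized, user, pw))
```
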

We notice that when we log in there really isn’t much we can do with this website. But our initial discovery showed that SSH was open on port 22, so let’s try to log in.

SSH


Logging in with SSH quickly shows us that we have a limited shell. We can’t even run commands like pwd. Some more information on limited shells can be found here, including how to get around them: https://www.aldeid.com/wiki/Lshell

We can elevate it to a regular, interactive shell, with the following command: echo os.system('/bin/bash')

From here, we can see that we can run some standard commands in our window, like pwd. We can even navigate to the root directory without problems.

Next, let’s see what is currently running with root privileges, by typing the command ps -ef | grep root

It looks like the MySQL database is running as root. Let’s see if we can look at some of the MySQL configuration files for interesting information: ls /var/www

It looks like there’s a checklogin.php file in that directory, so we look at it and see the following:

The SQL database has no password associated with it. Since there is no password for the database, and it’s running as root, we can try to execute a user defined function to do privilege escalation. This will allow us to execute commands on the operating system itself as root.

To do this, we need to verify that lib_mysqludf_sys.so is installed, so we can use the whereis command to verify. It’s there, right where it’s supposed to be:
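From the defender's side, the three conditions that combine here (mysqld running as root, a database root account with no password, and the lib_mysqludf_sys library registered) can be checked in one pass. This is an added example, not part of the original walkthrough: the `ps -ef` text and the `mysql.func` rows are constructed samples, and the finding names are hypothetical labels.

```python
import os

SYS_UDF_LIBRARY = "lib_mysqludf_sys"  # library named in the walkthrough

# Constructed sample of `ps -ef` output (not captured from the target).
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      3980     1  0 10:02 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      4021  3980  0 10:02 ?        00:00:01 /usr/sbin/mysqld --basedir=/usr --user=root
www-data  4100     1  0 10:03 ?        00:00:00 /usr/sbin/apache2 -k start
"""

# Constructed rows as returned by: SELECT name, dl FROM mysql.func;
SAMPLE_FUNC_ROWS = [("sys_exec", "lib_mysqludf_sys.so"),
                    ("sys_eval", "lib_mysqludf_sys.so")]

def mysqld_users(ps_output):
    """Return the set of OS users that own a mysqld server process."""
    users = set()
    for line in ps_output.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        exe = os.path.basename(fields[7].split()[0])
        # The mysqld_safe wrapper normally starts as root; only the server counts.
        if exe == "mysqld":
            users.add(fields[0])
    return users

def audit(ps_output, func_rows, root_password_empty):
    """List findings; all three together mean DB access equals OS root."""
    findings = []
    if "root" in mysqld_users(ps_output):
        findings.append("mysqld-runs-as-root")
    if root_password_empty:
        findings.append("db-root-empty-password")
    if any(SYS_UDF_LIBRARY in dl for _name, dl in func_rows):
        findings.append("sys-udf-registered")
    if len(findings) == 3:
        findings.append("CRITICAL:db-login-equals-os-root")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_FUNC_ROWS, root_password_empty=True):
        print(finding)
```

Fixing any one of the three removes the CRITICAL finding: run mysqld under a dedicated unprivileged account, set a password on the database root account, or drop the UDFs and remove the library.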

Access to Root

We need to get into the MySQL database to run these commands: mysql -h localhost -u root -p

Next, we run this command: select sys_exec('usermod -a -G admin john');

usermod modifies a user account: -a means append, -G names the group to add them to (admin in this case), and the last argument is the user we’re modifying.

Type exit to get out of MySQL, and do su john, enter the password you found, and then verify your access and location with whoami and pwd.
