Thursday 16 February 2017

Kioptrix Level 4

Back at the next Kioptrix Level.  This one was a little bit sneakier than the last one.  I had to scratch my head a few times, that's for certain!!

NMap















We can see that the usual ports are open (22,80) but we have 139 & 445 now.  The service scan has given me a little bit of info so it's time to see what else it can yield via Enum4Linux.














Looks like I have a few users to try, I'll go to the web page and see what awaits.

















Just a login page.  There is nothing hidden or showing up via Dirb and Nikto isn't giving much away either.

I try one of the usernames to see what I get.








It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.

Using:


username: john
password: 'OR 1=1--










I get this nice MySQL error :)

I try hitting the boxes with various SQLi variations but I don't get a hit.  So I decided to see if I could modify it on the fly via Tamper Data.
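From the defending side, a database error on a login form like the one above usually means user input is being pasted into the SQL text. The following is an added example, not part of the original post and not the VM's actual code: it puts a string-built login check beside a parameterised one. SQLite stands in for the MySQL backend (so the exact outcome of malformed input differs from the error in the post), and the table name, function names and sample password are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    """Constructed sample table; SQLite stands in for the MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("john", "CorrectHorse1", salt, _hash("CorrectHorse1", salt)))
    return db

def login_vulnerable(db, username, password):
    """Weak form: input is pasted into the SQL text, so quotes change the query."""
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error as exc:
        return "DB error: %s" % exc      # leaks backend details to the client

def login_hardened(db, username, password):
    """Corrected form: bound parameter, hashed password, generic failure."""
    try:
        row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return False                     # log server-side, never echo to the client
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    # Correct password, the input quoted in the post, and a lone quote
    for pw in ("CorrectHorse1", "'OR 1=1--", "'"):
        print(repr(pw), login_vulnerable(db, "john", pw), login_hardened(db, "john", pw))
```

With bound parameters the quote characters are only ever data, so the same inputs that alter or break the string-built query simply fail the password check.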










Awesome news awaits:
















I now have potential login credentials.

I try the same with robert and I get:














The password gives rogue values when I try to decode it via base64. So I decide to try my luck with John's creds on the ssh service.






















And they work!! This is awesome.  But what's this banner about?






















Looks like I am in jail!!! I need to break out of my cell.  As echo is available I try:

echo os.system('/bin/bash')

























I now need to enumerate this box.  I could do this manually but automation makes life easier. I look for a way to transfer files:

























I have a few tools at my disposal here, which is good.

I try wget via a python server to get LinuxEnum.sh on my attack box:



























Hmmmmm, this doesn't look good.  I wonder if there is a rule in place to block this traffic?  I'll try netcat:










That's better!! Now to see what lurks on this box:































MySQL with root privileges!  This could be useful:





















I can see the databases, time to see what lurks within:





















Nothing I don't already have.  I wonder if I can execute commands from within?  This BLOG is useful in that regard



As I am in as root, every command I run is the same as root running it, so I can start doing something about my current privileges.  The sudoers file seems a good start!!














































Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old-fashioned enumerating and reading.

I really enjoyed this VM, I think it has been one of my favourites so far.
