Back at the next Kioptrix Level. This one was a little bit sneakier than the last one. I had to scratch my head a few times that's for certain!!
Nmap
We can see that the usual ports are open (22,80) but we have 139 & 445 now. The service scan has given me a little bit of info, so it's time to see what else it can yield via Enum4Linux.
Looks like I have a few users to try. I'll go to the web page and see what awaits.
Just a login page. There is nothing hidden or showing up via Dirb, and Nikto isn't giving much away either.
I try one of the usernames to see what I get.
It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.
Using:
username: john password: 'OR 1=1--
I get this nice MySQL error :)
I try hitting the boxes with various SQLi variations but I don't get a hit. So I decided to see if I could modify it on the fly via Tamper Data.
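To show the defect behind that MySQL error and how it is fixed, here is an added example that is not code from this write-up or from the Kioptrix VM (whose web app language the post does not name): a string-built login query beside a parameterised one, run against a constructed in-memory sqlite3 table standing in for MySQL. Comment handling differs slightly between the two engines, so the exact outcome of a given input can differ from what the author saw.

```python
import sqlite3

# Constructed stand-in for the blog's login database (sqlite3 in memory, not the
# VM's real MySQL schema). Passwords are labelled placeholders; a real app would
# store hashes, never plaintext.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("john", "placeholder-pw-1"), ("robert", "placeholder-pw-2")])
    return db

def login_vulnerable(db, username, password):
    """Query built by string formatting: user input is parsed as SQL.
    Malformed input raises a database error, which this version leaks to the
    caller (the verbose error seen on the page); a tautology in the password
    field satisfies the WHERE clause without a valid password."""
    sql = ("SELECT username FROM members WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"ok": False, "user": None, "error": str(exc)}
    return {"ok": row is not None, "user": row[0] if row else None}

def login_safe(db, username, password):
    """Parameterised query: the driver binds input as data, so quotes and
    comment markers inside it can never change the statement's structure."""
    row = db.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return {"ok": row is not None, "user": row[0] if row else None}

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "john", "'"))            # leaks a syntax error
    print(login_vulnerable(db, "john", "'OR 1=1--"))    # ok: True, no password needed
    print(login_safe(db, "john", "'OR 1=1--"))          # ok: False
    print(login_safe(db, "john", "placeholder-pw-1"))   # ok: True
```

The parameterised form also answers malformed input with a plain "no match" instead of a database error, which is the other disclosure the author relied on.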
Awesome news awaits:
I now have potential login credentials.
I try the same with robert and I get:
The password gives rogue values when I try to decode it via base64. So I decide to try my luck with John's creds on the ssh service.
And they work!! This is awesome. But what's this banner about?
Looks like I am in jail!!! I need to break out of my cell. As echo is available, I try
echo os.system('/bin/bash')
I now need to enumerate this box. I could do this manually but automation makes life easier. I look for a way to transfer files:
I have a few tools at my disposal here, which is good.
I try wget via a python server to get LinuxEnum.sh on my attack box:
Hmmmmm, this doesn't look good. I wonder if there is a rule in place to block this traffic? I'll try netcat.
That's better!! Now to see what lurks on this box:
MySQL with root privileges! This could be useful:
I can see the databases, time to see what lurks within:
Nothing I don't already have. I wonder if I can execute commands from within? This BLOG is useful in that regard.
As I am in as root, every command I run is the same as root running it, so I can start doing something about my current privileges. The sudoers file seems a good start!!
Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old fashioned enumerating and reading.
I really enjoyed this VM, I think it has been one of my favourites so far.