Thursday, 16 February 2017

Kioptrix Level 4

Back at the next Kioptrix level. This one was a little bit sneakier than the last one. I had to scratch my head a few times, that's for certain!!


We can see that the usual ports are open (22, 80), but we have 139 & 445 now as well. The service scan has given me a little bit of info, so it's time to see what else it can yield via Enum4Linux.

Looks like I have a few users to try. I'll go to the web page and see what awaits.

Just a login page. Nothing hidden is showing up via Dirb, and Nikto isn't giving much away either.

I try one of the usernames to see what I get.

It looks like it's talking to a database of some kind in the background, so I'll try to see if I can get it to error.

Using:

username: john
password: 'OR 1=1--

I get this nice MySQL error :)

I try hitting the boxes with various SQLi variations, but I don't get a hit. So I decide to see if I can modify the request on the fly via Tamper Data.

Awesome news awaits:

I now have potential login credentials.
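To show why the login page leaked credentials once the request was tampered with, here is an added example (my own code, not the VM's PHP or anything from the post) of the two ways a login check can be written: one that concatenates the submitted fields into SQL, and one that binds them as parameters. It uses an in-memory SQLite table with constructed users and placeholder passwords, and feeds in the exact `'OR 1=1--` value from the post. One caveat it demonstrates: SQLite treats `--` as a comment unconditionally, whereas MySQL needs whitespace after `--`, which is why the author got a syntax error rather than a silent bypass.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the VM's members table; passwords are placeholders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("john", "placeholder-pw-1"), ("robert", "placeholder-pw-2")],
    )
    return db


def login_vulnerable(db, username, password):
    """Login check built by string concatenation: submitted text becomes SQL."""
    sql = "SELECT username FROM members WHERE username='%s' AND password='%s'" % (
        username, password)
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A malformed quote reaches the parser; the app on the VM surfaced this
        # as the raw MySQL error message the post shows.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_parameterized(db, username, password):
    """Same check with bound parameters: the submitted text can only be data."""
    row = db.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


def demo():
    """Run the legitimate, injected and malformed inputs through both versions."""
    db = make_db()
    payload = "'OR 1=1--"  # the password value submitted in the post
    return {
        "vuln_good": login_vulnerable(db, "john", "placeholder-pw-1"),
        # SQLite comments out the trailing quote, so the WHERE clause becomes
        # (username='john' AND password='') OR 1=1 and the first row is returned.
        "vuln_sqli": login_vulnerable(db, "john", payload),
        # A lone quote cannot be closed: this is the error path, as on MySQL.
        "vuln_error": login_vulnerable(db, "john", "'"),
        "param_sqli": login_parameterized(db, "john", payload),
    }
```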

I try the same with robert and I get:

The password gives garbage when I try to decode it via base64, so I decide to try my luck with John's creds on the SSH service.

And they work!! This is awesome. But what's this banner about?

Looks like I am in jail!!! I need to break out of my cell. As echo is available, I try:

echo os.system('/bin/bash')

I now need to enumerate this box. I could do this manually, but automation makes life easier. I look for a way to transfer files:

I have a few tools at my disposal here, which is good.

I try pulling the files with wget from a Python web server on my attack box:

Hmmmmm, this doesn't look good. I wonder if there is a rule in place to block this traffic? I'll try netcat.

That's better!! Now to see what lurks on this box:

MySQL with root privileges!  This could be useful:

I can see the databases; time to see what lurks within:

Nothing I don't already have. I wonder if I can execute commands from within? This blog is useful in that regard.

As I'm in MySQL as root, every command I run from it executes as root, so I can start doing something about my current privileges. The sudoers file seems a good start!!

Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old-fashioned enumerating and reading.

I really enjoyed this VM, I think it has been one of my favourites so far.
