Kioptrix 4 Walkthrough

2 minute read

This set-up is slightly different than the images previously in the series, as it’s a hard-drive file that you attach to your manually created VM. While it seems kind of annoying to set up, it doesn’t take much effort and may serve as a good learning experience.

Host Enumeration

I started by performing an nmap scan to see what open ports and services were present

nmap -T4 -A -v <IP>

Service Enumeration

Ran enum4linux - enum4linux <IP>

Samba Information

Ran nikto - nitko -h <IP>

Nikto Information

Ran Dirb - Dirb http://<IP> <wordlist>

Dirb Information

Breach

Upon navigating to the website, I was presented with a login page.

Login Page

I played around with a few common SQL injection commands and finally hit pay dirt with username “john” (found from Enum4Linux results) and the password “1’ or ‘1’=’1” which displayed the password “MyNameIsJohn”

Login Bypass

I connected via SSH with username “john” and password “MyNameIsJohn” - ssh <ID>@<IP>

SSH Login

Privilege Escalation

Once logged in, I was presented with a restricted shell. Since echo was available, I used echo os.system('/bin/bash') to break out of the restricted shell

Shell Breakout

I did some enumerating and found the username and password (or lack thereof) for the database within /var/www/checklogin.php

Database Creds

Found that MySQL was running as the root user by executing ps -ef | grep root | grep mysql

MySQL running as root

Due to these poor practices mentioned above, it was the first thing that jumped out to me so I went down that path and leveraged a popular privilege escalation technique of using User Defined Functions. If you’re interested in learning more (hopefully you are) then check this and this out.

First I logged into mysql with mysql -h localhost -u root -p and executed select sys_exec ('usermod -a -G admin john'); making the account “john” an admin. I simply quit MySQL and sudo’d to root.

Root!

In the root directory, there’s a “congrats.txt” file which acts as the machine’s flag.

Flag

Review

While this machine is decently straight forward, I really enjoyed it. The only annoying part was the setup but that didn’t take long and doesn’t justify reviewing it negatively. There are numerous other ways to achieve the same result. I used SQLMap after compromise just to play around with it some and enumerate the database some more. As for privilege escalation, there’s some c code that essentially will do the same thing but I just chose the short and simple method. Feel free to post some other avenues of compromising this machine below!

You May Also Enjoy

USB Drop Assessment Guide

17 minute read

I recently did a talk at RVASec (great con btw) regarding USB drop assessments. I hesitated on submitting the talk as I was concerned that the interest level...

Introduction to Shodan

6 minute read

Shodan gets a bad rap. Many of you have probably heard the connotation that Shodan is “the world’s most dangerous search engine” or “dark Google” and it’s so...