The goal is to get root access and retrieve the flag in the ‘root’ directory.
Kioptrix level 4 vulnhub link below:
Kioptrix Level 4 download page
A port scan reveals that 4 ports are open (22, 80, 139 and 445).
The SSH version does not appear to have any known vulnerabilities. However, SSH could still be accessible with weak credentials.
1.3 HTTP Login with SQLI
The login page could potentially be vulnerable to SQL injection. To check for SQLi, the following is entered:
Password: 1' or 1 = 1#
1.4 HTTP Testing for LFI
The URL contains a username=Admin parameter, so LFI is tested here. However, every file requested returns ‘permission denied’; this appears to be a dead end.
1.5 SMB Enumeration
Enum4linux is run to attempt to enumerate users:
Several users are revealed:
The users can be further tested on the website and SSH.
A dictionary attack over SSH against these usernames is attempted, but it does not succeed. The enumerated users are then tried on the web login page, where the ‘john’ account displays its password in plaintext: ‘MyNameIsJohn’.
Since SSH is open, the collected credentials are tried over SSH and the login succeeds. However, the shell is low-privileged and restricted to a few commands.
After some research, I found a way to escape the restricted shell using the echo command, executing the following:
This successfully invokes a bash shell with the user id of ‘john’.
Found on this link: Escaping/Bypass From Jail/Restricted Linux Shells
3.1 Post Exploitation
I then changed directory to the root directory and found a ‘congrats.txt’ file which contained the flag!
While looking around the file system, a SQL username and password are found in the ‘/var/www’ web server files. The login PHP file contains the following:
There is no password for root.
After logging in to MySQL, I was easily able to enumerate the databases.
The databases are:
After further enumeration of MySQL, I was able to find the user accounts for the usernames ‘john’ and ‘robert’.
The flag has been retrieved and the MySQL database has been enumerated.
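The two findings above, the tautology login bypass from section 1.3 and the plaintext passwords stored in the users table, share one root cause: user input is concatenated into SQL and secrets are stored as-is. The following is an added example (not code from the Kioptrix image or this writeup) that puts the vulnerable login check beside a hardened one; the table name, column names and the in-memory SQLite stand-in for MySQL are assumptions, and the SQLite comment marker `--` replaces MySQL's `#`.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex:digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex()

def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def make_db():
    """Constructed in-memory stand-in for the app's MySQL users table:
    'users' keeps plaintext as found on the box, 'users_hardened' keeps hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('john', 'MyNameIsJohn')")
    db.execute("CREATE TABLE users_hardened (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users_hardened VALUES (?, ?)",
               ("john", hash_password("MyNameIsJohn")))
    return db

def login_vulnerable(db, username, password):
    """String-built query: quotes and comment markers in the input become SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Parameterised lookup plus hash check: input stays data, and a dump of
    the table no longer yields plaintext passwords."""
    row = db.execute("SELECT password_hash FROM users_hardened WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not verify_password(row[0], password):
        return None
    return username

if __name__ == "__main__":
    db = make_db()
    payload = "1' or 1 = 1-- "  # SQLite spelling of the page's 1' or 1 = 1# (MySQL comment)
    print(login_vulnerable(db, "john", payload), login_hardened(db, "john", payload))
```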