Kioptrix level 1.3(Kioptrix level 4)-walkthrough . My Path To OSCP

This is my 4th blog post about my preparation for OSCP that I’m practicing from TJnull Vulnhub VM List . You can check out the full VM list here .

Let’s Begin :

First get the VM from here . Please keep in mind that the file present in the downloaded zip is a vmdk(short for virtual machine disk) file(For vmware version) , it is a vmware hard disk drive , the import process is little different . I’m using vmware so this process is tested for vmware , if you are using any other virtualization software please do some R&D for that . First create a new vritual machine and while choosing a OS choose to install OS later , and next steps remain same . Now edit the VM settings and add a new hard disk and in the disk file path select the downloaded vmdk file . Now bootup the VM and you are good to go. Now check the VM ip if you need assistance for the command to know the ip address of the VM check my first blog post here .

Now that we got our ip and VM is up and running let’s start with reconnaissance .

Reconnaissance

Let’s start with a nmap scan . We will do it @ippsec style.

sudo nmap -sC -sV -oA nmap/kioptrix4 192.168.28.132

• -sC : For the default script
• -sV : For the version detection
• -oA : For output in all format into path nmap/kioptrix4

We got three services running .

• port 22 : ssh
• port 80 : web service
• port 139 & 445 : smb

Enumeration:

As port 80 is running a web service let’s do a nikto and gobuster directory scan .

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.28.132 -x php,txt,html -t 10

• dir : For directory searching
• -w : For wordlist path
• -u : For url
• -x : For extension
• -t : For thread count

From the nikto scan we didn’t get anything interesting , but when we look into the gobuster scan we got john and robert as two end point. So it could be name of the users .

Now we know that smb is running on 139 and 445 , let’s enumerate smb . For SMB enumeration I found @hackingarticles blog was very useful. I tried some tools to get some vulnerability information and also some other information , but it was not much useful . But I found some SMB username information using nmap nse script .

We can see some of the usernames john,loneferret,robert . Let’s look into the webpage .

It’s a basic login page . Let’s try some login using admin & password as credential just to know the web page . It migrated to checklogin.php page with error .

From previous enumeration we found some of the usenames , let’s check SQL injection using known usernames and inject against the password field . So let’s input these , the username = john , password= 1' or ‘1’=’1 if we imagine this from a SQL injection prospective the query will be .

SELECT * FROM user_table WHERE username=’john’ and password=’1' or ‘1’=’1' ;

Here the password field will always return true so the query will definitely return true and we will have a successful login . After successful login we got the ssh credentials .

Here we got john’s ssh login credential . Let’s do a ssh login and take further steps .

After login we got some limited commands to run also after some restricted command we got kicked out . This is a restricted shell . Now we have to do some escape from restricted shell . Here are some good reference for escaping restricted shell .

• https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
• https://www.sans.org/blog/escaping-restricted-linux-shells/

As echo command is allowed let’s try with that to escape shell.

echo os.system(‘/bin/bash’)

And we got the bash shell . Let’s check for privilege escalation .

Privilege Escalation:

First let’s start with sudo uses .

User john can’t use any sudo service. Let’s check with the processes that are running as root .

We can see that mysql is running as root . Let’s check if there is any MySQL credential hardcoded in php file in /var/www/ directory .

We got the MySQL credentials in checklogin.php file i.e. username=root and password is blank , there is no password . Now that we know MySQL is running as root service and also we got credentials , we can escalate privilege using MySQL UDF(User Defined Function). Here are some good reference for MySQL UDF .

• https://dev.mysql.com/doc/extending-mysql/5.7/en/adding-udf.html
• https://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html

Let’s check for mysql_udf file .

Great it is available for root user . Let’s run mysql and try for root shell.

Here I’m modifying the user john as admin user group . Let’s check it if it worked or not .

And we got the root shell .

Key Learnings From this BOX :

• Always check for SQL injection in the login even if possible check for single field .
• You can use MySQL service for privilege escalation , using MySQL UDF .
• An URL end point could also refer to an username . Here we can look into gobuster scan .