Kioptrix Level 4 — VulnHub

Abdul Wassay (HotPlugin)
4 min read · Jan 19, 2022
Kioptrix 1.3 — VulnHub

Introduction:

Hello everyone. Previously, I wrote about Kioptrix Level 3. Today, I am doing Kioptrix Level 4. This is the fourth and second-to-last box in the Kioptrix series on VulnHub. It was easy and fun. For the initial foothold we had SQLi, and a MySQL user-defined function for privilege escalation. Let's start.

Methodology:

First, we start by running an nmap scan, which shows the SSH, HTTP and SMB ports open.

SMB allowed anonymous login, but there was nothing useful in the shares.

Then, enumerating SMB with enum4linux revealed some usernames on the machine.

Then, I moved on to the web service and found a login page.

I tried the common usernames and passwords, but they didn't work. So I started testing for SQLi, and it worked on the password field.

The SQLi payload ' OR '1 worked, but this time the page said something else, so I figured there might be no admin user.

So, I started directory enumeration with gobuster, which turned up some new pages.

Checking the /john and /robert pages gave the same error page. These usernames also matched the list of users we found through SMB enumeration. So I used these usernames to log in through the web form with the same SQLi payload. It worked and disclosed the passwords.

Then I logged out and did the same with robert as the username.
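To make clear why the ' OR '1 payload above works and what stops it, here is an added example (not code from the write-up or from the Kioptrix box) that reproduces the flawed login pattern against an in-memory SQLite table and places a hardened version beside it. The table name, the two sample accounts and their passwords are constructed for the demo; the real application's schema is unknown. The vulnerable version pastes user input into the SQL text, so the WHERE clause becomes `username='john' AND password='' OR '1'`, which is true for every row and also returns the stored password column. The hardened version uses a parameterised query and stores only salted PBKDF2 hashes, so a login response can never disclose a password.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not the box's real credentials).
SAMPLE_USERS = [("john", "constructed-pass-1"), ("robert", "constructed-pass-2")]


def make_vulnerable_db():
    """Plaintext password table, as the write-up's disclosure implies the app had."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The flawed pattern: user input is spliced straight into the SQL text."""
    query = ("SELECT username, password FROM members "
             f"WHERE username='{username}' AND password='{password}'")
    # With password = ' OR '1 this returns every row, passwords included.
    return conn.execute(query).fetchall()


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_hardened_db():
    """Same accounts, but only salted hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO members VALUES (?, ?, ?)",
                     (user, salt, _hash_password(pw, salt)))
    return conn


def hardened_login(conn, username, password):
    """Parameterised lookup plus constant-time hash comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM members WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # The quote characters in an injection payload are just data here.
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    payload = "' OR '1"
    print("vulnerable:", vulnerable_login(make_vulnerable_db(), "john", payload))
    print("hardened:", hardened_login(make_hardened_db(), "john", payload))
```

Run it and the vulnerable query returns both sample rows with their passwords, while the hardened login returns False for the payload and True only for the correct password; an injection attempt against the parameterised query is simply a failed login that can be logged.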

Using the found credentials, I successfully logged in through SSH.

But it was a restricted shell, and there was nothing interesting in the user's home directory except one file.

Googling lhistory revealed that the restricted shell was lshell, a limited shell implemented in Python, which can be bypassed with the following command.

https://www.aldeid.com/wiki/Lshell

Privilege Escalation:

I started with some basic enumeration, looking for credentials in the web directory, and found the MySQL connection credentials; the account had no password set.

So, I logged into MySQL as root. But there was nothing interesting except the usernames and passwords we already had from the web application.

After some more enumeration, I looked at the processes started by root and found the MySQL service running with root privileges.

Googling the MySQL service, I came across an exploit showing that privileges can easily be escalated through a UDF (user-defined function) in MySQL.

So, first I checked whether any UDFs were installed, and it turned out the sys_exec UDF was already present. Using this function, I tried to set the SUID bit on bash, but for some reason it did not work. So I changed the permissions on the /etc/passwd file instead.

Then I generated a password hash on the attack box.

Editing /etc/passwd, I added a new user with the same UID as root (0) and my generated password hash.

Then I simply switched to the new user with the password I had set and got root.
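Every step of this escalation leaves a host-level trace: a database service running as root, a writable /etc/passwd, a hash placed directly in the password field instead of in /etc/shadow, and a second UID 0 account. As an added example (not part of the write-up and not the box's files), the script below implements those four checks as pure functions and runs them over constructed sample input: a short /etc/passwd with a placeholder hash for the extra account, a file mode, and a few lines in the shape of `ps -eo user,comm` output. The account names, the `backdoor` entry and its `$PLACEHOLDER$` hash are made up for the demo; on a real host you would feed it the output of `os.stat("/etc/passwd")` and `ps`.

```python
import stat

# Constructed /etc/passwd sample: a normal root entry plus a second UID 0
# account with a hash in the password field, as the write-up's technique leaves.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
john:x:1000:1000:John,,,:/home/john:/usr/local/bin/lshell
robert:x:1001:1001:Robert,,,:/home/robert:/usr/local/bin/lshell
backdoor:$PLACEHOLDER$notarealhash:0:0::/root:/bin/bash
"""

# Constructed `ps -eo user,comm` sample with the database daemon owned by root.
SAMPLE_PS = """\
USER     COMMAND
root     init
root     sshd
root     mysqld
www-data apache2
"""

# Values that legitimately appear in the passwd password field when shadowing
# is in use or the account is locked; anything else is a hash placed directly.
SHADOWED_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Split passwd lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def extra_uid0_accounts(entries):
    """Any account other than root with UID 0 is a second superuser."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def hash_in_passwd(entries):
    """Accounts whose hash sits in /etc/passwd, bypassing /etc/shadow."""
    return [e["name"] for e in entries if e["pw"] not in SHADOWED_MARKERS]


def passwd_mode_is_safe(st_mode):
    """/etc/passwd must not be group- or world-writable (expected 0644)."""
    return stat.S_IMODE(st_mode) & (stat.S_IWGRP | stat.S_IWOTH) == 0


def services_running_as_root(ps_output, watch):
    """Commands from `watch` (e.g. mysqld) whose owning user is root."""
    found = []
    for line in ps_output.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "root" and parts[1] in watch:
            found.append(parts[1])
    return found


def audit(passwd_text, st_mode, ps_output):
    """Collect all findings as human-readable strings."""
    entries = parse_passwd(passwd_text)
    findings = []
    for name in extra_uid0_accounts(entries):
        findings.append(f"extra UID 0 account: {name}")
    for name in hash_in_passwd(entries):
        findings.append(f"password hash stored directly in passwd: {name}")
    if not passwd_mode_is_safe(st_mode):
        findings.append(f"/etc/passwd is writable by group/other: {oct(stat.S_IMODE(st_mode))}")
    for svc in services_running_as_root(ps_output, {"mysqld", "mysqld_safe"}):
        findings.append(f"database service running as root: {svc}")
    return findings


if __name__ == "__main__":
    # 0o100666 stands in for the world-writable mode set on the box.
    for f in audit(SAMPLE_PASSWD, 0o100666, SAMPLE_PS):
        print("FINDING:", f)
```

The fixes map one-to-one onto the findings: run mysqld under its own unprivileged `mysql` user, keep /etc/passwd at mode 0644 owned by root, keep hashes in /etc/shadow, and alert on any new UID 0 entry, which file-integrity monitoring of /etc/passwd catches immediately.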

Thanks.
