Kioptrix 1.3(#4) Walkthrough

Leave a Comment / June 23, 2020
Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Hello Everyone, this is the final VM from the kioptrix series and to be frank, I enjoyed it the most(I was frustrated though).
Download:https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
Screenshot 2018-12-14 at 3.09.58 PM
As usual getting the IP was the first thing. Netdiscover plays the trick. After getting IP I scanned with nmap.

netdiscover -r 10.0.2.0/24

Screenshot 2018-12-14 at 12.37.21 PM.png
Here port 80 is open so I scanned it with Nikto.

Nikto -h  http://10.0.2.20


I used some default credentials to log in and I found out that the login page was vulnerable to SQL injection. (Try ‘ )
Again on Port 445, I can see samba running(samba is the best low hanging fruit). I searched for nse script available.

locate -r '\.nse

Screenshot 2018-12-14 at 1.03.36 PM.png
Screenshot 2018-12-14 at 1.04.28 PM.png
And I was able to find 5 users john,loneferret, nobody,robert, root. I hover back to login page and with the help of john: 'or''=' i was able to log in.
Screenshot 2018-12-14 at 1.17.33 PM.png
After getting john password, I opt for SSH.
Screenshot 2018-12-14 at 1.19.09 PM.png
I got the shell but it was limited shell as I was unable to execute normal commands so I tweaked around and found this.
Screenshot 2018-12-14 at 1.29.44 PM.png
I knew that website is running on MySQL, So I visited /var/www directory and there I found one config file with the credential.
Screenshot 2018-12-14 at 1.34.51 PM.png
Here I got username as root and password is blank. I used these to log-in MySQL.
Screenshot 2018-12-14 at 1.45.49 PM
Getting root from MySQL was very tricky, it took plethora of time then I came across this blog. I followed the steps.
Screenshot 2018-12-14 at 2.31.42 PM.png
Screenshot 2018-12-14 at 3.02.38 PM
And at last, I WAS ROOT!!
Visit: Azure Skynet
Visit: Cosmic Skills
Happy Hacking:)
 
 | xargs grep categories | grep smb

Screenshot 2018-12-14 at 1.03.36 PM.png
Screenshot 2018-12-14 at 1.04.28 PM.png
And I was able to find 5 users john,loneferret, nobody,robert, root. I hover back to login page and with the help of john: ‘or”=’ i was able to log in.
Screenshot 2018-12-14 at 1.17.33 PM.png
After getting john password, I opt for SSH.
Screenshot 2018-12-14 at 1.19.09 PM.png
I got the shell but it was limited shell as I was unable to execute normal commands so I tweaked around and found this.
Screenshot 2018-12-14 at 1.29.44 PM.png
I knew that website is running on MySQL, So I visited /var/www directory and there I found one config file with the credential.
Screenshot 2018-12-14 at 1.34.51 PM.png
Here I got username as root and password is blank. I used these to log-in MySQL.
Screenshot 2018-12-14 at 1.45.49 PM
Getting root from MySQL was very tricky, it took plethora of time then I came across this blog. I followed the steps.
Screenshot 2018-12-14 at 2.31.42 PM.png
Screenshot 2018-12-14 at 3.02.38 PM
And at last, I WAS ROOT!!
Visit: Azure Skynet
Visit: Cosmic Skills
Happy Hacking:)
 

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Leave a Comment

Your email address will not be published.

Scroll to Top