Showing posts with label wget. Show all posts

Wednesday, May 28, 2014

[WALKTHROUGH] KIOPTRIX Level 4


Here comes Level 4 of the Kioptrix challenge... :))

Let's start off with finding out the IP address of our target box...

Do a ping sweep of the whole Class C network range and write the result in a formatted way using Nmap's own output-format feature...

Display the formatted output and grep out the necessary info...

Next, proceed with the reconnaissance process...


From the results, we know that the box is running several services such as SSH, HTTP, and SMB...

SMB is definitely a good starting point for gathering more information about the target box... :))

Let's do a deeper scan with the aggressive mode in Nmap...


Since we know that the box is hosting a web server, let's head over and see the content of the web page... :)


Reaching the web page of the target, we see a cute little lamb goat with a login page...

Tried the 'admin' user with SQL injection but ended up unsuccessful... However, it seems that SQL injection is possible on this page...

Since we do not have a valid user account to test it with, let's leave it aside for a moment and scan with DirBuster to see if we can find any useful resources... :))


We see some 'usernames' in the DirBuster results...

Let's try again, this time with the usernames 'john' and 'robert'... :))





So, now we have the passwords for the users 'john' and 'robert'...

Without further delay, let's log in over SSH using the credentials we found...


We have successfully got a shell on the target box... however.......

Unfortunately, we have a limited shell and are only able to execute a fixed set of available commands...

After some Google-fu, we found that lshell is a Python-based restricted shell and that its restriction can be bypassed IF ONLY the 'echo' command or the 'vi/vim' command is available...


After bypassing the restriction, we now have a proper shell on the target box...

It is time to search for a local exploit to escalate to root privileges...


After some trial and error, we have found a suitable exploit for the box...

Transferring binary files by wget-ing a file hosted on a web server is a little bit tricky...

Hence, we go for another file transfer method using Netcat...



After receiving the exploit file successfully, we change the file permissions to the most permissive '777', and by running the exploit we are able to get a root shell... :))


While I was poking around the box, I found a congrats note from the author... :))

And, thank you loneferret... it was fun! :)


[WALKTHROUGH] KIOPTRIX Level 2

Finally, I am able to update my Kioptrix Level 2 walkthrough here... :))

Well, let's start the hacking...

Use Nmap to find our target machine... you will know the IP address of the target box when you see an unfamiliar IP there... In case you have forgotten your own interface IP, you may check it using 'ifconfig' in Linux...


Target's IP address found...

The next thing to do is proceed with our reconnaissance step...


Some ports are open and running services... here we have SSH, HTTP, RPC, HTTPS, IPP, and MySQL...

Let's try reconnaissance HARDER!


After we have taken a deeper look into the box, let's see what is on the website...

By opening up the target's website with Iceweasel, we are brought to a login page...

The results of the reconnaissance stage earlier told us that this box is running a MySQL service, so we tried to log in using SQL injection and we got ourselves in...
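To make the login weakness concrete, here is an added example (not code from the Kioptrix box or this blog) that builds a tiny SQLite user table and contrasts a login query assembled by string formatting with the same query using bound parameters. The table, the 'admin' user, its password and the salt are all constructed for the demo; a real application would also use a slow password KDF rather than a bare SHA-256.

```python
import hashlib
import sqlite3

# Constructed demo data: one user with a salted SHA-256 password hash.
# (Real systems should use bcrypt/argon2/PBKDF2, not a single fast hash.)
SALT = "demo-salt"


def _pwhash(password: str) -> str:
    return hashlib.sha256((SALT + password).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed 'admin' account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _pwhash("correct horse")))
    conn.commit()
    return conn


CONN = make_db()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The anti-pattern: the username is concatenated straight into the SQL text,
    so quote characters in it change the structure of the WHERE clause."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pwhash = '{_pwhash(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: bound parameters. The driver sends the username as data, so it
    can only ever be compared against the column, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwhash = ?",
        (username, _pwhash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    tautology = "admin' OR '1'='1"   # quote breaks out of the string literal
    print("vulnerable, bad password, injected username:", login_vulnerable(CONN, tautology, "wrong"))
    print("safe, bad password, injected username:     ", login_safe(CONN, tautology, "wrong"))
    print("safe, real credentials:                    ", login_safe(CONN, "admin", "correct horse"))
```

The vulnerable variant accepts the injected username with a wrong password because the quote in the input turns the comparison into `username = 'admin' OR ...`; the parameterized variant compares the whole string against the column and rejects it. Parameterization is the fix; escaping or filtering quotes is not a substitute.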


Now, we have been brought to a page which claims to be a web console for the admin...

We try an expected input, which is an IP address, and see how it responds...


The page responded with the output of a ping command, which seems legit...

Hmmm.... what if we input some other command which is not intended to be run?  (:

Let's try displaying all the content of /etc/passwd, /etc/groups and /etc/shadow...

Note: Put a semicolon ";" in front so that the command before the semicolon terminates and the shell proceeds to the command after the semicolon...

We do not have permission to display the content of the shadow file, but we are able to display the content of the passwd and groups files...

At least we now know this input is not sanitized... :))
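The root cause here is that the console hands user input to a shell as part of a command string. As an added example (not the Kioptrix application's code), the block below shows that anti-pattern beside the hardened form a defender would ship: the input is accepted only if it parses as an IP address, and ping is invoked with an argument vector, never through a shell. It also runs the same validator over a few constructed access-log lines to flag requests whose `target` parameter is not a bare IP; the `/console.php` path and the `target` parameter name are assumptions for the demo.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

PING_COUNT = 3


def is_valid_ip(user_input: str) -> bool:
    """True only if the whole string is a single IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(user_input.strip())
        return True
    except ValueError:
        return False


def vulnerable_command(user_input: str) -> str:
    """The anti-pattern: raw interpolation into a string that a shell will parse.
    A ';' or other metacharacter in user_input becomes shell syntax."""
    return f"ping -c {PING_COUNT} {user_input}"


def hardened_argv(user_input: str) -> list:
    """Validate first, then build an argument vector for
    subprocess.run(argv, shell=False): no shell ever sees the input."""
    if not is_valid_ip(user_input):
        raise ValueError(f"rejected: not an IP address: {user_input!r}")
    return ["ping", "-c", str(PING_COUNT), str(ipaddress.ip_address(user_input.strip()))]


# Detection side: pull the request line out of combined-format access logs and
# flag any value of the `target` parameter that does not validate as an IP.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_lines, param: str = "target") -> list:
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)  # percent-decodes values
        for value in query.get(param, []):
            if not is_valid_ip(value):
                flagged.append(value)
    return flagged


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2014:10:00:01 +0000] "GET /console.php?target=192.168.1.1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/May/2014:10:00:09 +0000] "GET /console.php?target=192.168.1.1%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.5 - - [28/May/2014:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    print(hardened_argv("192.168.1.1"))
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

The validator rejects anything that is not a bare address, so there is no list of dangerous characters to keep up to date, and because the hardened path never builds a shell string, even a value that slipped past validation would reach ping as a single argument rather than as a command.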


Next thing to do is to create a PHP reverse shell payload...

Kali Linux has several webshells stored in /usr/share/webshells, which are a great resource...

To avoid messing up the original payload, we copy it into another folder so that the original remains unchanged...


Checking the content of the PHP payload, we notice that we have to change the listening IP address and listening port...

In this case, the listening IP address will be our client box, and I use port 443 as my listening port since port 443 is unlikely to be blocked...


After making the changes in the PHP payload, I rename it to a shorter name for convenience...


Then we cat out the PHP payload content and pipe it to our listener on port 443...



Then we switch back to the web page and grab the content from our client's listening IP address on port 443, writing it into a file stored inside the target box...

Now we have successfully landed our payload on the target machine...

Start listening on port 443 on our client using Netcat...


While listening on port 443 on our client machine, we now launch the PHP payload we landed on the target box earlier to establish a reverse shell back to our client...


After we get a shell on the target box, we need to escalate our privileges from the Apache user to root... which is the ultimate goal of the challenge...

So, we started searching for a local exploit for Linux running kernel 2.6...


After we find a suitable exploit (you may still try other available exploits too...), copy the exploit code file onto our Apache server...


Next, we go back to our shell on the target box...

Grab the exploit code file, which is now hosted on our Apache web server, using the wget command and store it in the /tmp folder on the target machine...

Compile the exploit and run it...

Now, we have just got another shell, this time with root privileges...  ;)