Here comes Level 4 of the Kioptrix challenge... :))
Let's start off with finding out the IP address of our target box...
Do a ping sweep of the whole Class C network range and write the result out in a formatted way using Nmap's own output feature...
Display the content of the formatted output and grep for the necessary info...
The next thing is to proceed with the reconnaissance process...
From the results, we know that the box is running several services like SSH, HTTP, and SMB...
SMB is definitely a good starting point for gathering more information about the target box... :))
Let's do a deeper scan with the aggressive mode in Nmap...
Since we know that the box is hosting some web server, let's head over and see the content of the web page... :)
Reaching the web page of the target, we see a cute little
Tried 'admin' with SQL injection but it was unsuccessful... However, it seems that SQL injection is possible on this page...
Since we do not have a valid user account to test it out, let's leave it aside for a moment and scan with DirBuster to see if we can find any useful resources... :))
We see some 'usernames' in the DirBuster results...
Let's try again, this time with both the usernames 'john' and 'robert'... :))
So, now we have the passwords for users 'john' and 'robert'...
Without further delay, let's log in over SSH using the credentials found...
We have successfully got a shell from the target box... however.......
Unfortunately, we have a limited shell and are only able to execute some fixed available commands...
After some Google-fu, we found that lshell is a Python-based shell and that its restriction can be bypassed ONLY IF the 'echo' command or the 'vi/vim' command is available...
After bypassing the restriction, we now have a proper shell on the target box...
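Seen from the defender's side, the condition above ('echo' or 'vi/vim' being allowed) can be checked in the restricted-shell configuration. The following is an added example, not part of the original write-up or of lshell itself: it assumes an lshell-style INI configuration in which each section has an `allowed` key holding a Python list literal or 'all', and the sample configuration and the section names in it are constructed.

```python
import ast
import configparser

# Commands the write-up names as enabling a restricted-shell escape.
RISKY = {"echo", "vi", "vim"}

# Constructed sample configuration (assumed lshell-style layout, not taken from the target box).
SAMPLE_CONF = """
[default]
allowed : ['ls', 'echo', 'cd', 'll']
forbidden : [';', '&', '|']

[john]
allowed : ['ls', 'cd', 'vim']

[backup]
allowed : ['ls', 'cd']

[ops]
allowed : 'all'
"""


def parse_allowed(raw):
    """Return the set of allowed commands, or None when every command is allowed."""
    value = ast.literal_eval(raw.strip())
    if value == "all":
        return None
    return {str(cmd).split()[0] for cmd in value if str(cmd).strip()}


def audit(conf_text):
    """Map each section to the sorted risky commands it permits."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not parser.has_option(section, "allowed"):
            continue
        allowed = parse_allowed(parser.get(section, "allowed"))
        risky = RISKY if allowed is None else allowed & RISKY
        if risky:
            findings[section] = sorted(risky)
    return findings


if __name__ == "__main__":
    for section, cmds in audit(SAMPLE_CONF).items():
        print(f"[{section}] permits: {', '.join(cmds)}")
```

Sections flagged by this check are the ones where the allowed list should be trimmed; the check does not model inheritance between sections.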
It is time to search for a local exploit to escalate to root privilege...
After some trial and error, we have found a suitable exploit for the box...
Transferring binary files by using wget to fetch a file hosted on a web server is a little bit tricky...
Hence, we go for another method of file transfer using Netcat...
After receiving the exploit file successfully, we change the file permission to the highest, '777', and by running the exploit we are able to get a root shell... :))
While I was poking around the box, I found a congrats note from the author... :))
And, thank you loneferret... it was fun! :)