Friday, 22 July 2016

Kioptrix 4

Hello,
We know Kioptrix (one of my favourite) challenges, isn;t it? We resolved the first three, so now it is the turn for fourth.

Scanning without aggressive mode :)








OK, four open ports.Let's start from web application.



















Nice, maybe it is opportunity to conduct SQL Injection attack? So, indeed there is SQLi vulnerability













We can use sqlmap but let's penetrate manually further. I run dirb




















Excellent! We can see /john directory - I have browsed it and there is john.php file, but unfortunately executing it I achieved nothing.












Wow, look at this! LFI? But let's come back to SQLi.






Great! Let's go deeper











Awesome, we have got credentials! So let's try log in via SSH













Very good, but we have limited access to shell. It is very helpful https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Wow!


















Are you surprised? I am! But we can't connect to our attacker machine from the target using i.e wget. Probably firewall block the traffic.

































Exellent! We are able to exploit UDF - http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/

So, I have changed iptables rules to accept all inbound and outbound traffic. Now we can download local root exploit, but we are clever and we don't need exploit to get root privileges.































Game over