After booting the Kioptrix virtual machine, its IP address can be found with "netdiscover", which scans the current network range.
It shows that the machine's IP is 192.168.64.134. The result of the port scan for this IP is as follows.
It can be seen that a total of six well-known ports are open. I then used the enum4linux command to check credential information about the host, and got three IDs (robert, john, loneferret).
Let's look at port 80.
There is a login page, and I tried SQLi on this site with the user john.
It works! And I got john's password. Let's use ssh to get into the host.
But it seems to be a limited shell. The shell only allows eight commands, including "echo". We can use the echo command to open a new bash shell.
Now we are going to get a root shell. I found MySQL configuration information in checklogin.php.
I could use this credential to log in to MySQL and check more information.
After a brief gathering of information, I found there are some functions in the mysql database.
I can use sys_exec function to create a copy of "/bin/bash" and set its SUID bit so that we can access that copied binary as root.
Now let's execute the /tmp/getroot to get root privilege.
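
From the defender's side, the root step above leaves three things that can be checked on a host: a command-executing UDF registered in `mysql.func`, mysqld running as root, and root-owned SUID files appearing in /tmp. The audit script below is an added example, not part of the original write-up; the sample rows and `ps` lines are constructed, and mysqld running as root is an assumption implied by the result rather than shown on the page.

```python
import os
import stat

# UDFs exported by lib_mysqludf_sys that run OS commands or touch the environment.
RISKY_UDFS = {"sys_exec", "sys_eval", "sys_get", "sys_set"}

def risky_udfs(func_rows):
    """func_rows: (name, dl) tuples from `SELECT name, dl FROM mysql.func`."""
    return sorted(name for name, _dl in func_rows if name.lower() in RISKY_UDFS)

def mysqld_as_root(ps_lines):
    """ps_lines: lines of `ps -eo user,comm`; True if a mysqld process is owned by root."""
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "root" and parts[1] == "mysqld":
            return True
    return False

def is_suid_root(mode, uid):
    """True for a regular file that is owned by root and has the SUID bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def suid_root_files(directory):
    """Walk a world-writable directory such as /tmp and list SUID-root files."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if is_suid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)

# Constructed sample data for illustration (not captured from the target).
SAMPLE_FUNC_ROWS = [("sys_exec", "lib_mysqludf_sys.so"), ("lib_mysqludf_sys_info", "lib_mysqludf_sys.so")]
SAMPLE_PS = ["USER COMMAND", "root mysqld_safe", "root mysqld", "www-data apache2"]

def audit(func_rows, ps_lines, directory="/tmp"):
    return {
        "risky_udfs": risky_udfs(func_rows),
        "mysqld_as_root": mysqld_as_root(ps_lines),
        "suid_root_files": suid_root_files(directory),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_FUNC_ROWS, SAMPLE_PS))
```

Any non-empty `risky_udfs` result together with `mysqld_as_root` being true means a database login is equivalent to root on that host; running mysqld under a dedicated unprivileged account and dropping the UDF removes that path.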