Kioptrix: Level 1.3 (#4) – Walkthrough

By Homeless | Walkthrough
January 7, 2018 3 Comments

This is the final box of the Kioptrix series.Last 3 box is sample and nice but this one is little more harder than older box.Ok. talk is cheap.

Start scanning my network with netdiscover.

Target ip is 192.168.1.1, Normally scan the target with nmap version detected.

Let’s me check http first and scan dir dir with dirb.

I found the login page and try with sql login query bypass.

Username admin and password is ‘ (single quote). it show the sql error. I understand that it is sql vulnerable to exploit.

now open sqlmap and grep all data from database;

Grep table from member database;

Grep columns from members table

Final dump the data from columns.

we already notice ssh open. So try to login with this info. Remember all password to try login to get the flag more faster.

Login success but not working well, so i try to bypass the shell. echo os.system(‘/bin/bash’)

Yes it work. Awesome 😉 . and add some fixed to work well for terminal.

Now i know the mysql password is empty with user root. In this step, i try to root the kernel  but gcc not install.  So let’s try another method. I search the process that running with root access.

yes. I found mysql is running as root access.

Ok Try to login at mysql.

it work and i search google how to root from mysql. and i found the nice trick

Mysql also can run as terminal with sys_exec function. So i try to add root permission to my current account.

Got Root!. Nice trick and love to root. Finally, we need to show POC  to read flag file.

Thanks for reading. Happy Hacking..

3 People reacted on this

  1. I love to read all of your walk-through and make practicing. If you will free please share MACME Bank OWASP and I really want to read how you do through this. Thank a lot for your sharing and always respect!

Leave a Reply:

Your email address will not be published. Required fields are marked *