Kioptrix Level 1.3 Walkthrough
The attacker starts out with netdiscover to find the IP address of the target machine. Netdiscover finds the IP address 172.16.158.133 for the new target.
The attacker then uses nmap to discover open ports and identify the services running on them.
The nmap scan reveals that port 80 is open and running Apache. The attacker then opens a web browser and enters the target machine's IP address. The website consists of a login page and nothing else.
The attacker tries a simple SQL injection attack on the login page, but it is unsuccessful. The attacker's next step is to use Tamper Data to see where the login information is being POSTed.
The attacker then starts sqlmap, plugs the captured POST data into the scan, and uses the dump option to gather more information.
The sqlmap scan reveals two usernames along with their passwords. The attacker then logs in to the website with the recovered credentials, but there is little of interest once logged in.
The attacker then decides to SSH into the target machine using the credentials from the sqlmap dump. The login succeeds, but the shell appears to be restricted.
The attacker then attempts to obtain a shell through the SQL injection.
The attacker is able to open an OS shell through the SQL injection. The next step is to find netcat and use it to connect the target machine back to the attacking machine.
The attacker then sets up netcat to listen on port 499 on the attacking machine.
The attacker then connects to the netcat listener from the SQL OS shell.
The connection succeeds. However, the shell still appears to be limited.
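The credential dump and the OS shell both stem from one root cause: the login page builds its SQL query from unvalidated form input. The following Python script is an added example and is not code from the original walkthrough or from the Kioptrix VM. It contrasts a login check built by string concatenation with one using bound parameters, against an in-memory SQLite table of constructed users (alice, bob) with placeholder passwords; the web application's real code, usernames and credentials are not on this page and are not reproduced here.

```python
import sqlite3

# Constructed sample data: two users and placeholder passwords standing in
# for whatever the walkthrough's web application stored. Real applications
# must store password hashes; plaintext is used here only to keep the demo short.
SAMPLE_USERS = [
    ("alice", "constructed-pw-1"),
    ("bob", "constructed-pw-2"),
]

# The classic textbook payload: it closes the password literal and appends an
# always-true condition, so the WHERE clause matches every row.
TEXTBOOK_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting: the input becomes SQL syntax.

    Returns the username of the first row the query matched, or None.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The same check with bound parameters: the driver passes the values
    separately from the statement, so quotes inside them are data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run one set of credentials through both checks and report the outcomes."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "constructed-pw-1"))
    print("wrong password:   ", compare("alice", "nope"))
    print("injected password:", compare("nobody", TEXTBOOK_PAYLOAD))
```

With the injected password, login_vulnerable reports a successful login as alice even though the username does not exist, while login_parameterized returns None; legitimate credentials work identically in both. A single unbalanced quote makes login_vulnerable raise sqlite3.OperationalError, which is the kind of database error a web application must never echo back to the client.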
The attacker finds a local root exploit to which the target machine is vulnerable and sets up a Python SimpleHTTPServer to host the file. However, a full shell is still needed.
After some searching on Google, the attacker discovers that a full shell may be obtained with the command echo os.system('/bin/bash'). It works! The attacker then uses wget to download the local root exploit from the SimpleHTTPServer on the attacking host and compiles the exploit.
*The following 32-bit binaries had to be downloaded in order to compile the exploit correctly.
The attacker then runs the local root exploit and finds congrats.txt!