Kioptrix Level 1.3 Walkthrough

The attacker starts out with netdiscover to find the ip address of his target machine. Netdsicover finds the ip address of 172.16.158.133 for the new target.

Image description

The attacker then uses nmap to discover any open ports and see if any services are running on those ports.

Image description

The nmap scan reveals that port 80 is open and is running apache. The attacker then opens up his webbrowser and enters the target machines ip address into the browser. The website has a login page and no other content. Image description

The attacker tries a simple sql injection attack on the login page, but it is unsuccessful. The attackers next step is to use tamper data to see where the login information is being posted to.

Image description

Image description

The attacker then uses the gathered post information and starts sqlmap. The attacker plugs in the gathered POST information into his sqlmap scan and uses the dump command to gather more information.

Image description

Image description

The sqlmap scan reveals two user names as well as passwords. The attacker then attempts to log in to the website with the gathered credentials. However, there is not much information once the attacker logs in.

Image description

Image description

The attacker then decides to ssh into the target machine using the credentials from the sqlmap dump. He is able to successfully ssh in but the shell appears to be limited.

Image description

The attacker then attempts to obtain a shell through sql injection. Image description

Image description

Image description

Image description

The attacker was able to open up an os shell through sql injection. His next step was to find netcat and attempt to connect to the target machine through netcat. Image description

Image description

The attacker then sets up netcat to listen on port 499 on the atttacking machine.

Image description

The attacker then connects to netcat through the sql os shell.

Image description

He succussfully connects. However, the shell still appears to be limited.

Image description

The attacker found a local root exploit that the target machine is vulnerable to. He sets up a python SimpleHTTPServer to host the file. However, he still needed a full shell.

Image description

After some google searching, the attacker discovers there may be a way to use a full shell using the command “echo os.system(‘/bin/bash’). It works!. The attacker then uses wget to download the local root exploit from the hosts SimpleHTTPServer. He then compiles the exploit.

Image description

*The following 32 bit binaries had to be downloaded in order to compile the exploit correctly.

Image description

Image description

The attacker then ran the local root exploit and found congrats.txt!

Image description

Written on December 7, 2015