[Vulnhub] Kioptrix 4 (1.3) Write-up
This article is the write-up for Kioptrix 4 (1.3). The target IP address is 192.168.1.14.
Scanning
I first ran nmap:
nmap -T4 -p- -A -n -sS -oN nmap.tcp 192.168.1.14
Nmap scan report for 192.168.1.14
Host is up (0.00055s latency).
Not shown: 39528 closed tcp ports (reset), 26003 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: E4:A4:71:5B:71:E7 (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5h59m59s, deviation: 3h32m07s, median: 3h29m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2022-02-16T11:51:26-05:00
There seem to be three services running over TCP: HTTP, SMB and SSH.
HTTP: SQL Injection
The first page has a login form on it, so I went straight at it and entered a single quote (') in both the username and password fields to see if it threw an error:
It did! Looks like we do have a SQLi:
I then tried admin as the username and ' OR '1'='1 as the password to bypass the form, and I was partly successful in bypassing it:
I tried other usernames too but wasn't really successful. I wondered whether the username was wrong and went to enumerate another service: SMB.
SMB: Finding dear John
Time for some SMB!
Fixing errors
I couldn't list the shares using smbclient at first. After searching on Google I found out that I had to append these lines to my Samba config (smb.conf) to make it work, so if you hit the same problem you can probably fix it with them:
client min protocol = CORE
client max protocol = SMB3
Make sure to place them under the [global] section.
Using enum4linux
Listing the shares didn't turn up anything interesting, so I didn't bother taking a screenshot. I then used enum4linux and came across these users:
Dear John helped me bypass the form properly.
Back to HTTP
I tried john as the username with the same payload I used last time as the password, logged in properly and got a password:
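As an added example (not the write-up's code and not the box's PHP), here is the login query shape that lets the ' OR '1'='1 payload from the two HTTP sections through, next to the parameterised version that rejects it. sqlite3 stands in for MySQL so it runs offline, and the members rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the site's members table.
SAMPLE_MEMBERS = [("john", "constructed-password-1"),
                  ("robert", "constructed-password-2")]


def make_db():
    """Create an in-memory members table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: user input becomes part of the SQL text.
    A password of  ' OR '1'='1  closes the quote and appends a tautology,
    so the WHERE clause matches every row and the first user is returned."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately from the
    SQL text, so quotes in the input stay data and never become syntax."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "admin", payload))  # john
    print("safe:      ", login_safe(db, "admin", payload))        # None
```

The vulnerable path also explains why a wrong username still "kinda" works: the tautology matches every row regardless of what was typed in the username field.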
SSH: Using John, again
As there was nothing on SMB to use john's credentials on, I tried SSH to access the system:
Getting out of restricted shell
But it seemed limited! Using echo $SHELL I found out that it's kshell, but it's pretty limited as I could only use a few commands, none of which really helped me except echo! I couldn't even go into other directories. I searched the web for bypassing restricted shells but nothing helped, then I came across this website and thought of using echo os.system('/bin/bash'), since I had echo available, and got out of the restricted shell:
Privilege Escalation
Time for privilege escalation now.
Robert
I went into the /var/www directory to see if there was anything interesting, came across the robert folder, cat'ed robert.php and found mysql credentials:
I used the credentials to log in to mysql and queried the databases:
Then I queried the members database:
At first I thought robert's password was a base64 hash, but after trying to decode it I figured out that it isn't. I then used it to change user to robert and was successful:
I should note that I tried using robert instead of john on the web server, and I could use robert instead of john to access the system, but it didn't really matter as robert didn't help me escalate my privileges.
MySQL
After searching and searching I came across MySQL user defined functions, or UDFs for short, which are simply user-defined functions that extend MySQL's capabilities.
The first requirement was to check the services to see who mysql's owner is, and it was root, so the first condition is cleared:
I then used mysql to see if there were any interesting UDFs:
There is sys_exec, which lives up to its name and is used to execute system commands. I tested it by running select sys_exec("mkdir /tmp/test");:
It was successful! You can do a lot of things with this function, and what I did was add a nice line to the sudoers file:
And I got root.
That's the end, people. Happy hacking.
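As an added defender-side example (not from the write-up), the two conditions this section relied on, mysqld running as root and a command-executing UDF such as sys_exec being registered, can be turned into a single audit check. The ps listing and the mysql.func rows below are constructed sample input; on a real host they would come from ps -eo user,pid,comm and SELECT name, ret, dl FROM mysql.func.

```python
# Constructed sample output standing in for `ps -eo user,pid,comm`.
SAMPLE_PS = """USER PID COMMAND
root 1 init
root 4021 mysqld
www-data 4102 apache2
"""

# Constructed sample rows standing in for `SELECT name, ret, dl FROM mysql.func`.
SAMPLE_FUNC = [
    ("sys_exec", 2, "lib_mysqludf_sys.so"),
    ("sys_eval", 0, "lib_mysqludf_sys.so"),
]

# UDFs from lib_mysqludf_sys that run operating-system commands.
COMMAND_UDFS = {"sys_exec", "sys_eval"}


def mysqld_user(ps_text):
    """Return the account mysqld runs as, or None if it is not listed."""
    for line in ps_text.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "mysqld":
            return parts[0]
    return None


def dangerous_udfs(func_rows):
    """Names of registered UDFs that can execute system commands."""
    return sorted(name for name, _ret, _dl in func_rows if name in COMMAND_UDFS)


def assess(ps_text, func_rows):
    """Combine both checks into one severity, the daemon user and the UDF list.
    Fixes: run mysqld as an unprivileged user, DROP FUNCTION the shell UDFs,
    and keep FILE/INSERT-on-mysql.func privileges away from application users."""
    user = mysqld_user(ps_text)
    udfs = dangerous_udfs(func_rows)
    if user == "root" and udfs:
        return ("CRITICAL", user, udfs)   # SQL access is already root shell access
    if udfs:
        return ("HIGH", user, udfs)       # command execution as the mysql account
    if user == "root":
        return ("MEDIUM", user, udfs)     # no shell UDF yet, but one is a CREATE FUNCTION away
    return ("OK", user, udfs)


if __name__ == "__main__":
    print(assess(SAMPLE_PS, SAMPLE_FUNC))   # ('CRITICAL', 'root', ['sys_eval', 'sys_exec'])
```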