Thursday, June 7, 2018

Kioptrix - Level 1.3 (#4)

KIOPTRIX - Level 1.3 (#4)

- Layout for this exercise:


The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.3 (#4)

- Kioptrix Level 1.3 (#4) can be downloaded from here:,25/


- Once downloaded, extracted and opened with WMware:


- First, using netdiscover let's notice that the only IP address in the local network working with WMware is, so it should correspond to the vulnerable machine Kioptrix:

- Scanning with Nmap:

- Using nbtscan:

- enum4linux discovers that there are at least 5 users: nobody, robert, root, john, loneferret.

- dirb scans the structure of the website:

- Connecting directly to the web server there is a Member Login:

- Images: 

 - john user's webpage:


- Let's discover if there is a chance of SQL injection:

- According to the server's answer the file /var/www/checklogin.php holds interesting information about the login process, what could be of use later:

- Entering a basic SQL injection:

- Surprisingly, the password for user john is revealed: 

- Same thing for the user robert (beware of its base64 encoded appearance, it could be misleading):

- However, there is no successful result for the rest of the users, for instance for user root:

- Now, let's use the credentials for connecting via SSH with users john and robert

- It seems that the available shell is very limited:

- All information about lshell and how to bypass it:

- Trying to get a better shell with os.system('/bin/bash'):


 - Checking what's inside the /home directory:

- It is interesting to see that there are some references to a MYSQL database:

- Trying to enter the database with root privileges, we have the gift that the administrator of the database forgot to set a password for the user root: 

- Showing databases:

- We discover the same username/password information that already knew: 

- From the enumeration step we know that /var/www/checklogin.php has information about the login process:

- Opening /var/www/checklogin.php there is no password for root, as expected:


- So, the conclusion is that the mysql database can be run with root privileges and no password.

- The approach to achieve Privilege Escalation will be to take advantage of the fact that the database is being run as root with no password.

- We can run a User Defined Function (UDF) to execute commands on the underlying operating system:

lib_mysqludf_sys is an UDF library with functions to interact with the execution environment in which MySQL runs.

Luckily, we already have it installed

- Otherwise it could be downloaded from here:

- One of the UDF funcions is sys_exec, what executes arbitrary commands like for instance usermod -a -G admin john , modifying the user john's account by appending it to the admin group, and giving him root privileges:

- Now, a root shell is achieved: 


- Going to the /root folder: