Hack The Kioptrix Level-1.3 (Boot2Root Challenge)

This Kioptrix 4th VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

You can Download it from here and run install in your VM.

Penetrating Methodologies

  • Network sccaning (netdiscover, Nmap)
  • Directory brute-force (dirb)
  • Login Form SQli
  • Spwaning tty shell
  • SUID Privilege escaltion
  • Get root access and capture the flag

Lets start!!

Turn on your attacking machine and use netdiscover command to scan your local network to get target IP.

So we target at 192.168.1.106 let go for its enumeration and scan open ports and protocols. With help nmap aggressive scan we have observe several open port and service running on it.

Since port 80 is open so without wasting time we use dirb for directory brute-force attack and enumerated /john as a directory which could give something valuable to us.

Consequently we explored URL http://192.168.1.106/john in the web browser and notice john.php file. Awkwardly I didn’t found any treasured from inside this file.

Further, I came back to its home page and it was login page as shown below. Here we can try sql injection for login.

So I simply enter following and get login successfully.

And welcomed by following web page which serves actual credential for the user “john”

Since we port 22 is open for ssh and we have enumerated following credential so let’s try to login to access tty shell of victim’s machine and then execute below commands.

Username: john

Password:  MyNameIsJohn

Then view its file and directory list where you will get checklogin.php file; open it for further step.

By read it we conclude that mysql user name is root with No password.

Now let try to login into mysql server with the help of following command and try to execute some malicious query through it.

 By the mean of mysql we are trying to enable SUID bit for find command.

Now move to /tmp directory and execute following command for root access.

Yuppieee!!! We finished this task and complete the challenge……………………………

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *