Kioptrix 4 walkthrough

karthik prabhu
3 min read · Apr 28, 2022

ARP scan (to find how many devices are connected): arp-scan -l

Nmap-scan:

  • On Port 22, SSH Service is running with version OpenSSH 4.7p1
  • On Port 80, HTTP Service is running with version Apache httpd 2.2.8
  • On ports 139 and 445, the NetBIOS/SMB service is open, which means we can easily enumerate SMB for any public-facing shares as well as usernames.

Directory Bruteforcing:

Enum4linux:

As you can see, we got 5 usernames (john, loneferret, nobody, robert, root). Let's try to connect to the SMB shares on Kioptrix with the help of the following command:

SQL Injection:

Let's go ahead and attempt SQL injection by entering the username john and the password ' or '1'='1

You can do the same with the other users.
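As an added example (not from the original post and not the Kioptrix application's own code), the following Python/sqlite3 stand-in shows why the password ' or '1'='1 logs in as john when the login query is built by string concatenation, and how a parameterised query removes the problem. The table, the user record and the stored password are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for a login table; the real Kioptrix
    # schema and credentials are not reproduced here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'example-password')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The flaw: user input is pasted into the SQL text. With the password
    # ' or '1'='1 the WHERE clause becomes
    #   username='john' AND password='' or '1'='1'
    # and, because AND binds tighter than OR, the whole clause is always true.
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Returns True when the (attacker-controlled) query matches any row.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_fixed(conn, username, password):
    # The fix: placeholders send the values separately from the SQL text, so
    # the quote characters in the password are just data that must match the
    # stored column value exactly.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    payload = "' or '1'='1"
    print("concatenated query:", build_vulnerable_query("john", payload))
    print("vulnerable login accepts payload:", login_vulnerable(db, "john", payload))
    print("parameterised login accepts payload:", login_fixed(db, "john", payload))
    print("parameterised login accepts real password:",
          login_fixed(db, "john", "example-password"))
```

The same fix applies to the original PHP/MySQL application: prepared statements with bound parameters instead of interpolating $_POST values into the query string.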

Let's try to SSH in with the username john and the password (MyNameIsJohn) by typing the following command in your terminal.

SSH connection:

echo $PATH

echo $SHELL

The connection was closed, so connect over SSH with the same credentials once again.

To bypass this limited shell, there is a simple trick:

Command:

ssh john@192.168.1.41

echo os.system("/bin/bash")

Okay! Now that we have more access, as you can see, we are able to execute the pwd command, which tells you your present working directory, as well as the whoami and ls -la commands.

$PATH is an environment variable that specifies a set of directories to search for executables (separated by a colon on Linux; Windows uses a semicolon).

What does /var/www mean?

/var/www/html is just the default root folder of the web server. You can change it to whatever folder you want by editing your apache.conf file (usually located in /etc/apache/conf).

To check whether mysql service is running or not, type

ps -ef | grep root | grep mysql
