Kioptrix 4 walkthrough
Arp scan (to find how many devices are connected to the network): arp-scan -l
Nmap-scan:
- On Port 22, SSH Service is running with version OpenSSH 4.7p1
- On Port 80, HTTP Service is running with version Apache httpd 2.2.8
- On Port 139 and 445, the NetBIOS/SMB service is open, which means we can enumerate SMB for any public shares as well as usernames.
Directory Bruteforcing:
Enum4linux:
As you can see, we got 5 usernames (john, loneferret, nobody, robert, root). Let's try to connect to the SMB shares on Kioptrix with the help of the following command:
Sql Injection:
Let's go ahead and attempt SQL Injection by typing the username as john and the password as ' or '1'='1
You can do the same with the other users.
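Why that password works, and what the fix looks like, as an added example that is not part of the original walkthrough and not Kioptrix's own login code: a constructed in-memory SQLite table with a placeholder password, a login function that concatenates user input into the query (the defect the payload above exploits), and the same check written with bound parameters. Table and column names are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; the password is a placeholder,
# not anything from the Kioptrix box.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('john', 'placeholder-secret')")
    return conn


def build_vulnerable_query(username, password):
    # User input is spliced straight into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL grammar.
    return ("SELECT username FROM members WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    # With password = ' or '1'='1 the WHERE clause becomes
    #   username='john' AND password='' or '1'='1'
    # AND binds tighter than OR, so the always-true '1'='1' lets it through.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the input as data, so it is compared
    # literally and never interpreted as part of the query.
    query = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("effective query:", build_vulnerable_query("john", payload))
    print("vulnerable login accepts payload:", login_vulnerable(db, "john", payload))
    print("parameterized login accepts payload:", login_parameterized(db, "john", payload))
```

Printing the effective query is the quickest way to show a developer what the database actually received; logging it (with inputs redacted) is also a practical way to spot injection attempts against a legacy login page while it is being fixed.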
Let's try to SSH in with username john and password (MyNameIsJohn) by typing the following command in your terminal.
Ssh connection:
echo $PATH
echo $SHELL
The connection closes, so reconnect over SSH with the same credentials.
To bypass this limited shell, there is a simple trick:
Command:
ssh john@192.168.1.41
echo os.system("/bin/bash")
Okay! Now that we have more access, as you can see we are able to run pwd (which prints your present working directory), whoami and ls -la.
What does /var/www mean?
/var/www/html is just the default document root of the web server. You can change it to whatever folder you want by editing your apache.conf file (usually located in /etc/apache/conf).
To check whether the mysql service is running, type
ps -ef | grep root | grep mysql