Kioptrix-1.1(#2)

Walk through of Kioptrix level 2

Overview: This Kioptrix VM Image are easy challenges. The objective of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

Here we Will follow the hacking methodology. Lets Start:

Information gathering

In order to hack a System, first we need to have the some information about the target such as ip address. So in-order to find the ip address of the vm, we will use netdiscover.

command: # netdiscover -r 10.10.10.0/24 (since i know my system, all the vm are at this range)

since ip with 1,2,254 are reserved, so the target vm ip is 170.

Scanning and Enumeration

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
824/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)

Since It is a web server, I began to visit for any sensitive info, but it had only login page, so i intercepted its request in burp and tried to login. I used following payload and found that it is vulnerable to sql injection.

Then I got access to into admin page . Since from the above info gathering i knew that it was a linux server (centos) and it had option to ping the system so i tried to exploit this behavior. I tried to list the users using the following command.

From the command, i got the following response from the server.

Lets sets setup the netcat listner in our system and make connection from the server using bash reverse shell.

Figure: Attacker System
Figure: Victim Server

Note: Here 10.10.10.167 is the attacker ip and 8080 is the port on which attacker is listening. After pressing submit we get the connection on console.Lets see who we are logged in as:

So we wanted to be of higher privileged user so, first lets see the kernel version.

It is a 32 bit old kernel. Let’s search for exploit on the internet. Found 9542.c named exploit in exploit-db.

First lets move to the /tmp folder and download that exploit in that server using wget command. Directly we cannot download because of ssl error so first download it into your attacker box and then host it in local server using python(You may use apache too).

simpe httpserver on attacker box
on server shell

lets compile it using the following command:

command: gcc 9542.c -o anyfilename

now run the compiled code using ./exploit

Now we got the reverse shell. So lets verify.

Finally we get the root access. Congratulation you did it successfully. Now you are a root user.

Certified Ethical Hacker(Master) | Security Analyst | Bug Bounty Hunter