[Vulnhub] Kioptrix 2 Write-up
This article is a write-up of Kioptrix Level 2.
Enumeration
I used netdiscover to get the IP address of the Kioptrix machine, which was 192.168.1.9.
Scanning
I used nmap to scan the machine and found the following open ports:
nmap -T4 -p- -A -n -sS -oN nmap.tcp 192.168.1.9
Nmap scan report for 192.168.1.9
Host is up (0.00030s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 623/udp status
|_ 100024 1 626/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2022-02-13T12:25:53+00:00; -2h09m39s from scanner time.
|_http-server-header: Apache/2.0.52 (CentOS)
626/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
3306/tcp open mysql MySQL (unauthorized)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
HTTP
I checked the HTTP site first; the homepage was as follows:
It was a login page, and since port 3306 (MySQL) was open, the login was likely backed by a database, so I tried SQL injection to get past it. It worked:
The next page asked for an IP address to ping and displayed the results, so I filled it with:
hello was printed to the screen, so the form was vulnerable to OS command injection. Next I searched for a bash reverse shell and placed that in the input instead of echo hello:
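To make the two web bugs above concrete, here is an added example in Python (it is not code from the Kioptrix VM or from this write-up): a login that splices user input into SQL beside a parameterised one, and a ping handler that concatenates the target into a shell command line beside one that validates the address and avoids the shell entirely. The table schema, the test credentials and the SQLite stand-in for MySQL are assumptions; the VM's actual PHP source is not reproduced on this page.

```python
"""Added example: SQL-injectable login and command-injectable ping form,
each next to a hardened version.  Schema, credentials and the SQLite
stand-in for the VM's MySQL database are assumptions for illustration."""
import ipaddress
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the web app's user table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # User input is spliced straight into the SQL text, so a quote in the
    # input changes the structure of the query.
    query = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text and
    # can never be parsed as SQL.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic auth-bypass payload; ' OR '1'='1 is valid in both MySQL and SQLite.
# Supplied in both fields, the trailing OR makes the WHERE clause always true.
BYPASS = "' OR '1'='1"


def ping_vulnerable(target: str) -> str:
    # The ping form's bug: the target is concatenated into a shell command
    # line, so ';' (or '|', '&&', backticks) runs attacker-chosen commands.
    cmd = "ping -c 1 %s" % target
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def validate_ip(target: str) -> str:
    # Allow-list check: accept only a literal IPv4/IPv6 address, rather than
    # trying to strip "dangerous" characters.  Raises ValueError otherwise.
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target: str) -> bool:
    try:
        validate_ip(target)
        return True
    except ValueError:
        return False


def ping_safe_argv(target: str) -> list:
    # Build an argv list from a validated address; no shell is involved, so
    # there is nothing to inject into.
    return ["ping", "-c", "1", validate_ip(target)]


def ping_safe(target: str) -> str:
    proc = subprocess.run(ping_safe_argv(target), capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed:", login_vulnerable(db, BYPASS, BYPASS))
    print("safe login bypassed:      ", login_safe(db, BYPASS, BYPASS))
    print(ping_vulnerable("127.0.0.1; echo hello"))
    print("injection accepted by safe handler:",
          is_valid_target("127.0.0.1; echo hello"))
```

The bypass payload has to go into both fields: with only the username injected, the query reads `username='' OR ('1'='1' AND password='x')`, which is still false because AND binds tighter than OR. The ping fix is not about filtering `;`; it is that the target is checked against what a valid address looks like and then passed as a single argv element, so the shell never sees it.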
Privilege Escalation
I then looked for ways to escalate my privileges.
MySQL
I searched through index.php and found an interesting line:
I tried to su to other users with it, but was not successful:
So I used it for what it was really intended for: MySQL.
Next I listed the databases:
I then switched to the webapp database and queried its tables:
I tried these credentials against the users and root, but was not successful, so I looked for other ways to escalate.
Linux Version
I used uname -a to find the kernel version and found an exploit for it.
I downloaded it, uploaded it to the target machine, compiled it there and ran it:
And I got root!
That's it for this article. Happy hacking!