Kioptrix level 2
Vulnbub is perfect place to practice hands-on experience for pen-test. I personally recommend do most of vulnhub lab before registering PWK(OSCP) course.
Kioptrix level 2 : https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Easily download the virtual machine image from the link, set up the network into Bridge or NAT (depends on your preference)
(kioptrix level2 img)
0. Find the ip address
– netdiscover : active/passive network scooping tool, Kali and Backtrack already have it as default. If you
If you prefer GUI rather than CLI, there’re other netscan program for Windows(including Wireshark or netscan)
– netscan on windows: https://filehippo.com/download_softperfect-network-scanner/71274/
After getting target’s IP address, type the address on the browser and see if it has any default web page. The website is simply showing login page. Let’s gather more information with enumeration and scanning tools
1. Enumeration/ Scanning
– nmap or zenmap : web scanner
– nikto : scanning webserver with OSVD details
– dirbuster : finding available directory via bruteforcing based on a directory wordlist file.
2. Website login page
– XSS (Cross Site Scripting) : not working
– SQL Injection : Getting into next page with SQL injection
Once you bypass authentication process with SQL injection, you can see “pingit.php” page, which ping input ip address (Have you checked DVWA before?).
Let’s try to print out /etc/passwd value on the page, see if the command injection is working after typing ip address and semicolon(;)
You can check id , by typing id, but it’s showing as apache. To get a root access, we need to find exploit to get privilege access.
eg) $ python commix.py –url=”http://192.168.88.135/pingit.php” –data=”ip=127.0.0.1E&submit=submit” –auth-url=”http://192.168.178.2/index.php” –auth-data=”uname=admin&psw=%27+OR+1%3D1–+-&btnLogin=Login”
*Please don’t forget to encode/decode your value (uname and psw) to use it on URL https://www.urlencoder.org/
*If you just prefer using Kioptrix Apache admin page (ping page),
Let’s find any information regarding to OS and kernel with cat command
1) Kernel information > “192.168.88.131; cat /proc/version“
Result : Linux version 2.6.9-55.EL (firstname.lastname@example.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
2) OS information > “192.168.88.131; cat /etc/redhat-release“
Result : CentOS release 4.5 (Final)
3. Search any available privilege escalation
There’re other tools that you can install and use it to find exploit such as Searchsploit or Findsploit “https://www.exploit-db.com/searchsploit/”, if you prefer details information about exploit, CVE or Exploit-DB website would be better
4. Download vulnerable /exploitable source code
Since it’s apache access, can’t download the files on /root or /home, so we hav to find the directory where the apache can access to with “find” command
Download it via $ wget command from exploit DB, (some of exploit code may already in your kali machine)