This post contains the steps to get a root shell on the Kioptrix Level 2 VM.
This VM can be found here. Have a look to find even more VMs.
First, we need to discover where the machine is on our network. To do so, let’s use Nmap:
After getting the IP address, we need to do some fingerprinting.
Fig. Nmap scan result
As I saw it in the scan report, I decided to scan port 80 with Nikto.
Fig. Nikto report on port 80 (HTTP)
There was no interesting file or any ‘obvious’ vulnerability, so I decided to check the web application.
When you arrive on the index page, you get a login page. No stylesheet file, etc. So I decided to check whether the login form was vulnerable to SQL injection.
Fig. Testing SQL Injection in Login form
Bingo, it was!
Thanks to this flaw, we had access to an “admin panel” used to launch ping commands. It seemed there might be a command execution vulnerability.
I tried using a payload like:
And guess what? It worked!
Then, let’s get the
Fig. Command injected to display /etc/passwd
And the result :
Fig. Output when using the Command exec to display /etc/passwd
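The two web flaws used above (SQL injection in the login form, then command injection through the ping panel) boil down to the same mistake: user input is spliced into a string that another interpreter parses. The following is an added example, not code from the original post or from the Kioptrix VM: each flaw is modelled in Python next to a hardened version, so the fix is concrete. The SQLite schema, the user names, the credentials and the function names are all constructed for this demonstration.

```python
"""
Added example (not from the original post): a login check and a ping panel,
each in a "vulnerable" form that splices user input into a string, and a
"fixed" form that keeps the input as data. Schema, credentials and names are
constructed for the demo; plaintext passwords are kept only to keep the SQL
readable, a real application would store a salted hash.
"""
import ipaddress
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory user table standing in for the application's DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'ch4ng3-m3')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query is built by string concatenation, so a quote in the input
    # changes the structure of the SQL statement instead of being compared.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the values as data, so the input
    # can never be parsed as SQL, whatever characters it contains.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def build_ping_command_vulnerable(target):
    # A single shell string: every shell metacharacter in `target` would be
    # interpreted by /bin/sh when this string is executed.
    return "ping -c 3 " + target


def build_ping_command_fixed(target):
    # Accept only a literal IP address (ValueError otherwise) and return an
    # argv list, which is executed without a shell, so no character of the
    # input is ever interpreted.
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "3", str(addr)]


def run_ping_fixed(target):
    # Execute the validated argv list without a shell; return the exit status.
    proc = subprocess.run(build_ping_command_fixed(target),
                          capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 -- "  # classic test string: the comment eats the rest
    print("vulnerable login accepts crafted user:", login_vulnerable(db, crafted, "x"))
    print("fixed login accepts crafted user:     ", login_fixed(db, crafted, "x"))
    print("shell string for '127.0.0.1; id':", build_ping_command_vulnerable("127.0.0.1; id"))
    try:
        build_ping_command_fixed("127.0.0.1; id")
    except ValueError as exc:
        print("fixed ping rejects it:", exc)
    print("fixed ping argv:", build_ping_command_fixed("127.0.0.1"))
```

The fixed ping handler is deliberately stricter than a blacklist of metacharacters: it parses the parameter as an address and rebuilds the command from the parsed value, so any input that is not an IP address is rejected before a process is spawned. The same validate-then-rebuild pattern (parameterised query, argv list) is what makes both fixes hold regardless of which characters the request contains.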
After this, we were able to run commands on the system, but the shell ran as the apache user. No privileges.
The final step was to find a local root exploit that we could use.
From the uname -a output, I found a corresponding exploit: Linux Kernel 2.6 < 2.6.19 – (32bit) ip_append_data() ring0 Root Exploit
However, we didn’t have write access in the current folder, so let’s download it in
Moreover, a fun trick would be to get a PHP reverse shell. Download it, change the configuration, and send it using Netcat / wget like this:
On your host machine:
And using the command execution vulnerability, download the file:
And launch the shell:
And you get a reverse shell (:–)) on your machine:
Then, download the root exploit, compile it, run it, and you’re root.
Fig. Exploit worked and we’re now root
Then we read /etc/shadow, crack the passwords, etc.
Hope you liked it, and good evening!