Monday, June 4, 2018

Kioptrix - Level 1.1 (#2)

KIOPTRIX- Level 1.1 (#2)

- Layout for this exercise:


 - The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1.1 (#2)

 - Kioptrix Level 1.1 (#2) can be downloaded from here:,23/

- Once downloaded, extracted and opened with WMware:


- First, using netdiscover let's notice that the only IP address in the local network working with WMware is, so it should correspond to the vulnerable machine Kioptrix:

- Scanning for versions and the operating system with Nmap:


- Connecting from the browser's attacker the web server answers with a login page, where we can try an SQL injection:

- The injection is successful, leading to a ping application:

- Pinging to the attacker's IP:

- Trying a Command Injection, it is also successful:

- Setting a listener session with netcat at the attacker's side:

- Following the directions on this link a bash script can be submitted as a Command Injection:

- The reverse shell is eventually achieved at the attacker's local machine:

- However, let's notice that we have a shell just for the user apache, not with root privileges, so we need to start a privilege escalation process to get a root shell.


- From the previous scanning whe know that the running operating system is Linux with kernel 2.6:

- Googling for Kernel 2.6 vulnerability for privilege escalation:

- There are some exploits useful for that purpose, for instance this one:

- Using searchsploit to locate the exploit:

- Copying the exploit 9542.c to a testing folder:

- Now, setting a simple server on port 8080:

- Remembering that the shell was working at the /var/www/html directory, what usually does not have the needed pemissions to be written:

- However, the directory /tmp does usually have permission to be written, so it is better to use /tmp as a destination for downloading the exploit 9542.c from the attacker's side to the victim's side, where the exploit will be run:

- Now, we've got the exploit at the victim's machine:

- Another option would be to download the exploit to /tmp from the original website, using the option --no-check-certificate to avoid checking the server certificate against the available certificate authorities:

- Compiling the exploit:

- Running the exploit the root privileges are achieved immediately:


- With the root privileges we have access to the whole filesystem, for instance the passwords file, what could be potentially decrypted:

- Also, checking the index.php we find the code that explains the SQL injection vulnerability, due to the lack of proper sanitization:

- Also, hardcoded credentials for a user:

- These credentials allow us to enter the MYSQL database:

- There are 3 databases:

- Going with the first one:

- There is a number of tables:

- Trying to get information from the table user we discover some credentials for root and john:

- In the same way:

- Going to the other database:

- Showing the tables:

- Selecting the table users:

- Another interesting source of information is the hidden file .mysql_history because sensitive information such as the text of SQL statements containing passwords might be written to it:

- Opening .mysql_history interesting credentials are found for users like john or admin: