Kioptrix: Level 1.1 (#2)

Kioptrix VM image: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Aim: get root on the machine.

Difficulty level: Easy

As always, we start with an initial scan to see which ports are open on the target machine. I have switched from nmap to rustscan for this first look.

rustscan -a 10.0.2.15 -u 5000
Screenshot: the open ports on the target machine and the services running on them.

There is a web server running on port 80, so we should also run a vulnerability scan against it. This time I used a new tool in my arsenal: OWASP ZAP.

OWASP ZAP is a wonderful tool!

In the alerts section we can see:

Running an automated scan against the target IP, ZAP reports that the site is vulnerable to SQL injection. Opening the site in a browser and trying the most basic form of SQL injection, we get a successful login:

Screenshot: the SQL injection succeeds with the input shown above.

After logging in we get a box that asks for a machine to ping; this turns out to be vulnerable to command injection, giving remote code execution.
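For the defensive side of the two bugs used above, here is an added example (not code from the Kioptrix VM or this writeup) showing how the login query and the ping box would be written to close them: user input bound as SQL parameters, and the ping target accepted only as a literal IP address and executed without a shell. The table schema and field names are assumptions.

```python
"""Hardened versions of the two input handlers exploited in the writeup:
the login form (SQL injection) and the ping box (command injection).
Added example, not code from the Kioptrix VM; schema and names are assumed."""
import ipaddress
import sqlite3
import subprocess


def demo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the VM's user table (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'Sup3rSecret!')")
    return db


def login_ok(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: the input is bound as data, never spliced into
    the SQL text, so quotes or comment markers cannot change the WHERE logic."""
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def validate_ping_target(target: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return its normalized form.
    Anything else (hostnames, spaces, shell metacharacters) raises ValueError,
    so there is no need to reason about individual dangerous characters."""
    return str(ipaddress.ip_address(target.strip()))


def safe_ping(target: str) -> subprocess.CompletedProcess:
    """Run ping with an argument list (no shell) on a validated address only."""
    addr = validate_ping_target(target)
    return subprocess.run(
        ["ping", "-c", "1", addr], capture_output=True, text=True, timeout=10
    )
```

A request whose ping target is not a bare address is rejected before any process is started, which is the point where a detection hook (log the rejected value and source) belongs.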

So my first aim here was to get a reverse shell on this machine, using the pentestmonkey reverse shell cheat sheet:

We use port 4567 here instead of 8080.

We got a reverse shell successfully, but with low privileges.

Our aim now is to escalate privileges and get root. Let's gather some information about the system and the OS version:

We got the CentOS version as well as the kernel version.

We now look for an exploit for this version online. Luckily we find one with a good reputation:

Note the kernel and OS version it targets :)

So our main aim here is to execute this piece of code on the target machine. I tried downloading the code directly onto the victim machine with wget/curl, but it didn't work.

So we spawn a server on our own machine and download the exploit onto the victim through that:

WE ARE ROOT. We have accomplished our mission here.

Topics/Commands Covered:

i) wget/curl

ii) SQL injection

iii) uname, cat /proc/version, cat /etc/*release

iv) file sharing with the help of python SimpleHTTPServer

v) Netcat

vi) privilege escalation
