This is my second Vulnhub write-up, for the Kioptrix Level 2 challenge. As usual we start by enumerating services, but before that we have to find the IP address of the target machine.

Information Gathering

netdiscover will list every device on your network; arp-scan does the same job, so use whichever you prefer. Either way, the target's IP address is what we need before going any further.

Arp-scan

Now that we have the target's IP address, let's see which services are running on it.

Nmap

These are the services running on the target machine.

Port 80 is Running Apache httpd 2.0.52 (CentOS)

Let's take a look at http://192.168.1.8

The page is a "Remote System Administration Login" form with a username and a password field. Let's look at the page source; we might find something interesting.

Nothing special in the source, but the form hands the username and password to the server as-is, so the first thing to try is SQL injection.

BurpSuite

Below is the request we're sending, followed by the response we got.

Request:

Response:

So it was a simple SQL injection: 1' or '1'='1. The leading quote closes the quoted value in the server-side query and the rest appends a condition that is always true, so the WHERE clause matches a row no matter what the real password is. One thing to keep in mind with a login query of the usual form (... username='...' AND password='...'): AND binds tighter than OR, so the payload has to go in the password field (or in both fields). Placed in the username alone it still evaluates to false.
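To show exactly why that string logs you in, here is an added example (not code from the write-up or from the Kioptrix VM) that reproduces the login check against an in-memory SQLite table. The query shape, the users table, the admin row and the password "hunter2" are all assumptions and constructed sample data; the point is the difference between string concatenation and bound parameters, and why the field you put the payload in matters.

```python
"""Login SQL injection, reproduced offline (added example, not from the write-up).

ASSUMPTION: the vulnerable login builds its query by concatenation of the form
    SELECT ... FROM users WHERE username='<u>' AND password='<p>'
The table and the single 'admin' / 'hunter2' row are constructed sample data.
"""
import sqlite3

# The payload from the write-up, with plain ASCII quotes.
PAYLOAD = "1' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")  # constructed
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Interpolates user input straight into the SQL text (the bug)."""
    return (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated query; quotes in the input become SQL syntax."""
    (count,) = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the quote characters stay data."""
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("admin", PAYLOAD))
    print("vulnerable, payload in password field:", login_vulnerable(db, "admin", PAYLOAD))
    print("vulnerable, payload in username only: ", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterised, payload in password:   ", login_safe(db, "admin", PAYLOAD))
```

Run it and compare the three results: the payload in the password field produces "password='1' or '1'='1'", which is true for every row, while the same payload in the username alone is swallowed by the AND and fails. The parameterised version never interprets the quotes, so it fails for any password other than the real one.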

That was manual SQL injection. Let's confirm it with sqlmap.

SQLmap

sqlmap confirms the injection and generates the payload for us.

Reverse Shell

After logging in there is another field that runs a ping command. Testing it for injection again, a simple semicolon (;) is enough to break out. This one is OS command injection rather than SQLi: the input is handed to a shell, so the semicolon ends the ping command and whatever follows it runs as a second command, with the privileges of the web server.

So this is what I did.

And I ran nc -lvp 1337 on my machine to catch the reverse shell. Start the listener before submitting the injected ping request, and keep in mind that the shell you get back runs as the web server's user, not as root.
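The following is an added example (not code from the write-up or from the Kioptrix VM) that reproduces the ping-field bug offline and puts the fixed handler next to it. It assumes the vulnerable page does something equivalent to building "ping -c 1 <input>" as a string and running it through a shell; the ping flags and the injected "echo INJECTED" marker are stand-ins for whatever the real page runs and whatever you would put after the semicolon (for the reverse shell, that is the command that connects back to your nc listener).

```python
"""Ping-field command injection, reproduced offline (added example, not from the write-up).

ASSUMPTION: the vulnerable handler concatenates user input into a shell command
line of the form  ping -c 1 <input>  and runs it via sh -c. The '-W 1' timeout is
added here only so the example returns quickly.
"""
import ipaddress
import subprocess


def ping_vulnerable(target: str) -> str:
    """Concatenate user input into a shell command line (the bug).

    Because the string goes through sh -c, a ';' in the input ends the ping
    command and everything after it runs as a second command.
    """
    cmd = f"ping -c 1 -W 1 {target}"
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=20)
    return proc.stdout


def validate_target(target: str) -> bool:
    """Accept only a bare IPv4/IPv6 address, nothing else.

    ipaddress.ip_address() rejects '127.0.0.1; echo INJECTED', hostnames,
    whitespace and anything with shell metacharacters.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def ping_safe(target: str) -> str:
    """Validate first, then pass the address as a single argv element.

    No shell is involved, so even a metacharacter that slipped past validation
    would be handed to ping as a literal argument rather than interpreted.
    """
    if not validate_target(target):
        raise ValueError(f"refusing target {target!r}: not an IP address")
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", "1", target],
        capture_output=True, text=True, timeout=20,
    )
    return proc.stdout


if __name__ == "__main__":
    injected = "127.0.0.1; echo INJECTED"   # constructed: marker stands in for a reverse shell
    print("vulnerable handler output:")
    print(ping_vulnerable(injected))
    print("validated handler accepts 127.0.0.1:", validate_target("127.0.0.1"))
    print("validated handler accepts injected :", validate_target(injected))
```

Running it shows "INJECTED" in the output of the vulnerable handler whether or not ping itself succeeds, which is exactly the property the attack relies on: the second command runs regardless of what the first one does. The fix is the combination of strict validation and an argv list; either one alone is weaker than both together.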

Now we’re going after root access.

Root

Running the LinEnum.sh script didn't turn up anything interesting, but take a look at the kernel version: there are public exploits for that kernel.


After some Google searching I found that this exploit might work, so I gave it a try, and it actually worked.


https://www.exploit-db.com/exploits/9545/ (the sock_sendpage() local privilege escalation for Linux 2.4/2.6 kernels). It is C source, so it has to be compiled: check whether the target has gcc, and if not build it on a box with a matching kernel and libc before copying the binary over.