OSCP Series: Kioptrix Level 2

Another day, another challenge.

In today’s post we’re going to solve Kioptrix Level 2.

Let’s get started.

After booting the machine, we see the following:


This screen is very similar to level 1 click HERE if you missed that.

Let’s begin.

First, let’s enumerate using nmap, with the command nmap -sV <IP_ADDRESS>. In my case it will be nmap -sV

Below is the screenshot I have:


We have a number of ports open. Let’s look at port 80 (http) and see what we can find.

Going to http://<IP_ADDRESS> (substitute IP_ADDRESS with your IP address)

We see the following screen:


A login screen… let’s see if we can do an authentication bypass by doing a SQL injection.


Entering the username of admin and password of ‘ OR ‘1’=’1′–

Success! We were able to complete an authentication bypass. Now we’re presented with a web console to ping a machine. So let’s ping.Kioptrix_webpage_console_Level2

Entering our IP address and pressing the submit button we see that the web page pings our machine.



Let’s see if we can complete one or more commands in succession. This vulnerability is called command injection, as the attacker can enter arbitrary commands to read and write to the server.



We see this application is vulnerable to command injection as we were able to ping our machine and list the contents on the server.

Let’s see if we can use the command injection vulnerability to get a remote shell.

Going to Google and typing in “remote shell commands” the following screenshot is from the first result.


As you can see this web page lists different ways to gain a remote shell a server. Let’s use the first command, and see this will be successful for us.

First we need to get our IP address.

Entering the command in a terminal ifconfig we will get our IP address, which is what we need for our remote shell.

The below screenshot is mine:


The next two steps need to be completed at the same time.

Going back to the web console, we’re going to enter the above remote shell command, changing our IP address, to the IP address from our ifconfig command. As well as change our port to the port listed in our netcat command (note the port can be anything, I just picked 4444 as it’s easier for me. It could be 1234, 2222, etc.)


Now we need to start a listener, the below screenshot is used with netcat


After pressing the submit button from the web console, we have the following screenshot – our remote shell worked! we see that we’re connected ( is the Kioptrix machine and is my machine). You’ll notice that when we list the directory it matches the above screenshot from the command injection inside the web console.

Continuing on let’s see the server version we’re running. See screenshot below.Kioptrix_webpage_uname_Level2

Opening a new terminal, let’s go to searchsploit and see how many exploits we can find for this version.Kioptrix_webpage_searchsploit_1_Level2Kioptrix_webpage_searchsploit_2_Level2Kioptrix_webpage_searchsploit_3_Level2Kioptrix_webpage_searchsploit_4_Level2Kioptrix_webpage_searchsploit_5_Level2Kioptrix_webpage_searchsploit_6_Level2

There are A LOT of exploits, as I was pretty lax on the search results. Let’s use exploit 9545.c as it lists the version number and it also use CentOS (which we saw during the enumeration phase) exploit.

Let’s copy the exploit to the current directory – see screenshot below.


Since we’re working with a web server, we need to move our exploit to the Apache folder and start Apache. See screenshots below.


Now let’s try to download our exploit. The first time doesn’t work as one we didn’t specify the file, and we get a permission denied – screenshot below.


Let’s try to change the directory to the /tmp folder and see if we can download our exploit.Kioptrix_download_file_success_Level2

We were successful! Our exploit was downloaded.

Let’s compile our exploit, and give it the name of exploit. See screenshot below.Kioptrix_compiling_exploit_Level2

Running the exploit and entering the whoami command we’re now root. W00t! Kioptrix_whoami_root_Level2

Let’s see if we’re truly root – let’s read the /etc/shadow by entering the following command cat /etc/shadowKioptrix_etc_shadow_Level2Kioptrix_etc_shadow_2_Level2

We’re able to view the /etc/shadow file, which means we’re truly root.


OverTheWire: Natas Level 2 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going to solve level 2 from the Natas wargame.

Let’s begin.

Going to the following link we see:


We’ve acquired the password for level 2 from the level 1 challenge (screenshot below):


Entering the username of “natas2” and password from the above screenshot we see the following:


Nothing on the page, eh… I don’t believe that.

Let’s try, right click view source and see what we get.


We notice there’s an image source of a pixel.

Clicking this link we see:


It truly is just a pixel. What if we remove the “pixel.png”? Maybe there are other files on the system. Let’s try it.

Removing the “pixel.png” and pressing Enter we see:


We see an extra file – users.txt. I wonder what’s in it.

Clicking users.txt, we noticed that it lists the different username and passwords. The one we want is the fourth row – natas3. We’ve found natas3 password!