Kioptrix Level 2

Kioptrix Level 2 is a little more complicated than Level 1, as you might have guessed.

$ netdiscover -i eth1
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.2.1        0a:00:27:00:00:00      1     60  Unknown vendor        
 10.0.2.2        08:00:27:35:b3:5d      1     60  PCS Systemtechnik GmbH   
 10.0.2.3        0a:00:27:00:00:00      1     60  Unknown vendor           
 10.0.2.7        08:00:27:54:d2:b2      1     60  PCS Systemtechnik GmbH

Run nmap as usual, but port 80 serves a login form, which loads in Firefox, so it is worth checking that first. Use Burp Suite together with Firefox and the FoxyProxy extension configured to proxy through Burp.

With FoxyProxy switched to the Burp profile and Intercept turned on in Burp, go back to Firefox, enter something like “admin” as the username and “test” as the password, and press Enter. In Burp we will see this:

...

Kioptrix Level 1

After you find the vulnerabilities in Kioptrix Level 1, the path to root should follow quickly. Here are two methods to root the machine: remote code execution, and a remote buffer overflow in Samba (trans2open).

Get the IP address:

$ netdiscover -r 10.0.2.1/24                            
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.3        08:00:27:1f:b8:8b      1      60  PCS Systemtechnik GmbH
 10.0.2.11       08:00:27:a8:3b:ba      1      60  PCS Systemtechnik GmbH
$ ping -c 1 10.0.2.11 
PING 10.0.2.11 (10.0.2.11) 56(84) bytes of data.
64 bytes from 10.0.2.11: icmp_seq=1 ttl=255 time=2.15 ms
--- 10.0.2.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.154/2.154/2.154/0.000 ms
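As an added example (not part of the original write-up), here is a small POSIX shell helper that narrows netdiscover output down to the VirtualBox guests (OUI 08:00:27, the "PCS Systemtechnik GmbH" entries) other than your own attacker VM, so the surviving address can be fed straight into ping and nmap. The netdiscover listing inside the script is constructed from the layout shown above, not a live capture; the interface name eth1, the attacker address 10.0.2.3 and the 10.0.2.0/24 range are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): pick likely lab targets out of
# netdiscover output before scanning with nmap.
#
# VirtualBox guests carry the OUI 08:00:27 in their MAC address, whereas the
# 52:54:00 / 0a:00:27 entries belong to the NAT and host-only infrastructure.
# Dropping our own attacker VM from that set leaves the Kioptrix box.

# Constructed sample in the layout netdiscover prints (not a live capture).
SAMPLE_NETDISCOVER=' Currently scanning: Finished!   |   Screen View: Unique Hosts
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.3        08:00:27:1f:b8:8b      1      60  PCS Systemtechnik GmbH
 10.0.2.11       08:00:27:a8:3b:ba      1      60  PCS Systemtechnik GmbH'

# vbox_candidates OWN_IP   (reads netdiscover output on stdin)
# Prints every IPv4 address whose MAC starts with 08:00:27, except OWN_IP.
vbox_candidates() {
  awk -v self="$1" '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
    tolower($2) ~ /^08:00:27:/ &&
    $1 != self { print $1 }
  '
}

# first_target OWN_IP   (reads netdiscover output on stdin)
# Prints the first candidate; returns 1 when nothing matched so a caller
# chained with && does not go on to scan an empty string.
first_target() {
  t=$(vbox_candidates "$1" | head -n 1)
  [ -n "$t" ] || return 1
  printf '%s\n' "$t"
}

# Stand-alone demo on the constructed sample; assumes our attacker VM is 10.0.2.3.
printf '%s\n' "$SAMPLE_NETDISCOVER" | vbox_candidates 10.0.2.3   # prints 10.0.2.11

# Live use (assumed: interface eth1, sudo rights, netdiscover's -P parseable mode):
#   me=$(ip -4 -o addr show dev eth1 | awk '{print $4}' | cut -d/ -f1)
#   target=$(sudo netdiscover -r 10.0.2.0/24 -P | first_target "$me") \
#     && ping -c 1 "$target" && nmap -sV -p- "$target"
```

The OUI filter is a lab convenience, not an identification method: on a shared network several guests will match, so always confirm the candidate with ping and a service scan, as the write-up does, before treating it as the target.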

Scan with nmap:

...