We completed the first level of the Kioptrix challenge. Now we move on to the next level. The link for Kioptrix Level 2 is https://www.vulnhub.com/entry/kioptrix-level-11-2,23/, where you will find the updated version of Kioptrix Level 2. For the installation and basic troubleshooting, please refer to the previous posts.
Note: We can use the Linux commands inside msfconsole as well. Therefore, you might see the msf6 prompt on my machine, which I have run as the root user. However, you can run those commands in your own terminal.
As we know by now, the first step is to gather as much information as we can. We can use tools like recon-ng, etc. to do the job. In this blog post, I will be using some of them. First, let's get the IP addresses of the attacker machine and the target machine. In our case, since both virtual machines use NAT, they are on the same network.
Let’s get our attacker’s IP address and network ID by the command
So, from the screenshot above, we have identified the CIDR range as 192.168.19.0/24, which we will use next to find the other live hosts on the network. To learn about CIDR ranges and subnetting, visit this link: How to subnet a network?
Now, let's find the other live hosts with the command fping -aqg 192.168.19.0/24.
After that, let's run nmap to identify the services running on the target machine with the command nmap -v -p- -A 192.168.19.130.
From the Nmap results, we know that an Apache web server, version 2.0.52, is running on CentOS. We also identified a MySQL database, which suggests there is a working website behind the web server. Likewise, there is a CUPS service running, which is the printing service.
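As an added example (not part of the original post), here is a small Python parser for nmap's normal output that pulls the open ports and version strings into a structure and flags the services that matter for the rest of the assessment. The sample output is constructed to match the services described above; it is not a real capture from the box.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of nmap's normal (-oN / stdout) output for the scan above.
# Values are illustrative, not a real capture of the target.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.19.130
Host is up (0.00042s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
Service Info: OS: Unix
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# What the presence of each service implies for the next steps of the assessment.
INTEREST = {
    "http": "web server: look for an application and its login page",
    "ssl/http": "web server over TLS: same as http",
    "mysql": "database: a web application may be backed by it",
    "ipp": "CUPS printing service",
}

def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Return one dict per port line found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, banner or summary line, not a port entry
        port, proto, state, service, version = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "version": (version or "").strip()})
    return ports

def summarize(ports: List[Dict[str, object]]) -> List[Tuple[int, str, str, str]]:
    """Keep only open ports whose service is in INTEREST, with a note for each."""
    return [(p["port"], p["service"], p["version"], INTEREST[p["service"]])
            for p in ports if p["state"] == "open" and p["service"] in INTEREST]

def apache_version(ports: List[Dict[str, object]]) -> Optional[str]:
    """Extract the Apache httpd version string, if nmap reported one."""
    for p in ports:
        m = re.search(r"Apache httpd (\d+(?:\.\d+)+)", p["version"])
        if m:
            return m.group(1)
    return None
```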
So, this level of Kioptrix might have a vulnerability in the website. Let's visit the website and see if we can find anything.
Here, we found that this website is meant for the system administrator to log in. We can guess that a system administrator will run some system-level commands after logging into the website. Since we have identified the OS of the target machine, we can be fairly confident that if we are somehow able to log into the website, we might get access to a shell on the target machine, but we are not sure yet.
In the next blog post, we will try to bypass the authentication and log into the website.