VulnHub — Kioptrix: Level 2


Download the Kioptrix VM from and use RAR to expand the compressed file. Since my Host machine is Linux (Ubuntu 16.04), I launched VMWare Player and selected the updated “Kioptrix Level 2.vmx” file.

Exploiting SQL Injection:

After completing the initial information gathering, I decided to explore the Kioptrix Apache server by connecting to the web site via a web browser.

Exploiting OS Command Injection:

Since the Ping utility script works, the next step is to determine if the code is vulnerable to command injection.

· bash -i>&: invoke bash with an interactive option

· /dev/tcp/ redirect the session with the /dev/tcp device file

· 0>&1: use the standard output and redirect it to the standard input

Exploiting Privilege Escalation:

Continuing with the reverse shell, I needed to gather additional information about the Kioptrix system. So, I issued the command cat /etc/*-release to determine the OS version.

Exploiting MySQL:

I realize that this section is a bit of a rabbit hole. However, I am using this opportunity to explore and learn as much as I can versus rooting and moving forward.

Exploiting CUPS:

In researching vulnerabilities for CUPS 1.1, I did not find any useful exploits in attempting to root the Kioptrix system.

Capturing the Flag:

The VulnHub site notes stated that the flag is in a text file. However, I was not able to locate the flag using the find command.


While in a shell, it is a good practice to capture the /etc/passwd and /etc/shadow files for later use with a password cracker.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store