Dirtycow Gone Awry

by Vince

Next up in the Kioptrix series is Kioptrix 1.2 (#3), the third in the group, which gets even more confusing with #4 and #5 being referenced as 4 in their downloads, but I digress. I think something is wrong with the image because I was expecting LFI from the vulnerabilities I found, but LFI didn't work. I ended up going a different route than what I think was the point of this lesson. I just wanted to pop the box, be done with it, and move on to the next one -- hoping that it was just a one-off problem.

After I rooted the box, I found some creds and a setuid binary, and I think that was my route after getting in through LFI, but I'd already popped the box, it seemed like things were messed up, and there are more to conquer.

A quick recap.

Scanning with Nmap:





Scanning with Nikto:




We've got a web port open and phpMyAdmin to whack at.

First, let's check out the web port:





Checking out the login page:





Going with the Metasploit avenue:





Setting up the handler, catching the shell, enumerating the OS:





Ubuntu 8.04 is vulnerable to the DirtyCow exploit:





I popped this box twice using the same route. In my first attempt, I set up like I normally set up, with the ssh session ready to go in another window and the unstable fix already copied into memory. Upon executing the exploit, I attempted to ssh into the box and I was unable to connect. I've done this a million times, so definitely not my first rodeo. I don't know why, it just didn't let me in.

Thinking quickly because I know that my time is running out before the server crashes, I backgrounded my meterpreter session, and I re-ran the low privilege shell exploit to get another session. From there, I su to my user and I hit it with the unstable fix. First time that's ever happened. The whole box was wonky, so I'll just move on.