Kioptrix: Level 1 (#1) walkthrough

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more than one way to successfully complete the challenges.

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/


Enumeration

1. Get the IP of the target machine.

Finding my vulnerable machine using netdiscover.

2. All-time favourite — Nmap

sudo nmap -p- -T4 -A 192.168.103.142

We can see the following services:

  • 22 ssh
  • 80 http
  • 111 rpcbind
  • 139 netbios
  • 443 https

It’s time to dig deeper. ;p


More Enumeration 🕵️‍♂️

1. SSH

The SSH server reports version 2.9p2, so the only thing worth doing here is user enumeration.

2. HTTP + HTTPS

Apache 1.3.20 🎃

The server banner shows Apache 1.3.20 with mod_ssl 2.8.4 on Red Hat Linux.

3. RPCBIND

A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111.
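Since the stated purpose of these boxes is to learn basic vulnerability assessment, here is an added example (written for this walkthrough, not code from the original post) that turns the enumeration results above into findings: it parses `nmap -sV` style service lines and flags any product version below a minimum-version policy. The nmap lines are constructed to match the ports and versions quoted above, and the MIN_SUPPORTED table is an illustrative policy I made up for the example, not a vulnerability database.

```python
"""Flag outdated service banners in nmap -sV style output.

Added example for this walkthrough (not from the original post). The nmap
lines are constructed to match the services the scan found; the policy
table is illustrative, not a vulnerability database.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


class Service(NamedTuple):
    port: int
    proto: str
    name: str
    banner: str  # nmap's VERSION column, may be empty


# Constructed sample shaped like `nmap -sV` normal output for the five ports
# the walkthrough reports, using the version strings quoted in the post.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 2.9p2
80/tcp  open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4)
111/tcp open  rpcbind
139/tcp open  netbios-ssn
443/tcp open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4
"""

# Constructed policy: the lowest version of each product we still accept.
# Anything below these is reported as a finding.
MIN_SUPPORTED: Dict[str, Version] = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4),
    "mod_ssl": (3, 0),  # i.e. no separate Apache 1.3-era mod_ssl add-on at all
}

# "22/tcp  open  ssh  OpenSSH 2.9p2" -> port, proto, service name, banner.
# Only `open` ports are kept; filtered/closed lines are ignored.
SERVICE_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Product names nmap commonly prints, followed by a dotted version.
# The optional " httpd" covers "Apache httpd 1.3.20" as well as "Apache/1.3.20".
# Suffixes such as the "p2" in "2.9p2" (OpenSSH portable release) are not part
# of the numeric comparison and are deliberately left out.
PRODUCT_VERSION = re.compile(
    r"\b(OpenSSH|Apache|mod_ssl)(?: httpd)?[ /](\d+(?:\.\d+)+)"
)


def parse_version(text: str) -> Version:
    """'1.3.20' -> (1, 3, 20); tuples compare element-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def fmt_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_nmap_services(text: str) -> List[Service]:
    """Extract open services from nmap normal-output lines."""
    services: List[Service] = []
    for line in text.splitlines():
        match = SERVICE_LINE.match(line.strip())
        if match:
            port, proto, name, banner = match.groups()
            services.append(Service(int(port), proto, name, banner.strip()))
    return services


def extract_products(banner: str) -> List[Tuple[str, Version]]:
    """Pull every (product, version) pair out of one banner string."""
    return [
        (m.group(1), parse_version(m.group(2)))
        for m in PRODUCT_VERSION.finditer(banner)
    ]


def flag_outdated(
    services: List[Service], policy: Dict[str, Version] = MIN_SUPPORTED
) -> List[str]:
    """Return one finding line per product version that is below policy."""
    findings: List[str] = []
    for svc in services:
        for product, version in extract_products(svc.banner):
            minimum = policy.get(product)
            if minimum is not None and version < minimum:
                findings.append(
                    f"{svc.port}/{svc.proto} {product} "
                    f"{fmt_version(version)} < {fmt_version(minimum)}"
                )
    return findings


if __name__ == "__main__":
    for finding in flag_outdated(parse_nmap_services(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

Running the script against the constructed scan prints five findings: one for OpenSSH on 22/tcp and two each (Apache and mod_ssl) for 80/tcp and 443/tcp; the rpcbind and netbios lines carry no version string and so produce nothing, which is a reminder that banner-based assessment only covers what the scanner could fingerprint.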

Searching for an Exploit

Searchsploit output

Let me decode the command — searchsploit apache 1.3.20 | grep remote | grep -v windows

This asks searchsploit for the entries that apply to Apache 1.3.20, keeps only those marked “remote” (we are attacking the machine over the network), and drops anything mentioning Windows, since we already know the target runs Linux.

We also know that the mod_ssl module is installed in this Apache server, so the OpenFu🤫 exploit is a likely candidate.


Exploiting

Here comes the most fun part…👨‍🎤

We can now compile the exploit code locally and try to run it.

1. Get the exploit file into my working directory and make the needed changes👽.

Change 192.168.103.178:8000 to your <ip>:<port>.

2. Compile it

  • Requirements: libssl-dev (apt-get install libssl-dev)
  • Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto

3. Get the parameters for the executable.

  • box = 192.168.103.142
  • port = 443
  • target = 0x6a or 0x6b

4. Execute

Failed…😢

Let me try with 0x6b

Got into the system…🥳


“Supreme excellence consists of breaking the enemy’s resistance without fighting.”
Sun Tzu, The Art of War