Kioptrix 1 VulnHub VM Walkthrough
I started this box with a netdiscover scan and found the IP was 192.168.0.130.
netdiscover -r 192.168.0.0/24
Then ran an nmap scan and discovered some open ports
nmap -sV -Pn -vv -T4 -A -p- 192.168.0.130 --script=auth,brute,discovery,exploit,vuln -oN 192.168.0.130_nmap.scan
Apache version, some OS info and mod_ssl/openssl version
An open RPC port
NetBIOS and https
I continued my enumeration by running dirb against the webserver
I found a site, the Multi-Router Traffic Grapher. I looked up associated vulnerabilities, but didn’t find much 🙁
A Nikto scan picked up a few Apache and OpenSSL vulnerabilities
nikto -h http://192.168.0.130/
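Added example (not part of the original walkthrough): from the defender's side, the Server banner that nmap and Nikto report can be audited across hosts for outdated mod_ssl/OpenSSL components. The thresholds, host labels and banners below are constructed for illustration.

```python
import re

# Constructed thresholds for this example (assumptions): replace them with the
# fixed-in versions from the advisories you track.
MINIMUMS = {"mod_ssl": "2.8.7", "OpenSSL": "0.9.6e"}
TOKEN = re.compile(r"([A-Za-z_][\w-]*)/(\d[\w.]*)")


def version_key(version):
    """Turn '0.9.6b' into a sortable tuple: ((0, ''), (9, ''), (6, 'b'))."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1) or 0), m.group(2)))
    return tuple(key)


def parse_banner(banner):
    """Return {product: version} from a Server header, ignoring (comments)."""
    without_comments = re.sub(r"\([^)]*\)", " ", banner)
    return dict(TOKEN.findall(without_comments))


def audit_banner(banner, minimums=MINIMUMS):
    """Classify each tracked component as 'outdated', 'ok' or 'unknown'."""
    found = parse_banner(banner)
    report = {}
    for product, minimum in minimums.items():
        version = found.get(product)
        if version is None:
            # A hidden version is not evidence of a patch; check the host itself.
            report[product] = "unknown"
        elif version_key(version) < version_key(minimum):
            report[product] = "outdated"
        else:
            report[product] = "ok"
    return report


# Constructed sample banners, keyed by a hypothetical host label.
SAMPLE = {
    "web-a": "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "web-b": "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "web-c": "Apache",
}

if __name__ == "__main__":
    for host, banner in SAMPLE.items():
        print(host, audit_banner(banner))
```

Banner versions are a triage signal only: distributions backport fixes without changing the version string, so confirm against the installed package before closing or escalating a finding.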
I searched for possible exploits in Google and found a couple.
I tried the second entry, openssl-scanner. The host came back as vulnerable!
This is a great tool if you have to scan an entire network quickly for this openssl exploit
I could use openssl-too-open and escalate privileges manually, but OpenFuck should do this for us 🙂
We execute openfuck with no options to find our OS/apache version
We have to use 0x6b for the exploit to work, and chose 40 connections because the exploit doesn’t always take right away. After we connected to a shell, openfuck downloads, compiles and executes ptrace-kmod to attempt privilege escalation to root. In our case it worked!
After getting root, I looked around the box for anything interesting… I noticed some files in /var/mail/ for a couple users on the box
After cding to the dir, I found a file named “root” which congratulated me for rooting the Vulnerable VM!