Kioptrix 1 VulnHub VM Walkthrough

I started with box with a netdiscover scan, found the IP was 192.168.0.130

netdiscover -r 192.168.0.0/24

Then ran an nmap scan and discovered some open ports

nmap -sV -Pn -vv -T4 -A -p- 192.168.0.130 –script=auth,brute,discovery,exploit,vuln -oN 192.168.0.130_nmap.scan

SSH version

Apache version, some OS info and mod_ssl/openssl version

An open rcp port

NetBIOS and https

I continued my enumeration by running dirb against the webserver

dirbuster

I found a site, the Multi-Router Traffic Grapher. I looked up associated vulnerabilities, but didn’t find much 🙁

A Nikto scan picked up a few Apache and OpenSSL vulnerabilities

nikto -h http://192.168.0.130/

I searched for possible exploits in google and found a couple

I tried the second entry, openssl-scanner. The host came back as vulnerable!

This is a great tool if you have to scan an entire network quickly for this openssl exploit
I could use openssl-too-open and escalate privileges manually, but OpenFuck should do this for us 🙂

We execute openfuck with no options to find our OS/apache version

We have to use 0x6b for the exploit to work, and chose 40 connection because the exploit doesn’t always take right away. After we connected to a shell, openfuck downloads, compiles and executes ptrace-kmod to attempt privilege escalation to root. In our case it worked!

After getting root, I looked around the box for anything interesting… I noticed some files in /var/mail/ for a couple users on the box

After cding to the dir, I found a file named”root” which congratulated me for rooting the Vulnerable VM!