Kioptrix 1 – First up

Diving in, my hope is to run through some of these Vulnhub instances and practice enumeration, exploitation (of course), and documentation. The goal is to begin the OSCP course in about a month, coinciding with graduation time. In the meantime I also want to develop some proto-scripts for scripting enumeration, so the focus on enumeration for me. And we’re starting with Kioptrix 1.

First off, netdiscover, match the MAC to the MAC in the ESXi settings, acquire IP

And then nmap. Keeping it simple, just an -sV.

Got some services and right off the bat we have some candidates. But let’s flesh it out and do some nikto:

I followed this up with a bunch of nmap scans that I won’t bother postiing pictures of. Basically, enumeration scripts, including http-enum and a few smb-enum-* scripts. None really gave much information.

Nikto showed us a few directories and two accessible webpages, one the default Apache webpage and one a php page named test.php that doesn’t appear to do much. Looking at rpcbind, I checked out a suggestion found online to look for rpcinfo and check for mounts. No joy, but a worthwhile effort:

After that we look at our candidates from the scans. First we have the Apache version. We also have OpenSSH, which we won’t really talk about since there does not seem to be a publicly available exploit for this version. Next we have port 139, which means netbios, which means Samba most likely. We’ll use enum4linux to pull some more info there:

It’s a lot of text, but if you dig in there you’ll find that we are dealing with Samba 2.2.1a. And exploit-db has a lot to say about our Samba version. I pulled the exploit from that link and compiled (gcc -o samba_sploit 10.c) and it ran without a hitch.

Apache is a little more intense. The code on exploit-db doesn’t compile as is. Luckily an industrious young hacker has provided steps for updating the code, however you’ll find that it still won’t compile, complaining a lot about SSL2. Turns out you will need to install libssl1.0-dev (look in the comments) as well, and it then compiled nicely.

Running OpenFuck -h you get a long list of potential targets. Look for our Apache versions on the list (ignore the OS versions) and try them one by one. Process of elimination yields us this:

Nicely. Lessons learned: don’t give up if the exploit isn’t working, took a while to find the answer on the Apache vuln here. Also wish I had done a better job documenting. My intent is to get to the point that I am doing it in the OSCP format so I’ll be ready. Next up: Kioptrix 2.