Tuesday, 7 February 2017

Kioptrix Level 1 (Via Web Vuln)

I have been absent from this blog for a while now.  This is mainly due to the festivities, family and work. Now everything has calmed down, I can start "playing" again.  I decided to ease back into things with the Kioptrix series from Vulnhub.  This series is aimed to be easy and to be honest the first one was, "however" I ended up looking way to deep and not thinking simple!!

So first things first.

Let's start by using Netdiscover to see what IP the VM is on:

Netdiscover shows .132 is my IP of choice.

I'll NMap ports 1-65535 this IP using grep to show open ports, I do this to get a cleaner output than just running NMap:

Now I have something to play withI'll check out ports 80 & 443 first:

Port 80 & 443 give an apache test page.  I'll try dirb to see if anything is hidden.

Nope, there's nothing there.  I'll see if it's vulnerable in someway by using Nikto.

It's time to start reading.

After sifting through the various vulnerabilities that Nikto had found, I came across this exploit:

Open Fuck

What a charming name!!!

This exploit gave me an absolute headache.  As I am using Kali 2 rolling, the version of SSL is higher than that of the exploit.  So after a lot of digging and faffing, I managed to get it working.  Here's how I did it:

apt-get install libssl1.0-dev

This installs the older version of the SSL library. Once this was installed I could compile the exploit.

wget https://www.exploit-db.com/download/764

Once the exploit had downloaded, there was still work to do, I followed the guide here Exploit Update to update the file.

I then compiled the exploit:

gcc -o pwn 764 -lcrypto

This gave me my executable exploit to run. This exploit needed parameters in order to run correctly namely:

I needed to run 

./pwn <the os type> <ip> -c <open connections>

I ran:

./ pwn 0x6b -c 40


I am....


There is another way to get (G)root via SMB so sit tight for round 2!!

No comments:

Post a Comment