Kioptrix 1: Write-up

This post contains the steps to get a root shell with Kioptrix level 1 VM

This VM can he found here. Have a look to find even more VMs

Host discovery

First, we need to discover where the machine is on our network. To do so, let’s use Nmap:

nmap -sP 


After getting the IP address, we need to do some fingerprinting.

nmap -sV

Fig. Nmap scan result

As I saw it in the scan report, I decided to scan on the port 80 and 443 with DirBuster and Nikto.

Here are the reports :

Fig. DirBuster Report on the port 80

Fig. Nikto report on ports 80 (HTTP) and 443 (HTTPS)

There was no vulnerable web application or any interesting file. However, the Apache version is vulnerable..

Exploitation with Apache OpenSSL Exploit

Thanks to Nmap result, I saw that the Apache version was vulnerable: Apache 1.3.20. Then, I decided to look on the internet and I found this expoit: Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuckV2.c)

I had issues with this exploit because it’s quite an old one and the instructions were outdated. You can follow the instructions here to update the exploit and run it on your computer. (Tested on Kali Linux).

We had information on the box and I did a grep to see what OS were vulnerable to Apache 1.3.20 :

Fig. Selecting the option (depending on the OS) for the exploit

Then, I tried the exploit :

Fig. Using OpenFuck Exploit after multiple attempts

Interesting files

We got the root shell and that was the goal of this VM. Then, you can do everything like get content of /etc/shadow.

Fig. Shadow file on the vulnerable server

Hope you liked it ! Cheers.

ps: I’ll add exploitation using Samba in the next few days. Keep tuned !

Copyright © 2017 - Paul A. (PaulSec). Powered by Octopress