This post contains the steps to get a root shell on the Kioptrix Level 1 VM.
This VM can be found here. Have a look around to find even more VMs.
Host discovery
First, we need to discover where the machine is on our network. To do so, let’s use Nmap:
nmap -sP 192.168.1.1/24
Fingerprinting
After getting the IP address, we need to do some fingerprinting.
nmap -sV 192.168.1.2
Fig. Nmap scan result
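The host discovery and fingerprinting steps above produce a service/version list that is mostly read by eye. As an added example (not part of the original post or the Kioptrix VM), the Python script below parses `nmap -sV` normal output and flags services whose banner shows an end-of-life branch, the way a defender doing an exposure check would. The sample scan output is constructed (the Apache 1.3.20 lines on ports 80 and 443 mirror the post's finding; the other lines are filler), and the EOL/minimum-version policy is an assumption made for this script, not something the post states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `nmap -sV` normal output. The Apache httpd 1.3.20 lines
# mirror what the post's scan found on ports 80 and 443; the other lines are
# made-up filler so the classifier sees more than one service kind, including
# one with no version banner at all.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.2
Host is up (0.00042s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux))
139/tcp  open  netbios-ssn Samba smbd
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux))
8080/tcp open  http-proxy
"""

# Example policy (an assumption for this script): product name as nmap prints
# it -> (major, minor) branches that are end-of-life. Apache 1.3, 2.0 and 2.2
# are all EOL upstream; only the 2.4 branch is maintained.
EOL_BRANCHES: Dict[str, set] = {
    "Apache httpd": {(1, 3), (2, 0), (2, 2)},
}

# Example policy (assumption): versions below this floor get a review flag.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {
    "OpenSSH": (7, 4),  # placeholder floor chosen for the example
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_NUM = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version out of an nmap VERSION column."""
    m = VERSION_NUM.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def parse_nmap(output: str) -> List[dict]:
    """Turn `nmap -sV` normal output into one record per open port."""
    records = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue
        port, proto, _state, service, version = m.groups()
        records.append({"port": int(port), "proto": proto,
                        "service": service, "version": version.strip()})
    return records


def product_of(version: str) -> Optional[str]:
    """Match the VERSION column to a product we have a policy for."""
    for name in list(EOL_BRANCHES) + list(MIN_VERSION):
        if version.startswith(name):
            return name
    return None


def assess(record: dict) -> str:
    """Return 'eol', 'below-floor', 'ok' or 'unknown' for one open port."""
    product = product_of(record["version"])
    ver = parse_version(record["version"])
    if product is None or ver is None:
        # No banner, or a product with no rule: needs manual review
        return "unknown"
    if ver[:2] in EOL_BRANCHES.get(product, set()):
        return "eol"
    if product in MIN_VERSION and ver < MIN_VERSION[product]:
        return "below-floor"
    return "ok"


def triage(output: str) -> Dict[int, str]:
    """Map each open port in the scan output to its assessment."""
    return {r["port"]: assess(r) for r in parse_nmap(output)}


if __name__ == "__main__":
    for port, status in triage(SAMPLE_NMAP_OUTPUT).items():
        print(f"{port:>5}  {status}")
```

Ports that come back as `unknown` (no banner, or a product the policy does not cover) are the ones still worth a manual look; the script deliberately does not guess a version where nmap printed none.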
Based on what I saw in the scan report, I decided to scan ports 80 and 443 with DirBuster and Nikto.
Here are the reports:
Fig. DirBuster Report on the port 80
Fig. Nikto report on ports 80 (HTTP) and 443 (HTTPS)
There was no vulnerable web application or any interesting file. However, the Apache version itself is vulnerable.
Exploitation with Apache OpenSSL Exploit
Thanks to the Nmap result, I saw that the Apache version was vulnerable: Apache 1.3.20. I then looked on the internet and found this exploit: Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)
I had issues with this exploit because it's quite old and its instructions were outdated. You can follow the instructions here to update the exploit and run it on your computer (tested on Kali Linux).
We had information on the box, and I did a grep to see which OS versions were vulnerable with Apache 1.3.20:
Fig. Selecting the option (depending on the OS) for the exploit
Then, I tried the exploit:
Fig. Using OpenFuck Exploit after multiple attempts
Interesting files
We got the root shell and that was the goal of this VM.
Then, you can do anything, such as getting the contents of /etc/shadow.
Fig. Shadow file on the vulnerable server
Hope you liked it! Cheers.
PS: I'll add exploitation using Samba in the next few days. Stay tuned!