VulnHub: Kioptrix Level 1

Kioptrix Level 1 is one of the easiest machines on VulnHub. It is usually the machine with which a large number of people get started on their OSCP preparation.

Solving this machine is really easy.

Initial Enumeration

The first thing we must do is start an nmap scan to check the services running on the machine and, meanwhile, check whether a website is hosted by accessing the IP address in a web browser.

All that can be seen is an Apache test page when we access the login page. The nmap results reveal a lot more.

It can be seen that ports 22, 80, 111, 139, 443 and 32768 are open on the machine. As Apache is running on port 80, we can start a directory brute-force scan against the machine to look for hidden directories.

We can go through all the detected directories, but none of them gives any useful information or an entry point to gain access to the machine.

Gaining Foothold

The next thing that we can do is start looking for vulnerabilities related to services running on the machine.

We can see an exploit for OpenSSH 2.9p2, but it does not appear to be easy to exploit. The next thing that we can look for is Apache 1.3.20.

Here, we can see that this version of Apache is vulnerable to OpenFuckV2. So, we can copy that code, compile it and try to gain access to the machine.

We can check if there are any specific instructions for running the script

Here, it has been mentioned that we need to install libssl-dev before running the code.

In case this does not install the requirement, first run the command sudo apt update --fix-missing

Once the requirement is installed, we need to compile the C code

Now, we can run the code simply by entering the command

This returns a list of codes for various Linux versions (and Apache versions), and we need to select the one appropriate for us. We know that the machine is running RedHat and has Apache version 1.3.20. So, from that list we need to select the code for the entry with a similar configuration.

As per our requirements, we can find two codes

So, we can try both one by one.

The one with 0x6a does not appear to work, so we can try the code 0x6b.

And there we get direct access as root!

Some Key Points to Take Away

  1. Always look for vulnerabilities associated with various services running on the machine.
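The same takeaway applies from the defender's side: service banners in a scan of your own hosts should be checked against versions with known public exploits. The following is an added example, not part of the original write-up; the scan text is a constructed sample, the function names are hypothetical, and the watch list contains only the two versions named above.

```python
import re

# Port rows in nmap's normal output: PORT/PROTO  STATE  SERVICE  VERSION
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Watch list built only from the versions named in this write-up.
WATCHLIST = [
    (re.compile(r"\bApache(?: httpd)? 1\.3\.20\b", re.I),
     "Apache 1.3.20: public exploit OpenFuckV2 (Exploit-DB 47080)"),
    (re.compile(r"\bOpenSSH 2\.9p2\b", re.I),
     "OpenSSH 2.9p2: public exploit listed for this version"),
]

def parse_services(nmap_text):
    """Return one dict per open port found in nmap normal output."""
    services = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":  # skip closed/filtered rows
            services.append({"port": int(m.group(1)), "proto": m.group(2),
                             "service": m.group(4), "banner": m.group(5).strip()})
    return services

def flag_outdated(services):
    """Return (port, finding) for every banner that hits the watch list."""
    findings = []
    for svc in services:
        for pattern, note in WATCHLIST:
            if pattern.search(svc["banner"]):
                findings.append((svc["port"], note))
    return findings

# Constructed sample shaped like `nmap -sV` output; not copied from the scan.
SAMPLE_SCAN = """\
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 2.9p2
80/tcp    open   http        Apache httpd 1.3.20
111/tcp   open   rpcbind
139/tcp   open   netbios-ssn
443/tcp   open   ssl/https   Apache httpd 1.3.20
8080/tcp  closed http-proxy
32768/tcp open   status
"""

if __name__ == "__main__":
    for port, note in flag_outdated(parse_services(SAMPLE_SCAN)):
        print(f"port {port}: {note}")
```

Ports without a version banner (111, 139, 32768 in the sample) are parsed but never flagged, so they still need a manual look.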

References

  1. VulnHub — Kioptrix Level 1: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
  2. OpenFuckV2: https://www.exploit-db.com/exploits/47080

Do check out my other work and write-ups at https://github.com/0xNirvana
