Sep 12, 2022

6 min read

VulnHub | Kioptrix Level 1

Hello guys , This is the easiest machine on VulnHub , So i decided to solve it to share knowledge with you and i hope you like my methodology

The machine will learn you how to scanning open ports using Nmap and how to exploit the vulnerable services on these ports to get directly root access on the machine.

Let’s start our journey

My methodology in this machine : (IP info — Mac address — Port scanning — Public Vulnerabilities — Enumeration — Exploitation)

machine link : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

After installing it on your VMware , you need to know the IP of it

You can use nmap with -sP option to know the live hosts

or you can use netdiscover tool which is built-in kali to know the live hosts

sudo netdiscover -r 192.168.1.1/24

The output was

So our IP which hostname called VMware, Inc (192.168.1.104)

so , i created a simple script using bash to grep all the live hosts on my network

#!/bin/bashnmap -sP 192.168.1.1/24 | grep "for" | cut -d " " -f 5

The output was

The machine ip is 192.168.1.104

Scanning using Nmap

Nmap is a great tool which built-in kali , Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications.

sudo nmap -sV 192.168.1.104 -o nmap_scan

The machine has open ports like 22,80,111,139,443,1024

I think that 22,139,443 is the most important ports and so we’ll search about service’s version like openssh , smb , mod_ssl

Navigate to http://192.168.1.104 in your browser

I didn’t find any thing interesting or sensitive, so try to fuzzing directories with tools like (gobuster — ffuf — diresearch)

i used diresearch with this command to grep the successful status code

sudo dirsearch -u 192.168.1.104 --full-url --exclude-status=404,403,401,500

I didn’t find any thing sensitive from these directories

#Enumerating HTTP

I used nikto vulnerability scanning with the help of the following command -> nikto -h http://192.168.1.104

so , i found that the version was vulnerable with CVE-2002–0082

#Exploiting HTTP

After scanning i noticed that the server version is Apache/1.3.20 mod_ssl/2.8.4

Search on google about (mod_ssl/2.8.4 exploit) or using searchsploit tool which built-in kali

the version vulnerable with remote buffer overflow and the exploit called openfuck

This an exploit i found it on github https://github.com/exploit-inters/OpenFuck

After downloading the repo and installing it , then use this command to exploit the vulnerability

run the exploit ./OpenFuck to know which brute force belong to the vulnerable version (Apache-1.3.20)

0x6a -> RedHat Linux 7.2 (apache-1.3.20–16)1

0x6b -> RedHat Linux 7.2 (apache-1.3.20–16)2

-c range of [40–50] -> Number of connection.

I found that 0x6a and 0x6b belonged to the vulnerable version, so i can try both of them

./OpenFuck 0x6a 192.168.80.145 443 -c 40

Unfortunately it’s not working . so try to replace 0x6a with 0x6b and 40 with 50

./OpenFuck 0x6b 192.168.80.145 443 -c 50

It’s the right one and i get a root access by using mod_ssl port

whoami => root

Congratulations ..

Another way to get a root access on the machine

Let’s scanning rpc port and work on it to test if it vulnerable or not

So , i did’t find anything sensitive or interesting

Navigate to scan smb port to know if it’s version vulnerable or not

#Enumerating Samba

I will use smbclient , it’s a command line tool similar to a ftp connection while smbfs allows you to mount a SMB file share

smb server using anonymous login

I found that there are 2 file shares IPC$ & ADMIN$

I didn’t find any thing in file share IPC$ , so when i tried to login with anonymous on ADMIN$ , the connection failed

The version which appear in port scanning was samba smbd , so to know the right smb version , i used metasploit to know the version , then search on smb_version module in msfconsole .

Finally i get the right smb version (Samba 2.2.1a)