
VulnHub – Kioptrix: Level 1 Walkthrough

Introduction

This was a really easy Linux box that involved exploiting known vulnerabilities in outdated versions of the Apache web server software and the Samba service in order to gain root access. No privilege escalation was required.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

This has revealed a few open ports; the next step is to enumerate Samba and HTTP.

Enumerating Samba

Using the smbclient tool to enumerate open shares:

Unfortunately, no open shares were found apart from the default ones. While the command is running, Wireshark can be used to inspect the exchange further and identify the Samba version:

Using the SearchSploit tool to identify known exploits with the current version of Samba:

This has identified a few potential exploits that could be used to gain remote access to the machine.

Enumerating HTTP

Performing an initial Nikto scan against the web server:

This has revealed Apache is most probably vulnerable to several known exploits due to its outdated version.

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

No useful directories or files were found unfortunately.

The previous Nmap scan has revealed the webserver is running Apache 1.3.20. Using the SearchSploit tool to identify known exploits with the current version of Apache:

The “OpenFuck” exploit affects Apache web servers running a version of the mod_ssl module (which provides SSL and TLS support) older than 2.8.7.
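The version checks described above (Samba identified from the traffic, Apache 1.3.20 and the mod_ssl 2.8.7 cut-off) can be run automatically over saved `nmap -sV` output. The script below is an added example and not the author's tooling or part of the original walkthrough: it parses the service lines, extracts the mod_ssl, Apache and Samba versions from the banners and compares them against a fixed-in table. The mod_ssl 2.8.7 threshold is the one stated above; the Samba 2.2.8a threshold (the trans2open fix) and the Apache 1.3 end-of-life check are facts added here rather than taken from the post, and the sample scan text is constructed.

```python
"""Flag outdated service versions in saved `nmap -sV` output.

Added example for this walkthrough, not the author's script. The sample
scan text below is constructed; the version thresholds are: mod_ssl < 2.8.7
(figure given in the walkthrough), Samba < 2.2.8a (trans2open fix, added
here) and the end-of-life Apache 1.3 branch (added here).
"""
import re

# Constructed sample of `nmap -sV` output; not the scan from the post.
# Port 139 deliberately has no version, which is the case the post handles
# with Wireshark.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

# (component label, regex whose group 1 is the version, fixed-in version, note)
CHECKS = [
    ("mod_ssl", re.compile(r"mod_ssl/(\d[\w.]*)"), "2.8.7",
     "below mod_ssl 2.8.7: affected by the OpenFuck mod_ssl exploit"),
    ("Apache httpd", re.compile(r"Apache(?: httpd)?[/ ](\d[\w.]*)"), "2.0",
     "Apache 1.3 branch is end-of-life and receives no security fixes"),
    # The version group is optional: nmap often reports only "Samba smbd".
    ("Samba", re.compile(r"Samba smbd(?: (\d[\w.]*))?"), "2.2.8a",
     "below Samba 2.2.8a: affected by the trans2open overflow"),
]

# One nmap service line: "<port>/<proto>  open  <service>  <version banner>"
SERVICE_LINE = re.compile(r"(\d+)/(tcp|udp)\s+open\s+\S+\s+(.*)")


def parse_version(text: str) -> tuple:
    """'2.2.1a' -> ((2, ''), (2, ''), (1, 'a')) so versions compare as tuples.

    Each dotted component becomes (number, letter suffix); the suffix makes
    2.2.8a sort after 2.2.8 as Samba intends.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            break
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def audit(nmap_text: str) -> list:
    """Return one finding dict per outdated (or unversioned) component."""
    findings = []
    for line in nmap_text.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue  # header, closed port or free text
        port, banner = int(m.group(1)), m.group(3)
        for label, pattern, fixed_in, note in CHECKS:
            hit = pattern.search(banner)
            if not hit:
                continue
            version = hit.group(1)
            if version is None:
                # Known component, unknown version: cannot be cleared yet.
                findings.append({
                    "port": port, "component": label, "version": None,
                    "finding": "version not in banner; identify it by other "
                               "means (e.g. the SMB negotiation in a capture) "
                               "before clearing it",
                })
            elif parse_version(version) < parse_version(fixed_in):
                findings.append({"port": port, "component": label,
                                 "version": version, "finding": note})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NMAP):
        print(f"{f['port']:>5}  {f['component']:<13} {f['version'] or '?':<8} {f['finding']}")
```

On the constructed sample this reports five findings: mod_ssl 2.8.4 and Apache 1.3.20 on ports 80 and 443, plus an "unknown version" entry for Samba on 139 that asks for the manual identification step the post performs with Wireshark rather than silently treating the service as safe.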

Exploiting Samba

Cloning the exploit, compiling it using GCC and viewing the available options:

Running the exploit with the following arguments:

  • -b to specify the platform, in this case Linux
  • -c to specify the IP address to connect back to
  • the target host’s IP address

This has provided a root-level shell.

Exploiting HTTP

Cloning the updated version of the OpenFuck OpenSSL exploit, compiling it and viewing the usage:

Running the exploit with the following flags:

  • The target, which in this case is 0x6b, RedHat Linux 7.2 (apache-1.3.20-16)2
  • The target IP address
  • The number of open connections to attempt

This has granted a root-level shell.

Conclusion

This was one of my very first capture-the-flag challenges and although looking at it now it is indeed pretty trivial and does not even cover basic privilege escalation, it was still lots of fun nonetheless and definitely a great learning experience.