Today we are going to root a really simple machine from VulnHub. This machine is old and has a bunch of ways of being rooted, but it helped me learn a lot of different concepts, so I hope it is helpful for you too. Special thanks to Heath Adams and the TCM Security Ethical Hacking course; all I have learnt is from his course. Alright, without any further ado, let's jump into it, shall we!
First we need to find the IP address of this machine. Since I have it set to NAT, I can run the following command on my Kali box to see the IP of the Kioptrix box:
Kioptrix IP: 192.168.30.129
Let's do an nmap scan and see what we find:
Port 22 (SSH), ports 80/443 (HTTP/HTTPS) and port 139 (SMB) are the important ones; port 111 (rpcbind) isn't all that important. So we'll start with the enumeration of port 80 first. Let's look at the site.
This is what we find at the site. It's a static page, and going through the different links we find that the documentation reveals the server version, which shows poor hygiene.
We can do a lot of things here, like directory brute-forcing or running a nikto scan, to find out what kind of vulnerabilities this box has in store for us.
We have found some directories as well, but we are not going that route; you can explore that and let me know what you've got, take it as your exploration grounds. Moving on, let's research known exploits for this mod_ssl and Apache version.
This exploit doesn't work as-is, so we are going to use the GitHub version of it.
GitHub - heltonWernik/OpenLuck: OpenFuck exploit updated to linux 2018 - Apache mod_ssl < 2.8.7…
Original is OpenFu*&%$#, I changed it to something more elegant. This exploit ( https://www.exploit-db.com/exploits/764/ )…
Now let's move on to SMB enumeration. We know it's Samba, so let's try to find its version using a Metasploit module.
Using this module we'll try to find out the SMB version and then see if there is an exploit available using searchsploit. We could use Google, but let's use this built-in tool.
Now we know the SMB version: it's Samba 2.2.1a. Searching for known exploits:
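The version information gathered so far (a server version exposed in the web documentation, Samba 2.2.1a from the SMB probe) is exactly what a defender should be catching in their own inventory before anyone else does. The following Python script is an added example, not part of the original post or of any tool it mentions: it parses constructed nmap-style service lines and a constructed SMB banner, compares each reported version against a patch-policy floor, and lists what is below it. The mod_ssl floor of 2.8.7 is the one the post names; the other floors, the sample scan lines and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed nmap -sV style output, modelled on the post's scan of Kioptrix.
# These lines are made up for the example; they are not the post's actual scan.
SAMPLE_NMAP = """\
22/tcp  open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp  open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

# Constructed result of an SMB version probe; the post itself found Samba 2.2.1a.
SAMPLE_SMB_BANNER = "Samba 2.2.1a"

# Minimum acceptable versions. mod_ssl 2.8.7 is the floor the post names (the
# exploit it discusses targets mod_ssl < 2.8.7); every other entry is an ASSUMED,
# illustrative patch-policy floor that a defender would set for themselves.
FLOORS: Dict[str, str] = {
    "mod_ssl": "2.8.7",
    "samba": "2.2.8a",
    "apache": "1.3.42",
    "openssl": "1.1.1",
    "openssh": "9.0",
}

# Product name followed by a space or slash and a version like 1.3.20, 2.2.1a, 2.9p2.
PRODUCT_RE = re.compile(
    r"\b(OpenSSH|Apache(?: httpd)?|mod_ssl|OpenSSL|Samba)[ /](\d+(?:\.\d+)*[A-Za-z]?\d*)"
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.2.1a' into ((2, 2, 1), 'a') so the numeric parts compare as
    integers, with any trailing letter/patch suffix ('a', 'p2') as a tiebreaker."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]\d*)?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (m.group(2) or "")


def version_below(found: str, floor: str) -> bool:
    """True if `found` is older than `floor`. Missing components count as 0,
    so '2.8' is treated as '2.8.0'. Numeric comparison avoids the classic
    string-compare mistake where '2.8.10' sorts below '2.8.7'."""
    f_nums, f_suf = parse_version(found)
    m_nums, m_suf = parse_version(floor)
    width = max(len(f_nums), len(m_nums))
    f_nums += (0,) * (width - len(f_nums))
    m_nums += (0,) * (width - len(m_nums))
    return (f_nums, f_suf) < (m_nums, m_suf)


def find_outdated(*sources: str, floors: Dict[str, str] = FLOORS) -> List[Tuple[str, str, str]]:
    """Scan free-form text (nmap output, banners, HTTP Server headers) for the
    products above and return (product, found_version, floor) for each one that
    is below its floor. Duplicate sightings (e.g. ports 80 and 443) collapse."""
    findings = set()
    for text in sources:
        for m in PRODUCT_RE.finditer(text):
            product = m.group(1).split()[0].lower()   # 'Apache httpd' -> 'apache'
            version = m.group(2)
            floor = floors.get(product)
            if floor and version_below(version, floor):
                findings.add((product, version, floor))
    return sorted(findings)


if __name__ == "__main__":
    for product, found, floor in find_outdated(SAMPLE_NMAP, SAMPLE_SMB_BANNER):
        print(f"{product:8} {found:8} below floor {floor}")
```

Feeding it your own `nmap -sV` output or a captured `Server:` header works the same way; the point is that a version string visible to a scanner is also visible to your own inventory check, so the leak the post spots on the documentation page should already be on the defender's list.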
We got an exploit for Linux x86 that gives us remote code execution (RCE), and on top of that it's in Metasploit.
So we found the exploit, let's use it.
Here we are going to change the payload, because the default is a staged payload and it wouldn't work, and we didn't find a non-staged Meterpreter payload, so linux/x86/shell_reverse_tcp has to do.
Here we set the options, i.e. set rhosts, and run the exploit, and at the end we can see that we got root access. CONGRATULATIONS!!!! WE DID IT. I have left the Apache exploit out intentionally; try it and let me know how it goes, and I would love to know other ways to root this box.