# Kioptrix

### Finding Vulnerabilities

1. We used `sudo netdiscover -r 192.168.161.0/24` (the range of our own interface) to find the IP address of the VMware guest.
2. We ran `nmap -T4 -p- -A 192.168.161.130` to scan all 65535 TCP ports with version detection, OS detection, default scripts and traceroute (`-A`).
3. Ports 80 and 443 serve the default Apache web page.
4. We ran `nikto` against the web server for vulnerability scanning:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c86a18cbc7130f82bee8515e5cf62cbffbcfc15d%2Fef32d07a47455559e2ab1fc5c553f634.png?alt=media)
5. Nikto reported: `mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.`
6. Information disclosure: the server banner reveals the exact software versions in use ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-591c22b3dc872ec862d179be8432df5cd107b0f6%2Fcf59a39635fbee9fd41a9100cf620d33.png?alt=media)
7. Three tools we can use for directory busting:
   * **gobuster**
   * **dirb**
   * **dirbuster**
8. Found the `usage` subdirectory, whose pages disclose *Generated by Webalizer Version 2.01*.
9. Using masscan to find open ports quickly: `sudo masscan -p1-65535 192.168.161.130 --rate 1000` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3e8afde7867dbee0e165cb8adf7b3569b913f5ce%2F432d2d56a7933c25c5b37e07c7293236.png?alt=media) and then running nmap only against the ports it found ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8ecda6483b7a1102030bfe10157e1214c01826d1%2F445b33ee0d68d5d342dc1df622cc5157.png?alt=media) This is faster than letting nmap probe all 65535 ports with `-A`.
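
The masscan-then-nmap hand-off described above, as an added example that is not part of the original notes: a POSIX shell snippet that parses masscan's `Discovered open port N/tcp on HOST` lines into the comma-separated list that nmap's `-p` accepts and prints the follow-up nmap command. The masscan output embedded in the script is constructed for the demo and is not the real scan result; the command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original write-up): turn masscan stdout into an
# nmap port list. MASSCAN_SAMPLE is a constructed stand-in for a saved scan log;
# the ports in it are made up.
MASSCAN_SAMPLE='Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-01-01 12:00:00 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 139/tcp on 192.168.161.130
Discovered open port 80/tcp on 192.168.161.130
Discovered open port 443/tcp on 192.168.161.130
Discovered open port 22/tcp on 192.168.161.130
Discovered open port 1024/tcp on 192.168.161.130
Discovered open port 111/tcp on 192.168.161.130
Discovered open port 80/tcp on 192.168.161.130
rate:  0.98-kpps, 100.00% done, waiting 10-secs, found=6'

# Read masscan stdout on stdin and print the open TCP ports as one
# comma-separated, numerically sorted, de-duplicated list for nmap -p.
# masscan can report a port twice (retransmits), hence sort -u.
masscan_ports() {
    awk '$1 == "Discovered" && $2 == "open" && $3 == "port" {
             split($4, a, "/")               # "80/tcp" -> a[1]="80", a[2]="tcp"
             if (a[2] == "tcp") print a[1]
         }' \
    | sort -n -u \
    | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { printf "\n" }'
}

# Compose the targeted nmap command for the ports masscan found. Printed, not
# run, so this works offline; paste the output into a shell to launch the scan.
nmap_cmd_for() {
    ports=$(masscan_ports)
    printf 'nmap -T4 -A -p%s %s\n' "$ports" "$1"
}

printf '%s\n' "$MASSCAN_SAMPLE" | nmap_cmd_for 192.168.161.130
```

In real use, replace the sample with `sudo masscan -p1-65535 <target> --rate 1000 | tee masscan.log` and pipe `masscan.log` through `nmap_cmd_for`; the `-A` scan then touches only a handful of ports instead of all 65535.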

#### SMB Enumeration

1. SMB version found using Metasploit's SMB version scanner: *Unix (Samba 2.2.1a)*
2. Then we use **smbclient** to try the shares (they can hold valuable data), which led to:
   * `smbclient \\\\192.168.161.130\\IPC$`
     * Access denied
   * `smbclient \\\\192.168.161.130\\ADMIN$`
     * Requires a password. **THIS PATH IS A DEADEND.** **Samba 2.2.1a is POTENTIALLY OPEN TO the trans2open exploit (Metasploit `exploit/linux/samba/trans2open`): <https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/samba/trans2open>** ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3e2069fa05ee3f6fab175fc89a8c62883e3dab4d%2F0d89ae7be60125619519c25982e627c1.png?alt=media) ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-82a45047b6ab0792140242125873eb2a5b685129%2Fd18287db2bdbcacd73c6c60c0c42128b.png?alt=media)

#### SSH Enumeration

1. We try to connect with: `ssh 192.168.161.130 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc`. The `-o` and `-c` options re-enable a SHA-1 group1 key exchange, DSA host keys and a CBC cipher, all of which modern OpenSSH clients disable by default and which this old server still requires. The output:

```
The authenticity of host '192.168.161.130 (192.168.161.130)' can't be established.
DSA key fingerprint is SHA256:lEaf2l45SOoTn6qFh/EObfveZjbgCPuTHIXBFtD9mY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.161.130' (DSA) to the list of known hosts.
kali@192.168.161.130's password:
```

We do this to see what the server exposes before authenticating: the banner can reveal the SSH software version and vendor, and the fact that the connection only succeeds with legacy algorithms is itself worth noting. (The `kali@` prompt is just the local username being reused; we have no credentials at this point.)
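As an added example (not from the original notes): a shell helper that grabs only the SSH identification string and interprets it, so the banner check above can be done without the interactive `ssh` prompt or the key-exchange negotiation. The banners fed to `parse_ssh_banner` at the bottom are constructed for the demo, not captured from the VM; `ssh_banner` assumes an `nc` that supports the `-w` timeout option.

```shell
#!/bin/sh
# Added example (not from the original write-up): read and interpret the SSH
# identification string a server sends before any key exchange happens.

# Parse one identification line (RFC 4253 s4.2: "SSH-protoversion-softwareversion [comments]")
# and print "protoversion:softwareversion:compat-note".
parse_ssh_banner() {
    printf '%s\n' "$1" | awk '
        /^SSH-/ {
            sub(/[ \t\r].*$/, "")                             # drop optional comments and trailing CR
            n = split($0, f, "-")
            proto = f[2]
            soft = f[3]
            for (i = 4; i <= n; i++) soft = soft "-" f[i]     # software string may itself contain "-"
            # "1.99" means the server speaks both protocol 1 and 2 (RFC 4253 s5);
            # anything 1.x is a finding in its own right.
            if (proto ~ /^1\./) note = "ssh1-capable"
            else                note = "ssh2-only"
            print proto ":" soft ":" note
        }'
}

# Live helper: connect, take the first line the server sends, and parse it.
# Assumes nc(1) with -w (timeout); port defaults to 22. Not run in this demo.
ssh_banner() {
    banner=$(nc -w 3 "$1" "${2:-22}" < /dev/null | head -n 1 | tr -d '\r')
    parse_ssh_banner "$banner"
}

# Constructed banners (not captured from the lab VM):
parse_ssh_banner 'SSH-1.99-OpenSSH_2.9p2'
parse_ssh_banner 'SSH-2.0-OpenSSH_9.6 Debian-5'
# Live use against the box: ssh_banner 192.168.161.130
```

The software string is what you would feed to `searchsploit`; the protocol field tells you whether the server still accepts SSH protocol 1 before you spend time on legacy client options.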

#### SSL remote shell

1. The Nikto finding `mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.` is the one we target.
2. 80/443 -> exploit found: the OpenFuck mod_ssl exploit, hosted at <https://github.com/heltonWernik/OpenLuck>

### Exploitation

1. We chose SMB to exploit first (trans2open via Metasploit):![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-67d2696f473a13ab2b472720eb0b0047978ed54b%2F0b512f79cd0fa63cbd3bde3064fb05e9.png?alt=media)
   1. It didn't work the first time because of a payload issue: we were using a staged payload \[\[Exploitation#Staged vs Non- Staged]]![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8d14a0d8ff1c61c4fd917f0241f5c1a156bc895e%2F76a2d9092401192ddeb0ac3d52ab4eef.png?alt=media)
   2. We switched to a non-staged payload (so no Meterpreter):![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8ca1dd0e722b4acf72e3448e2877b812aa55a35b%2Ffc8f783d92bc4141cc39db038910d5b2.png?alt=media) We gained root after running `exploit`.
2. Using OpenFuck to exploit the mod_ssl overflow manually:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-907991a912c464e92a243591e7549d1657faa96f%2F30ab6bf63ff3536ebd428a18e809ef29.png?alt=media)
3. We got a shell with root privileges.![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-53b78836f11780153aa0bc46059d7e504569b148%2Fac0925b5eb0b6f93b960a2e7e2a5774a.png?alt=media)
4. The malicious activity went undetected on the target.

#### Passwords

With root access we can read `/etc/passwd`:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-6c0280484a19ca32ae442d0bd2e9814ff8d2105d%2F4326f78abf3b7e3541561b9477665095.png?alt=media) **Note**: `/etc/passwd` no longer holds the password hashes; the `x` in its second field means the hash is kept in `/etc/shadow`, which is readable only by root (which is why root access was needed first):![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ec8dfbe1db9d279e4074b23462fac60ac27213b6%2F167234f2884fd351688aef3099df5509.png?alt=media)
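
An added example, not part of the original write-up: the join of `/etc/passwd` and `/etc/shadow` that John the Ripper's `unshadow` performs, plus a classifier for the hash prefixes so you know which cracking mode applies and which accounts are locked. It runs on constructed sample files (fake users, fake hashes, nothing copied from the VM) so it can be executed offline, and it goes a little beyond the notes by recognising the common crypt(3) formats rather than a single one.

```shell
#!/bin/sh
# Added example (not from the original write-up). PASSWD_SAMPLE and SHADOW_SAMPLE
# are constructed excerpts with fake users and fake hashes.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
legacy:x:502:502::/home/legacy:/bin/bash'
SHADOW_SAMPLE='root:$1$AbCdEfGh$0123456789abcdefghijkl:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
john:$6$SaltSalt$QWERTYUIOPasdfghjklzxcvbnm0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop:12000:0:99999:7:::
harold:!!:12000:0:99999:7:::
legacy:aB3dEfGhIjKlM:12000:0:99999:7:::'

# Classify the hash field of each shadow line by its crypt(3) prefix.
# Prints one "user:type" line per account.
classify_shadow() {
    printf '%s\n' "$1" | awk -F: '
        {
            h = $2; p = substr(h, 1, 3)
            if      (h == "")                  t = "empty-password"
            else if (h ~ /^[!*]/)              t = "locked"        # "*", "!", "!!" or "!<hash>"
            else if (p == "$1$")               t = "md5crypt"
            else if (p == "$5$")               t = "sha256crypt"
            else if (p == "$6$")               t = "sha512crypt"
            else if (p == "$y$" || p == "$7$") t = "yescrypt"
            else if (length(h) == 13)          t = "descrypt"      # traditional DES crypt: no prefix, 13 chars
            else                               t = "unknown"
            print $1 ":" t
        }'
}

# Join passwd and shadow on the username and emit only accounts carrying a
# crackable hash, in passwd layout with the hash in field 2 (john/hashcat input).
# Shadow is fed first, then a marker line, then passwd, so one awk pass suffices.
unshadow_lines() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1"; } | awk -F: -v OFS=: '
        $0 == "---" { in_passwd = 1; next }
        !in_passwd  { hash[$1] = $2; next }                           # shadow: remember hash per user
        ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/ {       # passwd: skip locked/empty
            $2 = hash[$1]; print
        }'
}

classify_shadow "$SHADOW_SAMPLE"
unshadow_lines "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

On a real target you would copy the two files off the box and run `unshadow_lines "$(cat passwd)" "$(cat shadow)" > hashes.txt` before handing the result to `john`; the classifier output tells you in advance whether you are dealing with fast md5crypt/descrypt hashes or slow sha512crypt/yescrypt ones.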

#### SSH brute forcing

1. Using hydra: `hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.161.130 -t 4 -V` (`-l root` fixes the username, `-P` gives the password list, `-t 4` keeps to four parallel connections because SSH servers drop more than that, `-V` prints every attempt)
2. Using Metasploit
   * search for `ssh_login` and `use auxiliary/scanner/ssh/ssh_login` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ae2112b170960680334297aaca9994fb4862ac71%2Fed1a3f0bed03f1c155eb3580fffa8e0c.png?alt=media) ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-891678d1d926c45d7ff95f734c9db54ae41dabbe%2Fbf4802cb9508a10694880421906bdcd6.png?alt=media)
