Kioptrix
Finding Vulnerabilities
we used
sudo netdiscover -r 192.168.161.0/24
with our ip to find the vmware ipwe use
nmap -T4 -p- -A 192.168.161.130
to find all info about the system80/443 default webpage found with apache server running
Found that
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
We can use three tools for directory busting:
gobuster
dirb
dirbuster
Found usage subdirectory which disclosed following info: Generated by Webalizer Version 2.01
SMB Enumeration
SMB version found using metasploit- Unix (Samba 2.2.1a)
Then use smbclient to gain access to smb (can potentially contain valuable data) which led to find:
smbclient \\\\192.168.161.130\\IPC$
Access Denied
smbclient \\\\192.168.161.130\\ADMIN$
SSH Enumeration
We try to make a connection using:
ssh 192.168.161.130 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc
The output:
We do this to check for exposed banners(which could have ssh version or created by which companies etc).
SSL remote shell
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
is the one we targeting80/443 -> Found exploit - https://github.com/heltonWernik/OpenLuck
Exploitation
Undetected malicious activity
Passwords
SSH brute forcing
Using hydra
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.161.130 -t 4 -V
Using metasploit
Last updated