VulnHub series: Kioptrix Level 1

Introduction

VulnHub is a target-range platform that offers many vulnerable machines.

Personal learning goals: 1. Learn more types of vulnerabilities. 2. Prepare for the OSCP.

Download Link

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Workspace

Kali: 192.168.44.128

Target: NAT mode

Special note: some readers cannot obtain the IP address of the target machine after starting the virtual machine.

The fix: edit "Kioptix Level 1.vmx" and set Ethernet0.netWorkName = "nat"

Related knowledge points:

  • Samba 2.2.1a buffer overflow

  • Samba RCE

  • Apache / mod_ssl buffer overflow

  • Detecting the Samba version with Metasploit (module)

  • searchsploit

0x00, Information gathering

Host discovery: nmap -sP 192.168.44.0/24


Port scan: nmap -sV 192.168.44.132

0x01, Apache/mod_ssl

Scan with nikto from Kali: nikto -h 192.168.44.132

Scan result

Try to exploit it:

https://www.exploit-db.com/search?cve=2002-0082

Follow the instructions given with the exploit:

apt-get install libssl-dev

gcc -o 47080 47080.c -lcrypto

Target machine version: 0x6d - RedHat Linux 7.2 (apache-1.3.24)

0x02, Samba

Because Nmap did not detect the Samba version, use a Metasploit module to scan for the Samba version.

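Added example (not part of the original post): the version checks from the two steps above, written as a patch-audit pass over nmap -sV output. It flags mod_ssl older than 2.8.7, the release that fixed CVE-2002-0082, and Samba services whose exact version the scan did not report. The sample scan output, the function name triage and the finding texts are constructed for illustration.

```python
import re

# Constructed sample of `nmap -sV` output (not copied from the post's screenshots).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
MOD_SSL = re.compile(r"mod_ssl/(\d+(?:\.\d+)*)")
SAMBA_VER = re.compile(r"Samba(?: smbd)? (\d+\.\d+\.\d+[a-z]?)")
MOD_SSL_FIXED = (2, 8, 7)   # CVE-2002-0082 affects mod_ssl before 2.8.7
SAMBA_LISTED = "2.2.1a"     # version this write-up lists as having a buffer overflow


def triage(nmap_text):
    """Return (port, finding) tuples for open services that need follow-up."""
    findings = []
    for raw in nmap_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header line, closed port, or unrelated output
        port, banner = int(m.group(1)), m.group(4)
        ssl = MOD_SSL.search(banner)
        if ssl:
            # Compare as integer tuples: as strings, "2.8.12" sorts before "2.8.7".
            ver = tuple(int(p) for p in ssl.group(1).split("."))
            if ver < MOD_SSL_FIXED:
                findings.append((port, "mod_ssl %s < 2.8.7 (CVE-2002-0082): upgrade"
                                 % ssl.group(1)))
        if "samba" in banner.lower():
            smb = SAMBA_VER.search(banner)
            if smb is None:
                # Same situation as in the post: the scan names Samba, not its version.
                findings.append((port, "Samba version not reported: confirm on the host"))
            elif smb.group(1) == SAMBA_LISTED:
                findings.append((port, "Samba %s: upgrade" % SAMBA_LISTED))
    return findings


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_NMAP):
        print("%5d  %s" % (port, finding))
```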

searchsploit samba 2.2.1a

1) trans2open (using Metasploit)

Adjust the payload:

2) Remote code execution

Compile the exploit / view its options

Run: ./samba -b 0 192.168.44.132

Corrections from the experts are welcome; if anything is wrong, please advise.

This is my first blog post. The VulnHub series will be updated from time to time.

I am eating. Thanks for reading and for your patient corrections!