VulnHub Writeup — Kioptrix #1
So today I pulled down Kioptrix’s first image and attached it to the same virtual subnet on my virtualization platform. I try to keep this as black-box as possible, so I ran Nmap in ping-sweep mode (-sP) to determine which new host was up. Once I had the IP address, I ran an Nmap scan for service version and OS detection (-sV -O). Looking at SSH, RPC, Apache and SMB, I decided to do a few things. First, I was going to “burn to root”, which is something I don’t usually like to do. However, after running dirb against port 80 (dirb <IP> /usr/share/wordlists/dirb/big.txt) I saw that this was a cgi-bin server. SMB and CGI are things I don’t have much experience with, so second, I decided to come back to those and look at them in greater detail.
Looking for low-hanging fruit, enum4linux showed that SMB was very open, and looking up vulns for the version gave me a few options, one of which allowed remote code execution (RCE). The ‘flag’ in this case was an email, which I found; it contained “If you are reading this, you got root. Congratulations.”
Nice and straightforward, #1 down, but a few todos:
- Create a writeup for encountering this type of host in an env, if this host is the only thing you encountered. This will require a few assumptions, such as understanding (or being able to determine with minimal probing into a customer’s private data) what this host is used for. Therefore, I’m making one up.
- Return for a greater understanding of SMB probing. I lucked out in that I grabbed an easy one through searchsploit, but why does searchsploit list version 2.2.8 when enum4linux returns 2.2.1?
- Perform a cgi-bin investigation as well to gain an understanding of how that works.
- Validate XSS via Referrer as reported by Nikto
- Brush up on Webalizer file poisoning etc…
