VulnHub Writeup — Kioptrix #1

sic arie
Jul 20, 2017 · 2 min read

So today I pulled down Kioptrix’s first image and attached it to the same virtual subnet on my virtualization platform. I try to keep this as blackbox as possible, so I ran Nmap in ping sweep mode (-sP) to determine the new host that was up. Once I determined the IP address, I did an Nmap scan for service version and OS detection (-sV -O). Looking at SSH, RPC, Apache and SMB, I decided to do a few things. First, I was going to “burn to root”, which is something I don’t usually like to do. However, after having run dirb against port 80 (dirb <IP> /usr/share/wordlists/dirb/big.txt) I saw that this was a cgi-bin server. SMB and CGI are things I don’t have very much experience doing, so second, I decided to come back to those and look at them in greater detail.

Looking for low-hanging fruit, enum4linux showed that SMB was very open, and looking at vulns for the version gave me a few options, one of which allowed for remote code execution (RCE). The ‘flag’ in this case was an email, which I found; it contained “If you are reading this, you got root. Congratulations.”

Nice and straightforward, #1 down, but a few todos:

  1. Create a writeup for encountering this type of host in an env, if this host is the only thing you encountered. This will require a few assumptions, such as understanding (or being able to determine with minimal probing into a customer’s private data) of what the use of this host is. Therefore, I’m making one up.
  2. Return for a greater understanding of SMB probing. I lucked out in that I grabbed an easy one through searchsploit, but why is the searchsploit version 2.2.8 when enum4linux returns 2.2.1?
  3. Perform cgi-bin investigation as well to gain an understanding of how that works.
  4. Validate XSS via Referrer as reported by Nikto.
  5. Brush up on Webalizer file poisoning etc…