This is the beginning of my journey towards OSCP, and this blog post is the first step from the TJnull Vulnhub VM list for practice. Check the full list here.
First, let's import the VM; you can get the VM from here. I'm using VMware to run the virtual machine, but you can use VirtualBox. After importing the VM, the next step is to find the IP of Kioptrix, but there was an issue with Kioptrix Level 1 as it was not detected by Kali Linux. The only solution that worked for me was deleting the current network adapter and assigning a new network adapter to the Kioptrix VM.
Now that the issue is resolved, let's find the IP. There are multiple ways to do this, but I like doing it in two ways: the first is using netdiscover and the second is using nmap. The commands are as follows.
sudo netdiscover -i eth0
nmap -sn 192.168.28.0/24
Now that we have the IP, it's time for an nmap scan. We will do it in @ippsec style:
- -sC : is for the default scripts
- -sV : is for version detection
- -oA : is to store the output in all formats in the nmap/kioptrix1 directory
We got a bunch of ports with services running, so now let's do some enumeration. Let's start with the web page running on port 80.
It was showing the default Apache web page. Now let's do some web directory enumeration. I like to use gobuster, but you can use your favorite tool for this task.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.28.129/ -t 10
- dir : is for directory enumeration mode
- -w : is for the wordlist path
- -u : is for the target URL
- -t : is for the thread count
But there is nothing informative on the web page. Now let's do some enumeration of the SMB service running on port 139.
For SMB enumeration I use different tools, as sometimes you get different results from each of them. When I tried to connect to SMB, I got an error.
After 5 or 6 attempts I left those tools and used the nmap NSE scripts for SMB vulnerability scanning.
sudo nmap --script "smb-vuln*" -p 139 192.168.28.129
And there is nothing interesting here.
Now it's time to get back to our nmap scan result for the next step. We can see that the HTTPS service running on port 443 uses OpenSSL 2.8.4; as this is an old machine, before jumping into a Google search let's do a quick searchsploit.
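Going from the scan result to searchsploit queries is easy to get wrong by hand, because nmap reports sub-component versions (mod_ssl, OpenSSL) in the service's extrainfo field rather than in product/version. As an added example that is not part of the original post, this Python script parses the .xml file written by -oA and emits one query string per versioned component on each open port. The sample XML is constructed and its host address and versions are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the .xml that `nmap -sC -sV -oA nmap/kioptrix1` writes; only the
# elements this parser reads are kept, and the host and versions are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.28.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="2.9p2" extrainfo="protocol 1.99"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.20"
                 extrainfo="(Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" extrainfo="workgroup: MYGROUP"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.20" tunnel="ssl"
                 extrainfo="(Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"/></port>
      <port protocol="tcp" portid="1024"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

# "component/version" tokens nmap tucks into extrainfo, e.g. mod_ssl/2.8.4; the part after
# the slash must start with a digit so "(Red-Hat/Linux)" is not mistaken for one.
COMPONENT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")

def parse_services(xml_text):
    """(host, port, proto, product, version) per open port, one row per versioned component."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue  # skip closed/filtered ports and ports without a probe result
            num, proto = int(port.get("portid")), port.get("protocol")
            product = svc.get("product") or svc.get("name")
            rows.append((addr, num, proto, product, svc.get("version", "")))
            for comp, ver in COMPONENT_RE.findall(svc.get("extrainfo", "")):
                rows.append((addr, num, proto, comp, ver))  # e.g. mod_ssl 2.8.4 on 443
    return rows

def searchsploit_queries(rows):
    """Deduplicated 'product version' strings to hand to searchsploit one at a time."""
    return sorted({f"{product} {version}".strip() for *_, product, version in rows})
```

Each returned string is meant to be run as `searchsploit <string>`; components without a version (Samba here) still surface so they are not forgotten in manual enumeration.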
We found a remote buffer overflow exploit. Let's quickly compile and run it.
It requires 4 parameters:
- target : you can get the target ID from the exploit's source code. In our case we use 0x6b
- box : the IP address of the box
- port : we will use 443
- -c : the value is 40
And after running it we get a root shell.
Key learning from this box:
- Enumerate every service; there may be a vulnerable version of a service running on the box.