In this article we are going to solve a very interesting machine, Kioptrix Level 1. This machine is designed for beginners, but with a little twist. We can download this machine from VulnHub.
The first step is to find the IP address of the target, and for that we use the command: netdiscover -i wlan0
Now, using the command nmap -A 192.168.43.8, we checked for open ports.
As we can see, many ports are open. So first of all we decided to browse the HTTP service.
This is the Apache default page. We decided to look for hidden directories and files using the command: dirb http://192.168.43.8
We explored each directory but failed to find anything useful, so we started looking on the internet for exploits related to port 22 (SSH), but we failed here too. So we looked at another service, the HTTP/HTTPS version, and searched the internet for its exploits, and we successfully found an exploit on exploit-db.
Click here to get the exploit. Now we compile the code as instructed in the exploit's comments, but we get an error.
We resolved this error by installing the package: apt-get install libssl-dev. We again tried to compile the C code, but this time we got more errors.
So we searched the internet for these errors and found that we need to update this exploit by making some changes to the code. You can find the updated code here. Now we again try to compile the code, but again we get some errors; to resolve them we install the package: apt-get install libssl1.0-dev, and now finally the code compiles and we succeed this time!
Click here to get the successfully compiled binary. Now we run the binary as shown in the image.
The output is a little confusing, but if we look at it carefully we observe that for every version there are different supported offsets that we need to specify while running the binary. So in this list we searched for our version.
So we decided to try both offsets, and we get the root shell using the offset 0x6b.
Now it's time to search for our flag, and we find it in the directory: /var/spool/mail/
This completes our challenge. If you know some other ways to pwn this machine, then please contact us; you may get a chance to publish your write-up on our website.