I am going through the OSCPLike Vulnhub list from the netsecfocus group before I take my third attempt at my OSCP Exam. You can find the NetSecFocus Vulnhub Trophy Room Google Doc by joining Mattermost and going to the Vulnhub and CTF channel. The Machines listed in Red on the Doc are the most OSCP like Machines.
I started up Virtualbox and Created a pfsense router that all my traffic would pass through for my Virtualbox Lab. I always Start my Enumeration by creating a folder on my Desktop named like kioptrix_1.1 so I have a place to dump pictures and scan output for reports and blog posts as well as notes. I used to use keep not but I’ve moved on to keeping everything in Cherrytree if I have to have pictures directly attached. If not everything is done in markdown and posted to a private Github notes repo. I feel like this is the easiest way as I can always just git clone my notes and start working from anywhere.
For this VM I launched the tool Sparta which combines various tools with a Java gui front end. I use this sometimes so I can have a visual map in front of me. Sparta started a discovery scan on the targets IP address and found several services and ports. I find it handy as you can wrap any tool you want into your initial scan via config. The Github link for sparta is Github if you want to read the docs! It comes with Kali by default.
Looking at the Above output I see
- 22 SSH like normal and a Version number OpenSSH 2.9.p2 (protocol 1.99)
- 80 HTTP Old Apache version 1.3.20 and mod_ssl/2
- 111 RPCBIND
- 137 NETBIOS-NS Samba nmbd
- 139 NETBIOS-SSN Samba smbd
- 443 HTTPS Old Apache version 1.3.20 and mod_ssl/2
- 32768 STATUS
From the above, there are some things we can dig into further. We see that port 80 and 443 tell us that it is unix/red-hat. We can google Version numbers like OpenSSH 2.9p2 we can also look for samba exploits on port 137 and 139. Most of the time nowadays I start with web applications with apache being such an old version. I googled Apache 1.3.20 and used searchsploit. I tried to searchsploit apache but too many results or not enough were coming back. I narrowed it down to the last part mod_ssl/2 I don’t see this a lot.
Okay some easier output to sift through. I know I don’t want DOS so that gets rid of first 2 results. I am not looking for hardware or windows exploits. That leaves me with 3 exploits to look into.
So we look at all Three
- cat /usr/share/exploitdb/exploits/unix/remote/21671.c
- cat /usr/share/exploitdb/exploits/unix/remote/764.c
- cat /usr/share/exploitdb/exploits/unix/remote/40347.txt
764.c looks to be the most promising exploit out of the bunch I never compile or run an exploit without reading the code first. I know this is particular exploit needs some updating from reading the header at the top of the code.
Upon compiling and running the exploit you can use id and you will be root.
Looking back at the box and looking at how other people got root. There was a Metasploit way that was really easy. Using this exploit it took no time to root the machine. Since I am trying to these OSCPLike Vulnhub machines I will always try to do everything without Metasploit. I have found that I get a better understanding of what I am doing without Metasploit as well, especially when learning.