seekorswim My Security Blog

Kioptrix: Level 1.1 (#2)

10 May 2019 | Walkthroughs
vulnhub kioptrix sqli kernel exploit
VulnHub URL: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Hostname:
IP Address: 10.183.0.238


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.238.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/kioptrix2# nmap -Pn -sT -sV --script=default,banner -A -oA kioptrix2 -p- 10.183.0.238
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 22:14 CDT
Nmap scan report for 10.183.0.238   
Host is up (0.0031s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION   
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
|_banner: SSH-1.99-OpenSSH_3.9p1
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            821/udp  status
|_  100024  1            824/tcp  status
443/tcp  open  ssl/https?
|_ssl-date: 2019-05-12T00:05:23+00:00; -3h09m46s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
631/tcp  open  ipp        CUPS 1.1  
| http-methods:
|_  Potentially risky methods: PUT  
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
824/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
| banner: I\x00\x00\x00\xFFj\x04Host 'kali.homenet.dom' is not allowed to
|_ connect to this MySQL server
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.18
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m46s, deviation: 0s, median: -3h09m46s

TRACEROUTE
HOP RTT     ADDRESS
1   3.05 ms 10.183.0.238

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.97 seconds

Read more...

Kioptrix: Level 1 (#1)

10 May 2019 | Walkthroughs
vulnhub kioptrix mod_ssl samba
VulnHub URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Hostname: kioptrix
IP Address: 10.183.0.224


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.224.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/kioptrix1# nmap -Pn -sT -sV -sC -A -oA kioptrix1 -p- 10.183.0.224
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-10 09:56 EDT
Nmap scan report for 10.183.0.224   
Host is up (0.0012s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION  
22/tcp   open  ssh          OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2019-05-10T13:58:35+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/10%OT=22%CT=1%CU=32224%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5CD58418%P=x86_64-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=D2%TI=Z%CI=Z%II=I%T
OS:S=7)OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=
OS:M5B4ST11NW0%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=FF%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=FF%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=FF%CD=S)

Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 1m49s, deviation: 0s, median: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   1.19 ms 10.183.0.224

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.78 seconds

Read more...

Lord Of The Root: 1.0.1

06 May 2019 | Walkthroughs
vulnhub port knock sqli sqlmap gdb pwndbg buffer overflow
VulnHub URL: https://www.vulnhub.com/entry/lord-of-the-root-101,129/
Hostname: LordOfTheRoot
IP Address: 10.183.0.214


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.214.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/lordoftheroot# nmap -Pn -sT -sV -sC -A -oA lordoftheroot -p 1-65535 10.183.0.214
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-08 13:48 EDT
Nmap scan report for LordOfTheRoot.homenet.dom (10.183.0.214)
Host is up (0.0016s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 08:00:27:64:93:94 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.61 ms LordOfTheRoot.homenet.dom (10.183.0.214)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.62 seconds

Read more...