I'm taking The Cyber Mentor's Practical Ethical Hacking Course on Udemy and during the scanning and enumeration chapter, we started scanning Kioptrix Level 1. I've played around with Kioptrix before and was already prepared to root the machine in a quick two-step, even though that's not part of the section. To do this root, you'll need a VMware player to run Kioptrix level one, which you can download from VulnHub. Get it running and find the IP address. I had a little difficulty with this as I couldn't just pick it up with netdiscover on my network and had to do an nmap ping scan to discover hosts on my vmnet8 interface rather than my local network. Once I had the IP I poked around a bit, looked at the default webpage the server was hosting, ran dirbuster etc, but really got into it running nikto. Although an nmap scan showed an smb share hanging out, which is usually where I'd start probing, nikto showed this: 
Wait what? I can pop a shell? Let's look up the vuln.
Evidently these are way way way outdated versions of Apache and mod_ssl with a vuln that goes back to 2002. Also this sounds familiar. I've already exploited this on a box somewhere and have the exploit on my Kali box. For whatever reason this isn't already implemented in metasploit, but exploit code is available on Exploit-DB and its called OpenFuck Classy I know. It's in C and needs to be compiled with gcc to run, but I already had it from the last time I used it. ./OpenFuck 0x6b 172.16.XXX.XXX 443 -c 40 and what do I get?
Well I'm root already, no pivoting or privesc, just an easy rooted box. While I'm here I better grab some treasure.
Hashes to crack for later! Fun!
