Friday, June 1, 2018
Kioptrix - Level 1 (#1)
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix Level 1 (#1)
- Kioptrix Level 1 (#1) can be downloaded from here:
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
- Once downloaded, extracted and opened with VMware:
2 - ENUMERATION
- First, using netdiscover, we notice that the only IP address on the local network belonging to a VMware guest is 192.168.1.21, so it should correspond to the vulnerable machine Kioptrix:
- Scanning for versions and the operating system with Nmap:
- Going further with the SMB service running on port 139, using nbtscan:
- enum4linux yields information about the Samba version 2.2.1a:
- smbclient gives the same information:
- nikto provides interesting information about vulnerabilities related with outdated Apache and OpenSSL versions, and also about existing buffer overflows:
- To sum it up, the enumeration step gives us information about vulnerabilities related to outdated Apache and OpenSSL services, and also about the running Samba version.
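- From a defender's point of view, the useful output of this enumeration step is an inventory of service versions that can be checked against the fix versions quoted in this writeup (Samba fixed in 2.2.8, mod_ssl fixed in 2.8.7). The script below is an added example, not part of the original post or of any of the tools mentioned: it parses nmap-style `-sV` lines, compares the versions it finds against those thresholds, and reports which ports still expose a vulnerable build. The sample scan lines are constructed to resemble what nmap reports for this machine (the mod_ssl/2.8.4 value is an assumption, not taken from the post), and the version comparison handles suffixed versions such as 2.2.1a.

```python
"""Flag outdated service banners from enumeration output.

Added example (not from the original writeup or from nmap/enum4linux).
The fix thresholds come from the writeup: Samba < 2.2.8 and mod_ssl < 2.8.7.
The sample scan text below is constructed; the mod_ssl/2.8.4 value is an
assumption for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling `nmap -sV` output for Kioptrix Level 1.
SAMPLE_SCAN = """\
80/tcp  open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open  netbios-ssn Samba smbd 2.2.1a (workgroup: MYGROUP)
443/tcp open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
"""

# (product name, regex capturing the version string, first fixed version)
RULES = [
    ("Samba", re.compile(r"Samba(?: smbd)? (\d[\w.]*)"), "2.2.8"),
    ("mod_ssl", re.compile(r"mod_ssl/(\d[\w.]*)"), "2.8.7"),
]


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '2.2.1a' into ((2, ''), (2, ''), (1, 'a')) so tuples compare naturally.

    Each dot-separated component is split into a numeric part and an optional
    letter suffix; a missing suffix sorts before any suffix (2.2.8 < 2.2.8a).
    """
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparsable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_older(found: str, fixed: str) -> bool:
    """True when the observed version is strictly below the first fixed version."""
    return version_key(found) < version_key(fixed)


def audit(scan_output: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) where the banner is below the fix version."""
    findings = []
    for lineno, line in enumerate(scan_output.splitlines(), 1):
        port_match = re.match(r"\s*(\d+)/(?:tcp|udp)", line)
        port = int(port_match.group(1)) if port_match else None
        for product, pattern, fixed in RULES:
            m = pattern.search(line)
            if m and is_older(m.group(1), fixed):
                findings.append({
                    "line": lineno,
                    "port": port,
                    "product": product,
                    "version": m.group(1),
                    "fixed_in": fixed,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"port {f['port']}: {f['product']} {f['version']} "
              f"is below the fixed version {f['fixed_in']}")
```

- Running it against the constructed sample reports Samba 2.2.1a on port 139 and mod_ssl 2.8.4 on ports 80 and 443; feeding it real `nmap -sV` output from an internal inventory scan gives the same kind of list, which is the quickest way to confirm that a patch or upgrade has actually removed the exposed version.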
- Let's exploit these vulnerabilities one by one.
3 - EXPLOITING OUTDATED VERSION Samba 2.2.1a
- Just Googling for potential Samba 2.2.1a vulnerabilities, we discover that there is an exploit for Samba versions below 2.2.8:
3.1 - Metasploit
- There are 4 Metasploit modules related to this vulnerability:
- Picking the second one, specific to Linux operating systems, we discover that the exploit is called trans2open:
- Starting Metasploit and searching for trans2open:
- Using trans2open exploit:
- Setting remote host (192.168.1.21) plus the payload generic/shell_reverse_tcp with local host (192.168.1.17):
- Finally running the exploit, a reverse shell with root privileges is achieved:
3.2 - Searchsploit
- Another approach to the Samba vulnerability would be to use searchsploit, a tool that is linked to the database exploitdb.
- The search for Samba 2.2.8 yields the exploit 10.c:
- Copying 10.c to a temporary folder:
- Compiling 10.c:
- Running exploit 10 without parameters:
- In this case the parameters would be -b 0 (Linux), -c 192.168.1.17 (Kali's IP), -p 139 (SMB port), and the target 192.168.1.21 (Kioptrix's IP):
- Running the exploit with those parameters:
4 - EXPLOITING OUTDATED VERSIONS Apache 1.3.20 / OpenSSL 0.9.6b
- Googling for these vulnerabilities we discover that there is an exploit for Apache mod_ssl < 2.8.7 OpenSSL:
- Using searchsploit to find any exploit:
- Let's use the 764.c:
- Copying the exploit to a working folder:
- There have been a lot of implementation problems with this exploit, because it is very old.
- Interesting discussions about how to compile it correctly can be found here:
http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
http://hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/
- In my case (Kali 2018.2) I have checked that, to compile this exploit, it is better to use the package libssl1.0-dev rather than libssl-dev:
- Installing one version replaces the other one:
- Opening the exploit, just two modifications are needed:
- First, including these two additional headers:
- Second, replacing the original http location:
- Now, compiling with option -lcrypto:
- Running 764 without parameters:
- There are two potentially valid offsets for this exercise (0x6a and 0x6b), depending on the operating system and Apache server version in use:
- Trying 0x6a the result is unsuccessful:
- Trying 0x6b the result is successful and a reverse shell with root privileges is achieved:
5 - POST-EXPLOITATION
- After the vulnerable machine has been successfully exploited we can perform several post-exploitation tasks.
- For instance, capturing the flag by reading /var/mail/root:
- Accessing /etc/shadow:
- Also, to get a bash shell on the attacker's local machine we could start a netcat listener, for instance on port 4444:
- Following the directions in this link, a bash script can be used:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- The shell is eventually received on the attacker's local machine: