“This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”
Identify the IP address of the Kioptrix machine

Nmap ping scan

root@kali:~# nmap -sn 192.168.1.10/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-11 14:34 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0031s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.3
Host is up (0.072s latency).
MAC Address: B0:DF:3A:DE:59:08 (Samsung Electronics)
Nmap scan report for 192.168.1.4
Host is up (0.070s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.070s latency).
MAC Address: 08:6D:41:BA:BD:EC (Unknown)
Nmap scan report for 192.168.1.7
Host is up (0.072s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.8
Host is up (0.072s latency).
MAC Address: 68:07:15:7A:EC:52 (Unknown)
Nmap scan report for 192.168.1.11
Host is up (0.00023s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.12
Host is up (0.26s latency).
MAC Address: 04:56:04:47:D4:5C (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.093s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.15
Host is up (0.26s latency).
MAC Address: 80:3F:5D:21:DC:73 (Winstars Technology)
Nmap scan report for 192.168.1.17
Host is up (0.00027s latency).
MAC Address: 08:00:27:46:D4:85 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.16
Host is up.
Nmap done: 256 IP addresses (12 hosts up) scanned in 4.32 seconds
root@kali:~#
Identify services running on Kioptrix
root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.17
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-11 14:48 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:48
Completed NSE at 14:48, 0.00s elapsed
Initiating NSE at 14:48
Completed NSE at 14:48, 0.00s elapsed
Initiating ARP Ping Scan at 14:48
Scanning 192.168.1.17 [1 port]
Completed ARP Ping Scan at 14:48, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:48
Completed Parallel DNS resolution of 1 host. at 14:48, 0.01s elapsed
Initiating Connect Scan at 14:48
Scanning 192.168.1.17 [65535 ports]
Discovered open port 80/tcp on 192.168.1.17
Discovered open port 139/tcp on 192.168.1.17
Discovered open port 111/tcp on 192.168.1.17
Discovered open port 443/tcp on 192.168.1.17
Discovered open port 22/tcp on 192.168.1.17
Discovered open port 32768/tcp on 192.168.1.17
Completed Connect Scan at 14:49, 8.02s elapsed (65535 total ports)
Initiating Service scan at 14:49
Scanning 6 services on 192.168.1.17
Completed Service scan at 14:49, 12.09s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.17
NSE: Script scanning 192.168.1.17.
Initiating NSE at 14:49
Completed NSE at 14:49, 7.56s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.01s elapsed
Nmap scan report for 192.168.1.17
Host is up (0.00046s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024.0
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| MD5:   78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
|_SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
|_ssl-date: 2017-05-11T22:49:18+00:00; +3h59m59s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:46:D4:85 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.015 days (since Thu May 11 14:27:39 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
|   KIOPTRIX<00>          Flags:
|   KIOPTRIX<03>          Flags:
|   KIOPTRIX<20>          Flags:
|   \x01\x02__MSBROWSE__\x02<01>  Flags:
|   MYGROUP<00>           Flags:
|   MYGROUP<1d>           Flags:
|_  MYGROUP<1e>           Flags:

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.1.17

NSE: Script Post-scanning.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_  3h59m59s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.86 seconds
           Raw packets sent: 20 (1.626KB) | Rcvd: 16 (1.338KB)
root@kali:~#
The scan shows Apache 1.3.20 with mod_ssl/2.8.4, and there is one mod_ssl exploit that matches our version: Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)
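As an added example (not part of the original walkthrough), this Python check reads the nmap service scan above, groups the NSE script lines under the port they belong to, and applies the same test the author used to match the exploit (mod_ssl older than 2.8.7), together with the other legacy settings the scan exposed (SSLv2, SSHv1, TRACE). The scan excerpt is constructed from the output above and the 2.8.7 threshold is taken from the exploit title.

```python
import re

# Constructed excerpt of the nmap -sV output shown above; only the lines the checks need.
SCAN_OUTPUT = """\
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| sslv2:
|   SSLv2 supported
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$")

def parse_version(text):
    """'2.8.4' -> (2, 8, 4); a trailing letter as in '0.9.6b' is ignored for ordering."""
    nums = [re.match(r"\d+", part) for part in text.split(".")]
    return tuple(int(m.group()) for m in nums if m)

def parse_scan(scan):
    """Group nmap's per-port script lines under their port: {port: {"banner": str, "scripts": [str]}}."""
    ports, current = {}, None
    for line in scan.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"banner": m.group(2), "scripts": []}
        elif line.startswith("|") and current is not None:
            ports[current]["scripts"].append(line.lstrip("|_ "))
    return ports

def findings(scan, mod_ssl_fixed="2.8.7"):
    """Flag what a defender would triage from this scan: legacy mod_ssl, SSLv2, SSHv1, TRACE."""
    out = []
    for port, info in sorted(parse_scan(scan).items()):
        scripts = "\n".join(info["scripts"])
        m = re.search(r"mod_ssl/(\S+)", info["banner"])
        if m and parse_version(m.group(1)) < parse_version(mod_ssl_fixed):
            out.append(f"{port}/tcp: mod_ssl {m.group(1)} is older than {mod_ssl_fixed}; upgrade")
        if "SSLv2 supported" in scripts:
            out.append(f"{port}/tcp: SSLv2 enabled; disable it")
        if "Server supports SSHv1" in scripts:
            out.append(f"{port}/tcp: SSH protocol 1 enabled; allow protocol 2 only")
        if re.search(r"Potentially risky methods:.*\bTRACE\b", scripts):
            out.append(f"{port}/tcp: HTTP TRACE enabled; disable it")
    return out

if __name__ == "__main__":
    for finding in findings(SCAN_OUTPUT):
        print(finding)
```

Feeding the full scan output in instead of the excerpt gives the same five findings, since the extra script lines carry no further matching strings.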
root@kali:~/Desktop/B2R# cp /usr/share/exploitdb/platforms/unix/remote/764.c .
root@kali:~/Desktop/B2R# head 764.c
/*
 * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
 *
 * OF version r00t VERY PRIV8 spabam
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
 * objdump -R /usr/sbin/httpd|grep free to get more targets
 * #hackarena irc.brasnet.org
 */
#include
There is a note for updating the exploit. After making those changes and installing the necessary packages, I still couldn't compile the exploit on my Kali machine. So instead of wasting time I tried to compile it on my Ubuntu machine, and surprisingly it worked. The final exploit looked like this.
Kioptrix: Level 1 Walkthrough, reviewed by 0x000216 on Sunday, September 01, 2019. Rating: 5