[VulnHub] Kioptrix Level 1 Walkthrough

01 Jul 2020

[VulnHub] Kioptrix Level 1

Kioptrix is part of a multi-level pentesting OS series and today we’re going to start with Level 1. We’ll work our way through to the higher levels together, so let’s dive right into the first one!

The Kioptrix Level 1 VMWare image can be downloaded via VulnHub


Enumeration

Tool: arp-scan

Since the Kioptrix machine is on our local network, we’ll have to scan any connect hosts in order to find the IP address. For this task we’ll be using arp-scan, it will send an ARP request to every IP address on the local network and records if any devices respond to the initial request.

Syntax: arp-scan -l

Flag Description
-l Equivalent to –localnet, it will scan the local subnet for active hosts.

ARP scan
Scan the local network for any live hosts

Based on the scan results, we have two possible IP addresses that could be the Kioptrix machine, so how do we distinguish which one? We’ll run a quick nmap scan of both IP addresses and it should give us an answer.

Tool: Nmap

I ran a quick nmap scan (with no options) just to get an idea of which one we’re dealing with. As you can see, my scan for 192.168.10.13 came back positive and we can be fairly confident that this is the Kioptrix machine. With that done, we’d like to scan the Kioptrix machine again in some detail and check on the services it’s running.

Nmap scan to find the Kioptrix machine
Ran a quick nmap scan of both targets to confirm the Kioptrix machine IP address.

Clicking around the website didn’t yield too much, so we’ll take a look at any potential hidden pages we don’t have access to normally.

Syntax: nmap [options][target]

Useful nmap options

Option Flag Function
-p Specify the ports to scan. Can be a single number or a range (eg. -p 1-2000). Using the option -p- will scan all ports from 1-65535. If you don’t use this option, nmap will scan the top 1000 most common ports
-A Will perform all available scans: OS detection, version detection, script scanning, and traceroute. This can be a time-consuming process.
-v Verbosity is optional. You can use it to receive updates about the scan process and other information while nmap is running
-Pn Treat the target as online (skip host discovery). This can be useful if nmap says the host seems down when using a regular scan

I decided to just got for the -A flag to make the command simpler, but feel free to experiment with other flags from the man page to suit your needs. Make sure to keep these scan results handy in your notes so it can be referred back to later.

Detailed nmap scan
Scan the Kioptrix machine in more detail.

From this quick scan, we can see already a lot of information come in to work with. It’s also running Apache 1.3.20/mod_ssl 2.8.4 which looks out-of-date and doing a quick search on Google reveals that we may already have an attack vector.

Seems like we already found vulnerabilities related to:
Apache mod_ssl < 2.8.7: OpenLuck Remote Buffer Overflow

We’ll make note that this tool may work against the Kioptrix machine and come back to it later, but we want to continue enumeration to ensure we don’t miss anything. I’ll be running through some more enumeration steps, so feel free to skip down to the Exploitation section if you’d like to see OpenLuck in action.


More enumeration

Port 80/443: HTTP/HTTPS

Web services are generally full of information and potential vulnerabilities, so it’s important we take a look into it as well. We’ll use Nikto, a web vulnerability scanner that can give us more insight.

Tool: Nikto

Syntax: nikto [options] -host [IP address]

Nikto scan results
Once again, we see mod_ssl 2.8.4 come up and is vulnerable to a remote buffer overflow. This gives us confirmation that the OpenLuck exploit we found is on the right track.

Tool: Gobuster

Syntax: gobuster dir [options] -u [target] -w [wordlist] -x [file extensions]

Another directory busting tool available that can help us find any unlisted directories or pages we otherwise won’t be able to see. Previously I used Dirbuster since it runs recursive scans, but I thought we could try a different tool this time. Use whichever tool you like best as there are multiple ways to achieve the same goal.

Gobuster scan on Kioptrix
Gobuster results
/div>

The Gobuster scan came back with a few interesting items at the bottom, the test.php page and the /usage directory. We’ll go into both for a look.

Hidden Test.php page
Hidden test.php file on Kioptrix: 192.168.10.13/test.php

Kioptrix Usage Statistics
Hidden Usage stats for Kioptrix: 192.168.10.13/usage

We can see that the Kioptrix usage page utilizes a software called Webalizer. Another Google search reveals that it’s likely vulnerable to a buffer overflow attack, but not much information about the exploit itself. We’ll note it down and keep it on the backburner for now.

Port 139: SMB

SMB (Server Message Block) is a network file sharing protocol that allows computers to read/write to files from a server. The Linux platform running SMB is called Samba and we’ll take a look if there’s a potential vulnerability here.

Tool: Metasploit

Module: auxiliary/scanner/smb/smb_version

Metasploit comes with a multitude of different exploits, scanners, and other tools. We’ll use it to quickly scan for more information like the version number since nmap wasn’t able to pick it up. Run the smb_version module and set the RHOSTS to the Kioptrix machine. Then it’s as simple as running it.

Metasploit SMB version scanner
Scan Kioptrix to find the SMB version number

The scan shows that Kioptrix is running Samba 2.2.1a and after another Google search, we find out that it’s also vulnerable to Remote Buffer Overflow attacks.

Port 22: SSH

I generally don’t have much luck finding vulnerabilities in SSH unless we somehow snagged credentials somewhere else. From the nmap scan earlier, we know that the SSH service is running OpenSSH 2.9p2 (protocol 1.99). Plugging that into searchsploit, we see it’s mostly just Username enumeration tools and not much we can work with.

What we can try is to check the SSH for any service banners with more information about the machine, company, etc. First, we’ll try connecting to the Kioptrix machine. In my case, I ran into an error with no matching key found. It provides me with key options and adding it in gets us one step further. Repeat the step with the cipher and we’re able to successfully negotiate a SSH connection.

SSH remote connection
Check SSH for any banner information

Bummer, no banner… However, with all the information we’ve gathered thus far, we can try exploiting the machine via both the mod_ssl and the Samba vulnerabilities. In the article I’ll only be going through the OpenLuck exploit method.


Exploitation

Download the OpenLuck exploit from the Github page and compile it according to the provided instructions. Once it’s compiled (mine is compiled with the file name OpenLuck), we’re ready to fire it up.

We’ll have a list of different parameters to choose from based on the host machine OS. From the Nmap scan, it mentioned that the server is likely running Red-Hat in the http-server-header line. We’ll go ahead and try 0x6a and 0x6b first since the Apache version matches Kioptrix as well.

Tool: OpenLuck

Syntax: ./OpenLuck target box [port] [-c #]

Let’s do a quick breakdown of the syntax we grabbed by running the OpenLuck program

Flag Description
target Enter the offset value provided in the list (we’ll try either 0x6a or 0x6b)
box The IP address of the Kioptrix machine
port Leave it blank for port 443, or enter in the specific SSL port number
-c Set the number of connections (set to 40-50 if unsure)

First we’ll run it using the 0x6a offset to see if we can get a shell:

Run OpenLuck with 0x6a offset
Run 0x6a to see if we’re able to spawn a shell

No dice on this one, although it looked like it tried to spawn a shell before the connection died. No worries, we can still try the other one: 0x6b.

Running OpenLuck again with 0x6b offset
Run OpenLuck again with the 0x6b offset

Looks like it’s working with the 0x6b offset, it says that it’s spawning a Suid shell. My output looks a bit funky after running it multiple times, but it still works.

Running OpenLuck again with 0x6b offset
Run OpenLuck again with the 0x6b offset

There’s likely a flag on the machine (as many CTF machines do), so we’ll see if there’s anything for us here. We can use the find command to search the system for any root files:

Syntax: find / -type f -user root -name root 2>/dev/null

A quick breakdown of the command:

Flag Description
find / Using the find command, we start looking for all files starting from the root (/) directory
-type f Search for files that are owned by the root user
-user root Specify the object type we’re looking for (eg. f for file and d for directory)
-name root Find a file with the name ‘root’
2>/dev/null Remove any error messages from the output

Finding the Root Flag
Found a hidden message for Kioptrix Level 1

Nice! Congratulations on getting root, and see you in the next Kioptrix level.