Kioptrix 1.1

File name is Kioptrix level 2 - CentOS 4.5

The vuln machine

0. Get machine's IP

sudo netdiscover -r <IP> to scan our network for devices (found 4 hosts - kali, host, vuln machine, vmware)

1. Enumeration

1.1 Enumerate services

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -p- 192.168.204.129
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-02 12:57 +08
Nmap scan report for 192.168.204.129
Host is up (0.0021s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            962/udp   status
|_  100024  1            965/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2021-12-02T17:58:00+00:00; +13h00m29s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
965/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)

Host script results:
|_clock-skew: 13h00m28s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.84 seconds

1.2 Enum4linux

┌──(kali㉿kali)-[~]
└─$ enum4linux 192.168.204.129                                                                                                                                                          130 ⨯
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Dec  2 13:27:08 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.204.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.204.129    |
 ======================================================= 
[E] Can't find workgroup/domain

 =============================================== 
|    Nbtstat Information for 192.168.204.129    |
 =============================================== 
Looking up status of 192.168.204.129
No reply from 192.168.204.129

 ======================================== 
|    Session Check on 192.168.204.129    |
 ======================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

1.3 Checked http apache webserver at port 443

By right should always check web vulnerabilities last

2. Exploit Action

Here we begin exploiting every attack vector possible : ssh, apache httpd, rpcbind, mysql

2.1. OpenSSH

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

SSH failed to work due to unavailable suitable attack vectors.

┌──(kali㉿kali)-[~]
└─$ searchsploit openssh                                                                                                                                                                255 ⨯
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                                                        | linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                                                          | multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                                                            | freebsd/remote/17462.txt
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                                                                                      | linux/local/258.sh
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                                                          | novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                                                  | linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                                                    | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                                              | linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                                                           | unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                                                  | linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                                                                        | unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                                                                        | unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                                                                  | multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                                                        | linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                                                             | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                                                                     | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                                                        | linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                                                | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                                      | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                                        | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                                                    | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                                        | linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                                                                  | multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                                                         | linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                                                           | linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                                                       | linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                                                        | multiple/remote/3303.sh
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

2.2 Apache webserver

80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))

Searchsploit apache version

Searchsploit hacks

searchsploit -x <path of exploit> : opens the source code of exploit file
searchsploit -u : update searchsploit from expoitdb database
searchsploit -p <path of exploit> : copies exploit to clipboard
searchsploit -m <path of exploit> : copies exploit file to your directory (REMEMBER TO cd or create new dir for this!)

┌──(kali㉿kali)-[~]
└─$ searchsploit apache 2.0.52
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution                                                                                             | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner                                                                                           | php/remote/29316.py
Apache 2.0.52 - GET Denial of Service                                                                                                                       | multiple/dos/855.pl
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow                                                                                                  | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                                                                            | linux/webapps/42745.py
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation                                                                                            | linux/webapps/44498.py
Apache CouchDB < 2.1.0 - Remote Code Execution                                                                                                              | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service                                                                                                         | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                                                                        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                                                                  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                                                                  | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal                                                                                         | linux/webapps/39642.txt
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities                                                                                                          | multiple/webapps/18329.txt
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting                                                                              | multiple/remote/35735.txt
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution                                                                                      | multiple/remote/44556.py
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)                                                           | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)                                                                                               | multiple/remote/17691.rb
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection                                                                                          | multiple/webapps/44583.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                                                                                                           | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal                                                                                                         | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)                                                                                                   | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)                                                | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)                                                | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)                                                                                                | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution                                                                            | linux/remote/34.pl

mod_ssl is an optional module for the Apache HTTP Server. It provides strong cryptography for the Apache v1. 3 and v2 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) cryptographic protocols by the help of the Open Source SSL/TLS toolkit OpenSSL. This fits our purpose :

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)

# Download the exploit to our makeshift directory

Do always try to read the source code to see requirements for exploit, there's so many things you can learn from reading scripts!

For this we stored it in ~/home/searchsploit_stuff as OpenFuck.c

note the requirements of libssl-dev (apt-get install libssl-dev)
Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto (replace OpenFuck.c with the name of your downloaded exploit .c file)

TO BE CONTINUED

PreviousVulnhub Machines NextTryHackMe

Last updated 4 years ago

hashtagThe vuln machine

hashtag0. Get machine's IP

hashtag1. Enumeration

hashtag1.1 Enumerate services

hashtag1.2 Enum4linux

hashtag1.3 Checked http apache webserver at port 443

hashtag2. Exploit Action

hashtag2.1. OpenSSH

hashtag2.2 Apache webserver

hashtag # Download the exploit to our makeshift directory

hashtagTO BE CONTINUED