VulnHub: Kioptrix Level 1

1. Executive Summary

Kioptrix Level 1 is a playground for beginners like me. There is more than one way to root the machine. Based on my findings, there are two ports that can lead us to root access: port 139 (SMB 2.2.1a) and port 443 (Apache 1.3.20).

2. Description

To connect it to my other VM (Kali Linux 2020.4), the machine needs a “little” modification. Before making the modification, you need to download Kioptrix Level 1 from VulnHub. After the download succeeds, the machine is still in a .rar package, so you must unpack the file.

Next, open your Kioptrix Level 1.vmx in any text editor. (In my case, since I’m using macOS, I just use TextEdit.)

Change the value of:

ethernet0.networkName = "Bridged" to ethernet0.networkName = "nat"

You can search for “Bridged” to make it easier. Do not forget to save your changes to the .vmx file before you continue. Now that we have modified the machine, we can start to play!

BRING IT ON!!!!

The question that came to my head when I saw the Kioptrix machine was: what is the IP address of the machine? On some other machine, you could just type ifconfig or ipconfig to find the IP address, but on Kioptrix Level 1, once you turn on the machine, it only gives you a login prompt.

In other words, you need to get this machine’s “identity” from somewhere else. As I mentioned earlier in the preface, we need to connect the machine to another machine.

Open a terminal on your other machine, in my case Kali, and run this command:

netdiscover

Note: netdiscover is an active/passive ARP reconnaissance tool, initially developed to gain information about wireless networks without DHCP servers.

From the previous step, we got the Kioptrix IP address through netdiscover, which is 192.168.29.4.

Using the nmap command below, let’s scan the IP.

nmap -T4 -A -v -oA kioptrix1 192.168.29.4

From the screenshot, we found that six ports are open. The ideal way to find the “flag” or root the machine is to look at every open port.

On this port, I tried to enumerate the SSH service by trying to log in over SSH as root without entering any password.
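The scan above also writes its results to disk (`-oA kioptrix1` produces kioptrix1.xml among others), so the open services can be inventoried from the XML instead of a screenshot. This is an added example, not part of the original write-up: the sample XML is constructed and trimmed, and the function names and watchlist are hypothetical. The watchlist strings are the Apache and mod_ssl versions this walkthrough reports.

```python
import xml.etree.ElementTree as ET

# Banner strings the walkthrough reports for the web server it later roots.
WATCHLIST = ("Apache httpd 1.3.20", "mod_ssl/2.8.4")

# Constructed sample in nmap's XML layout (three open ports, one closed);
# a real kioptrix1.xml carries many more fields.
SAMPLE_XML = """<nmaprun>
 <host>
  <address addr="192.168.29.4" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="1.3.20"
             extrainfo="(Red-Hat/Linux) mod_ssl/2.8.4"/></port>
   <port protocol="tcp" portid="139"><state state="open"/>
    <service name="netbios-ssn" product="Samba smbd"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="http" tunnel="ssl" product="Apache httpd" version="1.3.20"
             extrainfo="(Red-Hat/Linux) mod_ssl/2.8.4"/></port>
   <port protocol="tcp" portid="8080"><state state="closed"/></port>
  </ports>
 </host>
</nmaprun>"""

def open_services(xml_text):
    """Return (host, port, name, version, banner) for each open port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            a = svc.attrib if svc is not None else {}
            banner = " ".join(a[k] for k in ("product", "version", "extrainfo") if k in a)
            rows.append((addr, int(port.get("portid")), a.get("name", "unknown"),
                         a.get("version", ""), banner))
    return rows

def triage(rows, watchlist=WATCHLIST):
    """Split rows into watchlist hits and services nmap could not version."""
    hits = [r for r in rows if any(w in r[4] for w in watchlist)]
    unversioned = [r for r in rows if not r[3]]
    return hits, unversioned

if __name__ == "__main__":
    hits, unversioned = triage(open_services(SAMPLE_XML))
    print("watchlist hits:", [(r[0], r[1], r[4]) for r in hits])
    print("no version, check by hand:", [(r[0], r[1], r[2]) for r in unversioned])
```

A service that lands in the second list is not cleared: here the Samba version had to be found by other means, and it turned out to be one of the two routes to root.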

ssh root@192.168.29.4

As expected, Kioptrix’s SSH did not allow anonymous login. So in order to get in, I tried another way, using hydra.

I used hydra to brute-force the SSH login using common SSH usernames and common SSH passwords.

Sadly, no valid credentials were found. But if you are a bit more patient than me, you could try other lists of usernames and passwords (it will take a long time, so prepare some snacks).

When a machine has port 80 open, it is usually used for a web application, so to confirm this assumption I accessed the IP address in my Firefox browser.

Unfortunately, there is only a default Apache page.

I used gobuster to list the directories at the address. I mean, nobody knows whether the default page is actually covering something suspicious, right?

From the screenshot, we figured out that three directories were found, but they have status code 301, which means permanently moved.

I tried to access the directories, but they only gave me a blank page with continuous reconnecting, so I decided to give up on this port.

Using nmap, I tried to take a closer look at port 111. This port is specifically known for the NFS service, a protocol used to access files over a network. Sadly, I had to give up on this too because it did not give me any interesting bait.

If you have experience rooting machines, you probably will not miss this port because, based on my experience, when you find port 139 open, it is like game over.

Side note: while enumerating this port, I ran into an issue when I used smbclient or another script to find out the SMB version installed on the machine.

When I run this command:

smbclient -L=192.168.29.4

It gives me an ugly output, “smbclient :protocol negotiation failed: NT_STATUS_IO_TIMEOUT”.

So after surfing the internet, I discovered that this issue happens because of my Kali, and luckily I also found a way to fix it.

If you are facing the same issue as me, you can add this line to /etc/samba/smb.conf under the global section.

client min protocol = NT1
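A check for the Kali side once the lab is done, as an added example that is not part of the original write-up: `client min protocol = NT1` in [global] lets every Samba client connection from that host negotiate down to SMB1, so the function below reports whether the setting is still active. The sample configs are constructed and the helper names are hypothetical.

```python
import re

# SMB1-era dialect names accepted by Samba's protocol parameters.
SMB1_ERA = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed smb.conf fragments, not copied from any real host.
LAB_CONF = """[global]
   workgroup = WORKGROUP
   client min protocol = NT1
"""
REVERTED_CONF = """[global]
   workgroup = WORKGROUP
;  client min protocol = NT1
"""

def _norm(name):
    # Samba compares parameter names ignoring case and embedded spaces.
    return re.sub(r"\s+", "", name).lower()

def global_param(conf_text, name):
    """Return the last value set for `name` in [global], or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if _norm(key) == _norm(name):
                value = val.strip()          # later lines override earlier ones
    return value

def smb1_client_enabled(conf_text):
    """True when [global] lowers the client's minimum dialect into SMB1."""
    value = global_param(conf_text, "client min protocol")
    return value is not None and value.upper() in SMB1_ERA

if __name__ == "__main__":
    for label, conf in (("lab", LAB_CONF), ("reverted", REVERTED_CONF)):
        print(label, "-> SMB1 client enabled:", smb1_client_enabled(conf))
```

When `global_param` returns None the parameter is unset and Samba's built-in default applies.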

Now back to samba!

I re-ran my smbclient command in the hope of getting this machine’s Samba version. However, it did not give me the answer. So I used this Python script to obtain it, and success!

The installed version of Samba is 2.2.1a. Following this, I searched for a suitable exploit using searchsploit and found this powerful exploit.

Before running the exploit, I compiled the C code into an executable file named sambarce.

gcc -o sambarce 10.c -lcrypto

And yup rooted!

Now that we are logged in as root, our mission is not complete yet. We have to dig more to find the flag. At first I was in the /tmp directory (if you do not know, /tmp is used for saving files that will disappear when the machine is turned off), so I tried to get into the /root directory and list all the files inside it (including the hidden ones).

Of all the hidden files found in the root directory, .bash_history caught my eye. When you open your shell, Bash will save its history list to the disk by appending the contained entries to your .bash_history file.

To access this file, you can just enter the command below:

cat .bash_history

Of all the commands listed in .bash_history, I found the “mail” command the most suspicious. So I ran the command and discovered there are two mails. Without understanding the columns of the mail listing, I just opened all the mails.

The first mail looks like a goodbye message, or, as some people say, this is Kioptrix’s flag.

Since we are already logged in as root, I also changed the password for root so that I can log in through Kioptrix itself.

I changed the root password by entering:

passwd

Try entering the newly set password on the Kioptrix machine. See if you get a mail notification! ☺️

From the nmap result, we discovered that there is an Apache service (apache 1.3.20 red hat | mod_ssl/2.8.4) running on the Kioptrix machine.

I searched for a mod_ssl exploit using this command:

searchsploit mod_ssl

It gave me a link to this C code exploit. After I downloaded the exploit and ran it, it gave me an error, so I went back to the internet to find the reason.

And I discovered from another walkthrough that the code needs some modifications.

1. Add Headers

  • #include <openssl/rc4.h>
  • #include <openssl/md5.h>

2. Update the URL

3. Replace Parameter

  • Search for get_server_hello
  • Scroll down to line 961
  • Replace unsigned char *p, *end; with const unsigned char *p, *end;

After modifying the exploit, you are required to install libssl1.0-dev so that the exploit can be run.

apt-get install libssl1.0-dev

Now we are set to go. Do not forget to compile it into an executable file.

gcc -o OpenFuck 764.c -lcrypto

Run the exploit:

./OpenFuck | grep 1.3.20

From the screenshot above, there are two versions that are suitable for our Apache version: 0x6a and 0x6b.

Since I don’t quite understand the difference, I tried both. First I ran 0x6a.

./OpenFuck 0x6a 192.168.29.4

The shell closed so fast, so I tried the other one, 0x6b, by running this command in my terminal.

./OpenFuck 0x6b 192.168.29.4

And rooted!

Since we are in the shell, I also extracted “/etc/passwd” and “/etc/shadow”.

Using unshadow, I combined /etc/passwd and /etc/shadow to create one file with username and password details.

I forgot to screenshot this process, but here is the command:

unshadow kioptrix1_etcpasswd.txt kioptrix1_etcshadow.txt > password.txt

Later we use this file to crack the hash. There are two famous hash-cracking tools, John the Ripper and hashcat.

I already tried using both of these tools, but sadly I couldn’t crack the hash. Maybe if some of you succeed in cracking the hash for users john and harold, you can give me a nudge in the comments, thank you ☺️☺️☺️

purple enthusiast