Purpl3 F0x Secur1ty

Security Research.

29 March 2019

VulnHub - Kioptrix 1

by purpl3f0x

This one is going to be fairly short and sweet. It was a pretty simple box found over at vulnhub.

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Vulnhub is a site that hosts downloadable VMs that are CTF-style challenges. You'll need VMware to host them, and the drive space, but the upshot is that you don't have to worry about network latency or VPNs.

Initial scans with SPARTA don't show too much, but there are some pretty common attack vectors here. Samba is usually pretty ripe for the picking, and having a look around websites can reveal some vulnerabilities.

Unfortunately, there isn't a whole lot running on the web server side of things. I did find some directories with "gobuster" but in the end they were just rabbit holes, or in other words, dead ends that were meant to waste time and/or frustrate the attacker.

So let's go back to Samba. My version of Kali doesn't properly grab the banner for some reason, so I have to use a metasploit module to get the version:

auxiliary/scanner/smb/smb_version

This stood out to me like a sore thumb. I've seen this version of Samba in my PWK labs, and I know for a fact it's vulnerable. A quick search using "searchsploit" in Kali yielded many results, but the only result that worked for me was this exploit here.

Compiling it was very straight forward, I used the command "gcc 10.c -o Sambaexploit" and got a fully compiled binary.

Execution consists of providing the target (Choices of Linux, MacOSx, SunOS, and "other"), and the IP address of the target.

It was just that simple to get root. A more robust shell was spawned by typing "/bin/bash -i"

Looks a bit better now.

There is a "flag" on the box, or rather, just a congradulatory message that can only be read by the root account.

The same vulnerability is also exploitable with metasploit, using the module "linux/samba/trans2open". The meterpreter payload didn't work but the "linux/x86/shell/reverse_tcp" did. It resulted in the same outcome, instant-root.

My enumeration turned up a second vulnerability in the version of "mod_ssl" that the server was running. It was running version 2.8.4, which is vulnerable to a buffer overflow attack. There is an exploit out there eloquently named "OpenFuck", but for the life of me I could NOT get it to work. What I was able to determine is that this is just a very old exploit written in obsolete C code, because every attempt to compile it failed. To make sure I wasn't going crazy, I "cheated" and looked at other people's write-ups of this box. In their write-ups, they can compile this exploit with no issues and also get instant-root using it, but these write-ups are from several years ago.

So that's it, short and sweet like I said. Kioptrix1 is meant to be fairly simple and straight-forward, an entry-level box, so I didnt expect more. There are higher-level versions that are more difficult however, and I'll be tackling those soon.

tags: Pentesting - VulnHub