Over the next 5 blog posts I intend to write up how to fully compromise the famous Kioptrix series of Boot 2 Root VMs. This post will detail the compromise of the first VM in the series, Kioptrix Level 1. As mentioned in the banner above, there are numerous ways to compromise this box; I will not be exhaustively demonstrating every method of compromising the VM, just the method I used.
The -sC flag to Nmap is “script scan”, which runs Nmap's default set of pre-canned scripts to get some more information about the running services.
Essentially, though, there are services running on –
- 22 (SSH)
- 80 (HTTP)
- 111 (RPCBind ??)
- 138 (Samba)
- 443 (HTTPS)
- 1024 (RPC ??)
Not much to see here really; we’ll investigate index.html, manual, mrtg and usage in a second. But first of all we run…
A few interesting things here, especially the remote buffer overflow exploit, which could lead to a remote shell. If nothing better crops up during our app analysis then this is a good avenue to investigate.
Web App Enumeration
This yielded nothing apart from HTTPS behaving strangely (redirecting to localhost? proxy shenanigans?) and a version of Webalizer vulnerable to XSS.
SMB enumeration yielded nothing useful apart from the fact that it allows anonymous logins and has a group named MYGROUP. After trying a few brute force attempts to make stuff happen (using msfconsole) and a thorough enumeration using smbmap and enum4linux, I gave up on SMB.
EDIT: After finishing off this box it transpires that Exploit-DB has a remote code execution exploit available for the version of Samba running on the box. I should have checked this first, and will do next time.
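The anonymous SMB access noted above comes from a handful of smb.conf settings, and the quickest defender-side fix is to audit for them. The script below is an added example and not part of the original post; both configuration snippets are constructed samples rather than the VM's real file, and only the parameter names (map to guest, restrict anonymous, null passwords, guest ok, public) are Samba's own.

```python
"""Added example (not from the original post): audit an smb.conf for the
settings that produce the anonymous access seen during SMB enumeration.
Both configurations are constructed samples, not the VM's file; the
parameter names are Samba's own."""
import configparser

# Constructed: a permissive configuration. "map to guest = Bad User" maps any
# login with an unknown username to the guest account, "restrict anonymous = 0"
# accepts null sessions to IPC$, and "guest ok = yes" opens the share to them.
WEAK_SMB_CONF = """
[global]
workgroup = MYGROUP
security = user
map to guest = Bad User
restrict anonymous = 0

[public]
path = /srv/public
guest ok = yes
writable = yes
"""

# Constructed: the same file with guest access removed. "restrict anonymous = 2"
# also rejects anonymous IPC$ connections that some older clients rely on, so
# test it against the real client population before rollout.
HARDENED_SMB_CONF = """
[global]
workgroup = MYGROUP
security = user
map to guest = Never
restrict anonymous = 2

[public]
path = /srv/public
guest ok = no
writable = yes
"""


def load_smb_conf(text):
    # smb.conf is INI-shaped; strict=False tolerates repeated keys, and
    # interpolation is off because Samba values may contain "%" macros.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit_smb_conf(text):
    """Return a list of findings; an empty list means no anonymous-access setting was found."""
    cp = load_smb_conf(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    if glob.get("map to guest", "Never").strip().lower() != "never":
        findings.append("global: map to guest sends failed logins to the guest account")
    if glob.get("restrict anonymous", "0").strip() != "2":
        findings.append("global: restrict anonymous is not 2 (the strictest setting), "
                        "so null-session IPC$ connections are accepted")
    if _truthy(glob.get("null passwords", "no")):
        findings.append("global: null passwords = yes permits empty passwords")
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        # "public" is Samba's synonym for "guest ok"
        if _truthy(sec.get("guest ok", "no")) or _truthy(sec.get("public", "no")):
            findings.append(f"{share}: guest ok / public permits unauthenticated access")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {audit_smb_conf(conf) or ['no findings']}")
```

Run it against a real smb.conf by passing the file's contents to audit_smb_conf; the weak sample produces three findings and the hardened sample none.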
In the end, Nikto had already given us the answer: the mod_ssl module in the web server was woefully out of date and was vulnerable to some exploits.
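The Nmap service list and the Nikto mod_ssl finding are both things a defender can catch from routine scan output before anyone reaches for an exploit. The script below is an added example and not part of the original post: it parses Nmap's grepable (-oG) output into a service inventory and runs two checks over it, open ports outside an exposure allowlist and banner components below a version baseline. The sample scan, the hostnames and version strings in it, the allowlist and the baseline versions are all constructed assumptions, not the VM's real data; the parser itself is general and works on any -oG file.

```python
"""Added example (not from the original post): turn Nmap's grepable output
(-oG) into a service inventory and run two defender-side checks over it,
flagging open ports outside an exposure allowlist and software components
older than a policy baseline. The sample scan, the allowlist and the
baseline versions are constructed assumptions, not the VM's real data."""
import re
from dataclasses import dataclass

# Constructed -oG sample. Nmap writes the Ports field as
#   port/state/proto/owner/service/rpcinfo/version/ entries separated by ", "
# and replaces any "/" inside service or version text with "|".
# Product names and versions here are placeholders.
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: "
    "22/open/tcp//ssh//ExampleSSH 2.9/, "
    "80/open/tcp//http//ExampleHTTPd 1.3 (mod_ssl|2.8 OpenSSL|0.9)/, "
    "111/open/tcp//rpcbind//2 (RPC #100000)/, "
    "139/open/tcp//netbios-ssn//Samba smbd/, "
    "443/open/tcp//ssl|http//ExampleHTTPd 1.3 (mod_ssl|2.8 OpenSSL|0.9)/, "
    "1024/open/tcp//status//1 (RPC #100024)/"
    "\tIgnored State: closed (1018)\n"
)

# Assumed exposure policy: only these TCP ports are meant to be reachable.
ALLOWED_PORTS = {22, 80, 443}

# Assumed minimum acceptable version per component (policy values chosen for
# the example, not a statement about which release fixed which bug).
MIN_VERSIONS = {"mod_ssl": "2.8.31", "OpenSSL": "1.1.1"}

PORTS_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\s+Ports: (.*?)(?:\s+Ignored State:.*)?$")
COMPONENT = re.compile(r"([A-Za-z][A-Za-z_]*)/(\d+(?:\.\d+)+)")


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_grepable(text):
    """Return one Service per port entry found on the Ports: lines."""
    services = []
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        host, _hostname, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            services.append(Service(
                host=host,
                port=int(fields[0]),
                proto=fields[2],
                state=fields[1],
                name=fields[4].replace("|", "/"),
                version=fields[6].replace("|", "/"),
            ))
    return services


def version_tuple(text):
    """'2.8' -> (2, 8), so tuple comparison orders versions component-wise."""
    return tuple(int(part) for part in text.split("."))


def unexpected_services(services, allowed=ALLOWED_PORTS):
    """Open TCP ports that the exposure policy does not account for."""
    return [s for s in services
            if s.state == "open" and s.proto == "tcp" and s.port not in allowed]


def outdated_components(services, minimums=MIN_VERSIONS):
    """(port, component, seen, minimum) for banner components below baseline."""
    findings = []
    for s in services:
        for name, seen in COMPONENT.findall(s.version):
            floor = minimums.get(name)
            if floor and version_tuple(seen) < version_tuple(floor):
                findings.append((s.port, name, seen, floor))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for svc in unexpected_services(inventory):
        print(f"unexpected: {svc.host}:{svc.port}/{svc.proto} {svc.name}")
    for port, name, seen, floor in outdated_components(inventory):
        print(f"outdated:   port {port} {name} {seen} < {floor}")
```

Banner-based version checks only see what the service advertises, so treat a clean result as "nothing advertised below baseline", not as proof the host is patched; the allowlist check is the more reliable of the two and would have flagged the RPC and SMB listeners on this box straight away.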
We use searchsploit to look for mod_ssl and grab an exploit that looks useful; I chose the “OpenF***” exploit because I’d come across it previously and remembered it was effective.
After copying the source code somewhere safe and performing the fixes mentioned here (also changing the URL for the ptrace-kmod exploit from a remote URL to my Kali box’s local Apache server, because I don’t allow these VMs to connect to the internet), we have a working exploit.
After some trial and error I found the correct offset for the Kioptrix box to be 0x6b (note: run the binary multiple times using 0x6b until it works; it may not work on the first attempt).
Which leads us to –
Done! We can now cat the /etc/shadow file –
I really enjoyed working on this VM. My background and “expertise” are in web application penetration testing, so it’s refreshing and useful to gain more experience with infrastructure penetration testing too. Thanks LoneFerret!