Monday, May 30, 2016

Boot-To-Root KIOPTRIX Level -1

I am starting a series of post writing about most important and useful Vulnhub challenges. In this post we can take a look into Kioptrix vulnerable VM.
This Kioptrix VM Image are easy challenges. The object of the game is to acquire
root access via any means possible (except actually hacking the VM server or player).
The purpose of these games are to learn the basic tools and techniques in vulnerability
assessment and exploitation. There are more than one way to successfully complete the challenges.
Netdiscover | arp –n: To discover the vulnerable IP
Nmap : To get all open ports and versions
Nikto : Get a list of web based vulnerabilities.
Msfconsole: Exploiting via metasploit

How it’s done:
Download the Kioptrix level 1 VM and import it to the virtual box. Once it’s done and make sure the network has enabled and configured properly.
Netdiscover | arp –n:
Once the VM is up and running we need to find the IP of the vulnerable Linux OS. We can use Netdiscover and arp to get the IP address. The same came be accomplished via nmap too. Netdiscover finds all IP’s and its associative MAC address. We can identify the target OS along with its MAC address assigned in the VirtualBox.
>arp –a –n
>nmap 192.168.*.*/24 -n -sP | grep report | awk '{print $5}'
Once the IP has been discovered the attacker needs to know the list of open ports and its associated services. We can use nmap to achieve those. We can scan all ports and we can also determine what the OS which is running in the target is. This will help us to understand the different vulnerabilities and the security weakness in the target.
Nikto is one of the awesome tool which helps in finding the web based vulnerabilities in the target system. We can see there is an open port for http, we can use Nikto to find apache based vulnerability and try to exploit them. Nikto -host
We can see there are lot of open vulnerabilities suggested but we can take issues related to OpenSSL (mod_ssl/2.8.4) and the samba services. Upon searching over the internet I came to know that there are exploit available for the OpenSSL (mod_ssl/2.8.4). Please follow the below steps to achieve it.
Once the openfuck.c has been compiled as per the instruction, we can run the. /openfuck compiled binary with the offset and the IP as its arguments. As we already knew that Kioptirx is based on "Apache/1.3.20 (Unix) (Red-Hat/Linux)" from the above nikto binary and execute it as below.
We can use the next attack Samba service (139/tcp open netbios-ssn Samba smbd). Though we know the host has samba vulnerability but it’s needed to know what the version of samba server installed is. This can be achieved as below.

As they say there are always more than 1 way to exploit, we can use the exploit available in the url if samba service is running in the remote host machine but as with the present scenario, the service was not running so we choose a different method to exploit.
Exploiting via metasploit: