Kioptrix 2 – Lessons Learned

Rather than do a traditional walkthrough on most of these, I think I’ll just do a “lessons learned” type thing. That’s more useful for me, and honestly, the world doesn’t need another Kioptrix walkthrough.

So with the first one I feel like I was pretty much successful. I took a generic pentesting methodology and applied it using the specific tools I had and it worked out well. With this one, things were a bit more tricky.

Mistake one: I didn’t use anything to enumerate out web pages on the site. So I spun my wheels on the services detected through nmap for much longer than I should have rather than just looking at the index.php page. One look and it becomes pretty clear that the entry point of this VM does not lie in analysis of tool feedback and research of vulnerabilities associated with software. A little SQL injection and you’re in, and given a prompt that runs the ping command. I was able to set up a reverse shell and now we’re in the box as the apache user. This is where the research comes in and reveals a privilege escalation vulnerability for the Linux kernel.
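The "prompt that runs the ping command" is a textbook OS command injection: user input concatenated into a shell string. As an added example (my own Python, not the VM's PHP code; the function names are my own), here is what the hardened version of such a feature looks like: strict target validation and an argv list run without a shell.

```python
# Added example, not code from the original post or from the Kioptrix VM.
# Vulnerable pattern being avoided:  os.system("ping -c 3 " + user_input)
# Defence: validate the target as an IP or hostname, then exec without a shell.
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
# Nothing a shell would interpret (; | & $ ` spaces) can match this.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(value: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def build_ping_argv(target: str, count: int = 3) -> list[str]:
    """Return an argv list for ping; reject bad input rather than passing it on.

    The regex already forbids a leading '-', so the target cannot be parsed
    by ping as an extra option.
    """
    if not is_valid_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", str(count), target]


def run_ping(target: str) -> str:
    """Run ping with shell=False (the default for a list argv) and return stdout."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return result.stdout
```

Because the argv is a list and no shell is involved, even a value that somehow slipped past validation would be passed to ping as a single argument, not interpreted.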

Mistake two: I missed the hardcoded credentials in the index.php source code. If the objective is just to own the box, well that’s not of too much consequence. But the objective here is really just to get as much info as possible and missing that bit of data is instructive for the future.

So far, my objective has been to stay away from Metasploit and see what I can do manually and it has been working out. These haven’t been challenging but there are inefficiencies and things I miss so I need to shore that up. I’m making a playbook for these machines and making some adjustments based on my results. Next up: Kioptrix 3.

Kioptrix 1 – First up

Diving in, my hope is to run through some of these Vulnhub instances and practice enumeration, exploitation (of course), and documentation. The goal is to begin the OSCP course in about a month, coinciding with graduation time. In the meantime I also want to develop some proto-scripts for scripting enumeration, so the focus is on enumeration for me. And we’re starting with Kioptrix 1.

First off, netdiscover: match the MAC to the MAC in the ESXi settings, acquire the IP.

And then nmap. Keeping it simple, just an -sV.

Got some services and right off the bat we have some candidates. But let’s flesh it out and do some nikto:

I followed this up with a bunch of nmap scans that I won’t bother posting pictures of. Basically, enumeration scripts, including http-enum and a few smb-enum-* scripts. None really gave much information.

Nikto showed us a few directories and two accessible webpages, one the default Apache webpage and one a php page named test.php that doesn’t appear to do much. Looking at rpcbind, I checked out a suggestion found online to look for rpcinfo and check for mounts. No joy, but a worthwhile effort:

After that we look at our candidates from the scans. First we have the Apache version. We also have OpenSSH, which we won’t really talk about since there does not seem to be a publicly available exploit for this version. Next we have port 139, which means netbios, which means Samba most likely. We’ll use enum4linux to pull some more info there:

It’s a lot of text, but if you dig in there you’ll find that we are dealing with Samba 2.2.1a. And exploit-db has a lot to say about our Samba version. I pulled the exploit from that link and compiled (gcc -o samba_sploit 10.c) and it ran without a hitch.

Apache is a little more intense. The code on exploit-db doesn’t compile as is. Luckily an industrious young hacker has provided steps for updating the code, however you’ll find that it still won’t compile, complaining a lot about SSL2. Turns out you will need to install libssl1.0-dev (look in the comments) as well, and it then compiled nicely.

Running OpenFuck -h you get a long list of potential targets. Look for our Apache versions on the list (ignore the OS versions) and try them one by one. Process of elimination yields us this:

Nicely. Lessons learned: don’t give up if the exploit isn’t working; it took a while to find the answer on the Apache vuln here. Also, I wish I had done a better job documenting. My intent is to get to the point that I am doing it in the OSCP format so I’ll be ready. Next up: Kioptrix 2.