Kioptrix Level 1 CTF Walkthrough - Boot-To-Root

Captions
[Laughter] Hey guys, HackerSploit here, back again with another video, and welcome back to the CTF series. In this video we're going to be looking at the Kioptrix series, or the Kioptrix collection. Now, this was suggested to me by you guys on Twitter. Essentially this set of VMs or CTF challenges focuses on what I would call real-world penetration testing scenarios, and this is what people recommend you do if you're preparing for a course or a certification like OSCP. All right, so you can see I'm starting from the first one: there's Kioptrix level one to, I think, level three, and then a later update that was released in 2014 or 2015, I'm not too sure. Quite old, but I actually gave them a go and, to be honest, yes, this really does cover the important bits of penetration testing. I just did it a few minutes ago and it took me about 25 minutes if I timed myself. I had a few hitches, especially with the compilation of exploits, and that is primarily why I'm doing this video: it will really help you understand how the compilation of exploits can affect your overall experience with a CTF challenge or, in this case, if you're performing a penetration test. All right, so you can see that the Kioptrix VM images are easy challenges; the object of the game is to acquire root access by any means possible, except actually hacking the VM server or player. The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges, and definitely so; I haven't actually found all the ways, but my way took quite a bit of time because it involved the use of an exploit on one of these services, as we'll look at.

All right, so I have the VM running right now, Kioptrix level one, and just before we get started, for those of you who recommended that I do the VMs live, I think I have a better idea: I think I should actually do a live stream of me doing an actual VM from VulnHub or Hack The Box, if that's what you want, so definitely let me know in the comment section down below. You can find all the links that I've used to any of the exploits and the sites in the description section, so there you are.

All right, so the first thing I'm going to do is use netdiscover. In this case my VM is on VMware, so you will see that netdiscover does actually show the machine on VMware. There we are; the IP given to it is 192.168.1.106. All right, so I'll copy that and we can open up Zenmap. Now, for those of you asking why I use Zenmap: I use it so that I can explain the results to you guys, and as you can see I'm not reading any results from anywhere. Now, right from the start I usually like running the service enumeration and an aggressive scan, sorry about that, and I usually run this first. Primarily, after this scan is run, what I then move on to is an intense scan on all TCP ports, and if I still wasn't able to enumerate enough I then move on to UDP ports. We'll be looking at some of the advanced VMs like Node; Node is another one that you guys requested, that is the next one, and then we'll continue with the Kioptrix series, the Kioptrix collection. There are just, I think, about three more left, so I'll also be working on those if you guys want me to. All right, so I'm just gonna wait for this scan to complete. In the meantime we can use enum4linux for our enumeration, sorry about that, enum4linux, and I'll use the IP 192.168.1.106. Let's also enumerate some stuff from there, and yeah, it looks like we got some information here. So enum4linux is to enumerate everything in regards to a Linux system, and I'll try and explain as much as I can from the results. Now, of course there's a lot of information being gathered here and we'll probably need quite a while to go through it, so I'll also make a video on how to use enum4linux, and also take a look at Windows boxes as well, because as you've probably noticed I've only been going through Linux ones, so I'll also be taking a look at that.

All right, so enum4linux completed, and let me just try and explain everything. Essentially, what it was able to enumerate: you have your target information, the RID range, username, password, which means there probably is an RPC server running here. You have the known usernames, so you have admin, administrator, root, the standard guest, and krbtgt, something interesting there. We then have the nbtstat information, as you can see, which was essentially SMB information, and this will give you information in regards to the workgroups; nothing important there. We then have the SMB server here, and we can see that it is using Samba, but one thing that I did see is it was not able to enumerate the version of Samba. So definitely we have Samba running here, but again we were not able to enumerate the software version, so nothing helpful there. Going through this, yeah, we weren't able to find anything else, so definitely we have the SMB port running here and we know it's running Samba, but of course we were not able to enumerate anything there. We have the groups on the system, which is great, always good, so we have Administrators and the standard Users, Guests, Power Users, etc. Nothing else over here. Let's take a look at my Nmap scan here. Now, for those of you actually wondering why I went to enum4linux first: well, I just like running enum4linux if a scan is taking long, and that's something you guys have also pointed out with the VMs on Hack The Box or on VulnHub. Usually the Nmap scans take quite a while because those servers are under some sort of load, but for some reason I don't know why this scan is taking so much time. Let me just wait for this to complete and I'll get back to you when it's done.

All right, so the scan has just completed, and as you can see right over here we're able to enumerate quite a lot of ports and services. The first one we have is OpenSSH version 2.9p2. We then have a web server running on port 80; it's running Apache, sorry, Apache 1.3.20, and we were able to enumerate the version of the operating system here: we can see it's running Red Hat Linux, and it's also running OpenSSL. Now, when we talk about the RPC port here, we were able to enumerate from enum4linux that we can log in using a null session, so let's try and log in using the null session and see if we're able to enumerate. So we know it is running Samba, but again we are not able to enumerate the version. We also have port 443, which is essentially SSL, or the HTTPS protocol; nothing special there, we'll take a look at the web server right now. And we have a TCP port, the RPC port, open on port 32768. I wasn't able to actually find anything with that port, but again, from my research I think there are about three ways you can get root with this box. But yeah, let's start by taking a look at the web server here. So I'm just gonna open this up and I will start off with 192.168.1.106 and let's see what we will find. So yeah, the default web page of Apache. Let's test if we have any robots.txt file here; nothing over there. So we can now move on to our port 443, like that, and we get a bad request, so of course we have to change the protocol, like so, and yeah, we get the default page here, we get the default Apache installation page.

So now I'm just going to run a quick dirb on it, and we can also log in using our null session with rpcclient. All right, so dirb http://192.168.1.106, and we hit enter, and yeah, looks like we are getting some subdomains, or sorry, some directories here: cgi-bin, so that looks like a pretty standard type of Apache configuration, except we have a root and the operator here. Yeah, so the manual, that's pretty much just the standard Apache installation. So let's take a look at the operator link, and yeah, we do not have permission to access the operator. Okay, let's take a look at root, if we're able to access anything from here; nothing here as well. All right, so nothing right over there. We're gonna wait for dirb to complete, and in the meanwhile we can actually start with our rpcclient. So let me just open up my Terminator here and also just try and increase the font size so you guys can see what's going on. So rpcclient: we knew that we can get a null session. If I just show you where I actually was able to enumerate that from: usually it's always good to test it even if you don't get the information back in regards to the credentials and whether or not you can actually log in. So here we are, you can see it allows sessions using the null username and the null password, so pretty standard stuff there. And now, if we look at rpcclient, we use a blank username and password and we specify the host, 192.168.1.106, we hit enter, and that's a null password, and voilà, you can see we have rpcclient here. So I'm just going to try and run some enumeration commands, so enum users, I believe that's one. So yeah, pretty much nothing we can enumerate from rpcclient; essentially all the important commands in regards to user enumeration are not displaying anything back, so yeah, we're definitely not going to find anything in there.

Okay, so let's go back to dirb and let's see what we're able to get. So I'm just gonna go all the way to the bottom here, and yeah, we got a few directories here; we have the ones right over here, manual, mrtg, and yeah, those are pretty standard Apache installation files, so nothing there. Let's take a look at our Nmap scan here and let's try and see any of the other services that we could target. We have OpenSSH 2.9, so you can use searchsploit for that, so I'm just going to try and run that: searchsploit OpenSSH 2.9. Let's see if we can find anything there; nothing over there. Let's see if we can get any exploit based on version two. So yeah, we definitely have version two exploits here, but again nothing really interesting; we have one over here, and we have the Kerberos version, but that's definitely not what we're using, and again there really aren't any exploits. Now, for SSH it's very unlikely that you will find any OpenSSH exploits; as you can see these are pretty much all the ones that exist. Now, of course you can just get rid of the 2 and that's pretty much all of them, and yeah, most of them, as you can see, like I've come across version 6.8 or 6.9.1; this is very good for privesc if you ever do run into that, so just a quick tidbit for you. Yeah, version six, I've seen it running on quite a few boxes, but that's up to you to check that out. So yeah, really nothing from OpenSSH. Let's take a look at the web server. So you can see it's running an Apache web service; you can also run a searchsploit on that, so Apache 1.3.20. I'm just going to run that over here: searchsploit Apache 1.3.20. Nothing from there. Oh yeah, we do have a root directory access one; I actually tried to run this exploit but I had a few issues with running the actual Perl file as it did have issues with its library, so I wasn't able to execute that. In any way, this was essentially just going to give us root directory access, and as you've probably already known there is nothing on that Apache server; the Apache server is simply there to try and lead you into a rabbit hole with the exploits available for Apache.

Now, when we look at the mod_ssl, which is essentially two various configurations of mod_ssl and OpenSSL, if we just perform a quick search, well, I tried to run a searchsploit on this but for some reason we were not able to enumerate anything of significance. So if we run a quick Google search for this, just a quick Google search right over here, we can just paste that in and search for an exploit for this, and you can see that the first exploit that comes into our display is the Apache mod_ssl, the appropriate version, anything less than version 2.8.7, and that is the OpenF. I really don't want to use any profanity in my videos, but let me know what you guys think about that. So this is the exploit that I used: it's the Apache mod_ssl, well, the mod_ssl version, anything less than this version number right over here, which we know is suitable for us because our version is version 2.4. Let me just check that again; for some reason my memory isn't very good when I'm recording. Yeah, so 2.8.4. So yeah, we are less than that version, which means we can actually use this. Now, I did try and use the OpenF version one but that didn't work, because my first inclination was to use version one, which also works with OpenSSL, but it requires mod_ssl as well. So we can see that we can use this exploit. So what you can do now is you can essentially just copy the exploit, or you can look for the Exploit Database ID number here, so we have it right over here, and then you can use searchsploit, which is what I recommend. So let's do that right now; I'm just going to search for it with searchsploit. Okay, we can just use the OpenF terminology here, and there we are, we have the OpenF version two, which is a C file, which means we are going to need to compile it, and it is a remote buffer overflow. Of course, if you look at the details in regards to the exploit, it will essentially give you a root shell. Now, when it comes down to compilation, I had a very interesting experience with this: my compilation failed about 10 times, and that's because this exploit is outdated, but I actually found a way of updating it myself. If you follow the update right over here, which will tell you how to update it, this really did not work for me. Now, this compilation method does work with the -lcrypto library over here, so that does work, no worries about that, but I'll show you what happens. This update, essentially updating the OpenF exploit, this really does not work, so I had to find my own way of updating it, and luckily I was able to update it, so yeah, that was pretty cool.

All right, so what we're going to need to do now is copy that exploit to our desktop, which is version 2. So let me just highlight that so I know where I am. I'm just going to copy that, sorry: /usr/share/exploitdb, and that is under exploits and unix, oops, exploits/unix, and that is remote/764.c, and we want to copy that to my desktop right over here. Once that's done we can just move into my desktop; well, I actually did not need to specify the root directory there, but in any way we have the exploit right over here. So if I was to try and compile it right now without actually updating it to what it should be, you'll see that I'll get a few errors here, but before that let's use nano and just inspect the exploit. You can see it'll give you the note right over here telling you to follow the GitHub link right over here to essentially update it, because the compilation will not work. So let's actually copy the compilation code right over here with the new compiler, and I'm just going to exit and we can just paste that in, and if we hit enter you can see, whoops, sorry about that, we need to specify the correct exploit name, which in this case is not OpenF, it is 764.c, so 764, and we hit enter, and you can see we're going to get a lot of errors here. Now, these errors are independent in the fact that we do need to include a few new libraries over here. So to do this, I actually have them right over here and you can use this if you want; I'll also upload this exploit to my GitHub repository with the update, because yeah, it took me a while to get it updated. Now, primarily after updating the exploit, what you will need to do is install a few libraries with the aptitude package manager, and one of the first ones is the SSL developer library, which I have right over here, so I'm just going to copy the code and paste that in here. So you want to install the SSL developer library, and I'm just going to hit yes right over here, and we're just going to wait for that to complete the installation. For some reason it's telling me to upgrade it, so there we are, let that complete, and yeah, it's pretty much updating it to the latest version. This is extremely important, because if you try and compile this exploit on Kali, I'll guarantee that you will get errors, and trust me, this was the real headache, especially with the exploit, given the fact that this virtual machine, Kioptrix one, was created such a long time ago. We really need to be updating many of these exploits for them, so it'll also be a very good exercise in regards to exploit updating and compilation. So we need to now install, I think, the SSL version one developer library for that as well so we can actually compile it. Now, I haven't understood why we need to update these libraries, but hey, I'm just following what we needed to do.

Now, when it comes down to updating the exploit, we need to change a few things with the exploit file, so I'm just going to open this up with the text editor because I want to explain a few things here. All right, so the first thing we need to do is include a few more libraries, and these are found right under the OpenSSL libraries as well, so you can include them right over there. All right, so again, I have them right over here, just on my other monitor; let me just copy them, and you can copy them as well, but I will have the updated exploit on my repository, so if you are doing this virtual machine you can do it. Now, part of compilation isn't a part of this whole process in regards to this virtual machine; remember, this is supposed to be a very easy virtual machine. Now, because of the fact that it's outdated and we are forced to update the exploit for one of these services, it's very good practice. So what you want to do is add these OpenSSL libraries. Once you have added them, we now need to search for a specific line here, the wget command that gets the exploit, the ptrace-kmod.c file. So we need to also change that wget URL to the one that I'm going to be pasting right over here, and yeah, let me just do that right now. I'm just going to paste that right over there, and let me just make sure that's all right; yeah, that's all fine, and that is going to also compile that while we're performing the exploit, or it was actually commented. So what you want to do now is save that, and once that is saved you want to go back into our terminal here. Now, when it comes down to compilation, again we're just going to run the simple compilation code; we don't need to install any of that, so we're just going to call it the OpenF exploit and we're going to use the -lcrypto library, and we hit enter. Now, don't worry if you get these errors right over here; if you get the specific error telling you that the argument in regards to the, I'll just call this an OS code, was from an incompatible pointer type, don't worry about that error, this is pretty much all to do with the exploit itself. Now, if we list the files you can see that we have the OpenF exploit. I was about to slip there, I was about to say it. So we have the OpenF exploit.

Now, if you run the OpenF exploit, which I recommend that you do, something interesting is going to happen here: it's essentially going to display all the codes, I really don't know what to call them. You have the supported offsets, which is really not shellcode but just the version in regards to what version of Apache you're running and the operating system. In our case we know we're using, let me just check again, I always keep on forgetting, trying to keep all of this information in my head. We are using Red Hat Linux, which is running Apache 1.3.20, so we're just going to search for that version and I'll show you how to run the exploit, which, again, it does tell you how to do if you are interested. So you can see the usage is the OpenF ELF file, the target, and you can specify the port, but since ours is configured correctly we don't need to do that, and we have the range here, and you can specify that as well. So we're just going to search for Red Hat Linux and we're going to search for the Apache version here, so just give me a second: Red Hat, Apache version 1.3 point, and I think I've forgotten it again, 1.3.20, yes, that was the one, and I think I found it right over here. Yeah, there we are, Red Hat Linux, and you want to make sure you're using the 0x6b. I did try the 0x6a, for some reason; that is one variant of it, and the one that worked for me was this one right over here. So we're using Red Hat Linux 7.2, Apache 1.3.20, and we're using the second variant of that. Okay, so when it comes down to running the exploit, we need to essentially just specify the exploit with its name, and we're using the 0x6b variant, and we now need to specify the target, 192.168.1.106, and we now need to specify the range, or the amount of connections we want to make. It says if you are not sure just leave it at 50, and that's what I did, I just left it at 50, and I'm going to hit enter and it's going to start a connection range of 0 to 50, and once that is done it should establish an SSL connection and spawn a shell. And looks like we are done, and once the ptrace-kmod was compiled and executed, we should have a shell here. So I'm just going to list the files in there, and yeah, we get a p file which I'm not sure what it does; of course, I'm still experimenting with this machine. It looks like that was an output file, but for some reason we do not have the permissions, which is confusing, because if I type id we have root access, which means we have successfully owned this system.

And that was simply how to own, or pwn, Kioptrix version one, which is very simple, but as I said, if you would have done this probably like three years ago, when the exploit did not need an update, you can see how simple it was to perform. But the specific reason I actually made a video of this machine is because we needed to update the exploit and we also needed to compile it, and a very, very good exploit. If I just print my current working directory, we can see we're in the temp directory, and we don't need to display any flag because there isn't one. And yeah, that's simply how to get root on Kioptrix 1. It was quite a simple one when you look at it from the larger picture, but the primary thing that I wanted to teach you guys here, or to explain to you guys, was the importance of compilation of exploits and how exploits do work if you know how to edit them and update them, because many of you actually complain that exploits don't work, and they do work if you know how to update them or how to make the necessary changes to apply it to your working environment. All right, so I hope you guys enjoyed this video or you found value in it. If you did, please leave a like down below. If you have any suggestions or questions, let me know in the comment section, on my social networks, or on my website, and I'll be seeing you in the next video. Peace, guys. [Music]
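The version check the speaker does by eye (mod_ssl 2.8.4 sits below the 2.8.7 cut-off quoted from the exploit title) is worth automating on the defending side, so that a fleet of Apache banners can be triaged for patching. This is an added example, not code from the video, from HackerSploit or from the Kioptrix VM; the banners are constructed samples, and the 2.8.7 cut-off and the component names are assumptions taken from the walkthrough. It compares versions numerically, so that 2.8.12 is correctly treated as newer than 2.8.7.

```python
"""Flag hosts whose advertised mod_ssl version is below the first fixed release.

Illustrative code added to this page, not the video's or the Kioptrix project's.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Cut-off quoted in the walkthrough: releases strictly below mod_ssl 2.8.7 are
# treated as needing a patch (assumption: the exploit-db title is the authority).
MODSSL_FIXED: Version = (2, 8, 7)

# Constructed sample banners for the demo. The first one uses the values the
# walkthrough reports for the target (Apache 1.3.20, Red Hat, mod_ssl 2.8.4).
SAMPLE_BANNERS: Dict[str, str] = {
    "192.0.2.10": "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "192.0.2.11": "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "192.0.2.12": "Apache/1.3.27 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6g",
    "192.0.2.13": "Apache/2.4.41 (Ubuntu)",
}


def parse_version(text: str) -> Version:
    """'2.8.12' -> (2, 8, 12); tuple comparison orders each component numerically."""
    return tuple(int(part) for part in text.split("."))


def component_version(banner: str, name: str) -> Optional[Version]:
    """Return the dotted version advertised for `name` (e.g. 'mod_ssl'), or None.

    A trailing letter such as the 'b' in OpenSSL/0.9.6b is ignored, which is
    enough for the mod_ssl comparison this check is about.
    """
    match = re.search(rf"(?<![\w.]){re.escape(name)}/(\d+(?:\.\d+)*)", banner)
    return parse_version(match.group(1)) if match else None


def modssl_needs_patch(banner: str) -> Optional[bool]:
    """True if mod_ssl is older than MODSSL_FIXED, False if at or above it,
    None if no mod_ssl version is advertised. A banner that hides versions
    cannot be judged from the banner alone; None is not the same as safe."""
    version = component_version(banner, "mod_ssl")
    if version is None:
        return None
    return version < MODSSL_FIXED


def triage(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by verdict so the ones to patch first stand out."""
    report: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, banner in banners.items():
        verdict = modssl_needs_patch(banner)
        key = "unknown" if verdict is None else ("patch" if verdict else "ok")
        report[key].append(host)
    return report


if __name__ == "__main__":
    for key, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{key:8s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need a follow-up check (package version on the host itself) rather than being dropped from the list.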
Info
Channel: HackerSploit
Views: 43,925
Keywords: hackersploit, kioptrix, kioptrix level 2, kioptrix 1, kioptrix 1.1, kioptrix level 1.3, kioptrix 1.2, kioptrix 4, kioptrix level 5, kioptrix level 3, kioptrix level 4, kioptrix level 1 walkthrough, ctf walkthroughs, ctf walkthrough defcon, mr robot ctf walkthrough, ctf hack the box, hacking, kali linux, compiling exploits, vulnhub walkthrough, hacker exploit, vulnhub kioptrix
Id: Qn2cKYZ6kBI
Length: 27min 29sec (1649 seconds)
Published: Sun Sep 23 2018