
Sunday, August 8, 2021

KIOPTRIX SERIES PENTEST: Walkthrough Level [I]

Hi everyone! Hahaha, so far so good.

Today we are going to run a pentest against the Kioptrix labs. In this series there are 4 machines, all running a Unix operating system.
The difficulty of exploitation increases with each machine, but overall it can be rated as an easy exploitation level.
All target machines are set up in a virtual environment on my local machine, and the whole process is done for learning purposes on my way to the OSCP certification.



KIOPTRIX LAB LEVEL [I]

On this machine we exploit a remote vulnerability in the Samba service (SMB V2 2.8 version) with a direct intrusion and privilege escalation, as you can see in the following video:

RECOGNITION PHASE:

NETWORK DISCOVERY:

We can use a couple of tools for this task. One of them is arp-scan, which sends ARP requests in broadcast mode and waits for the hosts' replies over the same protocol, as you can see below:



The other tool is netdiscover, based on the same idea but taking the network interface as a parameter:



NMAP:

In this step, from the attacker machine, we gather information about the open ports and services of our target machine. We can use some options to run NSE scripts and obtain information about vulnerabilities on the remote host.

kali@kali:~$ nmap -sC -sV -T4 -n -v 192.168.1.104 -oN target_machine
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 08:55 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating Ping Scan at 08:55
Scanning 192.168.1.104 [2 ports]
Completed Ping Scan at 08:55, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 08:55
Scanning 192.168.1.104 [1000 ports]
Discovered open port 139/tcp on 192.168.1.104
Discovered open port 443/tcp on 192.168.1.104
Discovered open port 22/tcp on 192.168.1.104
Discovered open port 111/tcp on 192.168.1.104
Discovered open port 80/tcp on 192.168.1.104
Discovered open port 1024/tcp on 192.168.1.104
Completed Connect Scan at 08:55, 1.11s elapsed (1000 total ports)
Initiating Service scan at 08:55
Scanning 6 services on 192.168.1.104
Completed Service scan at 08:55, 11.04s elapsed (6 services on 1 host)
NSE: Script scanning 192.168.1.104.
Initiating NSE at 08:55
Completed NSE at 08:56, 50.53s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.03s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Nmap scan report for 192.168.1.104
Host is up (0.67s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| MD5:   78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
|_SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
|_ssl-date: 2021-08-08T06:58:12+00:00; +1m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: 1m48s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1d>          Flags: <unique><active>
|_  MYGROUP<1e>          Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)

NSE: Script Post-scanning.
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.99 seconds


The conclusion of the nmap scan is that we found the open ports and services listed in the scan output above.

Example of an NSE vulnerability check against the SMB service: nmap --script smb-vuln* [target-IP]
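As an added example (not the post's own code), here is a small Python triage script that turns the nmap -oN output above into a port table and flags the legacy settings the NSE scripts reported (SSHv1, SSLv2, HTTP TRACE, an MD5-signed and expired certificate). The embedded sample lines are constructed from the scan output on this page, and the scan date passed in is the date of the post.

```python
import re
from datetime import datetime

# Constructed sample: lines lifted from the nmap -oN output shown above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Signature Algorithm: md5WithRSAEncryption
| Not valid after:  2010-09-26T09:32:06
|   SSLv2 supported
"""
# A port line: "22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Substrings in NSE script output that point to legacy or weak configuration.
LEGACY_MARKERS = [
    ("Server supports SSHv1", "SSH protocol 1 enabled"),
    ("SSLv2 supported", "SSLv2 enabled"),
    ("Potentially risky methods: TRACE", "HTTP TRACE enabled"),
    ("Signature Algorithm: md5", "certificate signed with MD5"),
]

def parse_ports(text):
    """Return [(port, proto, state, service, version)] from nmap normal output."""
    ports = []
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version.strip()))
    return ports

def find_legacy_issues(text, scan_date):
    """Attribute each NSE finding to the port block it appears under."""
    issues, current = [], None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            current = int(m.group(1))     # script lines that follow belong here
            continue
        issues += [(current, label) for marker, label in LEGACY_MARKERS if marker in line]
        if "Not valid after:" in line:    # ssl-cert expiry vs. the scan date
            expiry = datetime.fromisoformat(line.split(":", 1)[1].strip())
            if expiry < scan_date:
                issues.append((current, "certificate expired " + expiry.date().isoformat()))
    return issues
```

Run it on a full `-oN` file and every finding comes out tagged with the port it belongs to, which is what you want when turning a scan into a remediation list.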
 

EXPLOITATION:

In the exploitation phase we are going to check all the services and versions that are open on the victim machine.

22: ssh

kali@kali:~$ ssh root@192.168.1.104
Unable to negotiate with 192.168.1.104 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

It seems that the target machine's SSH server only offers legacy key exchange methods (diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1) that our client no longer accepts, so the encrypted connection cannot be negotiated.

80: http and 443: https







It seems that there is no web application deployed on the Apache 1.3.20 server, on either HTTP or HTTPS; the scan only shows the default Red Hat test page.


111/1024: rpc service


We could not connect to the RPC service either.

139: SMB

And finally we detect the vulnerable service, but we got an error when making the SSL negotiation with the target server.





In this exploitation phase, without using Metasploit, we look for the specific exploit for this vulnerable service:



For example, the one selected above, which matches the service version and operating system of the target machine.

Download:




Modify name and compile:


Exploit execution:



Spawn a reverse shell from the victim machine to the remote attacker machine:



And that's all for this lab level. I hope you will visit the next walkthrough, level [II], in my next post on the same blog, [https://roadtooscp-f0ns1.blogspot.com/], and we'll keep in touch.

With kind regards, f0ns1
