Vulnhub virtual machine. On the path to OSCP, this box offered an Apache/OpenSSL vulnerability which led to a custom version of the exploit, plus an environmental problem and its solution.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Initial setup:
This boot-2-root box is on the legacy side of things, and there are a few things that need to be done before this image will boot in VirtualBox:
- add the Kioptrix vmdk hard drive to storage as IDE (this box does NOT like SATA and will kernel panic)
- disable audio
- change the network adapter to PCnet-PCI II (AM79C970A) and make sure it is attached to an adapter
- disable usb
With this configuration you should be able to properly boot the box.
Enumeration
Searching for target:
The target looks to be 192.168.56.103.
Perform NMAP scan:
It is interesting to note that there are quite a few ports to examine.
Since this is an older box, let's search for any known vulnerabilities affecting Apache and its mod_ssl 2.8.4 / OpenSSL build.
searchsploit
Interesting candidate: Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuckV2.c’ Remote Buffer Overflow
Based on CVE-2002-0082: the mod_ssl session cache code fails to properly initialize memory when using a particular serialization function, which allows a buffer overflow and remote execution of arbitrary code.
Source: https://nvd.nist.gov/vuln/detail/CVE-2002-0082
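As an added example (not part of the original write-up), here is a small Python triage check that parses an Apache Server banner such as the mod_ssl 2.8.4 one discussed above and flags any mod_ssl version below 2.8.7, the fixed version for CVE-2002-0082. The banner strings are constructed for illustration; versions are compared numerically so that 2.8.12 is correctly treated as newer than 2.8.7.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version from the advisory referenced above: mod_ssl < 2.8.7 is affected by CVE-2002-0082.
MODSSL_FIXED = (2, 8, 7)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.4' or '0.9.6b' into a tuple of integers (trailing letters are dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def modssl_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the mod_ssl version from an Apache Server header, or None if it is not advertised."""
    m = re.search(r"mod_ssl/(\d+(?:\.\d+)*)", banner)
    return parse_version(m.group(1)) if m else None

def is_vulnerable_cve_2002_0082(banner: str) -> Optional[bool]:
    """True when the banner advertises mod_ssl older than 2.8.7; None if no mod_ssl is advertised."""
    v = modssl_version(banner)
    if v is None:
        return None
    # Tuple comparison is element-wise numeric, so (2, 8, 12) is NOT less than (2, 8, 7).
    return v < MODSSL_FIXED

# Constructed sample banners; the first mirrors the mod_ssl 2.8.4 build discussed on this page.
SAMPLE_BANNERS: List[str] = [
    "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",  # numerically newer than 2.8.7
    "Apache/2.4.41 (Ubuntu)",                              # no mod_ssl banner at all
]

def triage(banners: List[str]) -> Dict[str, str]:
    """Return {banner: verdict} where verdict is 'vulnerable', 'patched' or 'unknown'."""
    out = {}
    for b in banners:
        r = is_vulnerable_cve_2002_0082(b)
        out[b] = "unknown" if r is None else ("vulnerable" if r else "patched")
    return out

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:10s} {banner}")
```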
Exploit
Copy the exploit locally:
View the source:
Review the source for any embedded shellcode and replace it if needed.
Compile the source code:
It looks to be missing some dependencies.
Correction: the exploit above requires updating, and a corrected version can be found at this repository.
Download ptrace-kmod.c and start a Python SimpleHTTPServer in the directory containing the file.
Edit the external link at line 671 to point at that server.
Install dependencies:
Compile:
Run exploit:
Look up which service you are attempting to exploit, then use the following syntax to continue.
Running exploit against box:
The exploit hung while waiting on its race condition. Still, it was good to see ptrace-kmod.c being pulled from the SimpleHTTPServer.
Root - Plot Shift
Change of plans: I reverted back to the website, which I knew would not be reachable. At that point I performed the steps manually to change the term and get a bash shell.
bring me the root!