
Kioptrix-1
The boot-to-root write-up for the Kioptrix-1 machine. We explore two possible exploits for this VM!
HACKS
Ryan T. Pearson
6/14/2025 | 7 min read
Table of Contents
Setting Up the Vulnerable Machine
Enumeration: The First Step in Ethical Hacking
Using Nmap and Dirbuster
Identifying Vulnerabilities
Using Nikto to Scan for Vulnerabilities
Identifying the Samba Vulnerability
Exploiting the Samba Vulnerability
Gaining Root Access
Uncovering an OpenSSL Vulnerability
OpenSSL Overview
OpenLuck Exploit
Linux Kernel Overview
Escalating to Root with a Kernel Exploit
KIA ORA, FRIENDS!
I'm always excited to share my knowledge and experiences with others. In my recent YouTube video, I dove into the world of ethical hacking, and now I'm turning that video into a comprehensive blog post. If you're new to ethical hacking, this guide is perfect for you. We'll cover the basics, and I'll share some tips and tricks I've learned along the way... as well as the mis-hacks!
Before we begin, I want to apologize for the delay in releasing this content. I've been busy with a new job and haven't had the time to be creating. However, I'm back now and excited to share this tutorial with you!
Setting Up the Vulnerable Machine
To get started, you'll need to set up a vulnerable machine. I recommend using the Kioptrix vulnerable machine, which you can download from here. When you set it up in your hypervisor (the settings below are VirtualBox's), follow these steps to the letter:
* Set the network adapter to Host-only instead of Bridged
* Change the adapter type to PCnet-PCI II (Am79C970A), a card the VM's old kernel actually has a driver for
It's essential to follow these steps carefully: with the wrong adapter type the VM never gets a network address, and a target with no IP is a frustrating place to start. If you're unsure, you can always refer to the tutorial on the Ultimate Pentesting Guide.


Enumeration: The First Step in Ethical Hacking
Once you've set up your vulnerable machine, it's time to start the enumeration process. Enumeration is the process of identifying the open ports on a target machine, the services behind them, and their versions; the versions are what tell you where to go looking for known vulnerabilities. In this case, we're looking at the Kioptrix vulnerable machine, which has several open ports, including:
* OpenSSH
* RPC
* Samba (SMB)
* An old Apache web server (with an equally old OpenSSL behind its HTTPS port)
We'll focus on these ports and see if we can find any vulnerabilities. I'll also share some tips on how to use tools like Nmap and Dirbuster to aid in the enumeration process.
Using Nmap and Dirbuster
To start the enumeration process, I used Nmap to perform a quick ping sweep. This helps identify the IP addresses on the network and ensures that our target machine is still at the same IP address.
Next, I used Dirbuster to scan for open directories and files. Dirbuster brute-forces directory and file names against the web server from a wordlist, which surfaces content that isn't linked from the site and often points at the software (and version) running behind it.
As you can see from the output, we've got some interesting results. We've identified an index page, as well as two directories with directory listing enabled. We'll take a closer look at these directories and see if we can find any vulnerabilities.
Identifying Vulnerabilities
One of the directories we identified belongs to the Multi Router Traffic Grapher (MRTG). MRTG is written in Perl, and the Perl files sitting in that directory could potentially be vulnerable to exploitation, so they're worth noting.
We'll also take a look at the OpenSSH port and see if we can find any vulnerabilities. After some research, I found a potential vulnerability that allows for username enumeration.
This is just the beginning of our ethical hacking journey. We've identified some potential vulnerabilities, and now it's time to start exploiting them.

Zeroing in on Samba
Using Nikto to Scan for Vulnerabilities
We'll use Nikto, a web server scanner, to identify potential vulnerabilities on the target machine. Nikto can scan for server and software misconfigurations, default files and programs, insecure files and programs, and outdated servers and programs.
Identifying the Samba Vulnerability
Nikto only looks at the web server, so the Samba lead doesn't come from it; it comes from the enumeration phase, where we saw Samba listening. We'll use the SearchSploit tool to look up known exploits for the Samba version it's running.

Exploiting the Samba Vulnerability
We'll use the Metasploit framework to exploit the Samba vulnerability: load the matching exploit module, point it at the target machine, pick a payload, and run it.
Instant Root Access!
Normally an exploit like this would land us a shell as whatever account the service runs under, with privilege escalation still ahead of us. But smbd on this box runs as root, so the exploit took us straight to a root shell! We take a look around /var/spool/mail/ and find the flag file, which contains a congratulatory message!
I sure stumbled getting there, though! (Watch the video.)


Uncovering an OpenSSL Vulnerability
After reviewing the NMAP scan results, I noticed the old OpenSSL version was something to keep an eye on. So I did a quick DuckDuckGo search and found a write-up on an exploit targeting this version. Now, I won't say the original name of the exploit out loud since it's not exactly family-friendly... we'll follow this poster's lead and call it "OpenLuck". But the key is that it takes advantage of a vulnerability in how OpenSSL handles the SSLv2 protocol during the client-server handshake.
What is OpenSSL?
OpenSSL is the library that gives applications SSL/TLS: it encrypts data in transit so that someone who intercepts the traffic can't read or tamper with it. That interceptor is what's called an adversary-in-the-middle (or "man-in-the-middle"/"MitM", depending on your study material). The irony here is that the component meant to keep attackers out of the connection is the very thing that lets us in.
The SSLv2 Protocol Handling Issue:
This OpenLuck exploit targets a vulnerability in how OpenSSL handles the SSLv2 protocol. SSLv2 is the oldest version of the Secure Sockets Layer protocol, long deprecated because of its many weaknesses. The specific issue occurs during the SSLv2 handshake: when the client sends its CLIENT-MASTER-KEY message, it includes a KEY-ARG value together with a length field saying how long that value is. The server copies the value into a fixed-size field of its session structure without checking that the claimed length fits, so a malicious client can simply claim a length far larger than the field and send that many bytes.
There are two key components to this exploit:
1. Buffer Overflow: Imagine a bucket (buffer) that can hold a certain amount of water (data). If you try to pour more water into the bucket than it can hold, the excess water spills over the sides. In this analogy, the bucket is a buffer and the water is the data. So, if a program stores more data in a buffer than it was designed to hold, the extra data "spills over" into adjacent areas of memory. Here the adjacent memory is the rest of the session structure, and what the attacker writes there decides what the server does next.
2. Protocol Handling Issue: The overflow is reachable because of how the SSLv2 negotiation is handled. Nothing in the protocol stops a client from sending an oversized KEY-ARG; validating the length is the server's job, and vulnerable versions of OpenSSL didn't do it. The "specially crafted data" is just a handshake message whose KEY-ARG length is larger than the field, followed by the attacker's bytes.
By exploiting a vulnerability like this, a threat actor may be able to execute arbitrary code as the vulnerable server process. On this target that means code running as the web server's unprivileged user, not root. Even though the privileges are limited to the process's permissions, a foothold like that can still lead to a complete takeover of the system... as you're about to see in this next part of the video.
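Points 1 and 2 above, as an added example that is not from the original post and is not OpenSSL's code: a stripped-down C re-creation of the server side of the SSLv2 CLIENT-MASTER-KEY step, with the unchecked copy beside the 0.9.6e-style length check. The message layout is SSLv2's; the struct session layout (an 8-byte key_arg followed by a canary standing in for the rest of the session state), the function names and the return codes are assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSL2_MT_CLIENT_MASTER_KEY 2
#define SSL_MAX_KEY_ARG_LENGTH    8   /* size of OpenSSL's key_arg field */
#define CMK_HDR_LEN               10  /* type(1) cipher(3) clear(2) enc(2) keyarg(2) */
#define TAIL_FILL                 0xAA

/* Simplified session (demo assumption). In OpenSSL, key_arg is a field of
 * SSL_SESSION with more session state after it; 'tail' is a canary standing in
 * for that state so we can see whether a copy ran past key_arg. */
struct session {
    unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
    unsigned char tail[8];
};
struct outcome { int rc; int tail_corrupted; };

void session_init(struct session *s)
{
    memset(s->key_arg, 0, sizeof s->key_arg);
    memset(s->tail, TAIL_FILL, sizeof s->tail);
}

int session_tail_corrupted(const struct session *s)
{
    size_t i;
    for (i = 0; i < sizeof s->tail; i++)
        if (s->tail[i] != TAIL_FILL) return 1;
    return 0;
}

/* Parse the SSLv2 CLIENT-MASTER-KEY header and locate KEY-ARG-DATA:
 *   MSG-TYPE(1) CIPHER-KIND(3) CLEAR-KEY-LEN(2) ENC-KEY-LEN(2) KEY-ARG-LEN(2)
 *   CLEAR-KEY-DATA ENC-KEY-DATA KEY-ARG-DATA
 * Returns KEY-ARG-LEN, or -1 if the message is malformed or shorter than the
 * lengths it claims. KEY-ARG-LEN is NOT compared with the destination field. */
static int cmk_locate_key_arg(const unsigned char *m, size_t len, const unsigned char **ka)
{
    unsigned clear, enc, keya;
    if (len < CMK_HDR_LEN || m[0] != SSL2_MT_CLIENT_MASTER_KEY) return -1;
    clear = ((unsigned)m[4] << 8) | m[5];
    enc   = ((unsigned)m[6] << 8) | m[7];
    keya  = ((unsigned)m[8] << 8) | m[9];
    if ((size_t)clear + enc + keya > len - CMK_HDR_LEN) return -1;
    *ka = m + CMK_HDR_LEN + clear + enc;
    return (int)keya;
}

/* Pre-0.9.6e behaviour: the client-chosen length drives the copy into the 8-byte field. */
int handle_cmk_vulnerable(const unsigned char *m, size_t len, struct session *s)
{
    const unsigned char *ka;
    int keya = cmk_locate_key_arg(m, len, &ka);
    if (keya < 0) return -1;
    /* Byte pointer to the whole object keeps this demo's overrun inside 'struct session';
     * OpenSSL's memcpy had no such limit. */
    memcpy((unsigned char *)s + offsetof(struct session, key_arg), ka, (size_t)keya);
    return 0;
}

/* 0.9.6e-style fix: refuse the handshake if KEY-ARG is longer than the field. */
int handle_cmk_fixed(const unsigned char *m, size_t len, struct session *s)
{
    const unsigned char *ka;
    int keya = cmk_locate_key_arg(m, len, &ka);
    if (keya < 0) return -1;
    if (keya > SSL_MAX_KEY_ARG_LENGTH) return -2;  /* SSL_R_KEY_ARG_TOO_LONG */
    memcpy(s->key_arg, ka, (size_t)keya);
    return 0;
}

/* Constructed CLIENT-MASTER-KEY: no clear/encrypted key bytes, KEY-ARG of 'keya' bytes of 'A'. */
size_t build_cmk(unsigned char *buf, size_t cap, unsigned keya)
{
    if (keya > 0xFFFF || cap < CMK_HDR_LEN + (size_t)keya) return 0;
    memset(buf, 0, CMK_HDR_LEN);
    buf[0] = SSL2_MT_CLIENT_MASTER_KEY;
    buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x80;  /* CIPHER-KIND: RC4-128-MD5 */
    buf[8] = (unsigned char)(keya >> 8);
    buf[9] = (unsigned char)(keya & 0xFF);
    memset(buf + CMK_HDR_LEN, 'A', keya);
    return CMK_HDR_LEN + keya;
}

/* Feed one message with a KEY-ARG of 'keya' bytes to either handler. */
struct outcome run_cmk(unsigned keya, int use_fix)
{
    unsigned char msg[128];
    struct session s;
    struct outcome o;
    size_t n;
    if (keya > sizeof s) keya = sizeof s;  /* harness guard: overrun stays observable, not a stack smash */
    n = build_cmk(msg, sizeof msg, keya);
    session_init(&s);
    o.rc = use_fix ? handle_cmk_fixed(msg, n, &s) : handle_cmk_vulnerable(msg, n, &s);
    o.tail_corrupted = session_tail_corrupted(&s);
    return o;
}
int main(void)
{
    struct outcome v = run_cmk(16, 0), f = run_cmk(16, 1);
    printf("unchecked: rc=%d overwritten=%d | checked: rc=%d overwritten=%d\n",
           v.rc, v.tail_corrupted, f.rc, f.tail_corrupted);
    return 0;
}
```

Build it with cc and run it: the unchecked handler accepts a 16-byte KEY-ARG (rc=0) and the canary after key_arg is overwritten, while the checked handler rejects the same message (rc=-2) and leaves the session untouched. The harness caps the overrun inside the struct so you can observe it instead of crashing; the real exploit has no such courtesy and uses what it overwrites past key_arg to take control of the web server process.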
The key to protecting against exploits like OpenLuck is keeping software up to date. When vulnerabilities are discovered, developers usually release patches to fix them, and applying those patches to the affected asset promptly takes the exploit off the table. Also, disabling outdated and insecure protocols like SSLv2 is crucial for maintaining the security of online communications: the vulnerable code here can't even be reached if the server refuses to negotiate SSLv2. Obviously, this entire demonstration uses assets and vulnerabilities that are very old and obsolete... but the principle holds just as true for vulnerabilities discovered only last week. You gotta patch it.
As with most buffer overflow exploits, it may take several attempts before success: the exploit has to hit the right memory layout for the exact Apache/OpenSSL build on the target, and a wrong guess just crashes that server child. I just lucked out that it only took me one.
Escalating to Root with a Kernel Exploit
Okay, so now that we have a foothold, let's see if we can escalate our privileges all the way to root. I bookmarked a page with some kernel exploits for the 2.4.7 kernel version we're dealing with. We find more details on the "ptrace k-mod" exploit here.
What is the Linux kernel?
The Linux kernel is the core part of the Linux operating system. It manages the system's hardware resources and provides services to applications running on the system. Think of the kernel as the "brain" of the operating system.
What is a kernel module?
A kernel module is a piece of code that can be loaded into the kernel to add new functionality or modify existing behavior. Kernel modules are like plugins for the kernel. This modularity is part of Linux's appeal to people
The ptrace/kmod bug lives in exactly this module machinery: when a 2.4 kernel needs a module it hasn't loaded, it spawns a privileged helper process to load it, and for a brief window an unprivileged local user can attach to that helper with ptrace and make it run their code as root. We set up an HTTP server on the attack box, and host the source for the ptrace/kmod exploit there. Then, with our foothold from OpenLuck, we can use wget to pull the code down to the target machine, compile it (the target needs a C compiler for that, or you build a static binary elsewhere), and run it. Because the bug is a race, the exploit won't necessarily win on the first run. I needed to exit and go back in a few times before gaining root access, but I did not make any other changes to get there!

Conclusion
In this post, we've covered two routes to root on the Kioptrix virtual machine: a Samba exploit that lands directly in a root shell, and an OpenSSL exploit that gives a low-privileged foothold which a kernel exploit then escalates to root. We've used several tools, including Nmap, Dirbuster, Nikto, SearchSploit, and Metasploit, to identify and exploit the vulnerabilities. I hope you've enjoyed this tutorial and found it informative. If you have any questions or comments, please don't hesitate to reach out.


KIA ORA!
