Source: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
I took a little break to try out hackthebox.eu (which I highly recommend!). Unfortunately due to the member rules I won’t be posting any writeups for the vulnerable machines there. Also ended up switching over to Arch Linux on my main lab workstation so that ended up consuming a lot of time getting setup again.
I’m planning on going through the entire series of Kioptrix Vulnhub VMs as they’re often recommended as additional practice for OSCP. And with that…let’s get started on part 1 of the series!
Starting with the typical nmap host discovery scan to detect the IP:
nmap 192.168.111.0/24 -sP
Annnnnd…no machine was found. This is an older VM so I had to play around with the hardware settings in Virtualbox a little to get it to work. Changing the network adapter seemed to do the trick:
Looks good now and we have the target IP so let’s now do a OS an service scan against it.
nmap 192.168.111.101 -O -sV
Lots of open services! Curious what 32768 could be used for I did some googling and it’s often associated with a trojan called “Hacker’s Paradise”, Filenet TMS, and a few other things.
Let’s start by navigating to the HTTP site.
What we find is basically the default index page you get right after installing Apache. HTTPS version of the site is no different.
I haven’t done a lot of SAMBA exploitation yet so I figure this is a good opportunity to try that out. Within Metasploit’s AUX modules there’s a scanner that will return back the specific SAMBA version running.
Looking at Samba 2.2.x vulnerabilities on exploit-db.com I’m seeing a fair number of buffer overflow attacks. Let’s try this one written by H D Moore himself.
I tried a few more times, but that didn’t end up being successful. The other big exploit found in 2.2.x searches was for a remote code execution vulnerability with “trans2open”. There just happens to be a Metasploit module for this as well so let’s load that and give a try.
The exploit seemed to work but the Meterpreter sessions were dying pretty much immediately. I was using the default payload (linux/x86/meterpreter/reverse_tcp) and tried switching to “generic/shell_reverse_tcp” instead.
That worked immediately and we have our root shell!
At this point I poked around /home/ and found two user dirs: john & harold. Neither had anything interesting that I found.
/var/www didn’t seem to contain anything of note.
/root/ had an “anaconda-ks.cfg” in it.
I ran a locate on john, harold, root and that generated some good leads to follow which eventually led me to /var/spool/mail/. Files for john + harold were empty, but root…
Root had our flag! And that’s the end of part one…more to come soon.