Monday, January 30, 2017

Kioptrix Level 1

I figured I would start easy and move on from there. While I have done this one and several others before I have not written about it. Starting out I relied on ready through walkthroughs myself. It’s a good way to learn. 

One thing I have seen is many people tend to show what they did, but they don’t explain why and how they came up to the solution. Since I’m not the first to write about this I figured I would add some explanation on how I figure things out, and the why.   

So here is my take on Kioptrix level 1:

First off I fired up my VM environment. This is done on my Gaming desktop. Its a beast so it can handle a few VM's running.

I already know the IP address the Kioptrix 1 is running on. but I don't know anything else about it. 

First things first I fire up nmap and perform a quick scan:


nmap can provide a lot more detail then just that. By running a more intensive scan your able to get a lot more information about the target:

#nmap -T4 -A -v

We have the following running:
SSH version 2.9p2
Apache 1.3.20 & mod_ssl 2.8.4, OpenSSL 0.9.6b
rpcbind 2
netbios-ssn samba smbd

Only the test page shows up when opening up a web browser directed at Kioptrix level 1.
Now taking these services to the internet to any exploits

Here I find a few exploits for Apache 1.3.20, I'll check for a web-page later.
For Samba Kali has a tool for it: enum4linux


Among a lot of other information, we get the samba version:

ExploitDB doesn't show anything for samba 2.2.1. Luckily a search for samba 2.2 came up with a lot. Kali also has exploit database built into it. 

Searchsploit can be explained in the above link. Its simple to use and offers a lot information. Left column of the search results shows what the exploit is, and the right column is where to find it.

Doing the same search (for samba 2.2) I get a good list of things to try:

The first few jump out at me, so I'm going to try them.

 After waiting 20 minutes I decided to leave this terminal open and try another exploit. I went with the remote root exploit.

Since its written in C I compile then run this exploit:
#gcc 10.c -O samba10c
#./samba10c  -b 0 -v

 ....And I'm in!

No comments:

Post a Comment