OSCP Series: Kioptrix Level 1

Another day, another challenge.

I am studying for the OSCP exam. I read the following boot-to-root is a good VM to root in preparation for the exam.

Anyway without further ado…

Note: I set Kioptrix and Kali to both Bridged, so both VMs are on the same network. Please make sure to do this or the walkthrough will not work.

Booting the Kioptrix machine we see the following…

Kioptrix_boot

Hmm… so we need to acquire root of this machine. And we’re presented with a login prompt.

Going to our Kali machine, we first need to find open the terminal and find the IP address of the Kioptrix machine.

To do this, type netdiscover followed by Enter.

For me, the IP address is 192.168.0.10, this will be different for you.

Now, let’s see which services are running on the Kioptrix VM.

Type nmap -sV (TCP scan) <IP_ADDRESS> in my case my IP address is 192.168.0.10.

Below is a screenshot:

kioptrix_services

We have the following services open – ssh, http, rpcbind, netbios-ssn, ssl/http, status

Let’s look at the http page and see if we can find something useful

Kioptrix_html

Nothing useful was listed here. Let’s go back to the services above and see if we can use another vector to find gems in the VM.

We see there’s a Samba server running on 139.

Maybe we can enumerate this server and get more information.

What can we use to enumerate?

There’s a useful tool called enum4linux which enumerate SMB servers for goodies.

Running the command enum4linux -a <IP_ADDRESS> we get:

Kioptrix_enum1Kioptrix_enum2Kioptrix_enum3Kioptrix_enum4Kioptrix_enum5Kioptrix_enum6Kioptrix_enum7Kioptrix_enum8

As you can see the tool returns a lot of data. The important pieces are:

  1. The server version of Samba server
  2. The different groups and users for the server

Looking at the output we see the Samba server is 2.2.1a

Let’s see if we can find an exploit for this server version.

Using searchsploit we have the following:

Kioptrix_SambaKioptrix_Samba2

OK, this looks promising.

Let’s try the first exploit. We need to copy the exploit to our current directory.

kioptrix_first_exploit

This is a perl program, so let’s see what we need to supply to get the exploit working:kioptrix_first_exploit2

We need to supply a target type, our ip, and a target ip. After supplying the correct information we have the following:

kioptrix_first_exploit3

The exploit didn’t work. Let’s try another.

Going back to the searchsploit results, the second exploit – Samba 2.2.8 – Remote Root Exploit, we see that it’s a c program.

First, let’s copy this file to our current location.

kioptrix_copy

Now we need to compile this file.

Using the gcc compiler, we can have a working exploit.

kioptrix_gcc

Let’s see what options we can use for this exploit…

kioptrix_sambaSploit

OK. We need to specify the platform (-b), it’s good to have the verbose (-v), and specify the host. Let’s see a screenshot of this.

kioptrix_remote

Score! We were able to gain a shell!!

OK, let’s see if we can find some goodies…

kioptrix_remote2

Looking at the bash history we see mail has been accessed.  Let’s try accessing the mail.kioptrix_remote4

Going to the inbox and reading the first message, we see the above message.

Score! We have successfully completed this boot to root!!

Advertisements