VulnHub | Kioptrix Level 1

Anas Ibrahim
6 min readSep 12, 2022

--

Kioptrix Level 1

Hello guys , This is the easiest machine on VulnHub , So i decided to solve it to share knowledge with you and i hope you like my methodology

The machine will learn you how to scanning open ports using Nmap and how to exploit the vulnerable services on these ports to get directly root access on the machine.

Let’s start our journey

My methodology in this machine : (IP info — Mac address — Port scanning — Public Vulnerabilities — Enumeration — Exploitation)

machine link : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

After installing it on your VMware , you need to know the IP of it

You can use nmap with -sP option to know the live hosts

or you can use netdiscover tool which is built-in kali to know the live hosts

sudo netdiscover -r 192.168.1.1/24

The output was

So our IP which hostname called VMware, Inc (192.168.1.104)

so , i created a simple script using bash to grep all the live hosts on my network

#!/bin/bashnmap -sP 192.168.1.1/24 | grep "for" | cut -d " " -f 5

The output was

live hosts

The machine ip is 192.168.1.104

Scanning using Nmap

Nmap is a great tool which built-in kali , Nmap is short for Network Mapper. It is an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications.

sudo nmap -sV 192.168.1.104 -o nmap_scan

The machine has open ports like 22,80,111,139,443,1024

I think that 22,139,443 is the most important ports and so we’ll search about service’s version like openssh , smb , mod_ssl

Navigate to http://192.168.1.104 in your browser

I didn’t find any thing interesting or sensitive, so try to fuzzing directories with tools like (gobuster — ffuf — diresearch)

i used diresearch with this command to grep the successful status code

sudo dirsearch -u 192.168.1.104 --full-url --exclude-status=404,403,401,500

I didn’t find any thing sensitive from these directories

#Enumerating HTTP

I used nikto vulnerability scanning with the help of the following command -> nikto -h http://192.168.1.104

nikto

so , i found that the version was vulnerable with CVE-2002–0082

#Exploiting HTTP

After scanning i noticed that the server version is Apache/1.3.20 mod_ssl/2.8.4

Search on google about (mod_ssl/2.8.4 exploit) or using searchsploit tool which built-in kali

the version vulnerable with remote buffer overflow and the exploit called openfuck

This an exploit i found it on github https://github.com/exploit-inters/OpenFuck

openfuck exploit

After downloading the repo and installing it , then use this command to exploit the vulnerability

run the exploit ./OpenFuck to know which brute force belong to the vulnerable version (Apache-1.3.20)

0x6a -> RedHat Linux 7.2 (apache-1.3.20–16)1

0x6b -> RedHat Linux 7.2 (apache-1.3.20–16)2

-c range of [40–50] -> Number of connection.

I found that 0x6a and 0x6b belonged to the vulnerable version, so i can try both of them

./OpenFuck 0x6a 192.168.80.145 443 -c 40

Unfortunately it’s not working . so try to replace 0x6a with 0x6b and 40 with 50

./OpenFuck 0x6b 192.168.80.145 443 -c 50

It’s the right one and i get a root access by using mod_ssl port

root access

whoami => root

Congratulations ..

Another way to get a root access on the machine

Let’s scanning rpc port and work on it to test if it vulnerable or not

scanning rpc

So , i did’t find anything sensitive or interesting

Navigate to scan smb port to know if it’s version vulnerable or not

#Enumerating Samba

I will use smbclient , it’s a command line tool similar to a ftp connection while smbfs allows you to mount a SMB file share

smb server using anonymous login

smbclient scan

I found that there are 2 file shares IPC$ & ADMIN$

Login with anonymous and try to open file share IPC$

smbclient scan

I didn’t find any thing in file share IPC$ , so when i tried to login with anonymous on ADMIN$ , the connection failed

The version which appear in port scanning was samba smbd , so to know the right smb version , i used metasploit to know the version , then search on smb_version module in msfconsole .

Finally i get the right smb version (Samba 2.2.1a)

samba 2.2.1a

#Exploiting Samba

This version may be vulnerable to trust this , i searched about samba 2.2.1a exploits on google and i found it has a CVE-2003–0201

I used searchsploit tool to find exploits and i found remote code execution for this version

samba exploits

to know the path of this exploit on your machine , use this command

searchsploit -p 10.c

Navigate to this path => /usr/share/exploitdb/exploits/multiple/remote

gcc -o exploit 10.c => the exploit will be in file called exploit with executing permession

./exploit -b 0 192.168.1.104

-b 0 used for brute forcing

root access

Congratulations , you get root access

Another way to get root access from samba 2.2.1a

Ths exploits the buffer overflow found in samba versions 2.2.0 to 2.2.8

I tried to use this exploitation which called trans2open , so this exploit has been written by using ruby language

Then i found this exploit in metasploit and i used this module exploit/linux/samba/trans2open and complete the options

Wow , i get shell for the third time and i changed password to login in kioptrix level 1 with new password

login with username = root and my new password
I passed kioptrix level 1

Congratulations , I hope you like the write-up

Thanks for reading

LinkedIn

--

--

Anas Ibrahim
Anas Ibrahim

No responses yet