Greetings! I thought I would take a break from March Madness (go Duke!) to make a post about attacking another system downloaded from VulnHub. This one is called Kioptrix Level 1, so let’s get started!
I had some trouble getting Kioptrix to talk to my virtual network on VirtualBox, so I switched over to VMware.
Let’s boot up both our Kali system and the Kioptrix VM and see if we can find it on the network. We can run netdiscover on our attacking system to see what we have.
There it is! Kioptrix is located at 192.168.64.159. Now let’s scan it with nmap to see what services and ports are open.
We have a few options here! The one that stands out to me is port 139, netbios-ssn. As we can see, under the version column, it says Samba. That’s great! However, nmap’s banner only tells us it is Samba, not which release, and the exact version is what decides whether a known exploit applies. We’ll load up Metasploit for this and use one of its auxiliary scanner modules. Let’s start with a simple search for smb once in the msfconsole.
We’re going to get a lot of options back, but let’s focus on the module auxiliary/scanner/smb/smb_version.
The only option we need to set is the remote host, which will be 192.168.64.159. After we run the module (it is a scanner, not an exploit, so nothing is attacked yet), we get what we’re looking for: Samba version 2.2.1a! This is perfect, because now we can start looking for a specific exploit. We could do this through Metasploit, but I wanted to use another tool, called searchsploit, for finding an exploit. Searchsploit is a command-line front end to a local copy of the Exploit-DB archive, so the search works entirely offline on our system!
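To see what smb_version is actually doing when it reports “Samba 2.2.1a”, here is an added example (my own code, not something from the original post or from Metasploit): it speaks just enough SMB1 to open an anonymous null session and read the NativeOS, NativeLanMan and PrimaryDomain strings the server volunteers in its Session Setup AndX reply. It assumes the target accepts the classic, pre-SPNEGO session setup and a null session, which a 2.2-era Samba does; newer servers that demand extended security or refuse anonymous logons will return a non-zero NT status instead. The NetBIOS calling name PYTHON, the client-side NativeLanMan string and the sample reply bytes are all made up for the example.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000

def nb_name(name, suffix=0x20):
    """NetBIOS first-level encoding: pad to 15 chars, append the suffix byte,
    emit each nibble as a letter A..P. Always 34 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"

def smb_header(command, flags2=0x0001, uid=0, mid=1):
    """32-byte SMB1 header. flags2=0x0001 asks for long names but not Unicode
    (0x8000), so a 2.2-era Samba answers with plain ASCII strings."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18, flags2,
                       0, b"\x00" * 8, 0, 0, 0x1234, uid, mid)

def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"  # offer one dialect only
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects

def session_setup_request(session_key=0):
    """Classic (pre-SPNEGO) Session Setup AndX, 13 words. A one-byte NUL OEM
    password plus an empty account name is the anonymous 'null session'."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, session_key, 1, 0, 0, 0)
    data = b"\x00\x00\x00Unix\x00Python\x00"  # pw, account, domain, NativeOS, NativeLanMan (made up)
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", len(data)) + data

def _cstrings(data, unicode, count=3):
    """Pull `count` NUL-terminated strings (ASCII or UTF-16LE) out of data."""
    out, step = [], 2 if unicode else 1
    for _ in range(count):
        i = 0
        while i + step <= len(data) and data[i:i + step] != b"\x00" * step:
            i += step
        out.append(data[:i].decode("utf-16-le" if unicode else "latin-1", "replace"))
        data = data[i + step:]
    return tuple(out)

def parse_session_setup_response(pkt):
    """Return (NativeOS, NativeLanMan, PrimaryDomain) from a Session Setup AndX
    reply; pkt is the SMB message without the 4-byte NetBIOS framing."""
    magic, command, status, _flags, flags2 = struct.unpack_from("<4sBIBH", pkt, 0)
    if magic != b"\xffSMB" or command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX response")
    if status != 0:  # e.g. STATUS_ACCESS_DENIED when null sessions are refused
        raise ValueError("session setup rejected, NT status 0x%08x" % status)
    offset = 33 + 2 * pkt[32]  # skip WordCount and the parameter words
    bytecount = struct.unpack_from("<H", pkt, offset)[0]
    offset += 2
    unicode = bool(flags2 & FLAGS2_UNICODE)
    if unicode and offset % 2:  # UTF-16 strings are padded to a 2-byte boundary
        offset, bytecount = offset + 1, bytecount - 1
    return _cstrings(pkt[offset:offset + bytecount], unicode)

def _exchange(sock, msg):
    """NetBIOS session message: type 0x00 + 24-bit big-endian length."""
    sock.sendall(struct.pack(">I", len(msg)) + msg)
    hdr = sock.recv(4)
    body, want = b"", int.from_bytes(hdr[1:4], "big")
    while len(body) < want:
        chunk = sock.recv(want - len(body))
        if not chunk:
            break
        body += chunk
    return body

def fingerprint(host, port=139, timeout=5):
    """Live equivalent of smb_version: NetBIOS session request (139 only),
    Negotiate, anonymous Session Setup, then read the banner strings."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 139:
            req = nb_name("*SMBSERVER") + nb_name("PYTHON", 0x00)  # calling name is arbitrary
            s.sendall(b"\x81" + len(req).to_bytes(3, "big") + req)
            if s.recv(4)[:1] != b"\x82":
                raise ConnectionError("NetBIOS session request refused")
        neg = _exchange(s, negotiate_request())
        if neg[32] != 17:  # 17 parameter words = NT LM 0.12 accepted
            raise ValueError("server did not accept NT LM 0.12")
        session_key = struct.unpack_from("<I", neg, 48)[0]
        return parse_session_setup_response(_exchange(s, session_setup_request(session_key)))

def sample_response(unicode=False):
    """Constructed reply (not a capture) shaped like Samba 2.2.x's answer."""
    names = ["Unix", "Samba 2.2.1a", "MYGROUP"]
    if unicode:
        data = b"\x00" + b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
    else:
        data = b"".join(n.encode("ascii") + b"\x00" for n in names)
    words = struct.pack("<BBHH", 0xFF, 0, 0, 1)  # no AndX chain, Action=1 (guest)
    return (smb_header(SMB_COM_SESSION_SETUP_ANDX, 0x8001 if unicode else 0x0001, uid=100)
            + b"\x03" + words + struct.pack("<H", len(data)) + data)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fingerprint(sys.argv[1]))  # e.g. python3 smbver.py 192.168.64.159
```

Run it with the Kioptrix address as the only argument and you get the same three strings the Metasploit module prints. The important detail is that the version string is handed over before any password check happens, which is why an unauthenticated scanner can read it, and why it is worth remembering that a Samba box leaks its exact release to anyone who can reach port 139.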
Okay, to get started, we just need to type in “searchsploit” followed by the name of the service we’re trying to exploit, in this case “searchsploit samba”. We can try to narrow down our results further by being more specific. Here, I looked for samba 2.
We still get lots of exploits returned, so let’s pick one. The exploit Samba < 2.2.8 Linux – Remote Code Execution looks promising: 2.2.1a is well inside that range, which is exactly why we bothered to get the precise version first. Searchsploit’s mirror option (-m) copies the exploit file into the current directory, so let’s copy it over to our system.
Now that it’s copied over, we’ll change the permissions on the exploit using chmod. Strictly speaking this step isn’t required: gcc doesn’t care whether the source file is executable, and it marks the binary it produces as executable on its own.
Our next step will be to compile the exploit! We can do this with gcc, the C compiler. Exploit code from this era usually throws a pile of warnings on a modern compiler; that’s normal, and as long as gcc produces a binary we’re fine.
Here, I just named the compiled exploit “kiop”, but feel free to name it whatever you like. Let’s try to run the exploit! Doing a simple “./kiop” command with no arguments prints the usage and the switch options for this exploit.
Alright, we’ll have to specify the platform and IP address, so let’s do that!
Exploit successful! We can see that we have root access! Before celebrating, it’s worth confirming with a quick “id” or “whoami” in the shell that you really are uid 0 and not just some unprivileged user the exploit dropped you into.
Kioptrix Level 1 was a simple enough box to attack and get root access, but it was still very enjoyable!
Thanks for reading!