Kioptrix
In keeping with my OSCP preparation, we have another vulnerable server. There are at least four of these, all varying in difficulty. We will begin with the first one and work our way through the rest of them. These were recommended by a Reddit poster; the link has been posted on my blog. Let's get going with these and find out what we don't know.
Kioptrix: Level 1 (we will be using method 1 on this server)
First we find out which services are open on this server. Using nmap we can accomplish this task.
For the sake of space I have cut out the long output from nmap. The command that I used was: sudo nmap -vv -Pn -A -sS -T 4 -p- 172.20.10.13
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
We can see that this server is running Apache 1.3.20. But let's keep enumerating; speaking of enumerating, let's use enum4linux.
enum4linux -a 172.20.10.13
========================================
| OS information on 192.168.80.132 |
========================================
[+] Got OS info for 192.168.80.132 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.80.132 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03
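As an added example (not part of the original walkthrough), here is a small Python triage script that reads the nmap and enum4linux lines above and turns them into the list a defender would want on a remediation ticket: SSHv1 support, the TRACE method, the end-of-life Apache 1.3 line, and the Samba 2.2 release. The sample text is copied from the output shown above; the version thresholds, the Finding type and the port-139 assumption for Samba are mine.

```python
"""Triage helper for the nmap / enum4linux output shown in this post.
Example code added for this write-up, not part of the original walkthrough.
The sample strings below are copied from the output above; the end-of-life
thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the nmap lines shown earlier in the post (the 22/tcp
# line itself was cut from the post, so the sshv1 script line stands alone).
NMAP_SAMPLE = """\
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
"""

# Constructed sample: the enum4linux line that names the Samba version.
ENUM4LINUX_SAMPLE = ("[+] Got OS info for 192.168.80.132 from smbclient: "
                     "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]")

SMB_PORT = 139  # assumption: report Samba findings against the netbios-ssn port


@dataclass(frozen=True)
class Finding:
    port: Optional[int]  # None when the finding is not tied to a port line
    title: str


# "80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 (...)": port, proto,
# service name, optional -vv reason/ttl columns, then the version string.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(?:syn-ack\s+ttl\s+\d+\s+)?(.*)$")
APACHE_VER = re.compile(r"Apache httpd (\d+)\.(\d+)\.(\d+)")
SAMBA_VER = re.compile(r"Server=\[Samba (\d+)\.(\d+)")


def triage_nmap(text: str) -> List[Finding]:
    """Flag legacy protocol support and EOL Apache in nmap normal output."""
    findings: List[Finding] = []
    port: Optional[int] = None  # script lines ("| ...") belong to the last port line
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
            a = APACHE_VER.search(m.group(4))
            # assumption: every Apache httpd line before 2.4 is end-of-life
            if a and (int(a.group(1)), int(a.group(2))) < (2, 4):
                findings.append(Finding(port, f"end-of-life Apache {a.group(1)}.{a.group(2)}.{a.group(3)}"))
            continue
        if "Server supports SSHv1" in line:
            findings.append(Finding(port, "SSH protocol 1 enabled"))
        elif "Potentially risky methods:" in line and "TRACE" in line:
            findings.append(Finding(port, "HTTP TRACE method enabled"))
    return findings


def triage_enum4linux(text: str) -> List[Finding]:
    """Flag the Samba release reported by enum4linux/smbclient."""
    findings: List[Finding] = []
    for line in text.splitlines():
        s = SAMBA_VER.search(line)
        # assumption: treat every Samba release before 4.x as end-of-life;
        # the 2.2 branch is the one the post's CVE-2003-0201 exploit targets.
        if s and int(s.group(1)) < 4:
            findings.append(Finding(SMB_PORT, f"end-of-life Samba {s.group(1)}.{s.group(2)}.x"))
    return findings


def triage(nmap_text: str, enum_text: str) -> List[Finding]:
    """Combined remediation list, nmap findings first."""
    return triage_nmap(nmap_text) + triage_enum4linux(enum_text)


if __name__ == "__main__":
    for f in triage(NMAP_SAMPLE, ENUM4LINUX_SAMPLE):
        print(f"{f.port if f.port is not None else '-':>5}  {f.title}")
```

Run it as-is and it prints the five items from the sample; point it at a saved nmap -oN file plus the enum4linux log to reuse it on another host.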
Again, for the sake of space, I've picked one vulnerability, and that's Samba 2.2.1a. Doing research I found this exploit on Exploit-DB: https://www.exploit-db.com/exploits/764/
Let's fire up Metasploit and search for CVE-2003-0201. Choose exploit/linux/samba/trans2open.
Next we need to edit the settings for this exploit. Make sure to set the right RHOST and RPORT. We also want to make sure we use shell_reverse_tcp and set the proper settings for our machine. Next we go ahead and exploit and BOOM! Checking what kind of access we have, we clearly have root access.
Level 2 coming soon.