VulnHub — Kioptrix level 1

Welcome to my new wirteup about how to solve VulnHub Kioptrix machine to get the root access.

This machine is consider the easiest level of VulnHub machiens and it’s for beginner who wants to take OSCP like me, I’m not an expert yet :D

At the first we will practice here on how to perform Port scanning, HTTP/HTTPS, SMB, SSH enumeration and deal with some kind of interesting tools like MetaSploit, Nmap, netdiscover, searchsploit and other tools. So let’s get started…

At the fisrt you can get download the machine from here https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

After setup it on the Vmware or VirtualBox, go to your Kali machine as it’s the main attacking machine for us.

If you don’t know how to setup it on virtualbox, see this story → https://medium.com/@obikag/how-to-get-kioptrix-working-on-virtualbox-an-oscp-story-c824baf83da1

Our Mindset or Methodology through this level

0. Recon or Information Gathering (Nmap info, IP address, Mac address, open ports, public vulnerabilities, system version, services information, etc)

  1. Enumeration (HTTPS, HTTP, SMB, SQL, etc)
  2. Exploitation (LFI, SQLi, Information disclosure, Privilege escalation, OS Execution, RCE, etc)

#0 Step

Check your IP address by using ifconfig command in your terminal.

The IP addresses may be different in your case

#1 Step

Check the connected devices on your network to get the machine’s IP by using netdiscover tool (built in with kali), the command which used is

netdiscover -r 10.0.2.1/24

Or by using my own tool which I used it because it not take more time like netdiscover, you can find and download it in here https://github.com/eslam3kl/Network_scanner

You’ll notice that the machine’s IP is 10.0.2.22 (It may change in your network)

#2 Step

After knowing the IP address of the machine try to open it in the browser and you’ll get the default web page like this

If you try to open any link of the links in this page you will not get any sensitive information so let us try to perform brute forcing in the directory by using tools like Dirsearch, Gobuster or Dirbuster

You can download Dirsearch from this link https://github.com/maurosoria/dirsearch

But unfortunately we don’t get any sensitive disclosure through the directories which we try to open. So for now we will look at the error messages like inertign any word in the directory like admin to get 404 error page, may be get important informaiton about the server or anything else

Try to insert http://10.0.2.22/admin and note the results

Now look at the information ! It’s the server version. Nice

Also don’t forget to check the automatic scanner like Nikto to get some of important information back to you like this

You’ll notice some of information like services or versions is outdate, server type and version, some of available directories, etc. For now note all this information, we’ll use if later.

That’s enough for this step, let us go to perform port scan

#3 Step

In this step we are searching of the open ports which we could use it to connect internally with the machine. We will use Nmap built in tool to do this task.

You’ll notice that the machine have 22, 80, 111, 139, 443 and 32768 ports are open. For this ports I think that 22, 139 and 443 is the most important ports in this list so we’ll search about this service’s version like OpenSSH, smb and mod_ssl

Note also the OS version is inserting in the end of the results, we also should note this information

#4 Step

We’ll start by searching about openssh vulnerabilities by using searchsploit built-in tool

You’ll notice multiple vulnerabilities which related to the ssh, so we’ll try to search about one which be the same version of our port machine 2.9p2 but unfortunately we didn’t find it. So what’s the next step ?

We’ll search by the same way about another vulnerable port, let’s start again with mod_ssl

Note that our mod_ssl version is 2.8.4 so we can use OpenFuck exploitation. Check the path /usr/share/exploitdb/exploits/unix/remote/ which is the path of the exploitation’s tool.

In the latest update of the Kali Linux this exploitation have more problems and you should use the update version from GitHub form here https://github.com/exploit-inters/OpenFuck

After downloading the updated version of the tool we will install it like this

After installing it, try to open it and insert the parameters which is required.

You’ll notice that depending on the version of our system we will use 0x6a or 0x6b. Try to use at first 0x6a and you’ll get this result, so the right one is 0x6b

Bingo! Now we have a root access on the machine by using mod_ssl port

Another method to get Root access

SMB Enumeration

If you notice in the Nmap results you’ll notice something called samba, so what’s this ? Samba or SMB (Server Message Block) is a service used to share files between multiple devices so we’ll try to access this port, but now we need to know the version of it at first because Nmap doesn’t gave us this info.

We’ll use Metasploit to get Samba version, open it by typing this command msfconsole and then search about smb you’ll found more results but note this result which called auxiliary/scanner/smb/smb_version which used to get the version of the samba server’s version

By typing < show info > you’ll know the information which you should insert like RHOSTS which you’ll specify it by this command

set RHOSTS 10.0.2.22

After typing this you should run the exploit by typing run

Nice! Now we know that the version is Samba 2.2.1a

we’ll go to search about any exploit related to this version by the latest techniques we’ve used in the first exploitation

You’ll find RCE exp. related to this version so change your directory to this directory and then compile it as follow

Now use -b 0 to brute force

Congrats again! Now you’ve root access

Congratulations bro ❤

Offensive Security Enthusiast