{"id":168,"date":"2018-06-15T22:11:21","date_gmt":"2018-06-15T22:11:21","guid":{"rendered":"http:\/\/kibilogic.com\/?p=168"},"modified":"2018-06-15T22:41:50","modified_gmt":"2018-06-15T22:41:50","slug":"kioptrix-level-1","status":"publish","type":"post","link":"https:\/\/kibilogic.com\/?p=168","title":{"rendered":"kioptrix level 1 – vulnhub challenge"},"content":{"rendered":"

Open up kioptrix in one vm<\/p>\n

Open up kali in 2nd vm<\/p>\n

Both vm\u2019s are \u201cbridged\u201d<\/p>\n

Don\u2019t know anything\u2026username\/password<\/p>\n

We do know that the following services are running: (from the details provided on vulnhub)
\n \u2022 Apache
\n \u2022 OpenSSH
\n \u2022 RPC
\n \u2022 Samba<\/p>\n

\"\"<\/a><\/p>\n

When the OS boots up an IP is assigned. Use netdiscover to find hosts on the network.<\/p>\n

netdiscover -i eth0 -r 192.168.1.0\/24<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Identify services<\/p>\n

nmap -T4 -O -sV -sS 192.168.1.13<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Need to determine which of the services has an exploitable vulnerability\u2026lowest hanging fruit wins (could be one or more\u2026)<\/p>\n

one of the services running is Samba.<\/p>\n

Linux (UNIX) machines can browse and mount SMB shares. Note that this can be done whether the server is a Windows machine or a Samba server.<\/p>\n

An SMB client program for UNIX machines is included with the Samba distribution. It provides an ftp-like interface on the command line. You can use this utility to transfer files between a Windows ‘server’ and a Linux client. <\/p>\n

Most Linux distributions include the useful smbfs package, which allows one to mount and umount SMB shares<\/p>\n

\/usr\/bin\/smbclient -L host<\/strong><\/p>\n

smbclient –help<\/strong><\/p>\n

Where L, list shares available on the host and N, don\u2019t ask for a password<\/p>\n

smbclient -L \\\\192.168.1.13 -N<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Samba 2.2.8 and earlier versions have a buffer overflow vulnerability that could potentially allow an adversary to execute arbitrary code remotely. <\/p>\n

Launch Metasploit, msfconsole<\/strong><\/p>\n

Search Metasploit for any vulnerable samba modules, search samba<\/strong><\/p>\n

\"\"<\/a><\/p>\n

This exploit should work for versions of Samba between 2.2.0-2.2.8 (but it doesn’t<\/em>). <\/p>\n

First attempt was to try the Samba trans2open exploit for linux (can drop the exploit\/ part)<\/p>\n

\"\"<\/a><\/p>\n

Again, it did not work\u2026but turns out there is a public Samba exploit that does.<\/p>\n

Search kali\u2019s local repository for exploits, searchsploit samba 2.2<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Exit out of Metasploit <\/p>\n

Go to the location of exploit <\/p>\n

cd \/usr\/share\/exploitdb\/exploits\/multiple\/remote\/<\/strong><\/p>\n

Copy file to local directory and build<\/p>\n

cp 10.c \/some\/where\/local
\ngcc -o samba 10.c
\n<\/strong><\/p>\n

list samba command line options, <\/p>\n

\"\"<\/a><\/p>\n

Run samba exploit where -b=0 is linux, -c is the connectback ip address (kali box), and the host ip (kioptrix box)<\/p>\n

\"\"<\/a><\/p>\n

Happy \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

Open up kioptrix in one vm Open up kali in 2nd vm Both vm\u2019s are \u201cbridged\u201d Don\u2019t know anything\u2026username\/password We do know that the following services are running: (from the details provided on vulnhub) \u2022 Apache \u2022 OpenSSH \u2022 RPC \u2022 Samba When the OS boots up an IP is assigned. Use netdiscover to find […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-168","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"bridgette","author_link":"https:\/\/kibilogic.com\/?author=1"},"uagb_comment_info":6,"uagb_excerpt":"Open up kioptrix in one vm Open up kali in 2nd vm Both vm\u2019s are \u201cbridged\u201d Don\u2019t know anything\u2026username\/password We do know that the following services are running: (from the details provided on vulnhub) \u2022 Apache \u2022 OpenSSH \u2022 RPC \u2022 Samba When the OS boots up an IP is assigned. Use netdiscover to find…","_links":{"self":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=168"}],"version-history":[{"count":24,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/168\/revisions"}],"predecessor-version":[{"id":202,"href":"https:\/\/kibilogic.com\/index.php?rest_route=\/wp\/v2\/posts\/168\/revisions\/202"}],"wp:attachment":[{"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kibilogic.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}