Friday, June 1, 2018

Kioptrix - Level 1 (#1)


- Layout for this exercise:


The goal of this exercise is to study the hacking process for the vulnerable machine Kioptrix Level 1 (#1).

- Kioptrix Level 1 (#1) can be downloaded from here:,22/

- Once downloaded, extracted and opened with VMware:


- First, using netdiscover we notice that the only IP address on the local network associated with VMware is, so it should correspond to the vulnerable Kioptrix machine:

- Scanning for versions and the operating system with Nmap:

- Going further with the SMB service running on port 139, using nbtscan:

- enum4linux yields information about the Samba version 2.2.1a:

- smbclient gives the same information:

- nikto provides interesting information about vulnerabilities related to the outdated Apache and OpenSSL versions, and also about existing buffer overflows:

- To sum up, the enumeration step points to vulnerabilities in the outdated Apache and OpenSSL services, and also to the running Samba version.
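- As an added example (not part of the original write-up), the script below shows how a defender could run the same version check over nmap -sV style service lines and flag the outdated software the enumeration step found. The fixed-in thresholds are the two the write-up names (Samba 2.2.8 for the trans2open bug, mod_ssl 2.8.7); the scan lines are constructed, and the mod_ssl/2.8.4 value and the third, patched control line are assumptions, not values from the page.

```python
import re

# Fixed-in versions taken from the write-up: Samba 2.2.8 closes the trans2open
# hole, mod_ssl 2.8.7 closes the mod_ssl/OpenSSL one. Anything older is flagged.
FIXED_IN = {
    "Samba": "2.2.8",
    "mod_ssl": "2.8.7",
}

# How each product and its version appear in an nmap -sV style service line.
PATTERNS = {
    "Samba": re.compile(r"Samba smbd (?P<ver>\d[\d.]*[a-z]?)"),
    "mod_ssl": re.compile(r"mod_ssl/(?P<ver>\d[\d.]*[a-z]?)"),
}

# Constructed sample scan lines (not copied from the page). The 139/tcp line
# mirrors the Samba 2.2.1a banner the write-up found; mod_ssl/2.8.4 is an
# assumption; the 445/tcp line is a patched control that must not be flagged.
SAMPLE_SCAN = [
    "80/tcp  open  http         Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)",
    "139/tcp open  netbios-ssn  Samba smbd 2.2.1a (workgroup: MYGROUP)",
    "445/tcp open  netbios-ssn  Samba smbd 2.2.8 (workgroup: MYGROUP)",
]


def parse_version(text):
    """Turn '2.2.1a' into a comparable tuple: four numeric fields padded with
    zeros, then the trailing letter suffix ('' when absent)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (m.group(2),)


def is_below(found, fixed):
    """True when the observed version predates the version that fixed the bug."""
    return parse_version(found) < parse_version(fixed)


def find_outdated(scan_lines):
    """Return (port, product, found_version, fixed_in) for every line whose
    banner carries a product version below its fixed-in threshold."""
    findings = []
    for line in scan_lines:
        port = line.split("/", 1)[0].strip()
        for product, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and is_below(m.group("ver"), FIXED_IN[product]):
                findings.append((port, product, m.group("ver"), FIXED_IN[product]))
    return findings


if __name__ == "__main__":
    for port, product, found, fixed in find_outdated(SAMPLE_SCAN):
        print(f"port {port}: {product} {found} is below fixed-in {fixed}")
```

The letter suffix is compared only after all numeric fields agree, so 2.2.1a sorts below 2.2.8 while 2.2.8a does not; that is the detail a naive string comparison of Samba-style versions gets wrong.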

- Let's exploit these vulnerabilities one by one.


- Just Googling potential Samba 2.2.1a vulnerabilities, we discover that there is an exploit for Samba versions below 2.2.8:

3.1 - Metasploit

- There are 4 Metasploit modules related to this vulnerability:

- Picking the second one, specific to Linux operating systems, we discover that the exploit is called trans2open:

- Starting Metasploit and searching for trans2open:

- Using the trans2open exploit:

- Setting remote host ( plus the payload generic/shell_reverse_tcp with local host (

- Finally running the exploit, a reverse shell with root privileges is achieved:

3.2 - Searchsploit

- Another approach to the Samba vulnerability would be to use searchsploit, a tool that searches a local copy of the Exploit-DB database.

- The search for Samba 2.2.8 yields the exploit 10.c:

- Copying 10.c to a temporary folder:

- Compiling 10.c:

- Running exploit 10 without parameters:

- In this case the parameters would be -b 0 (Linux), -c (Kali's IP), -p 139 (SMB port), and the target (Kioptrix's IP):

- Running the exploit with those parameters:

4 - EXPLOITING OUTDATED VERSIONS: Apache 1.3.20 / OpenSSL 0.9.6b

- Googling these vulnerabilities, we discover that there is an exploit for Apache mod_ssl < 2.8.7 (OpenSSL):

- Using searchsploit to find any exploit:

- Let's use 764.c:

- Copying the exploit to a working folder:

- This exploit is very old, so getting it to compile and run causes a lot of problems.

- Interesting discussions about how to get it working correctly can be found here:

- In my case (Kali 2018.2) I have checked that, to compile this exploit, it is better to use the package libssl1.0-dev rather than libssl-dev.

- Installing one version replaces the other one:

- Opening the exploit, just two modifications are needed:

- First, including these two additional headers:

- Second, replacing the original HTTP location:

- Now, compiling with the -lcrypto option:

- Running 764 without parameters:

- There are two potentially valid offsets for this exercise (0x6a and 0x6b), depending on the operating system and Apache server version in use:

- Trying 0x6a, the result is unsuccessful:

- Trying 0x6b, the result is successful and a reverse shell with root privileges is achieved:


- After the vulnerable machine has been successfully exploited, we can perform several post-exploitation tasks.

- For instance, capturing the flag by reading /var/mail/root:

- Accessing /etc/shadow:

- Also, to get a bash shell on the local machine we could start a netcat listener, for instance on port 4444:

- Following the directions at this link, a bash script can be used:

- The shell is eventually obtained on the attacker's local machine: