Kioptrix: Level 1

Root Access Based Challenge Walkthrough

Posted by Dennis on August 21, 2019

Getting Started

In this tutorial, I will demonstrate how to gain root access to the virtual machine "Kioptrix: Level 1" from Vulnhub. Link to the VM download can be found here.

Part I: Reconnaissance

After downloading the virtual machine and adding it to my network, I began an ARP scan with netdiscover to see what IP addresses's were available on the network. Note: by default, the network adapter for the VM comes in "bridged" mode. I changed this default and switched over to NAT to share my host's IP address and to not have it on the physical network.

Command syntax _> netdiscover -r

After learning the IP address of Kioptrix, I ran nmap to discover any ports or services that would be of interest. There is a neat nmap script called "nmapAutomator" created by user "21y4d" on github that will automate the process for us and save us some time. You can get his awesome script here. I executed the nmapAutomater script and added the option "All" which essentially runs all the scans consecutively. Below you can see that the nmap scan found multiple services and ports open.

Command syntax _> ./ All

Below is more detailed information generated by nmapAutomator regarding the ports/services. What's great about this script is that you can leave it running in the background to find out even more things about Kioptrix. It already seemed to me at this point that there were going to be multiple ways of getting into this machine and it came down to which one caught my eye first :)

Part II: Enumeration

I noticed in the nmap automation scan that an Apache server was running mod_ssl 2.8.4. I decided to use searchsploit to see if anything would come up for Apache mod_ssl versions.

Command syntax _> searchsploit mod_ssl

There were a few exploits named (you know what...) and they were compatible with the Kioptrix Apache version. I copied the exploit path to another directory and began compiling 'Open****v2.c'. The file in the exploit lists libssl-dev as being a requirement so I needed to run the installation command before exploiting Kioptrix.

Command syntax _> sudo apt-get install libssl-dev

After installing the required dependencies, I compiled the program as 'gcc Open****.c -lcrypto' and was given a file in return named "a.out". I executed the file and the exploit began.

Command syntax _> gcc OpenFuck.c -lcrypto Command syntax _> ./a.out

I updated my settings based on the Apache version (1.3.20) and launched the exploit. As a side note, in the options there were two versions available for 1.3.20, 0x6a and 0x6b. 0x6a did not work for me so I tried 0x6b and was successful!

Command syntax _> ./a.out 0x6b 443 | whoami = root :)

With root access, there were a number of various attacks we could have performed going forward. I won't necessarily be perfoming each attack but just briefly touching on the various types of attacks that were possible as the objective was to only gain root access.

Now that we had established a connection to Kioptrix, we could potentially begin enumarating user accounts on the system and perform a dictionary attack to gain access to the credentials. We can find additional users on this machine by using "cat" to view the contents of the /etc/shadow file. Users "john" and "harold" were found in the shadow file.

I copied the shadow.txt and passwd.txt files to my Kali box and used "John The Ripper" to crack the password. Before cracking the passwords for the users, I used a utility called "unshadow" to combine the shadow.txt and passwd.txt files into a format that John can read. Command syntax _> unshadow passwd.txt shadow.txt > passwords.txt

Command syntax _> john --wordlist=/usr/share/wordlists/sqlmap.txt passwords.txt

There are a number of wordlists included in Kali that you could use to attempt to crack the password. For this demonstration, I used the 'sqlmap.txt' file. Once the session was completed, I could use john with the --show flag to view the cracked passwords. Moving onwards, I used rpcclient to create a login session being that port 139 netbios-ssn was running a Samba server. Rpcclient is a tool for executing client side MS-RPC functions. I tried a couple of login attemps as "kioptrix" and "root" but was unsuccessful. After messing around for a bit, I attempted to enter null characters in the login "". I was able to get in like this.

Command syntax _> rpcclient -U ""

"srvinfo" gave me a small amount of information. I decided to use smbclient to try and connect to the Kioptrix machine and see what version of Samba was running.

Command syntax _> smbclient -L

Finally, I also managed to find a XSS attack after running a nikto scan on Kioptrix. The nikto scan picked up that Apache was vulnerable to XSS via the "Expect" header. I launched Burp Suite and configured my loopback proxy settings on Mozilla Firefox.

Command syntax _> nikto -host

I added "expect" and an alert to see if XSS would work...

Looks like that worked (sort of) ...Unfortunately, it did not really lead me anywhere in regards to gaining root access but I wanted to demonstrate that there were other weaknesses on this machine.

Part III: Conclusion

The thing about pentesting is that there are multiple ways of analyzing a system and breaking into it and this all comes down to the pentester. With constant practice and repetition, you will begin to discover new ways of attacking your target. I will uploading new CTF/root based walkthroughs more frequently and hope you enjoyed this one. Cheers and happy hacking :)