Another day, another challenge.
I am studying for the OSCP exam. I read the following boot-to-root is a good VM to root in preparation for the exam.
Anyway without further ado…
Note: I set Kioptrix and Kali to both Bridged, so both VMs are on the same network. Please make sure to do this or the walkthrough will not work.
Booting the Kioptrix machine we see the following…
Hmm… so we need to acquire root of this machine. And we’re presented with a login prompt.
Going to our Kali machine, we first need to find open the terminal and find the IP address of the Kioptrix machine.
To do this, type netdiscover followed by Enter.
For me, the IP address is 192.168.0.10, this will be different for you.
Now, let’s see which services are running on the Kioptrix VM.
Type nmap -sV (TCP scan) <IP_ADDRESS> in my case my IP address is 192.168.0.10.
Below is a screenshot:
We have the following services open – ssh, http, rpcbind, netbios-ssn, ssl/http, status
Let’s look at the http page and see if we can find something useful
Nothing useful was listed here. Let’s go back to the services above and see if we can use another vector to find gems in the VM.
We see there’s a Samba server running on 139.
Maybe we can enumerate this server and get more information.
What can we use to enumerate?
There’s a useful tool called enum4linux which enumerate SMB servers for goodies.
Running the command enum4linux -a <IP_ADDRESS> we get:
As you can see the tool returns a lot of data. The important pieces are:
- The server version of Samba server
- The different groups and users for the server
Looking at the output we see the Samba server is 2.2.1a
Let’s see if we can find an exploit for this server version.
Using searchsploit we have the following:
OK, this looks promising.
Let’s try the first exploit. We need to copy the exploit to our current directory.
This is a perl program, so let’s see what we need to supply to get the exploit working:
We need to supply a target type, our ip, and a target ip. After supplying the correct information we have the following:
The exploit didn’t work. Let’s try another.
Going back to the searchsploit results, the second exploit – Samba 2.2.8 – Remote Root Exploit, we see that it’s a c program.
First, let’s copy this file to our current location.
Now we need to compile this file.
Using the gcc compiler, we can have a working exploit.
Let’s see what options we can use for this exploit…
OK. We need to specify the platform (-b), it’s good to have the verbose (-v), and specify the host. Let’s see a screenshot of this.
Score! We were able to gain a shell!!
OK, let’s see if we can find some goodies…
Looking at the bash history we see mail has been accessed. Let’s try accessing the mail.
Going to the inbox and reading the first message, we see the above message.
Score! We have successfully completed this boot to root!!
You didn’t show the command to read the mail message
Yes, I did. Look at the screenshot from the bash_history. The command is there – mail.