Kioptrix Level 1 Hacking: Mastering SMB Exploits
Introduction:
In this blog post, we will explore the Server Message Block (SMB), which is a network protocol used for sharing files, printers, and various resources on a local network or the internet. We will be targeting the SMB service running on the Kioptrix Level 1 VM using Kali Linux, an open-source operating system specifically designed for penetration testing and ethical hacking.
The Kioptrix VM is a purposely vulnerable virtual machine available from Vulnhub. It is an excellent tool for both beginners and experienced cybersecurity enthusiasts to practice penetration testing and enhance their cybersecurity skills.
⚠ Disclaimer ⚠
This blog post is intended for educational and informational purposes only. The techniques and methods discussed here should only be used in ethical and legal contexts, such as cybersecurity training and penetration testing. Any misuse of the information provided in this post is strictly discouraged, and the author and website are not responsible for any unlawful activities undertaken by readers.
Objective
The sole aim of this assessment is to:
Acquire root access to the Kioptrix machine
Scope
The scope of this assessment was my internal network range and the Kioptrix VM situated within my internal network
Planning
My Kali Linux machine (also situated within my internal network) is the machine I'd be using to source attack vector(s) that can be used to achieve the objective of this assessment. The ifconfig command was issued to determine the IP address of my Kali machine, and the result showed that its IP address is 192.168.43.72.
A dedicated directory in the Kali home directory (~) will be created with the name kioptrix_1 to help organize the assessment process.
Reconnaissance
Scanning the network
To gather possible information about IP addresses or hosts running on that network, I utilized the Nmap tool within my Kali VM by issuing the command 'nmap -T4 192.168.43.0/24'.
Outcome: Discovered an IP address (192.168.43.67), which is the IP of the Kioptrix VM, with 6 of its ports open.
In-depth scanning
A more intricate nmap command ‘sudo nmap -sS -sV -T4 -p- -O -oN nmap 192.168.43.67 -Pn’ was issued to give in-depth detail about the open ports of the Kioptrix machine.
Outcome: The result of the nmap scan showed that the SMB port is open, but the version of the service behind it isn't displayed.
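The scan above was saved with '-oN nmap', so the result is a plain-text port table. The following script, added here as an example and not part of the original post, parses that normal-output format, lists the open ports and flags any SMB/NetBIOS port for which service detection did not produce a version number (the situation the outcome describes). The embedded scan text is constructed for illustration; it is not the actual Kioptrix scan result.

```python
import re

# Constructed sample of nmap normal (-oN) output for a host with six open ports.
# The values are illustrative, not the page's actual scan result; the Samba line
# deliberately carries no version number, which is the situation the post describes.
SAMPLE_NMAP_ON = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -T4 -p- -O -oN nmap 192.168.43.67 -Pn
Nmap scan report for 192.168.43.67
Host is up (0.00050s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: WORKGROUP)
443/tcp  open  ssl/https   Apache httpd
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:AA:BB:CC (VMware)
# Nmap done at Mon Jan  1 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One "port/proto  state  service  [version]" row of the -oN port table.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Ports and service names nmap associates with SMB / NetBIOS session service.
SMB_PORTS = {139, 445}
SMB_SERVICES = {"netbios-ssn", "microsoft-ds"}


def parse_nmap_normal(text):
    """Return the port-table rows of nmap -oN output as a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, host, MAC and comment lines are skipped
        rows.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": m["service"],
            "version": (m["version"] or "").strip(),
        })
    return rows


def open_ports(rows):
    """Only the rows nmap reported as open."""
    return [r for r in rows if r["state"] == "open"]


def smb_findings(rows):
    """Flag open SMB ports and whether -sV extracted a version number.

    A missing version is what triggers the follow-up step in the post
    (querying the service directly), so it is reported explicitly.
    """
    findings = []
    for r in open_ports(rows):
        if r["port"] in SMB_PORTS or r["service"] in SMB_SERVICES:
            version_known = re.search(r"\d+\.\d+", r["version"]) is not None
            findings.append({
                "port": r["port"],
                "service": r["service"],
                "banner": r["version"],
                "version_known": version_known,
            })
    return findings


if __name__ == "__main__":
    rows = parse_nmap_normal(SAMPLE_NMAP_ON)
    print(f"{len(open_ports(rows))} open ports")
    for f in smb_findings(rows):
        status = ("version identified" if f["version_known"]
                  else "version NOT identified; query the service directly")
        print(f"  {f['port']}/{f['service']}: {f['banner']!r} -> {status}")
```

Run it against your own '-oN' file by replacing SAMPLE_NMAP_ON with the file's contents; the same parser works for any host, since the port-table layout is fixed.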
Sourcing for SMB version
The version of a particular open service must be known to determine the vulnerability associated with it. To achieve this, a module (smb_version) in the Metasploit framework was used.
Outcome: The SMB version was found to be Samba 2.2.1a
Sourcing for Samba 2.2.1a vulnerability
Using Google as an Open Source Intelligence (OSINT) tool, a passive recon was done to find out possible loopholes of the Samba 2.2.1a SMB version.
Outcome: It was discovered that a buffer overflow is a well-known vulnerability in that version of Samba, and that the trans2open module in the Metasploit framework can be used to exploit it.
Penetration
Gaining Access
Since the trans2open module exists in the Metasploit framework, a simple search was done in its console to determine the module's path.
Outcome: It was discovered within the 'exploit/linux/samba' directory. The command 'use exploit/linux/samba/trans2open' was used to choose the module.
A payload named ‘shell_reverse_tcp’ was configured to aid the exploit. To determine what additional information the module required, the ‘options’ command was issued; this showed that a remote host must be set before the module can be run.
Outcome: Shell sessions were opened after the command ‘exploit’ was issued.
Assessing the shell session
The command ‘whoami’ showed that the access gained was that of the root user; that is to say, the objective of this assessment has been achieved. To gather more information from this system, the command ‘/bin/bash -i’ was issued to get an interactive bash shell.
Looking through the list of previously entered commands, the ‘mail’ command stood out. When executed, it listed two mails that can be read by entering their ID. The first mail was a congratulations mail🙌...
Recommendations
The following recommendations can help mitigate the SMB vulnerability exploited in this report:
- Regularly patch and update all systems running SMB services.
- Implement a robust firewall configuration to restrict access to SMB ports. Only allow necessary traffic to and from trusted sources.
- Use strong authentication methods for SMB or implement multi-factor authentication (MFA).
- Set up comprehensive logging and monitoring of SMB traffic to help identify and detect any suspicious activities.
- Train users and employees about the risks associated with SMB, as human error is often a significant factor in security breaches.
- Disable all older SMB protocols (SMB1 and SMB2), which have known security issues, and stick to more secure versions like SMB3.
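Several of these recommendations map directly onto Samba's smb.conf. The script below, added as an example and not part of the original post, parses two constructed smb.conf fragments (a weak one and a hardened one) and audits them for the three settings the list above calls for: an SMB3-only minimum dialect, a network restriction on who may connect, and logging that is actually switched on. The parameter names ('server min protocol', 'hosts allow', 'hosts deny', 'log level', 'log file', 'max log size') are taken from the current smb.conf manual; they are assumed here for illustration and would not apply to the 2.2.1a build on the target, which has to be patched or upgraded first, as the first recommendation says.

```python
import re

# Two constructed Samba smb.conf fragments (assumed for illustration; parameter
# names follow the current smb.conf manual, not the 2.2.1a build on the target).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = File server
   server min protocol = NT1
   log level = 0
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = File server
   server min protocol = SMB3
   hosts allow = 192.168.43.0/24
   hosts deny = ALL
   log file = /var/log/samba/log.%m
   log level = 1 auth:3
   max log size = 1000
"""

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf's INI-like layout into {section: {key: value}}.

    Keys are lower-cased with whitespace runs collapsed, mirroring Samba's own
    case- and space-insensitive parameter matching.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank lines and comments
        m = SECTION.match(line)
        if m:
            section = m["name"].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][key] = value.strip()
    return conf


def audit_smb_conf(conf):
    """Return a list of findings, one per recommendation that is not met."""
    g = conf.get("global", {})
    findings = []

    # Disable SMB1/SMB2: only an SMB3-family minimum dialect is acceptable.
    min_proto = g.get("server min protocol", "").upper()
    if not min_proto.startswith("SMB3"):
        findings.append(
            f"server min protocol is {min_proto or 'unset (Samba default)'}; "
            "set it to SMB3 so SMB1/SMB2 clients are refused"
        )

    # Restrict access: without hosts allow, any reachable network may connect.
    if "hosts allow" not in g:
        findings.append("no 'hosts allow' restriction; limit SMB to trusted ranges")

    # Logging: level 0 records almost nothing that would help detect abuse.
    level = g.get("log level", "0").split()[0]
    if not level.isdigit() or int(level) < 1:
        findings.append(
            f"log level {level!r}; raise it so connections and auth events are recorded"
        )

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        issues = audit_smb_conf(parse_smb_conf(text))
        print(f"{name}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

The audit only reads the [global] section because that is where these three parameters take effect; per-share sections can add further restrictions but cannot relax a global minimum protocol. Firewalling the SMB ports at the host or network edge is still needed alongside 'hosts allow', since that directive only filters connections Samba has already accepted at the socket level.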
Conclusion
We hope that this blog post has provided you with valuable information and insights into the exploitation of the SMB service buffer overflow vulnerability present in the Kioptrix VM as well as recommendations on how to mitigate this vulnerability on any system running SMB. If you have any questions or comments, please feel free to leave them below. We would be happy to answer any questions you may have.
Lastly, we encourage you to share this blog post with others who may find it helpful. If you found this post informative and useful, please spread the word and help us reach a wider audience. Thank you for reading and we look forward to hearing from you!