Kioptrix Level 1 Writeup via SMB

kangwijen

Kioptrix is a vulnerable machine designed to teach the basic tools of penetration testing. The goal of this game is to acquire root access by any means possible (except actually hacking the VM server or player). There is more than one way to successfully complete the challenges. In this post, we try to gain root access via SMB.

Discovery

We first need to find the IP address of the Kioptrix machine. We can do this with netdiscover.

Enumeration

We can use this IP to see what services are running on the machine. nmap is one of the tools that automates this.

As you can see, there are a few services running on this machine, such as SSH, Apache, and SMB. In this post, we focus on acquiring root access via SMB.

SMB Enumeration

We need to see which version of SMB the machine is running, since nmap doesn't show it. Metasploit's smb_version scanner is the perfect tool for this.

Here, it shows that the target machine's SMB service is Samba version 2.2.1a.
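The reason this banner matters is that the Samba 2.2 line up to and including 2.2.8 carries the trans2open overflow, and the fix shipped in 2.2.8a. The following is an added example (not part of the original writeup) of how a defender would turn scanner banners into a triage list: it parses the "Samba x.y.z" string that a version scanner like smb_version reports and flags hosts that still need the upgrade. The host addresses and banners are constructed sample data.

```python
import re

# Assumption: the banner is the string an SMB version scanner reports,
# e.g. "Samba 2.2.1a". Only the Samba 2.2 line is checked here:
# 2.2.0 through 2.2.8 are affected by trans2open, 2.2.8a (the fix release)
# and everything later are not.
BANNER_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_samba_version(banner):
    """Return (major, minor, patch, suffix) from a banner, or None if not Samba."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def is_trans2open_affected(version):
    """True for Samba 2.2.0 .. 2.2.8 inclusive; False for 2.2.8a and later."""
    major, minor, patch, suffix = version
    if (major, minor) != (2, 2):
        return False
    if patch < 8:
        return True
    # 2.2.8 is affected; the letter suffix distinguishes the fixed 2.2.8a
    return patch == 8 and suffix == ""


def triage_hosts(findings):
    """findings: list of (host, banner). Returns list of (host, version, verdict)."""
    report = []
    for host, banner in findings:
        v = parse_samba_version(banner)
        if v is None:
            report.append((host, banner, "not Samba / unparsed"))
            continue
        vstr = f"{v[0]}.{v[1]}.{v[2]}{v[3]}"
        if is_trans2open_affected(v):
            verdict = "VULNERABLE: trans2open (upgrade to 2.2.8a or later)"
        else:
            verdict = "not affected by trans2open"
        report.append((host, vstr, verdict))
    return report


# Constructed sample scanner output; these are not real hosts.
SAMPLE_FINDINGS = [
    ("192.168.56.101", "Samba 2.2.1a"),
    ("192.168.56.102", "Samba 2.2.8a"),
    ("192.168.56.103", "Samba 3.0.20"),
    ("192.168.56.104", "Windows 2000 5.0"),
]

if __name__ == "__main__":
    for host, vstr, verdict in triage_hosts(SAMPLE_FINDINGS):
        print(f"{host:16} {vstr:20} {verdict}")
```

The suffix handling is the part that is easy to get wrong: a plain numeric comparison treats 2.2.8 and 2.2.8a as the same version, so the fixed release would be reported as vulnerable (or the broken one as safe) depending on how the comparison is written.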

Exploitation

We can then use searchsploit inside Metasploit to search for an exploit compatible with this version. In this case, it's called trans2open.

With this information, we search for the trans2open exploit inside Metasploit and use it. We also need to set the correct payload, such as x86/reverse_shell_tcp for Linux. I've tried a few payloads, but this is the only one that works perfectly for the job.

After setting up the exploit and the payload correctly, we can run the exploit.

As you can see, the exploit is sent to the target machine and we have a shell session open on it. To see which user we are connected as, we can use the whoami command.

As you can see, we have gained root access on the target machine via SMB.