Kioptrix: Level 1 (#1) Walkthrough

Vulnhub is a platform that provides VM(virtual machine) images, which are vulnerable by design and help to gain practical hands-on experience in Pentesting.

Kioptrix is a series of CTF(Capture The Flag) like VM’s, where need to gain root privileges on the machine. Kioptrix is a boot2rooot machine.

Link to the image of Kioptrix file:

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Enumeration:

So, now we need to know the Internal IP address of the Kioptrix machine so we the command in the terminal

netdiscover -r 192.168.231.0/24

The highlighted part is our Kioptrix machine

Nmap Scan:

nmap -sS -T4 -A -p- 192.168.231.1

┌──(kali㉿kali)-[~/VulHub/VulnHubKioptrixLevel1]
└─$ sudo nmap -sS -T4 -A -p- 192.168.231.1
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2021–11–15 12:47 EST
Warning: 192.168.231.1 giving up on port because retransmission cap hit (6).
Stats: 0:01:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.47% done
Stats: 0:01:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.07% done; ETC: 15:30 (2:40:47 remaining)
Stats: 0:08:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.98% done; ETC: 15:32 (2:36:11 remaining)
Stats: 0:26:46 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 16.77% done; ETC: 15:26 (2:11:42 remaining)
Stats: 0:41:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 25.75% done; ETC: 15:26 (1:57:52 remaining)
Stats: 0:52:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 32.47% done; ETC: 15:27 (1:47:53 remaining)
Stats: 1:12:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 45.29% done; ETC: 15:27 (1:27:18 remaining)
Stats: 1:19:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.02% done; ETC: 15:27 (1:19:36 remaining)
Stats: 1:31:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 57.07% done; ETC: 15:27 (1:08:19 remaining)
Stats: 1:45:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.91% done; ETC: 15:27 (0:54:21 remaining)
Stats: 1:57:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.94% done; ETC: 15:28 (0:43:23 remaining)
Stats: 2:02:41 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 76.28% done; ETC: 15:28 (0:38:05 remaining)
Stats: 2:07:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 79.28% done; ETC: 15:28 (0:33:21 remaining)
Stats: 2:22:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 88.24% done; ETC: 15:29 (0:18:58 remaining)
Stats: 2:33:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.98% done; ETC: 15:29 (0:08:07 remaining)
Stats: 2:38:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.85% done; ETC: 15:29 (0:03:28 remaining)
Stats: 2:46:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 15:33 (0:00:01 remaining)
Nmap scan report for 192.168.231.1
Host is up (0.0016s latency).
Not shown: 51155 filtered tcp ports (no-response), 14368 closed tcp ports (reset)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
903/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
913/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1536/tcp open msrpc Microsoft Windows RPC
1537/tcp open msrpc Microsoft Windows RPC
1538/tcp open msrpc Microsoft Windows RPC
1539/tcp open msrpc Microsoft Windows RPC
1540/tcp open msrpc Microsoft Windows RPC
1547/tcp open msrpc Microsoft Windows RPC
5040/tcp open unknown
7880/tcp open ssl/pss?
| tls-alpn:
|_ http/1.1
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| HTTP/1.1 400 Bad Request
| FourOhFourRequest, HTTPOptions:
| HTTP/1.1 404 Not Found
| Content-Type: text/plain
| Strict-Transport-Security: max-age=31536000; includeSubdomains
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| Connection: close
| Date: Mon, 15 Nov 2021 20:36:52 GMT
| Found
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Type: text/plain
| Strict-Transport-Security: max-age=31536000; includeSubdomains
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| Connection: close
| Date: Mon, 15 Nov 2021 20:36:51 GMT
|_ Found
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Acunetix Ltd
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021–07–01T06:51:13
|_Not valid after: 2031–06–29T06:51:13
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port7880-TCP:V=7.92%T=SSL%I=7%D=11/15%Time=6192C4E4%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,F8,”HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x
SF:20text/plain\r\nStrict-Transport-Security:\x20max-age=31536000;\x20incl
SF:udeSubdomains\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nConnection:\x20close\r\nDate:\x20Mon,\x2015\x20Nov\x2
SF:02021\x2020:36:51\x20GMT\r\n\r\n404\x20Not\x20Found\n”)%r(HTTPOptions,F
SF:8,”HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/plain\r\nS
SF:trict-Transport-Security:\x20max-age=31536000;\x20includeSubdomains\r\n
SF:X-Frame-Options:\x20SAMEORIGIN\r\nX-Content-Type-Options:\x20nosniff\r\
SF:nConnection:\x20close\r\nDate:\x20Mon,\x2015\x20Nov\x202021\x2020:36:52
SF:\x20GMT\r\n\r\n404\x20Not\x20Found\n”)%r(RTSPRequest,1C,”HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\n\r\n”)%r(RPCCheck,1C,”HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\n\r\n”)%r(DNSVersionBindReqTCP,1C,”HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\n\r\n”)%r(DNSStatusRequestTCP,1C,”HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\n\r\n”)%r(Help,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\
SF:r\n”)%r(SSLSessionReq,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%
SF:r(TerminalServerCookie,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)
SF:%r(TLSSessionReq,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%r(Ker
SF:beros,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%r(SMBProgNeg,1C,
SF:”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%r(X11Probe,1C,”HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\n\r\n”)%r(FourOhFourRequest,F8,”HTTP/1\.1\x2
SF:0404\x20Not\x20Found\r\nContent-Type:\x20text/plain\r\nStrict-Transport
SF:-Security:\x20max-age=31536000;\x20includeSubdomains\r\nX-Frame-Options
SF::\x20SAMEORIGIN\r\nX-Content-Type-Options:\x20nosniff\r\nConnection:\x2
SF:0close\r\nDate:\x20Mon,\x2015\x20Nov\x202021\x2020:36:52\x20GMT\r\n\r\n
SF:404\x20Not\x20Found\n”)%r(LPDString,1C,”HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\n\r\n”)%r(LDAPSearchReq,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:n\r\n”)%r(LDAPBindReq,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%
SF:r(SIPOptions,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”)%r(LANDesk
SF:-RC,1C,”HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n”);
MAC Address: 00:50:56:C0:00:08 (VMware)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709–1803 (96%), Microsoft Windows 10 1709–1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586–14393 (92%), Microsoft Windows 10 1507–1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 — SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: LAPTOP-I4UUL2N1, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:c0:00:08 (VMware)
| smb2-time:
| date: 2021–11–15T20:39:10
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required

TRACEROUTE
HOP RTT ADDRESS
1 1.57 ms 192.168.231.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10328.80 seconds