Posted by Dennis Antunes

Follow on Twitter! @antunesdennis

Ahh, intentionally vulnerable distros… What better way to sharpen the knives in the drawer while avoiding the orange jumpsuit?

In this post and the accompanying video, we’ll get root on Kioptrix Lvl1. Sure it’s been done before (search YouTube) but my goal here is not only to show you to take level one, but more importantly to show you how to organize your approach and processes so they scale beyond a single host as well as what to do once you do have root (pilfer and pivot).

This is how we do….

First: My attack platform is of course BT5. Why, because it has just about every tool you’ll ever need and it just flat out rocks.

Second: Organization. Following a sound PT methodology, I like to map my activities to, and store the resulting raw data in, a unique workspace, per project. I first create a simple hierarchy of folders then blaze through them using the almighty screen. Ah screen, I truly love screen and you will too. I have @jabra to thank for initial the introduction about 7 years ago. If you fall in love you can thank me (pretty sure you will).

I use the following bash script and accompanying custom screenrc file to create a dedicated workspace for each new project. The script takes one argument, the top level directory to create. It creates this along with a number of subdirectories used for organizing collected data.

function startscreen
sed -e s/changethis/"$TOPLVL"/g my_screenrc_template > my_screenrc
screen -c my_screenrc
if [ "$#" -ne 1 ]
then echo "You must specify a top level directory: $0 tld"
if [ -e /root/$TOPLVL ]
then echo "$1 exists. Starting screen anyway." \
&& sleep 2 && startscreen
mkdir /root/$TOPLVL
mkdir /root/$TOPLVL/exploits
mkdir /root/$TOPLVL/nmap_scans
mkdir /root/$TOPLVL/pilfering
mkdir /root/$TOPLVL/reporting
mkdir /root/$TOPLVL/webpen
mkdir /root/$TOPLVL/wordlists

Using the default .screenrc, I simply appended the following lines and saved it off as my_screenrc_template. This file will be used by screen to initialize a number of different windows, each window starting in a different directory of the workspace. Note my script generates a custom screenrc per project using this template. The relevant lines are below:

setenv TOPLVL /root/changethis
chdir "$TOPLVL"
screen -h 2000 -t SHELL
chdir "$TOPLVL/nmap_scans"
screen -h 2000 -t NMAP
chdir "$TOPLVL/pilfering"
screen -h 2000 -t PILFERING
chdir "$TOPLVL/wordlists"
screen -h 2000 -t WORDLISTS
chdir "/pentest/exploits/exploitdb"
screen -h 2000 -t EXPLOITDB
chdir "$TOPLVL/exploits"
screen -h 2000 -t EXPLOITS
chdir "$TOPLVL/webpen"
screen -h 2000 -t WEBPEN
screen -h 2000 -t MSF msfconsole
chdir "/ftphome"
screen -h 2000 -t FTPHOME
chdir "/srv/tftp"
screen -h 2000 -t TFTP
chdir "$TOPLVL/reporting"
screen -h 2000 -t REPORTING

This should make a lot more sense once you see the video.

Third: The Repository: I use MSF as an attack platform, a payload encoder, and I would argue just as importantly, a repository. I input all my data: Nikto, nmap, nessus, etc. into MSF for easy perusal and retrieval. As you will see, I create a workspace for each new project, again for organization’s sake.

Fourth: The Exploit: Often the easiest part if we’ve mapped our target properly. In the video I use the CVE Details site to look up potential exploits based on the service versions uncovered.

Fifth and finally: The pilfer and pivot. Because there is a single host here, we will focus on the pilfer, keeping in mind all good pivots start first with a good pilfer. I’ll run my pilfer script for Linux ( which gathers just about all the info you will need to pivot from this host. This info also serves as an invaluable starting point in the event you are not root and need to escalate privileges.

Best viewed in fullscreen/HD:

About the author