VulnHub — Kioptrix level 1

Welcome to my new writeup about how to solve the VulnHub Kioptrix machine and get root access.

This machine is considered the easiest level of the VulnHub machines, and it’s for beginners who want to take the OSCP like me, I’m not an expert yet :D

First we will practice how to perform port scanning and HTTP/HTTPS, SMB and SSH enumeration, and work with some interesting tools like Metasploit, Nmap, netdiscover, searchsploit and others. So let’s get started…

First, you can download the machine from here,22/

After setting it up in VMware or VirtualBox, go to your Kali machine, as it’s our main attacking machine.

If you don’t know how to set it up in VirtualBox, see this story →

Our Mindset or Methodology through this level

0. Recon or Information Gathering (Nmap info, IP address, MAC address, open ports, public vulnerabilities, system version, services information, etc)
1. Enumeration (HTTPS, HTTP, SMB, SQL, etc)
2. Exploitation (LFI, SQLi, Information disclosure, Privilege escalation, OS Execution, RCE, etc)

#0 Step

Check your IP address by using the ifconfig command in your terminal.

The IP addresses may be different in your case

Results from the ifconfig command

#1 Step

Check the connected devices on your network to get the machine’s IP by using the netdiscover tool (built into Kali). The command used is

netdiscover -r

Netdiscover results, which return the IP addresses of the connected devices

Or use my own tool, which I used because it doesn’t take as much time as netdiscover; you can find and download it here

My own tool, which gets the same results in less time

You’ll notice that the machine’s IP is (It may change in your network)

#2 Step

After finding the IP address of the machine, open it in the browser and you’ll get the default web page like this

Default web page of the machine

If you open any of the links on this page you won’t get any sensitive information, so let’s brute-force the directories using tools like Dirsearch, Gobuster or Dirbuster

You can download Dirsearch from this link

But unfortunately we don’t get any sensitive disclosure from the directories we tried to open. So for now we will look at the error messages: insert any word as a directory, like admin, to get the 404 error page, which may reveal important information about the server or something else
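Seen from the web server's side, the directory brute forcing in this step shows up as a burst of 404 responses to a single client. The following is an added example, not part of the original write-up: it flags such bursts in an Apache access log. The threshold, the time window, the addresses and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: host ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforcers(lines, threshold=20, window=timedelta(seconds=10)):
    """Map each client to the time it first hit `threshold` 404s inside `window`."""
    recent = defaultdict(deque)  # client -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue  # unparseable line, or not a "not found" response
        host, when = m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > window:  # slide the window forward
            hits.popleft()
        if len(hits) >= threshold:
            flagged.setdefault(host, when)  # keep the first crossing only
    return flagged

def sample_log():
    """Constructed sample: one wordlist scan and one ordinary visitor."""
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(host, offset_ms, path, status):
        ts = (start + timedelta(milliseconds=offset_ms)).strftime(TIME_FMT)
        return f'{host} - - [{ts}] "GET {path} HTTP/1.0" {status} 282'

    # 40 guessed paths at five requests per second, all answered with 404
    lines = [entry("192.0.2.10", 200 * i, f"/word{i}/", 404) for i in range(40)]
    # a normal visitor: one page view and a single missing file
    lines += [entry("192.0.2.20", 1000, "/index.html", 200),
              entry("192.0.2.20", 5000, "/favicon.ico", 404)]
    return lines

if __name__ == "__main__":
    for host, when in find_bruteforcers(sample_log()).items():
        print(f"{host} exceeded the 404 threshold at {when.isoformat()}")
```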

Try to insert and note the results

404 Error messages contain server version

Now look at the information! It’s the server version. Nice

Also don’t forget to run an automatic scanner like Nikto, which returns some important information like this

Nikto scan results

You’ll notice information such as outdated services or versions, the server type and version, some available directories, etc. For now note all this information; we’ll use it later.

That’s enough for this step; let’s move on to the port scan
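The version strings collected from the 404 page and the Nikto output can be audited from the server owner's side too. This added example (not from the original write-up) extracts product versions from a response's Server header and error-page footer and compares them with a patch baseline. The baseline value, the Apache version and the address are assumptions constructed for the example; only mod_ssl 2.8.4 comes from this page.

```python
import re

# Assumed patch baseline for this example; take real values from vendor advisories.
BASELINE = {"mod_ssl": (2, 8, 7)}

TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")       # product/version
FOOTER_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)

def version_tuple(text):
    """'2.8.4' -> (2, 8, 4); letter suffixes such as '0.9.6b' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def disclosures(raw_response):
    """Return sorted (location, product, version, below_baseline) findings."""
    head, _, body = raw_response.partition("\r\n\r\n")
    sources = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            # drop "(Unix)"-style comments, keep the product tokens
            sources.append(("Server header", re.sub(r"\([^)]*\)", " ", value)))
    # signature footer that the server appends to its own error pages
    sources += [("error page footer", f) for f in FOOTER_RE.findall(body)]
    found = set()
    for where, text in sources:
        for product, version in TOKEN_RE.findall(text):
            minimum = BASELINE.get(product)
            outdated = minimum is not None and version_tuple(version) < minimum
            found.add((where, product, version, outdated))
    return sorted(found)

# Constructed responses: a verbose 404 page and a hardened one.
VERBOSE = ("HTTP/1.1 404 Not Found\r\n"
           "Server: Apache/1.3.99 (Unix) mod_ssl/2.8.4\r\n"
           "Content-Type: text/html\r\n\r\n"
           "<h1>Not Found</h1><hr>"
           "<address>Apache/1.3.99 Server at 192.0.2.5 Port 80</address>")
HARDENED = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
            "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>")

if __name__ == "__main__":
    for where, product, version, outdated in disclosures(VERBOSE):
        note = " (below baseline)" if outdated else ""
        print(f"{where}: {product} {version}{note}")
    print("hardened findings:", disclosures(HARDENED))
```

On Apache, the ServerTokens Prod and ServerSignature Off directives produce the hardened response shape; that hides the versions but does not replace patching.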

#3 Step

In this step we search for the open ports that we could use to connect to the machine. We’ll use Nmap, a built-in tool, for this task.

Nmap scan

You’ll notice that the machine has ports 22, 80, 111, 139, 443 and 32768 open. Of these ports, I think that 22, 139 and 443 are the most important in this list, so we’ll look into the versions of these services: OpenSSH, SMB and mod_ssl

Note also that the OS version appears at the end of the results; we should note this information too

#4 Step

We’ll start by searching for OpenSSH vulnerabilities using the built-in searchsploit tool

Searching for vulnerabilities related to the OpenSSH version on the SSH port

You’ll notice multiple vulnerabilities related to SSH, so we’ll look for one that matches the version running on our machine, 2.9p2, but unfortunately we didn’t find one. So what’s the next step?

We’ll search the same way for another vulnerable port; let’s start again with mod_ssl

Searching for mod_ssl vulnerabilities

Note that our mod_ssl version is 2.8.4, so we can use the OpenFuck exploit. Check the path /usr/share/exploitdb/exploits/unix/remote/, which is where the exploit is located.

On the latest Kali Linux update this exploit has more problems, and you should use the updated version from GitHub from here

After downloading the updated version of the tool we will install it like this

Installing steps of OpenFuck

After installing it, run it and supply the required parameters.

You’ll notice that, depending on the version of our system, we will use 0x6a or 0x6b. Try 0x6a first and you’ll get this result, so the right one is 0x6b

Bingo! Now we have root access on the machine through the mod_ssl port

Another method to get Root access

SMB Enumeration

If you look at the Nmap results you’ll notice something called samba, so what’s this? Samba or SMB (Server Message Block) is a service used to share files between multiple devices, so we’ll try to access this port, but first we need to know its version because Nmap didn’t give us this info.

We’ll use Metasploit to get the Samba version. Open it by typing the command msfconsole and then search for smb. You’ll find many results, but note the one called auxiliary/scanner/smb/smb_version, which is used to get the Samba server’s version

By typing < show info > you’ll see the options you need to set, such as RHOSTS, which you specify with this command


After typing this, run the module by typing run

Nice! Now we know that the version is Samba 2.2.1a

We’ll search for any exploit related to this version using the same technique we used in the first exploitation

You’ll find an RCE exploit related to this version, so change to its directory and then compile it as follows

Now use -b 0 to brute force

Congrats again! Now you have root access

Congratulations bro ❤



Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll