kioptrix – level 1

Kioptrix Level 1 was created by @loneferret and is the first in the series of five. The description from the author is as follows:

“These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.”

Sounds like a good quick challenge, so let’s get started with our usual netdiscover enumeration of the subnet and find our vulnerable host.

Target acquired. What ports do we have open?

Ports 80 and 443 are both open; they're the usual suspects I start interrogating. Unfortunately for us, both services only present the default Apache post-install pages. For those of you that have been playing along with my previous Troll: 1 and Troll: 2 write-ups, you know what time it is. If you haven't been playing along... it's wfuzz time!
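From the other side of the wire, a wfuzz run like this one is very visible: one client producing a burst of 404s in a short window, with the odd 200 marking what it actually found. The following detector is an added example, not something from the original write-up; it parses Apache combined-format access log lines, flags any client whose 404 count inside a sliding window reaches a threshold, and reports which paths that client did hit successfully. The log lines, IP addresses and request paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, one request per line. Constructed sample data:
# a normal visitor with a single missing favicon, and a scanner hammering
# non-existent paths until it lands on the stats directory.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2003:13:55:30 -0700] "GET / HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2003:13:55:41 -0700] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2003:13:56:01 -0700] "GET /probe1 HTTP/1.1" 404 278 "-" "Wfuzz/2.0"
198.51.100.7 - - [10/Oct/2003:13:56:01 -0700] "GET /probe2 HTTP/1.1" 404 278 "-" "Wfuzz/2.0"
198.51.100.7 - - [10/Oct/2003:13:56:02 -0700] "GET /probe3 HTTP/1.1" 404 278 "-" "Wfuzz/2.0"
198.51.100.7 - - [10/Oct/2003:13:56:02 -0700] "GET /probe4 HTTP/1.1" 404 278 "-" "Wfuzz/2.0"
198.51.100.7 - - [10/Oct/2003:13:56:03 -0700] "GET /usage/ HTTP/1.1" 200 4102 "-" "Wfuzz/2.0"
198.51.100.7 - - [10/Oct/2003:13:56:03 -0700] "GET /probe5 HTTP/1.1" 404 278 "-" "Wfuzz/2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def peak_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window`."""
    start = best = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforcers(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"misses": peak 404s in a window, "found": paths that returned 200}}
    for every client whose peak 404 rate reaches `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        peak = peak_in_window(misses, window)
        if peak >= threshold:
            # What the scanner actually discovered is the part worth reviewing.
            found = sorted(r["path"] for r in recs if r["status"] == 200)
            flagged[ip] = {"misses": peak, "found": found}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['misses']} misses in window, found {info['found']}")
```

The threshold and window are deliberately low for the eight-line sample; on a real server they are tuned against the normal 404 background (favicons, stale bookmarks) so that ordinary visitors never trip it, and the "found" list is what tells you whether something like a statistics page is reachable by anyone who guesses the path.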

Okay... nothing overly exciting there, but let's take a look at the usage directory.

webalizer

Nice, a Webalizer statistics page. Taking a look at what page or pages have been hit recently, we can see test.php looks popular. Let’s take a look at the page:

test.php

Pretty boring. Let’s keep enumerating through our ports. Next up, SMB on port 139. Let’s connect with smbclient, ascertain the version of Samba, and see if we can list any available shares.

Only the usual IPC$ and ADMIN$ shares. Next step, we check whether the permissions happen to be weak enough to let us connect to the shares. Alas, listing IPC$ fails with NT_STATUS_NETWORK_ACCESS_DENIED and connecting to ADMIN$ fails with NT_STATUS_WRONG_PASSWORD. Time to take a look at whether there are any vulnerabilities, and associated exploits, for Samba 2.2.1a.

Nice… this looks promising. Luckily for me, I came across something very similar in a certification I recently achieved. Let’s take a look at the first exploit in our list, H D Moore’s trans2root.pl exploit of CVE-2003-0201.
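The whole finding rests on the version string smbclient printed, so here is the defender-side counterpart: a check, added here and not part of the original write-up, that parses Samba version banners (including the letter suffix the 2.2.x releases use, so that 2.2.8 sorts below 2.2.8a) and flags 2.2.x releases older than 2.2.8a, the release in which CVE-2003-0201 was fixed. The hosts and banners are constructed for the example.

```python
import re

# CVE-2003-0201 (the trans2open overflow) affects Samba 2.2.x before 2.2.8a.
FIXED_VERSION = "2.2.8a"

# Samba versions look like "2.2.1a": three numbers and an optional letter.
_VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_samba_version(text):
    """Extract a Samba version from banner text such as
    'Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]'.
    Returns a comparable tuple (major, minor, patch, suffix), or None if no
    Samba version is present (for example a Windows server banner)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    # Tuple comparison puts the bare release before its lettered update: 2.2.8 < 2.2.8a
    return (int(major), int(minor), int(patch), suffix)


def is_trans2open_vulnerable(version):
    """True if `version` is a 2.2.x release older than the fixed 2.2.8a."""
    if version is None:
        return False
    fixed = parse_samba_version("Samba " + FIXED_VERSION)
    return version[:2] == (2, 2) and version < fixed


def assess_hosts(banners):
    """Map host -> (version label, vulnerable?) for a dict of host -> banner text."""
    results = {}
    for host, banner in banners.items():
        v = parse_samba_version(banner)
        label = "unknown" if v is None else "%d.%d.%d%s" % v
        results[host] = (label, is_trans2open_vulnerable(v))
    return results


if __name__ == "__main__":
    # Constructed sample banners in the shape smbclient prints on connect;
    # the addresses are documentation ranges, not real hosts.
    sample = {
        "192.0.2.5": "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]",
        "192.0.2.6": "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.8a]",
        "192.0.2.7": "Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20]",
        "192.0.2.8": "Domain=[WORKGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]",
    }
    for host, (ver, vuln) in assess_hosts(sample).items():
        print(host, ver, "VULNERABLE" if vuln else "ok")
```

Because the check only compares version numbers, it is an inventory signal rather than proof: a vendor backport can leave an old version string on a patched binary, and the converse is that a host still reporting 2.2.1a in 2003 or later has simply not been updated.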

Damn. It looks like the exploit almost triggered; however, we didn't receive the expected reverse shell. Perhaps we could try a bind shell. Rather than spend the time altering H D Moore's code, let's take a look at the exploit available to us in Metasploit and set the payload to be a bind shell.

Voila! As we suspected, the exploit worked and our payload allowed us to connect via a bind shell.

got_root

Thanks @loneferret for a quick and enjoyable vulnerable boot2root VM. I look forward to taking a look at your other Kioptrix challenges. As always, cheers VulnHub for hosting the VM and making this all possible.

Until next time, tight lines and may you pop shells often.