VulnHub — Kioptrix: Level 1

In reviewing multiple blogs and websites, the Kioptrix series is supposed to be for penetration tester beginners and is rumored to be similar to the challenges within Offensive Security’s PWK coursework. Since I classify myself as a beginner, my goal is to work through this series and document my findings along the way.


Download the Kioptrix VM from and use RAR to expand the compressed file. Since my Host machine is Linux (Ubuntu 16.04), I launched VMWare Player and selected the “Kioptrix Level 1.vmx” file.

Victim Description:

Based on reviewing the site, the listed vulnerabilities are buffer errors and privilege escalation. In addition, there is a flag that can be captured within email.

Information Gathering:

Since I am using a Private Network on a remote Linux Host, I chose to review the network settings on the Kali system to determine the Private Network IP Address and Subnet Mask.


Using the information gathered from the scans, I used Dirb to scan the web server for hidden directories or other items that may be useful.

Exploiting OpenSSH:

In researching OpenSSH 2.9p2, I was able to obtain the information that this version was vulnerable with the “off-by-one error in the channel code.” However, I was unable to find a usable exploit for CVE-2002–0083 at this time.

Exploiting Samba:

Researching Samba version 2.2.1a, there appears to be at least two methods that can be used to exploit Samba. The first method involves Metasploit and the second version involves a Perl script.

Method #1

This method is a walkthrough of using Metasploit to gain root access. For a better comprehension of the processes, I have included successes and failures.

Method #2

In this method, I have included my successes and failures with gaining root. This method is a walkthrough of using different scripts.

Exploiting Apache:

Reviewing the findings from Nikto, it was determined that CVE-2002–0082 was present and it is exploitable to produce a remote shell. With that information, it is time to find additional information within searchsploit.

Capturing the Flag:

Even though VulnHub notes that the flag is in email, I had been taught to issue a locate command for a possible file with the name flag in it.


While in a shell, it is a good practice to capture the /etc/passwd and /etc/shadow files for later use with a password cracker.

Cyber Security Enthusiast