Kioptrix Level 1 Challenge Solution

Kioptrix Level 1 is a hacking challenge. We have to get the root access and find a flag for the next level.There are many ways to solve kioptrix level 1 challenge, I am writing here my way but you can get a lot of other ways on the web. Lets dive in Kioptrix level 1.
1. VMware
2. Kioptrix level 1 challenge(Click here to Download)
3. Kali Linux 2.0 (You can choose any attacking OS you want.)

Dive In:

So After turning on both the virtual machines, find the kioptrix internal IP address via any tool..You can use nmap and can define the subnet for checking the running hosts. I have used netdiscover tool to do so{in my case the IP address is}.

-> netdiscover -r

Now lets scan the host at for its open ports:

-> nmap -sV

Looking at this scan, you can choose any port to dig into. I choose netbios port because it is used by applications to communicate in a local network, So I know now that port 139 is open and Samba utility is running on that port. Lets find more information about this particular utility. 

-> smbclient -L \\

version for samba here is 2.2.1a. This kind of info is sometimes enough to exploit a machine. Lets search if an exploit for this version is available for not.

-> searchsploit samba2.2.

I am going to use this exploit “10.c”. Copy this to the Desktop for further compilation.

To compile this file use command:

-> gcc 10.c -o samba

Now all you have to go is run the exploit

-> ./samba -b 0

here 0 is for linux platform. run just ./samba for detailed help.

This exploit works successfully on this challenge and we have the root, you can check it by using whoami command.


But when I tried to add user it gave me this error . So now I know I need to define a path for useradd command. So I typed:

-> export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Now my user has been created and I can SCP any file from my OS to the target OS. But for now lets see if we can see the shadow file! Here it is:

You can do whatever you want since you are the admin now…But the final step of the challenge is to find the flag. This was not that easy but here is the flag.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: