This is a straightforward box that had been well documented before I even started down my ‘hacking’ path. So, I will more or less cut to the chase here, as the main things you need to learn are:

1. How to Scan
2. How to Enumerate Ports
3. How to Search Google for Exploits

My Setup that I have used:


Assuming you have set this up in your home environment in either VMware Workstation / Fusion or VirtualBox, your home DHCP server gave it an IP address. Or you were smart and set it up on a host-only interface and/or did not give it internet access at all. Either way, never have these machines running on your home network unless you are actively hacking away at them, ALWAYS SHUT IT OFF WHEN YOU ARE DONE! Safer than sorry!

Step 1: Find the IP address of the host

There are really two ways you can go about this: 1.) look for a newly leased IP address on your router, or 2.) run an Nmap ping sweep / netdiscover. I personally used netdiscover.

The IP Address for my instance of Kioptrix is

Step 2: Nmap Scan, Enumerate Versions

We run: nmap -sC -sV -oA nmap <target IP> (the target IP is the address found in Step 1)

  • -sC: run Nmap's default NSE script set against the open ports
  • -sV: detect the versions of services on open ports
  • -oA nmap: write the results in all three output formats (normal .nmap, XML .xml and greppable .gnmap) with the basename "nmap"
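Once -oA has written its files, the .gnmap copy is the easiest one to turn into a list of "service + version" strings to look up in searchsploit and Google in the next step. The parser below is an added example, not code from the original post; the .gnmap sample it parses is constructed, so the host, ports and banners are made up, and the `parse_gnmap` / `search_terms` names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of the greppable (.gnmap) file that `nmap -sC -sV -oA nmap <ip>`
# writes next to the .nmap and .xml files. Host, ports and banners are invented.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sat Jan  6 10:00:00 2024 as: nmap -sC -sV -oA nmap 192.168.56.101
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2 (protocol 1.99)/, 80/open/tcp//http//Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)/, 139/open/tcp//netbios-ssn//Samba smbd (workgroup: MYGROUP)/, 443/open/tcp//ssl|https//Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)/\tIgnored State: closed (996)
# Nmap done at Sat Jan  6 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str

# One port entry: port/state/protocol/owner/service/rpc-info/version/
# The version is matched greedily because it may itself contain '/' (e.g. OpenSSL/0.9.6b).
PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")

def parse_gnmap(text: str) -> list[Service]:
    """Return one Service per port listed on the 'Ports:' lines of a .gnmap file."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; maxsplit=1 keeps ': ' inside banners intact.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        if "Ports" not in fields:          # the 'Status: Up' line carries no ports
            continue
        # Entries are separated by ', ', but so may be parts of a banner, so only split
        # on a comma that is followed by the next port number.
        for entry in re.split(r", (?=\d+/)", fields["Ports"]):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue
            port, state, proto, _owner, name, _rpc, version = m.groups()
            services.append(Service(host, int(port), proto, state, name, version.strip()))
    return services

def search_terms(services: list[Service], states=("open",)) -> list[str]:
    """Distinct banner strings for open ports, in scan order: the text to search for."""
    terms: list[str] = []
    for s in services:
        if s.state in states and s.version and s.version not in terms:
            terms.append(s.version)
    return terms
```

Point the same function at your own nmap.gnmap (`parse_gnmap(open("nmap.gnmap").read())`) and the duplicate Apache banner on 80 and 443 collapses to one search term.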

Step 3: Check for low hanging fruit

We can see that this is running several old and out-of-date services. The first one I am going to look for exploits for is Apache, as web servers are always a great way in. But make sure you search for exploits based on both the service and its version; check Google and Exploit-DB.

  • I first check for exploits using SearchSploit: Didn’t get a hit…

  • Google search the service and version:

Looks like there is an exploit with possible remote code execution. The exploit, OpenFuck, takes advantage of an OpenSSL buffer overflow vulnerability. We’ll grab the source code from Exploit-DB with wget, compile it, and run it against the vulnerable machine:

  1. Download the source code to current directory: wget
  2. It’s older source code so we need to make some changes to it. Follow this detailed Guide
  3. Compile the source code (it links against OpenSSL’s libcrypto, not libcrypt): gcc -o openfuck OpenFuck.c -lcrypto
  4. Run Openfuck:

cat /var/mail/root

From root Sat Sep 26 11:42:10 2009
Return-Path: <[email protected]>
Received: (from root@localhost)
by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
for [email protected]; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won’t be as easy…