
Kioptrix Level 1.1 / 1.2 / 1.3 Comparison: Which Box Should You Tackle First for OSCP Prep?
Midnight Decisions: Which Kioptrix Box Should You Actually Start With?
It’s five minutes to midnight. You’ve got Kali open, your coffee’s gone lukewarm, and a dozen browser tabs are shouting about “OSCP-like VulnHub boxes.” Everyone’s got an opinion: “Start with Kioptrix!” — yeah, but which one? 1.1, 1.2, or 1.3? That naming scheme doesn’t help. You don’t have time to guess wrong.
This guide cuts through the noise.
We’re not here to romanticize the grind. You’re juggling a full-time job, limited lab time, and a $1,599 exam fee that stares at you like rent. Every hour you invest needs to be strategic — and tonight, it needs to count.
So let’s treat each Kioptrix machine for what it is: a purpose-built tool to sharpen specific OSCP+ exam skills. No fluff. We’ll break down each box — 1.1 through 1.3 — by the techniques it teaches, how long it’ll likely take, and how it fits into your prep timeline. We’ll even give you a rough time-and-cost planner you can use later to budget your path to the cert.
🚨 The Problem
Kioptrix box names are confusing. Your time isn’t infinite. You need a start point — and a reason for it.
✅ The Promise
By the end of this article, you’ll know exactly which Kioptrix box to fire up first, how each maps to OSCP-style skills, and how to make every minute count toward your exam goal.
🧭 The Roadmap
We’ll go box-by-box, highlighting:
- Technical skills each teaches (mapped to OSCP+ domains)
- Estimated time investment (based on real-world averages)
- Difficulty and payoff
- Where each box fits in your overall prep timeline
Then we’ll wrap with a 15-minute action plan you can use right now — not “eventually.”
No guesswork. Just a late-night game plan that moves you forward.
Why Kioptrix Still Matters for OSCP+ in 2025
Kioptrix is old-school. The original VulnHub entries date back to around 2010–2014, long before “OSCP+ with AD” became a thing. Yet they still show up on curated OSCP-style lists like the NetSecFocus / TJNull collections and modern write-ups from 2023–2025. Many of those authors explicitly say they’re using Kioptrix as part of their OSCP journey.
Here’s why that’s still rational in the OSCP+ era:
- Solid fundamentals: Kioptrix boxes force you to practice host discovery, port scanning, web enumeration, credential reuse, and Linux privilege escalation—all still core in OSCP+.
- Beginner-friendly difficulty: VulnHub itself tags the Kioptrix images as “easy” learning challenges. Several modern walk-throughs confirm they’re meant for beginners stepping into penetration testing for the first time.
- OSCP-like flavor: Multiple bloggers describe Kioptrix 1.1–1.3 as “OSCP-like” boot-to-root CTFs: you get a narrow scope, must chain enumeration → exploitation → privesc, and document what you did, just like the exam.
But there are limitations you should be honest about:
- No Active Directory or modern EDR.
- Older Linux stacks and web apps—valuable for learning, not representative of the latest corporate estates.
- Some exploits rely on older kernels or software versions you won’t see in 2025 production, though the methodology maps well.
“The OSCP+ exam now explicitly emphasizes Active Directory, disciplined methodology, and professional reporting.” (OffSec exam updates, 2024–2025)
So the realistic view is this: Kioptrix won’t pass the exam for you, but it’s a cheap, low-friction way to build the muscle memory you’ll need when you’re deep in OffSec’s PEN-200 labs, Hack The Box, Proving Grounds, or TryHackMe.
- Use it to practice enumeration and privesc in a low-pressure setting.
- Pair it with modern labs that cover AD and Windows.
- Keep reminding yourself: methodology transfers, specific CVEs may not.
Apply in 60 seconds: Write one line in your study plan: “Kioptrix = fundamentals only; AD/Windows = separate track.”
Kioptrix Level 1.1 / 1.2 / 1.3 at a Glance
First, let’s align on naming. VulnHub uses this slightly cursed convention:
- Kioptrix: Level 2 (1.1) (#2) → Commonly called Level 1.1.
- Kioptrix: Level 3 (1.2) (#3) → Commonly called Level 1.2.
- Kioptrix: Level 4 (1.3) (#4) → Commonly called Level 1.3.
Here’s the short version of the Kioptrix Level 1.1 / 1.2 / 1.3 comparison in OSCP language:
| Box | Main Theme | Key Skills | Feels Like in OSCP World | Difficulty (Beginner View) |
|---|---|---|---|---|
| 1.1 (Level 2) | Classic web + simple command injection | Port scanning, SQLi on login, basic RCE, Linux privesc | Your first “proper” OSCP-style Linux box | ⭐ Easy–Low Medium |
| 1.2 (Level 3) | CMS exploitation (LotusCMS) + credential reuse | Virtual hosts, CMS RCE, DB creds, password cracking | A multi-step web → DB → OS chain | ⭐⭐ Solid Medium, still beginner-friendly |
| 1.3 (Level 4) | SQLi + restricted shell + clever privesc | SQLi, SSH with restricted shell, shell escapes, sudo abuse | Your first “this feels like exam pressure” box | ⭐⭐⭐ Medium with a few “aha” moments |
Most modern write-ups agree on the progression: 1.1 → 1.2 → 1.3 grows in complexity, not because the exploits are impossible, but because there are more steps and more chances to get lost in your own notes.
A common pattern in OSCP candidate blogs: they blitz through 1.1 in a night, get mildly humbled by 1.2’s virtual hosts and CMS quirks, and then feel deliciously stuck (and then rewarded) by 1.3’s restricted shell.
- 1.1 = basic OSCP box vocabulary.
- 1.2 = learning to chain small wins into root.
- 1.3 = staying calm when a restricted shell fights back.
Apply in 60 seconds: Pick the row that looks like where you want to be in 4 weeks and mark it as “goal state.”
What Kioptrix Level 1.1 Really Teaches You
Imagine a quiet evening: you scan the subnet, find the Kioptrix host, and suddenly see a handful of open ports—SSH, HTTP, maybe HTTPS, CUPS, MySQL. Nothing outrageous. It feels “small enough to handle”, which is exactly the point.
Across recent 1.1 walk-throughs, the rough path looks like this:
- Use `netdiscover` or `arp-scan` to find the target.
- Run a targeted `nmap -sV -sC` and note HTTP, HTTPS, and DB ports.
- Hit the web login, test simple SQL injection payloads, and confirm authentication bypass.
- Reach a “ping” interface that lets you run system commands—your first taste of command injection.
- Stabilize your shell, then enumerate kernel version, SUID binaries, and misconfigurations for privesc.
It’s not flashy. That’s why it’s valuable. Each step mirrors a tiny slice of what PEN-200 and the OSCP+ exam expect from you:
- Structured enumeration instead of random tool flailing.
- Translating a web vulnerability into system-level access.
- Looking for privilege escalation vectors like you’re running a mental checklist.
On Kioptrix 1.1, many write-ups walk through SQL injection on the login form using straightforward payloads like `' OR '1'='1`. Once authenticated, a web interface calls `ping` and interpolates user input into a shell command. That’s your entry to remote command execution. From there, people typically upload a reverse shell via `curl`/`wget` or abuse the ping parameter directly, then escalate with a known local kernel exploit or a weakly configured service. The important pattern isn’t memorizing a specific exploit, but seeing the chain: data in → command execution → shell → root.
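The two 1.1 defects side by side with the fixes a developer should have shipped, as an added illustration that is not code from the write-ups or from the Kioptrix VM. The in-memory user table, the function names and the `ping` wrapper are constructed for this example.

```python
"""Added example: the 1.1 login-bypass SQLi and the ping command injection,
each beside its hardened form. Nothing here is taken from the VM itself."""
import ipaddress
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the box's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(username: str, password: str) -> bool:
    """Concatenates user input into the query: the classic auth-bypass SQLi.
    A password of ' OR '1'='1 turns the WHERE clause into an always-true test."""
    conn = _demo_db()
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Parameterised query: the quote in the payload is data, never SQL."""
    conn = _demo_db()
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def vulnerable_ping_command(target: str) -> str:
    """Builds the shell string the way the box's ping page does. Returned,
    not executed, so the injected second command stays visible but inert."""
    return f"ping -c 1 {target}"


def ping_target_is_safe(target: str) -> bool:
    """Allow-list check: only a literal IPv4/IPv6 address gets through."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def safe_ping_argv(target: str) -> list[str]:
    """Validate first, then build an argv list for subprocess.run(argv)
    with no shell, so metacharacters can never become a second command."""
    if not ping_target_is_safe(target):
        raise ValueError(f"refusing non-address ping target: {target!r}")
    return ["ping", "-c", "1", target]
```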
For many beginners, 1.1 is the first time they watch a simple form parameter turn into a root shell. That psychological shift—“oh, this is exactly how it happens in real life”—is priceless.
- Focus on clean enumeration notes, not just “getting root.”
- Practice one manual path before using automation tools.
- Time yourself: aim for sub-4 hours by your second attempt.
Apply in 60 seconds: Create a new note template with four headings: Recon, Web, Initial Foothold, PrivEsc, and promise to fill all four while doing 1.1.
What Kioptrix Level 1.2 Adds on Top
Level 1.2 is where people go from “I can pop a box” to “I can manage multiple moving parts without losing the plot.” The underlying VM uses a web application stack that includes LotusCMS and multiple virtual hosts, so you’re suddenly dealing with a more realistic web surface.
Across recent write-ups, you’ll see a fairly consistent storyline:
- Enumeration uncovers HTTP plus a hostname like `kioptrix3.com` that you need to add to `/etc/hosts`.
- LotusCMS is identified via HTTP titles and responses, then hit with known exploits or a crafted RCE payload.
- Once you gain a low-privilege shell, you dig into config files, find MySQL credentials, and pivot into the database.
- Hashed passwords get dumped, cracked offline with `hashcat` or `john`, and reused for SSH or privilege escalation.
This is a fantastic training ground for OSCP-style “chaining”:
- You’re learning to recognize CMS fingerprints and version information from banners and page content.
- You practice host file manipulation and virtual host routing—common in real enterprise environments.
- You get hands-on with credential reuse across services, which shows up frequently in penetration test reports.
There’s also a soft skill hidden here: patience. Many candidates hit the CMS, get a shell, and stop. Going the extra mile to dump and crack passwords is what graduates you from “script user” to “exam-ready operator.”
- Expect to touch HTTP, DBs, and password cracking in one sitting.
- Practice clear notes on every credential you discover.
- Don’t quit at the first shell—dig for the “intended” chain.
Apply in 60 seconds: Start a simple table in your notes: Service → Creds Found → Where You Reused Them.

Why Level 1.3 Feels Like Your First “Real” OSCP Box
Level 1.3 is where many OSCP candidates report their first “I’m stuck but also having fun” moment. The box leans heavily on SQL injection for initial access and then throws you into a restricted shell over SSH.
The common storyline goes something like this:
- Enumerate HTTP and find a login form vulnerable to SQL injection.
- Use SQLi to dump user credentials from the backend database.
- SSH in with those credentials, only to discover a restricted shell with very limited commands.
- Figure out how to escape that restricted shell—using `vi`, `less`, `python`, or other binaries.
- Once you land in a “normal” shell, you move to classic Linux privilege escalation to reach root.
This feels extremely OSCP-like for three reasons:
- You’re punished for poor enumeration. Miss a parameter or table and you won’t have the right credentials.
- You must think about shells as environments. Knowing that `vi` or `less` can spawn shells isn’t trivia—it’s exam material.
- Your mental game matters. It’s easy to rage-quit when the restricted shell blocks your usual tools.
Write-ups often show SQL injection on an authentication form that allows UNION-based enumeration of usernames and hashed passwords. Once cracked, these let you SSH into the box, where the login drops you into a restricted environment (e.g., limited command list, no direct shell invocation). From there, you may use binaries like `vi`, `awk`, or `python -c 'import pty; pty.spawn("/bin/bash")'` to break out. Privilege escalation commonly involves weak sudo configurations or SUID binaries. The important takeaway is that you’re forced to stack multiple technique categories in one coherent attack path.
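Seen from the admin’s side, the two 1.3 weaknesses above are config mistakes you can audit for: a restricted shell whose allow-list still contains editors, pagers or interpreters, and sudo rules that hand those binaries out. The audit below is an added example, not code from the write-ups or the VM; the `sudoers` lines, the allow-list and the `SHELL_CAPABLE` set are constructed samples.

```python
"""Added example: flag sudo rules and restricted-shell allow-lists that
undo the restriction. Sample data is constructed, not taken from the VM."""
import re

# Binaries the write-ups name as escapes: editors, pagers and interpreters
# can all spawn a child shell. Constructed starting set; extend as needed.
SHELL_CAPABLE = {"vi", "vim", "less", "more", "awk", "python", "python3",
                 "perl", "sh", "bash"}

# Constructed sample /etc/sudoers content (assumption, not the VM's file).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
john    ALL=(ALL) NOPASSWD: /usr/bin/vi
robert  ALL=(ALL) /usr/bin/python3
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl status *
bob     ALL=(ALL) NOPASSWD: ALL
"""

# user  host=(runas) [TAG: ...] command[, command...]
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
                   r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(text: str) -> list[dict]:
    """One finding per risky rule: ALL commands, a wildcard, or a binary that
    can spawn a shell. NOPASSWD is recorded because it removes the last
    hurdle between a stolen password-less account and root."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m:
            continue                              # aliases etc. are out of scope
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command set")
            if "*" in cmd:
                reasons.append("wildcard in command")
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_CAPABLE:
                reasons.append(f"{prog} can spawn a shell")
            if reasons:
                findings.append({"user": m["user"], "command": cmd,
                                 "nopasswd": nopasswd, "reasons": reasons})
    return findings


def audit_restricted_shell(allowed: set[str]) -> set[str]:
    """Commands in a restricted shell's allow-list that defeat the restriction
    because they can hand the user a normal shell."""
    return allowed & SHELL_CAPABLE
```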
Mentally, 1.3 is the moment you stop seeing a machine as “a puzzle with a trick” and start seeing it as a gritty little system that will fight you back unless your methodology is stable.
- It forces you to practice shell escapes instead of relying on lucky tools.
- It rewards disciplined note-taking about database tables and users.
- It’s a great machine to re-do just before your exam attempt.
Apply in 60 seconds: Add “restricted shell escape techniques” as a line item in your pre-exam checklist.
Money Block: Time & OSCP Cost Planning Around Kioptrix (2025)
Let’s talk about the uncomfortable part: time and money. OSCP+ in 2025 isn’t cheap, and it has a clear fee schedule. OffSec’s public pricing shows, for example, a PEN-200 Course + Certification Bundle around $1,749 for 90 days of labs and one exam attempt, and a Learn One subscription around $2,199/year with two exam attempts included. Bridging from OSCP to OSCP+ can cost $199–$799 within specific windows.
The good news: Kioptrix is free, and you can run it locally. The trick is to slot it into your overall budget and timeline like a pro.
Money Block #1 – Eligibility Checklist: Are You Ready to Pay for OSCP+ Yet?
Before you drop four figures, run this binary checklist:
- Linux navigation: Can you move confidently with `cd`, `ls`, `grep` and edit files in `vim` or `nano`? (Yes/No)
- Networking fundamentals: Do you understand basic TCP/UDP ports, subnets, and routing enough to interpret an `nmap` scan? (Yes/No)
- Basic web vulns: Have you manually tested for SQLi and command injection at least once on a lab target? (Yes/No)
- At least 3 boot-to-root boxes: Have you fully rooted 3+ beginner VMs (including at least one Kioptrix)? (Yes/No)
- Study budget room: Can you set aside ~250–400 hours over 4–6 months for preparation? (Yes/No)
If you answered “No” to two or more of these, do Kioptrix and similar free labs first. Eligibility first, expensive vouchers second—you’ll save both money and stress.
Money Block #2 – OSCP+ Cost Snapshot (2025, Approximate)
| Option (2025) | Typical Price (USD) | What You Get | Best For |
|---|---|---|---|
| PEN-200 Course + Cert Bundle | ≈ $1,749 (mid-2025) | 90 days of labs + 1 OSCP+ exam attempt | Focused 3-month sprint |
| Learn One Subscription | ≈ $2,199/year | 1 year, one 200/300-level course, labs, 2 exam attempts | Slow-and-steady learners |
| Standalone OSCP+ Exam | ≈ $1,699+ | 2 exam attempts, no course subscription | Experienced pentesters |
| Retake / Upgrade Fees | ≈ $199–$799+ | OSCP to OSCP+ upgrade, retakes within windows | Existing OSCP holders |
Numbers above are based on publicly listed pricing and major educational write-ups in 2024–2025; these prices move slowly, but always confirm the current fee schedule on OffSec’s official site before paying.
- Use eligibility checks before buying an exam bundle.
- Know roughly which pricing tier fits your timeline.
- Let your fundamentals, not FOMO, decide when you pay.
Apply in 60 seconds: Circle one option in the table that matches your budget, then write: “I will not purchase this until I’ve rooted Kioptrix 1.1–1.3 at least once.”
If you’re in Asia-Pacific, especially Korea, Japan, or Singapore: pay attention to time zones when scheduling the 24-hour OSCP+ exam. Many candidates prefer to start late afternoon local time so the “sleep dip” hits during easier enumeration periods. Kioptrix boxes are great for rehearsing these long sessions—try running one full box in a single sitting that mirrors your planned exam window.
Decision Map: Which Kioptrix Box Should You Tackle First?
Now to the core question: Which Kioptrix Level 1.x should you start with for OSCP prep? Let’s answer it with a simple decision card.
Money Block #3 – Decision Card: Start With 1.1, 1.2, or 1.3?
| Your Situation (Be Honest) | Recommended First Box | Why |
|---|---|---|
| Brand-new to CTFs, can use Linux but haven’t rooted a box yet | Kioptrix 1.1 | Shortest path to “scan → web vuln → root,” low chance of getting lost. |
| Comfortable with Linux and basic web vulns, rooted 2–3 easy boxes | Kioptrix 1.2 | Introduces CMS exploitation, credential reuse, and more realistic web flows. |
| Already done multiple VulnHub / Hack The Box “Easy” boxes, know SQLi basics | Kioptrix 1.3 | Gives you restricted shell pain and chained exploitation similar to exam pressure. |
| Revising close to exam; want fast warm-up | 1.3 → 1.2 → 1.1 (speed run) | Start hardest and run backwards as confidence boosters in one weekend. |
Short Story: a friend of mine prepped for OSCP while working a full-time blue-team role. For weeks, they floated between random TryHackMe rooms and Hack The Box “Easy” boxes without a theme, always feeling a little lost. Then they dedicated two weekends to Kioptrix: Friday night 1.1, Saturday 1.2, the next weekend 1.3. By the end, they weren’t magically exam-ready, but they finally trusted their own process: scan, enumerate, exploit, escalate, document. Two months later, that exact process carried them through the OSCP exam’s first Linux host in under four hours.
If you’re still unsure, use this tie-breaker:
- If you’re afraid of “breaking your confidence” → start with 1.1.
- If you’re bored by super-easy boxes → start with 1.2.
- If your exam is within 4–6 weeks → start with 1.3 as a stress rehearsal.
- Pick something hard enough to stretch you, not to crush you.
- Plan the whole trilogy upfront; don’t leave it to “when I have time.”
- Schedule 1.3 as a test of your exam-day workflow.
Apply in 60 seconds: Open your calendar and block three 3-hour sessions named “Kioptrix 1.1/1.2/1.3.”
Building an OSCP-Style Lab Routine With Kioptrix
Kioptrix on its own is nice; Kioptrix inside a routine is powerful.
Here’s a simple weekly structure that works well for time-poor professionals:
- One weekday evening (90 minutes): pure recon and note cleanup; no exploitation allowed.
- One weekend block (3 hours): exploitation + privesc attempts on a single box.
- 15-minute “report drill”: write a mini-report for that box using OSCP-style headings.
Play this out over 3–4 weeks:
- Week 1: Kioptrix 1.1 (recon → exploit → privesc → report).
- Week 2: Kioptrix 1.2.
- Week 3: Kioptrix 1.3.
- Week 4: A more modern OSCP-like box on Hack The Box, OffSec Proving Grounds, or TryHackMe.
By the end of this cycle, you’ve rehearsed the full OSCP pattern four times.
Mini Calculator – How Many Weeks Until You Finish 20 OSCP-Style Boxes?
60-Second Estimator: Roughly estimate how long it takes to clear 20 OSCP-style boxes (including Kioptrix) at your current pace.
Most OSCP reviews in 2024–2025 mention candidates putting in 250–400 hours of hands-on practice over 3–6 months. Kioptrix should be maybe 30–40 of those hours, not your entire plan.
- Use Kioptrix to harden your basic workflow across three boxes.
- Then shift to AD-heavy and Windows boxes in modern platforms.
- Estimate your total box count and weeks—don’t wing it.
Apply in 60 seconds: Run the mini calculator, snapshot the result, and compare it to your target exam date.
Infographic: Kioptrix Roadmap vs OSCP Skills
Step 1 – Kioptrix 1.1
- Focus: recon, SQLi, basic RCE
- OSCP skills: nmap, web basics, simple privesc
- Goal: first full boot-to-root with clean notes
Step 2 – Kioptrix 1.2
- Focus: CMS exploit, virtual hosts, creds
- OSCP skills: web app analysis, password cracking
- Goal: chain multiple small wins into root
Step 3 – Kioptrix 1.3
- Focus: SQLi, restricted shell, advanced privesc
- OSCP skills: shell escapes, sudo abuse
- Goal: simulate exam-like pressure on one Linux host
After Step 3, plug into AD-heavy labs (OffSec Proving Grounds, Hack The Box, TryHackMe) to cover Windows and domain attacks required by OSCP+.
The Kioptrix Gauntlet
Your OSCP+ Starting Line: Skills & Strategy
Kioptrix 1.1: The Foundation
Your first “full kill-chain” practice. This box builds the core muscle memory for enumeration, basic web exploitation, and simple privilege escalation.
- Port Scanning
- SQL Injection (Auth Bypass)
- Command Injection
- Basic Linux PrivEsc
Kioptrix 1.2: The Chain
This box teaches “multi-hop” thinking. You’re forced to chain multiple, smaller vulnerabilities—from web to database to OS—and practice credential reuse.
- Virtual Host Enum
- CMS Exploitation (RCE)
- Credential Harvesting
- Password Cracking
Kioptrix 1.3: The Hurdle
Your first “exam pressure” simulation. This box fights back with a restricted shell, forcing you to think creatively to escape and escalate.
- Advanced SQLi
- Restricted Shell Escapes
- Sudo Abuse
- Chained Exploitation
The Pentesting Landscape by the Numbers
Unpatched Systems
An estimated 93% of successful breaches originate from exploiting known, unpatched vulnerabilities—the exact type you hunt in labs.
Credential Theft
Over 60% of intrusions involve compromised credentials. Skills learned in Kioptrix 1.2 (harvesting & cracking) are directly applicable.
Misconfiguration
A leading cause of breaches is simple misconfiguration. Kioptrix 1.3 (sudo abuse, shell escapes) trains you to spot these critical errors.
Box-Popping Pre-Flight Checklist
Use this to build your methodology before every lab.
- Finish the trilogy once, then re-run 1.3 close to exam day.
- Layer AD and Windows labs on top of these core Linux skills.
- Visual roadmaps keep your study plan from drifting.
Apply in 60 seconds: Sketch your own version of this 3-step ladder in your notebook and add two extra “AD/Windows” steps beneath it.
FAQ
1. Which Kioptrix box is closest to an actual OSCP+ exam machine?
If you had to pick one, Kioptrix 1.3 feels closest: SQL injection, credential harvesting, restricted shell, and privilege escalation with multiple steps. It mimics the feeling of “I got in, but now I’m stuck.” Your 60-second action: schedule one full 3-hour block to do 1.3 in exam-style conditions—no hints, minimal breaks, full notes.
2. Can I skip 1.1 and 1.2 and go straight to 1.3?
You can, but you’ll lose a gentle ramp. Doing 1.1 → 1.2 → 1.3 builds momentum and lets you debug your workflow before hitting the hardest box. Your 60-second action: decide whether you want a confidence ramp (do all 3) or a stress-test (start at 1.3) and write that choice at the top of your study plan.
3. How many times should I repeat each Kioptrix box before exam day?
For most people, once mindfully and once quickly per box is enough. Use the second run to practice speed and reporting, not new techniques. Your 60-second action: next to each Kioptrix entry in your tracker, add two checkboxes—“slow run” and “speed run”—and tick them as you go.
4. How does this fit with the cost and timeline of OSCP+?
If you’re planning a PEN-200 bundle or Learn One subscription, treat Kioptrix as a pre-bundle warm-up. Aim to finish all three boxes before your paid lab access starts, so those 90 days or 12 months are used for harder content. Your 60-second action: check your target purchase date for OffSec, then count back 3–4 weeks and label that block “Kioptrix trilogy.”
5. What if I keep getting stuck on enumeration or privesc in these boxes?
That’s normal, and frankly, expected. Focus on improving your checklists rather than memorizing solutions. After each stuck session, list three things you didn’t check (e.g., SUID binaries, cron jobs, unusual services) and bake them into your next run. Your 60-second action: create a 10-item “Did I check this?” list for enumeration and privesc and keep it open while doing Kioptrix.
6. Are Kioptrix boxes enough practice for the OSCP+ exam by themselves?
No. They’re a strong starting point for Linux and web fundamentals but do not cover modern Active Directory attacks, Windows privilege escalation, or enterprise-level defense evasion. Your 60-second action: write down two AD-focused platforms you’ll use (e.g., OffSec Proving Grounds Enterprise and Hack The Box AD labs) and pencil them into your study calendar after the Kioptrix trilogy.
Conclusion: Your Next 15 Minutes
We all start with the same quiet question: Should I begin with Kioptrix Level 1.1, 1.2, or 1.3? It feels small—but it’s the first step toward something much bigger.
Now that you’ve seen how each box connects to real OSCP+ skills, where they fall on the difficulty curve, and how they realistically fit into your time and budget for 2025, it’s time to land the plane.
Here’s your 15-minute wrap-up checklist:
- Pick your first box using this simple guide:
  → 1.1 if you want to build strong fundamentals.
  → 1.2 if you’re ready to chain exploits.
  → 1.3 if you want to simulate exam pressure.
- Block three time slots on your calendar—one for each Kioptrix level, and one for a modern machine. Four focused sessions. That’s your foundation.
- Set a budget anchor using the cost breakdown table. This protects you from surprises later and keeps your OSCP+ journey financially sustainable.
- Create or refine your notes template. Use clear, exam-style headings. Start writing like you’re already reporting to the OffSec exam panel.
And if everything else feels like too much right now, just do this one thing:
Say out loud, “Tomorrow night, I’m doing Kioptrix [X]—from recon to report.”
That single decision shifts you from vague ambition into real momentum.
Last reviewed: 2025-11; sources cross-checked against VulnHub Kioptrix listings, OffSec OSCP+ documentation, and independent OSCP exam guides published in 2024–2025.