Thursday, June 7, 2018

Kioptrix - 2014 (#5)

KIOPTRIX- 2014 (#5) 

- Layout for this exercise:


The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix 2014 (#5)

- Kioptrix 2014 (#5) can be downloaded from here:,62/

- Once downloaded, extracted and opened with WMware:


- First, using netdiscover let's notice that the only IP address in the local network working with WMware is, so it should correspond to the vulnerable machine Kioptrix:

- Scanning with Nmap, there are only two open ports (80 and 8080), running Apache web server.

- Also, it is interesting that the operating system is FreeBSD 7.0|8.0|9.0

- Using dirb to check the contents of the website:

- Trying to connect to the web server to port 8080, there is a Forbidden message as answer:

Trying to connect to the web server to port 8080, It works !

- Viewing the Page Source, we detect the presence of pChart2.1.3:

- pChart is a PHP library that helps to create anti-aliased charts or pictures directly from the web server.

- Going deeper into folder pChart2.1.3:

- For instance, connecting to folder /examples:


- First, let's see if there is any pChart 2.1.3 related vulnerability:

- It seems that there are a numbers of vulnerabilities affecting the /examples folder:

- Let's focus our attention on the Directory Traversal attack:

- Crafting the Directory Traversal URL to our needs:

- The attack is successful:

- At this point let's remember (from Namp) that we are dealing with FreeBSD 7.0|8.0|9.0 operating system and Apache 2.2.21 web server. 

- The configuration file for this type of operating system and web server can be found at /usr/local/etc/apache22/httpd.conf:

- Now, let's craft the URL to see what we can learn from httpd.conf:

- The Directory Traversal attack is again successful:

- Let's notice the last part of the output, where it seems that for successfully connecting to the port 8080 the User-Agent must be mandatory Mozilla/4.0

- Connecting to with curl and specifying "User-Agent:Mozilla/4.0" the element phptax appears:

- phptax is an old web application to calculate US income return.

- Now, we must change the default Mozilla version to the needed 4.0. For that purpose, opening about:config and accepting the risk:

- Searching for useragent and opening a new String:

- Writing a new string and its value:

- Now, the connection to is successful and phptax is indexed:

- Metasploit helps to exploit phptax:

- Setting options:

- Running the exploit a limited shell is achieved for user www:


- Getting an sh shell:

- Remembering that the operating system is FreeBSD 9.0:

- Googling for FreeBSD 9.0 vulnerabilities:

- There is an interesting one for Privilege Escalation:

- Downloading the exploit and copying to a working directory:

- Setting a netcat listening session with the purpose of transferring the exploit to the victim machine:

- Doing the same thing at the victim's side (/tmp is writeable) the transfer is finally successful:

- Listing the exploit:

- Compiling:

- Running the exploit a root shell is achieved:


- Going to the /root folder:

etc ...