In this blog post we will see how to root the Kioptrix 2014 machine from Vulnhub.
First, let's find the IP and open ports on the machine using nmap:
Here we have the IP: 192.168.18.76
Port 80 is open, so there will be some web server running. Let's have a look.
Yes, there is a page. Anything behind that? Let's have a look at the source code.
Here we have ‘pChart2.1.3’. Now we need to know what pChart is. Let's do a quick Google search.
The website http://www.pchart.net/ says it is a PHP-based charting library. Now let's look for any existing vulnerabilities in pChart 2.1.3.
Exploit-DB says there are directory traversal and XSS vulnerabilities in pChart 2.1.3.
Let's try that by visiting the following page.
We have got the /etc/passwd file displayed in the browser.
Now let's try to read the httpd.conf file.
When we scroll down to the end, we find something interesting.
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
If our user agent is Mozilla/4.0, we can connect to port 8080.
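The rule above makes the port 8080 site depend only on the User-Agent header, which the client chooses, so it does not authenticate anyone. As an added example (not part of the original post), this Python sketch audits an Apache configuration for access rules of that kind; the sample text is constructed from the excerpt above, and the Remote_Addr rule and the /example/internal path are made up as a negative case.

```python
import re

# Constructed sample modelled on the httpd.conf excerpt above. The Remote_Addr
# rule and the /example/internal block are made up as a negative case.
SAMPLE_CONF = r'''SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
SetEnvIf Remote_Addr ^10\.0\.0\. internal_net
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
    <Directory "/example/internal">
        Allow from env=internal_net
    </Directory>
</VirtualHost>
'''

# Apache 2.2 "Allow from env=VAR" and Apache 2.4 "Require env VAR"
ACCESS_RULE = re.compile(r'(?:allow\s+from\s+env=|require\s+env\s+)(\S+)', re.I)

def ua_gated_sections(conf):
    """Return (line_no, enclosing sections, env var) for each access rule that
    trusts a variable set from the client-controlled User-Agent header."""
    lines = [(n, l.strip()) for n, l in enumerate(conf.splitlines(), 1)]
    lines = [(n, l) for n, l in lines if l and not l.startswith('#')]
    ua_vars, stack, findings = set(), [], []
    for _, line in lines:                  # pass 1: variables derived from User-Agent
        name, *args = line.split()         # assumes the regex has no quoted spaces
        if name.lower() in ('setenvif', 'setenvifnocase') and args and args[0].lower() == 'user-agent':
            args = args[1:]                # same shape as BrowserMatch: regex, vars...
        elif name.lower() not in ('browsermatch', 'browsermatchnocase'):
            continue
        ua_vars.update(v.split('=')[0] for v in args[1:] if not v.startswith('!'))
    for no, line in lines:                 # pass 2: access rules that rely on them
        if line.startswith('</'):
            del stack[-1:]                 # leave the innermost section (no-op if empty)
        elif line.startswith('<'):
            stack.append(line.strip('<>'))
        else:
            m = ACCESS_RULE.match(line)
            if m and m.group(1) in ua_vars:
                findings.append((no, ' > '.join(stack), m.group(1)))
    return findings

if __name__ == '__main__':
    for no, where, var in ua_gated_sections(SAMPLE_CONF):
        print(f'line {no}: {where} is gated only by User-Agent variable {var}')
```

A section flagged this way should be protected with real authentication or a network-level restriction rather than a header match.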
Let's try that.
curl -H "User-Agent:Mozilla/4.0" http://192.168.18.78:8080
And the result is,
We have a hyperlink here, to /phptax/. Let's try this in a browser.
I’m using a Firefox extension to switch user agents. Get that here:
I’ve installed the extension and activated the custom user agent for our machine.
Now let’s load the page in browser.
This looks like an app for filling in tax forms. OK, so let's see if there are any known vulnerabilities in this.
According to Exploit-DB, there is an RCE vulnerability in PhpTax.
Let's try to exploit that with Metasploit.
msfconsole
search phptax
Now let's set the options.
Use run to run the exploit.
We got the shell now.
Now use the whoami command to find out the current user.
Now use the command /bin/sh -i to get a fully interactive shell.
Let's now get the OS version the machine is running.
Use the command uname -a for that.
We are on FreeBSD 9.0. Let's look online for available exploits.
There is a privilege escalation exploit on Exploit-DB. Let's try that.
Download the exploit to our Kali machine.
wget https://www.exploit-db.com/download/28718 -O exploit.c
Time to send the file to target machine. The target does not have wget or curl. So we will use netcat to transfer the file.
Let's start a listener on our Kali machine and send the file on target machine’s
On target machine,
Now we got the exploit file on our target.
Now let's compile it using gcc.
Time to exploit!
We are root now!