This write-up goes through exploiting outdated services and applications to get a root shell on the target machine, Kioptrix 2014, which is available on Vulnhub.

Objective:

  1. Find Hidden Directories
  2. Exploit outdated versions of web application services
  3. Intercept traffic with Burp Suite and replay it to reach restricted URL paths

Getting Started

To get started, download the OVA file available on Vulnhub and open it in VMware or VirtualBox. Fire up your Kali Linux or Parrot distribution for attacking the target machine.

Recon & Scanning Phase

Use netdiscover to find the IP of our target machine. Since we don’t know the IP, we scan the whole network range using the following command:

netdiscover -r 192.168.0.0/16

So we have our target IP now, as seen below.

Target Machine IP discovered via netdiscover

Now that we have our target machine’s IP address, let’s run an Nmap scan to find out what services are running on it.

Nmap scan

From the scan above, the following two ports are open:

  1. Port 80
  2. Port 8080

Enumeration

Both ports are served by Apache httpd 2.2.21. Let’s dig a little deeper and browse to the target machine’s IP address on each of these ports.

Target Machine using Port 80
Target Machine using port 8080

We find nothing interesting, as seen above. Let’s check the page source and see if there is anything of interest there.

Page Source Target Machine on port 8080
Page Source of Target Machine using Port 80

As seen above, we find a URL path in the page source of the site on port 80. Let’s navigate to that path.

Hidden URL of the Target machine

The URL we just found produces the output above.

Researching pChart, we find that it is an object-oriented PHP charting library. We find an exploit for pChart 2.1.3 on Exploit-DB. There are two kinds of issues listed: a directory traversal and a cross-site scripting vulnerability.

Pchart2.1.3 Exploit

Let’s use the URL for the directory traversal exploit. We get the following output, the contents of /etc/passwd:

Output etc/passwd
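A detection-side view of the traversal above, as an added example that is not part of the original write-up: a small Python scanner over constructed Apache access-log lines that flags plain or percent-encoded `../` sequences and reads of sensitive files such as /etc/passwd and httpd.conf. The log lines and the pChart-style path in them are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines for illustration (not taken from
# the Kioptrix 2014 machine); lines 2 and 3 mimic a pChart-style traversal.
SAMPLE_LOG = """\
192.168.0.20 - - [10/Mar/2020:12:01:05 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.20 - - [10/Mar/2020:12:01:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.168.0.20 - - [10/Mar/2020:12:01:15 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=../../../../usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 19832 "-" "Mozilla/5.0"
192.168.0.31 - - [10/Mar/2020:12:02:00 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.basic.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Fields we need from the combined log format: client IP, timestamp, method,
# request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # ../ or ..\ after decoding
SENSITIVE = ('/etc/passwd', '/etc/master.passwd', 'httpd.conf')

def decode_target(target):
    # Decode twice so double-encoded sequences (%252e%252e%252f) are caught too.
    return unquote(unquote(target))

def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group('target'))
    hits = []
    if TRAVERSAL_RE.search(target):
        hits.append('traversal')
    if any(s in target for s in SENSITIVE):
        hits.append('sensitive-file')
    if not hits:
        return None
    status = int(m.group('status'))
    # A 200 on a sensitive file means the disclosure most likely succeeded.
    severity = 'high' if status == 200 and 'sensitive-file' in hits else 'medium'
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'status': status,
            'target': target, 'hits': hits, 'severity': severity}

def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {','.join(f['hits'])} {f['target']}")
```

Feed it a real access_log instead of SAMPLE_LOG to spot the same pattern on a host you defend; a high-severity hit is a successful file read that needs the vulnerable application patched or removed.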

As we know from our Nmap scan, the target machine is running FreeBSD. Let’s check the Apache configuration file to learn how access to the content on port 8080 is restricted; read it carefully. Append the following path to the URL we used previously. As the Apache version is 2.2.21, we use the apache22 directory, as pointed out in the FreeBSD documentation.

/usr/local/etc/apache22/httpd.conf
Configuration file of the FreeBSD target

Scrolling a bit further in the configuration file, we find a DocumentRoot path that is only accessible to a particular version of the Mozilla browser (the check is made on the User-Agent header). I was running version 5 of Mozilla, which is why the directory was not shown.

The path for Port 8080

We are going to use Burp Suite to intercept the request and change the Mozilla version in it in order to reach the URL path.

Burp Interception

As soon as we change the Mozilla version to 4, we see a directory named phptax/. By intercepting further requests, we are able to map out the full URL path.

Phptax
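The access control that Burp let us bypass is worth checking for on the defending side. As an added example (not from the original write-up), this Python script audits an httpd.conf for <Directory> blocks whose only gate is an environment variable set from a client-controlled header such as User-Agent; the configuration excerpt and its paths are constructed assumptions, not the machine's real file.

```python
import re

# Constructed httpd.conf excerpt modelled on the setup described above (a directory
# gated by a Mozilla/4.0 User-Agent); paths are assumptions, not Kioptrix's real file.
SAMPLE_HTTPD_CONF = """\
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<Directory "/usr/local/www/apache22/restricted">
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>
"""

# Headers any client sets freely: an env var derived from them via SetEnvIf
# is not a trust boundary, so Allow/Require keyed on it is not access control.
CLIENT_HEADERS = {'user-agent', 'referer', 'cookie'}
SETENVIF_RE = re.compile(r'^\s*SetEnvIf(?:NoCase)?\s+(\S+)\s+(\S+)\s+(\S+)', re.I)
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE_RE = re.compile(r'^\s*</Directory>', re.I)
# Both the 2.2 "Allow from env=NAME" and the 2.4 "Require env NAME" forms.
ALLOW_ENV_RE = re.compile(r'^\s*(?:Allow\s+from\s+env=|Require\s+env\s+)!?(\S+)', re.I)
AUTH_RE = re.compile(r'^\s*(?:AuthType\s|Require\s+(?:valid-user|user\s))', re.I)

def audit(conf_text):
    """Report <Directory> blocks whose only gate is a client-controlled header."""
    spoofable = {}            # env var name -> request header it comes from
    findings, block = [], None
    for line in conf_text.splitlines():
        m = SETENVIF_RE.match(line)
        if m and m.group(1).lower() in CLIENT_HEADERS:
            spoofable[m.group(3)] = m.group(1)
            continue
        m = DIR_OPEN_RE.match(line)
        if m:
            block = {'path': m.group(1), 'env_allows': [], 'auth': False}
            continue
        if block is None:
            continue
        if DIR_CLOSE_RE.match(line):
            if not block['auth']:
                findings += [{'path': block['path'], 'env': e, 'header': spoofable[e]}
                             for e in block['env_allows'] if e in spoofable]
            block = None
            continue
        m = ALLOW_ENV_RE.match(line)
        if m:
            block['env_allows'].append(m.group(1))
        elif AUTH_RE.match(line):
            block['auth'] = True
    return findings
```

A hit means the directory should be protected with real authentication (AuthType plus Require valid-user) or network-level controls rather than a header match.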

It looks like we have found a tax application. Researching phptax further, we learn that it is an income tax report generator and is vulnerable to RCE (Remote Code Execution).

The exploit can be found using searchsploit or Metasploit.

Exploit for phptax using searchsploit
Exploit for Phptax using Metasploit

Gaining Access

Let’s exploit the phptax vulnerability now. Set the required parameters and run the exploit.

Setting the required parameters
Exploit Error

Oops, we get an error while executing the exploit. Don’t worry, we have got this. The new version of Metasploit (version 5) does not select a default payload in our case, so we need to select the payload manually, as seen below.

Setting Payload Manually

Once we have set the payload manually, we are good to go and the exploit runs successfully.

All Parameters set

So our exploit is successful, and we get shell access. The commands for interacting with the shell are somewhat different, as the target runs FreeBSD. We have a shell, but we are not root yet, so we need to escalate our privileges.

Shell Popped

Privilege Escalation

FreeBSD 9.0 has public privilege escalation exploits. You may use any of them.

Privilege Escalation

The target machine has netcat available, so let’s use it to transfer the exploit code to the target. Port 1234 is used to listen for the incoming connection.

netcat connection on the localhost

Now we connect back to our local machine from the target.

Netcat on Target Machine

As seen below, the exploit code has been transferred successfully. Make the file executable, compile the code and run the exploit.

Exploit code transferred on the Target Machine
Privilege Escalated

So the exploit was a success: we have escalated privileges and rooted the target machine.

I hope you liked the walkthrough. Happy hacking ;)

About Me

I am a cybersecurity enthusiast pursuing my Master’s Degree in Information Security and trying to get into a full-time cybersecurity career. You can follow for more write-ups and walkthroughs here.

The awesome image used in this article is called "Ninja Cyber" by Anggara Ts.