Kioptrix2014 is one of the most recommended machines to play around with prior to OSCP preparation. Therefore, I am very eager to shell the box 🙂
Kali Machine IP: 192.168.56.102
Kioptrix Machine IP: 192.168.56.101 (how?)
nmap -sn 192.168.56.102/24
-sn SYN pack
nmap -sC -sV -p- -A -T4 192.168.56.101 -oN nmap.log
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
As always, let’s check whether we can find anything in robots.txt and the page source code.
No luck with robots.txt
Source code meta tag reveals something interesting!
Let’s visit the link: http://192.168.56.101/pChart2.1.3/examples/index.php
I went through the folders and was looking for some upload function (I was expecting to upload some shell through which I could do a reverse connection but no luck lol)
Therefore, I had to do some shopping from exploit-db
We received ample information, but I am more interested in this highlighted one 🙂
You have to paste this line after the index.php
By the way, %2f means / (URL encoding); you can learn more about it here.
Therefore, the complete link is
A lot of things were going through my mind regarding what to do next; I realized the importance of having a steady methodology or approach.
Anyway, at this point I really can’t think of a way to proceed further, so let us check the nmap result again, where we see that port 8080 is open. Let’s check what resources are loaded there.
Visit this link:
Additional resource: to find the location of the Apache conf file, see here.
User-Agent ^Mozilla/4.0 Mozilla4_browser
Usually, I use Burp Suite for this purpose, but this time let’s use an add-on instead. I am using Firefox and we will use this user-agent switcher.
- Click on your add-on
- Then click on the Firefox icon
- Click on the pen (or edit) icon
- Paste the string
Then I visited the URL again and got an interesting application running on it.
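The conf line above keys access on the User-Agent header, which the client chooses, so it works as a filter rather than as authentication. From the defender's side, the 403-then-success sequence is visible in the access log; the following is an added example, not part of the original post, that flags it. It assumes Apache "combined" log format, and the log lines and the function name find_ua_switches are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (assumption: not taken from the lab machine).
SAMPLE_LOG = """\
192.168.56.102 - - [10/Mar/2020:10:01:02 +0000] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
192.168.56.102 - - [10/Mar/2020:10:03:40 +0000] "GET / HTTP/1.1" 200 1180 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.56.50 - - [10/Mar/2020:10:04:00 +0000] "GET / HTTP/1.1" 200 1180 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.56.60 - - [10/Mar/2020:10:05:00 +0000] "GET / HTTP/1.1" 403 202 "-" "curl/7.64.0"
not a log line
"""

def find_ua_switches(log_text):
    """Return (ip, path, denied_ua, allowed_ua) for every client that was
    refused (403) on a path and later served (2xx) with a different User-Agent."""
    denied = defaultdict(dict)  # ip -> {path: User-Agent seen on the 403}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, path, ua = m["ip"], m["path"], m["ua"]
        status = int(m["status"])
        if status == 403:
            denied[ip].setdefault(path, ua)  # remember the first refused UA
        elif 200 <= status < 300 and path in denied[ip]:
            first_ua = denied[ip].pop(path)
            if first_ua != ua:  # same client, same path, new identity
                findings.append((ip, path, first_ua, ua))
    return findings

if __name__ == "__main__":
    for ip, path, before, after in find_ua_switches(SAMPLE_LOG):
        print(f"{ip} {path}: 403 as {before!r}, then 2xx as {after!r}")
```

Clients that only ever present one User-Agent, allowed or denied, are not reported; only the switch on the same path is.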
searchsploit freebsd 9.0
cp /usr/share/exploitdb/exploits/freebsd/local/28718.c .
I copied the exploit code to my current directory (which is represented by .)
There was an error when I tried to compile the exploit code. I googled it and thought it might be an old issue. No, it wasn’t 🙁
To compile the C program: gcc -o exploit 28718.c
28718.c:25:10: fatal error: machine/cpufunc.h: No such file or directory
 #include <machine/cpufunc.h>
          ^~~~~~~~~~~~~~~~~~~
compilation terminated.
Nevertheless, we still have one more exploit; remember step 06?
To be continued