KIOPTRIX: 2014 (#5) Walkthrough

As usual, this vulnerable machine is targeted at beginners. It’s not meant for seasoned pentesters or security geeks who have been at this sort of stuff for 10+ years. https://www.vulnhub.com/entry/kioptrix-2014-5,62/

Hacking is a mindset. Hence, I would like to reference a powerful quote here:

So in war, the way is to avoid what is strong, and strike at what is weak.
Sun Tzu, The Art of War

Enumeration

Let’s start with enumeration.

sudo nmap -p- -T4 -A 192.168.103.187

Brooding🤔:

SSH is filtered -> some firewall🛡 mechanism is in place.

Web server on 80 and 8080. The only way into the system is through the web server. If the web server has no explicit exploit 💣, then it must be through SQLi, LFI or RFI -> RCE🛠🔧🔨.

More Enumeration…🎯

  1. Port 80
  • Manual viewing + robots.txt + source code
    Nothing fancy here 😩
    Found a lead…🔑

    📌 URL=pChart2.1.3/index.php

    No robots.txt

  • Nikto scan
    mod_ssl …🔑

    📍 We do have the mod_ssl module, but it is not exploitable for this version of Apache on the FreeBSD platform.

  • GoBuster
    Nothing interesting here.

  2. Port 8080
  Same as port 80, but it is refusing connections.

Finding POI (Point Of Intrusion)

We had only one lead.

Found a directory traversal vulnerability and started exploring.

Payload: hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
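The root cause of a traversal like the one above is that a user-supplied file name is joined onto a base directory without checking where the joined path ends up. The following is an added example (not pChart's code or the walkthrough author's) of the hardened form, written in Python for illustration; the base directory `/var/www/examples` and the function name `resolve_script` are assumptions. It percent-decodes the parameter once, rejects absolute paths and null bytes, collapses `..` segments by resolving the path, and then checks that the result is still inside the base directory.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical base directory for the example scripts (assumption, not pChart's real layout).
EXAMPLES_DIR = Path("/var/www/examples").resolve()


def resolve_script(script_param: str, base: Path = EXAMPLES_DIR) -> Optional[Path]:
    """Map a user-supplied Script parameter to a file under `base`.

    Returns the resolved path, or None when the parameter is absolute,
    contains a null byte, or escapes `base` after ".." segments are collapsed.
    """
    # Decode once; the web server normally does this, but be robust if the
    # raw query string is passed in.
    decoded = unquote(script_param)

    # Null bytes can truncate C-level file names; absolute paths ignore `base`.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None

    # resolve() collapses ".." segments and follows symlinks, so the check
    # below is done on the path the OS would actually open.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        # The candidate is outside `base`: traversal attempt, refuse it.
        return None
    return candidate


if __name__ == "__main__":
    for param in ("Example01.php", "%2f..%2f..%2fetc/passwd", "../../etc/passwd", "..%2f..%2fetc/passwd"):
        print(f"{param!r:32} -> {resolve_script(param)}")
```

The check must run on the resolved path, not on the raw string: filtering `../` textually misses encoded variants and symlinks, whereas `relative_to` on the resolved path answers the only question that matters, namely whether the file that would be opened lies under the allowed directory.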

Using the same logic, had a look into the apache config file. Surprisingly found out the reason why it was not allowing us on port 8080. [/usr/local/etc/apache22/httpd.conf]
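Both reads above leave a trace in the Apache access log, which is where a defender would catch this. The following added example (not from the walkthrough or the pChart project) scans Apache combined-format log lines for traversal indicators: it percent-decodes the request target repeatedly to defeat double encoding, then flags `..` segments and null bytes, and records the status code so that a 200 on a traversal request stands out from a blocked 403. The log lines are constructed for the example; the first flagged one mirrors the payload shown in this walkthrough.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." immediately followed by a path separator is the traversal primitive.
DOT_DOT_RE = re.compile(r'\.\.[/\\]')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_indicators(target: str) -> list:
    """Return the list of traversal indicators found in a request target."""
    decoded = fully_decode(target)
    indicators = []
    if DOT_DOT_RE.search(decoded):
        indicators.append("dot-dot segment")
    if "\x00" in decoded:
        indicators.append("null byte")
    # If one decoding round was not enough, the client encoded the payload twice.
    if decoded != unquote(target):
        indicators.append("double encoding")
    return indicators


def scan_log(lines) -> list:
    """Return one dict per log line that carries traversal indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        indicators = traversal_indicators(m["target"])
        if indicators:
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return hits


# Constructed sample log lines (not from the real machine).
SAMPLE_LOG = [
    '192.168.103.50 - - [10/Mar/2014:10:00:01 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.103.50 - - [10/Mar/2014:10:00:07 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '192.168.103.50 - - [10/Mar/2014:10:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e%2f%252e%252e%2fetc/passwd HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '192.168.103.50 - - [10/Mar/2014:10:00:12 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=../../etc/passwd%00 HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} status={hit["status"]} {hit["indicators"]} {hit["target"]}')
```

Decoding before matching is the essential step: the walkthrough's payload spells the slashes as `%2f`, so a rule that looks for the literal `../` in the raw request line never fires. Feeding the flagged entries into an alert when the status is 200 turns the same log into a detection for successful reads.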

Used a plugin to change my User-Agent.

Exploitation

Got the Reverse Shell❤️

Privilege Escalation

Used the kernel exploit to gain root🦠.

What could be more fun than breaking stuff!!!