Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kioptrix 2014 5


Published on

OSCP Exam Preparation Documents.
In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Kioptrix 2014 5

  1. 1. Jayesh Patel Information Security Specialist Kioptrix: 2014 (#5) This is Vulnhub Vulnerable machine series, In this session we find the root access of this machine. Download VM :,62/ About : As usual, this vulnerable machine is targeted at the beginner. It's not meant for the seasoned pentester or security geek that's been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard. Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn't get its IP (well I do kinda know why but don't want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go. This was created using ESX 5.0 and tested on Fusion, but shouldn't be much of a problem on other platforms. Kioptrix VM 2014 download 825Megs MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432 Waist line 32" p.s.: Don't forget to read my disclaimer.. Hacking Step : How to get VM IP : Use “netdiscover -r” Command in your Kali linux box Note : Check Screen shot Tab Enumeration : Get Open ports information in target machine, for that we used nmap command for enumerate open port details and running services with version number. We also get running OS detail. Note : Check Screen shot Tab Web Server Port : We found web server port 80 and 8080, Now we open running web server in our kali machine. with 80 port we get “it Works” web server but when we use 8080 port, it give error like 403. Now we open web server of target machine with “80” port, and check source information of page. we can see following lines,
  2. 2. <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> In this lines you can see “pchart2.1.3” word. Now you can check this word with “searchsploit” and find any vulnerability available in this application. http://192.168/pChart2.1.3/examples/index.php? Action=View&Script=%2f..%2f..%2fetc/passwd We found above LFI vulnerability in this application, using this vulnerability we can get system details. with above command we ca get system /etc/passwd file information. But Now we want to get 8080 port virtual host hosting details, which details available in /usr/local/etc/apache22/httpd.conf file. Open this file with LFI vulnerability. like Action=View&Script=%2f..%2f.. %2fusr/local/etc/apache22/httpd.conf We found the server running on 8080 with different user-agent. “User-Agent:Mozilla/4.0" Note : Check Screen shot Tab Access 8080 hosted web server : Use following command for access 8080 hosted web server with specific user-agent. curl -H "User-Agent:Mozilla/4.0" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <title>Index of /</title> </head> <body> <h1>Index of /</h1> <ul><li><a href="phptax/"> phptax/</a></li> </ul> </body></html> Finally we get above output, In this output you can see one line “href=“phptax”. you can search exploit for this phptax application using searchsploit command. and found one metasploit exploit. Note : Check Screen shot Tab Get Shell using Metasploit :
  3. 3. Now we have shell with web-root user permission. But our goal is to get root access. Using uname command you can get running operating system and version and patch details. Note : Check Screen shot Tab Get Root Privilege Access : Now we have some of target machine information, like In target machine “FreeBSD” OS running and version is 9.0. Now use searchsploit command to find root privilege access exploit details. Now found one exploit “28718.c” using searchsploit command. Note : Check Screen shot Tab Screenshot :