OSCP Exam Preparation Documents. In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.

1. Jayesh Patel
Information Security Specialist
jay.net.in@gmail.com
Kioptrix: 2014 (#5)
This is Vulnhub Vulnerable machine series, In this session we find the root access of this machine.
Download VM :
https://www.vulnhub.com/entry/kioptrix-2014-5,62/
About :
As usual, this vulnerable machine is targeted at the beginner. It's not meant for the seasoned pentester or
security geek that's been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is
help in that regard.
Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball
reason it doesn't get its IP (well I do kinda know why but don't want to give any details away). So just add the
VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should
be good to go.
This was created using ESX 5.0 and tested on Fusion, but shouldn't be much of a problem on other platforms.
Kioptrix VM 2014 download 825Megs
MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a
SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432
Waist line 32"
p.s.: Don't forget to read my disclaimer..
Hacking Step :
How to get VM IP :
Use “netdiscover -r 192.168.2.89” Command in your Kali linux box
Note : Check Screen shot Tab
Enumeration :
Get Open ports information in target machine, for that we used nmap command for enumerate
open port details and running services with version number. We also get running OS detail.
Note : Check Screen shot Tab
Web Server Port :
We found web server port 80 and 8080, Now we open running web server in our kali machine. with
80 port we get “it Works” web server but when we use 8080 port, it give error like 403.
Now we open web server of target machine with “80” port, and check source information of page.
we can see following lines,

2. <META HTTP-EQUIV="refresh"
CONTENT="5;URL=pChart2.1.3/index.php">
In this lines you can see “pchart2.1.3” word. Now you can check this word with “searchsploit” and
find any vulnerability available in this application.
http://192.168/pChart2.1.3/examples/index.php?
Action=View&Script=%2f..%2f..%2fetc/passwd
We found above LFI vulnerability in this application, using this vulnerability we can get system details.
with above command we ca get system /etc/passwd file information.
But Now we want to get 8080 port virtual host hosting details, which details available
in /usr/local/etc/apache22/httpd.conf file.
Open this file with LFI vulnerability. like
http://192.168.2.89/pChart2.1.3/examples/index.php?
Action=View&Script=%2f..%2f..
%2fusr/local/etc/apache22/httpd.conf
We found the server running on 8080 with different user-agent. “User-Agent:Mozilla/4.0"
Note : Check Screen shot Tab
Access 8080 hosted web server :
Use following command for access 8080 hosted web server with specific user-agent.
curl -H "User-Agent:Mozilla/4.0" http://192.168.1.68:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
Finally we get above output, In this output you can see one line “href=“phptax”. you can search
exploit for this phptax application using searchsploit command. and found one metasploit exploit.
Note : Check Screen shot Tab
Get Shell using Metasploit :

3. Now we have shell with web-root user permission. But our goal is to get root access. Using uname
command you can get running operating system and version and patch details.
Note : Check Screen shot Tab
Get Root Privilege Access :
Now we have some of target machine information, like In target machine “FreeBSD” OS running and
version is 9.0. Now use searchsploit command to find root privilege access exploit details.
Now found one exploit “28718.c” using searchsploit command.
Note : Check Screen shot Tab
Screenshot :