Thursday, June 7, 2018

Kioptrix - 2014 (#5)


KIOPTRIX- 2014 (#5) 

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Kioptrix 2014 (#5)

- Kioptrix 2014 (#5) can be downloaded from here:

https://www.vulnhub.com/entry/kioptrix-2014-5,62/





- Once downloaded, extracted and opened with WMware:






2 - ENUMERATION

- First, using netdiscover let's notice that the only IP address in the local network working with WMware is 192.168.1.159, so it should correspond to the vulnerable machine Kioptrix:






- Scanning with Nmap, there are only two open ports (80 and 8080), running Apache web server.




- Also, it is interesting that the operating system is FreeBSD 7.0|8.0|9.0

- Using dirb to check the contents of the website:




- Trying to connect to the web server to port 8080, there is a Forbidden message as answer:



Trying to connect to the web server to port 8080, It works !




- Viewing the Page Source, we detect the presence of pChart2.1.3:






- pChart is a PHP library that helps to create anti-aliased charts or pictures directly from the web server.

http://www.pchart.net/


- Going deeper into folder pChart2.1.3:







- For instance, connecting to folder /examples:






3 - EXPLOITATION

- First, let's see if there is any pChart 2.1.3 related vulnerability:




- It seems that there are a numbers of vulnerabilities affecting the /examples folder:





- Let's focus our attention on the Directory Traversal attack:





- Crafting the Directory Traversal URL to our needs:




- The attack is successful:




- At this point let's remember (from Namp) that we are dealing with FreeBSD 7.0|8.0|9.0 operating system and Apache 2.2.21 web server. 

- The configuration file for this type of operating system and web server can be found at /usr/local/etc/apache22/httpd.conf:


https://www.freebsd.org/doc/handbook/network-apache.html


- Now, let's craft the URL to see what we can learn from httpd.conf:




- The Directory Traversal attack is again successful:





- Let's notice the last part of the output, where it seems that for successfully connecting to the port 8080 the User-Agent must be mandatory Mozilla/4.0

- Connecting to 192.168.1.159:8080 with curl and specifying "User-Agent:Mozilla/4.0" the element phptax appears:




- phptax is an old web application to calculate US income return.

- Now, we must change the default Mozilla version to the needed 4.0. For that purpose, opening about:config and accepting the risk:





- Searching for useragent and opening a new String:




- Writing a new string and its value:







- Now, the connection to 192.168.1.159:8080 is successful and phptax is indexed:







- Metasploit helps to exploit phptax:








- Setting options:




- Running the exploit a limited shell is achieved for user www:




4 - PRIVILEGE ESCALATION

- Getting an sh shell:



- Remembering that the operating system is FreeBSD 9.0:




- Googling for FreeBSD 9.0 vulnerabilities:




- There is an interesting one for Privilege Escalation:





- Downloading the exploit and copying to a working directory:




- Setting a netcat listening session with the purpose of transferring the exploit to the victim machine:




- Doing the same thing at the victim's side (/tmp is writeable) the transfer is finally successful:






- Listing the exploit:



- Compiling:





- Running the exploit a root shell is achieved:






5 - CAPTURING THE FLAG

- Going to the /root folder:





etc ...