Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

Kioptrix

This is the first in the list of VMs hosted on [vulnhub](https://vulnhub.com) that are good to try when preparing for the OSCP exam.
There are more to follow, but I’m starting with this one, and it should be an easy one.

Recon

First off I need to know what ports are open and what services are running.

It looks like there is a web server running on port 80 and another on port 8080. There is also a closed port.
The nmap scan mentions OpenSSL, but port 443 is not open. The Apache version string also shows that the server runs on FreeBSD, which is important to keep in mind for system recon.

Webserver

When curling the web server on port 80, I get:

When curling the web server on port 8080, I get:

The comment in the first curl output is a hint and points to the content of the actual web page.
Google has this to say about pChart: *pChart is a PHP library that will help you to create anti-aliased charts or pictures directly from your web server.*

Looking at the exploit, it seems there is a path traversal vulnerability that may come in handy.
To see if it works, I’m going to try to read the /etc/passwd file, which exists on almost every Unix system.
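From the defender's side, the traversal attempt described above leaves a recognisable trace in the web server's access log. The following is an added example (not code from the original post): it parses constructed Apache combined-format log lines, percent-decodes each request URI repeatedly so that double-encoded `../` sequences are also caught, and flags any request whose path or query contains a parent-directory segment. The log lines, the `/chart/view.php?file=` endpoint and the 192.0.2.0/24 addresses are constructed placeholders, not values from the VM.

```python
import re
import urllib.parse

# Constructed sample lines in Apache combined log format (not taken from the original post).
# The endpoint, parameter name and documentation-range addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Oct/2020:10:00:05 +0000] "GET /chart/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1874 "-" "curl/7.72.0"
192.0.2.10 - - [20/Oct/2020:10:00:09 +0000] "GET /chart/view.php?file=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 300 "-" "curl/7.72.0"
192.0.2.10 - - [20/Oct/2020:10:00:12 +0000] "GET /chart/view.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/7.72.0"
192.0.2.11 - - [20/Oct/2020:10:01:00 +0000] "GET /chart/view.php?file=sales.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, URI and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded sequences are caught."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(uri):
    """True if any path or query segment is a bare parent-directory reference after decoding."""
    decoded = decode_fully(uri).replace("\\", "/")
    segments = re.split(r"[/?&=;]", decoded)
    return ".." in segments


def find_traversal(log_text):
    """Return (ip, uri, status) for each request that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        if is_traversal(match.group("uri")):
            hits.append((match.group("ip"), match.group("uri"), int(match.group("status"))))
    return hits


def successful_traversals(log_text):
    """Subset of hits that returned 2xx: the server most likely served the requested file."""
    return [hit for hit in find_traversal(log_text) if 200 <= hit[2] < 300]


if __name__ == "__main__":
    for ip, uri, status in find_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

A 2xx status on a flagged request is the higher-confidence signal: it means the application did not reject the path, which is exactly the condition the post relies on to read /etc/passwd. Matching on the decoded segment `..` rather than the raw string `../` keeps the check from firing on innocuous file names such as `report..csv`.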

Looks like it works. There are 3 users, which you can tell by the UIDs from 1000 and up.
But these users can’t log in: their shell is /sbin/nologin.
There is also an extra superuser with the username toor, which has no shell assigned,
and root has csh as its default shell.
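The reading of /etc/passwd above (UID 0 accounts, UIDs from 1000 up, and which of them have a usable shell) is the same check an administrator would script when auditing a host. The following is an added example, not code from the original post: a small passwd(5) parser and an account audit run over a constructed sample that mirrors the layout the post describes (root on csh, a second UID-0 account toor with an empty shell field, three regular accounts on /sbin/nologin). The user names, the nologin shell list and the 1000 to 59999 "human account" UID range are assumptions, not values from the VM.

```python
# Constructed passwd-style sample, modelled on what the post describes for this FreeBSD host.
# User names are placeholders, not the VM's actual accounts.
SAMPLE_PASSWD = """\
# $FreeBSD$
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
user1:*:1000:1000:User One:/home/user1:/sbin/nologin
user2:*:1001:1001:User Two:/home/user2:/sbin/nologin
user3:*:1002:1002:User Three:/home/user3:/sbin/nologin
"""

# Assumption: these shell values (including an empty field) mean the account cannot log in interactively.
NOLOGIN_SHELLS = {"", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumption: regular (human) accounts live in this range; nobody (65534) is deliberately excluded.
HUMAN_UIDS = range(1000, 60000)


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid name:pw:uid:gid:gecos:home:shell record
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_accounts(entries):
    """Summarise the accounts the way the post reads them, plus the checks a defender wants."""
    return {
        # every UID-0 account; anything other than root here deserves a second look
        "superusers": [e["name"] for e in entries if e["uid"] == 0],
        "extra_superusers": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        # the "3 users" from the post: regular accounts by UID range
        "human_accounts": [e["name"] for e in entries if e["uid"] in HUMAN_UIDS],
        # regular accounts that actually have a login shell
        "human_can_login": [e["name"] for e in entries
                            if e["uid"] in HUMAN_UIDS and e["shell"] not in NOLOGIN_SHELLS],
        # shell assigned to each UID-0 account (root: csh, toor: none in the sample)
        "superuser_shells": {e["name"]: e["shell"] for e in entries if e["uid"] == 0},
    }


if __name__ == "__main__":
    for key, value in audit_accounts(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key}: {value}")
```

The `extra_superusers` list is the item worth alerting on in a real audit: a second UID-0 account such as toor is normal on FreeBSD, but one with a set password or a login shell is not, so the audit also reports each superuser's shell field.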

Because this is a FreeBSD system, keep in mind that some files are stored in different locations than on Debian-based distros.

Let’s look for the Apache configuration file. From the nmap scan, and also from the output above, I know I need to look in the apache22 location for the httpd.conf file.

At the bottom I find some information about a virtual host, namely the one on port 8080.
It seems I need a different browser user agent. Let’s test this with curl first.

And now with the right user agent.

And it works.
I end up at a web page with some kind of income tax form.
It runs PHP, and the software is called phptax / pfilez.

The first line looks promising.

Looks like I’m in the system.

After some time searching the system, it seems a possible way to escalate my privileges is by running a kernel exploit.

Time to copy the exploit to the remote system.
First I set up a listener on my end and redirect the file to its stdin.

Then, on the remote system, I connect to the listener and redirect stdout to a file.

Now to compile the exploit and run it.

Looks like it worked.
Time for the final step: retrieving the flag.

